American Security Today's 2016 CHAMPIONS EDITION Digital Magazine, Volume 9 | Page 92
and indexing all packet data by its unique session ID.
Doing this makes it quick to find every packet belonging to a given session between two endpoints, such as the playback of one specific YouTube video.
Beyond finding the packets of interest quickly, it is just as important to get the relevant packet data out of the packet capture solution and into the hands of the forensic network security team for analysis as fast as possible.
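The session-ID indexing described above, as an added example that is not part of the article or of any Napatech product: packets are keyed by a direction-independent 5-tuple so that both halves of a conversation are found with a single lookup instead of a scan of the capture store. The packet records, offsets and addresses are constructed sample data.

```python
# Added example (not from the article): a direction-independent session index
# over captured packets. Every packet of one conversation is retrieved with a
# single lookup rather than a scan of the whole capture.
# The packet records below are constructed sample data, not a real capture.
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    offset: int        # byte offset of the packet record in the capture file
    ts: float          # capture timestamp, seconds since epoch
    proto: str         # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def session_id(proto, ip_a, port_a, ip_b, port_b):
    """Canonical key for a 5-tuple. The two endpoints are sorted so that
    client->server and server->client packets map to the same session."""
    lo, hi = sorted(((ip_a, port_a), (ip_b, port_b)))
    return (proto.lower(), lo, hi)


class SessionIndex:
    """Maps a session key to the offsets of its packets, in capture order."""

    def __init__(self):
        self._offsets = defaultdict(list)

    def add(self, pkt: Packet):
        key = session_id(pkt.proto, pkt.src_ip, pkt.src_port,
                         pkt.dst_ip, pkt.dst_port)
        self._offsets[key].append(pkt.offset)

    def lookup(self, proto, ip_a, port_a, ip_b, port_b):
        """All packet offsets of a session, whichever direction the caller names."""
        key = session_id(proto, ip_a, port_a, ip_b, port_b)
        return list(self._offsets.get(key, []))

    def __len__(self):
        return len(self._offsets)


# Constructed sample capture: three packets of one HTTPS session (both
# directions) and one unrelated mDNS datagram in between.
SAMPLE_PACKETS = [
    Packet(0,    1.000, "tcp", "10.0.0.5",    51234, "203.0.113.7", 443),
    Packet(1500, 1.020, "tcp", "203.0.113.7", 443,   "10.0.0.5",    51234),
    Packet(3000, 1.050, "udp", "10.0.0.5",    5353,  "224.0.0.251", 5353),
    Packet(4500, 1.080, "tcp", "10.0.0.5",    51234, "203.0.113.7", 443),
]


def build_index(packets=SAMPLE_PACKETS):
    """Index a packet list; in a real deployment this runs at capture time."""
    idx = SessionIndex()
    for p in packets:
        idx.add(p)
    return idx


if __name__ == "__main__":
    idx = build_index()
    # Either endpoint order returns the same session: [0, 1500, 4500]
    print(idx.lookup("tcp", "203.0.113.7", 443, "10.0.0.5", 51234))
```

The offsets returned are what a retrieval job seeks to in the capture file; indexing at capture time is what turns a retrieval of hours into one of seconds.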

Fast retrieval is important for several reasons

Imagine investigating a possible security breach and quickly identifying some suspicious packet data in the packet capture database, only to then spend several hours retrieving it.
Firstly, the forensic network security team cannot make progress until the retrieval is complete. Secondly, because capture storage is finite and the oldest packets are overwritten first, there is a chance that the suspicious packets will be overwritten by newly captured traffic before the retrieval is done.

Gathering Forensic Evidence

Having packet capture capabilities is like having a time machine. We now have a complete picture of what happened 10 minutes, one hour, one day, one week, one month or one year ago on the network.
The big question is: how far back in time must we be able to travel?
No CIO wants to be in a situation where a possible cyber security attack cannot be investigated due to insufficient packet capture history.
The recent Target breach showed us that the attackers were present in the company's IT infrastructure for more than 200 days before the data breach was discovered and a detailed investigation was initiated.
An organization therefore needs to determine how much data storage capacity it requires. Two inputs drive the calculation: the amount of packet capture history it wants to retain, and the average volume of packet data the organization generates. Let us assume that a small or medium enterprise generates an average network load of 750 Mbps across a 24-hour window and that a large enterprise generates 5 Gbps under the same conditions.
Using those figures, we can calculate the minimum required storage capacity for one day, one week, one month and one year of packet capture history (1 TB = 10^12 bytes; 30-day month; 365-day year; no allowance for capture overhead):

Enterprise       Network load average   1 day    1 week    1 month    1 year
Small / Medium   750 Mbps               8 TB     57 TB     243 TB     2957 TB
Large            5 Gbps                 54 TB    378 TB    1620 TB    19710 TB

(Video: Napatech provides network management and security solutions that help customers monitor their networks and prevent data loss. The video shows how Smarter Data Delivery can help you stay in control of your network and get data when, where and how you want it. Courtesy of Napatech and YouTube)
Because most of today's packet capture solu-