What if your security breaks and you don’t know it? Do you wait an average of 277 days and get breached to find out? Let’s hope not. But if something in your security infrastructure isn’t doing what it’s supposed to be doing or getting the input it’s supposed to get, it can’t tell you.
Security operates on an assumptive model. Security devices and solutions assume that the data they receive is correct and complete. They don’t know when they aren’t getting what they need because they don’t know what traffic they need. They only know how to do their regex, policies, or other functions correctly. When they only receive part of the inputs they need, or if what they receive isn’t correct, they have no way to tell.
As an example, a client was implementing data surveillance to defend intellectual property in a hostile compliance environment. The client encrypts all of its internal data, which is decrypted when it arrives on the network segment where their DLP, IDS/IPS, security devices, and data surveillance were deployed. Data is supposed to be decrypted by the firewall before being made available to all other solutions. As data surveillance monitored the client’s data, we quickly saw that a high percentage of data we received was not completely decrypted.
Data surveillance performs session reconstruction—then looks at the payload (a file for example), extracts it, and analyzes the payload and session. With incomplete sessions, data surveillance couldn’t reconstruct sessions or extract payloads. The firewall was not decrypting anywhere from 20% to 80% of the data. This meant that none of the other security measures on the network could do their jobs either. They assumed that the data they received was complete and accurate. It wasn’t. Data surveillance was the only solution to identify that the core function of the decryption mechanism—on which all other security measures relied—was broken.
Data surveillance delivers binary-level visibility into data, which enables teams to see and validate that the security measures in place are doing what’s expected. They will also know exactly the state of their data with positive proof and a data chain-of-custody accounting. With that visibility, teams now have intelligence about their security processes that were previously invisible.