Automating Incident Response with Riverbed AppResponse

This global biopharmaceutical company uses Riverbed AppResponse to automate the preservation of packet-based evidence associated with security events and to streamline investigations.

Challenges

  • Security team needed to retain long-term packet history to analyze security breaches

Benefits

  • Improves the security team’s forensic recall
  • Streamlines further security investigations
  • Improves security posture

This global biopharmaceutical innovator deploys the entire Riverbed Unified Network Performance Management (NPM) solution (full-fidelity flow monitoring, packet capture, and infrastructure monitoring) because they understand the adage: you cannot manage what you can't measure. They also support its corollary: you can't secure what you cannot see. And that's what we are exploring today.

Solution

Incident Response Requires Packet Data

When deploying AppResponse, this biopharmaceutical customer's target was to retain 24 hours of packet data on any AppResponse appliance. The security team may need much longer history, especially for packets that pertain to IDS/IPS/NDR detections, but by the time an analyst goes looking, the packets of interest may already have aged out of the AppResponse capture buffer.

This situation is common to all packet capture solutions: how long any appliance can hold packets is determined by the volume of traffic being captured and the packet storage available on the appliance. AppResponse provides granular control over which packets are written to packet storage, but the packets needed for a performance problem or a security investigation may still be gone by the time they are needed. Adding packet storage extends retention time, but there is always a limit to how much packet data an appliance can hold. Riverbed professional services provided a creative and successful solution that helps the customer get the most from the packet storage it already has.

API Automates Packet Storage

Riverbed professional services provided the customer's security team with a two-step packet capture process for incident response:

  1. Created an API that lets them request packet captures for specified IPs, ports, and time ranges, triggered automatically by events detected by their security tools. A request to this API returns the list of AppResponse appliances that hold packets matching the request.
  2. A second API then requests the packets of interest from any of the identified AppResponse appliances and saves them to a secure FTP server for later analysis.

With the API framework in place, the customer also built a web frontend through which the security team and other stakeholders can request packet captures for specified IPs and ports over a specified start/end time. Once the request has been scheduled and completed, the user receives an email saying that the request is complete and providing a secure link to where the requested packets are stored.
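The two-step flow above, as an added example that is not Riverbed's code and does not use the AppResponse API: the appliance inventory, the security event, and the `fake_download` stand-in for the retrieval call are all constructed here, and the SHA-256 sidecar written next to each pcap is this example's addition for evidence integrity. Step 1 checks both capture scope and the retention window, so an event whose packets have already aged out of a buffer is reported as missing or partial rather than silently returning nothing.

```python
"""Event-driven packet preservation modelled on the two-step process above.
Added example; the fleet, the event and fake_download are constructed here."""
from __future__ import annotations

import hashlib
import ipaddress
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path


@dataclass(frozen=True)
class Appliance:
    name: str
    oldest: datetime           # oldest packet still in the capture buffer
    newest: datetime           # newest packet in the capture buffer
    scope: tuple[str, ...]     # CIDRs whose traffic this appliance captures


@dataclass(frozen=True)
class SecurityEvent:
    src: str
    dst: str
    port: int
    start: datetime
    end: datetime


def bpf_filter(ev: SecurityEvent) -> str:
    """Capture filter for the packets of interest, in both directions."""
    return f"host {ev.src} and host {ev.dst} and port {ev.port}"


def sees(app: Appliance, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in app.scope)


def locate(ev: SecurityEvent, fleet: list[Appliance]) -> dict[str, str]:
    """Step 1: which appliances hold packets for the event, and how completely.
    Returns {name: 'full' | 'partial'}; appliances that never see these hosts
    or whose buffer no longer covers the window are omitted."""
    hits: dict[str, str] = {}
    for app in fleet:
        if not (sees(app, ev.src) or sees(app, ev.dst)):
            continue
        if app.oldest > ev.end or app.newest < ev.start:
            continue  # the whole window has aged out of the buffer
        full = app.oldest <= ev.start and app.newest >= ev.end
        hits[app.name] = "full" if full else "partial"
    return hits


def preserve(ev, fleet, download, outdir):
    """Step 2: pull the pcap from each located appliance and store it with a
    SHA-256 sidecar so the evidence can later be shown to be unaltered."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    stored = {}
    for name, coverage in locate(ev, fleet).items():
        pcap = download(name, bpf_filter(ev), ev.start, ev.end)
        stem = f"{name}_{ev.start:%Y%m%dT%H%M%SZ}_{ev.src}_{ev.dst}_{ev.port}"
        path = outdir / f"{stem}.pcap"
        path.write_bytes(pcap)
        digest = hashlib.sha256(pcap).hexdigest()
        (outdir / f"{stem}.sha256").write_text(f"{digest}  {path.name}\n")
        stored[name] = (path, digest, coverage)
    return stored


# --- constructed sample data (not from the case study) ---------------------
T = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
FLEET = [
    Appliance("dc-east", T - 24 * H, T, ("10.10.0.0/16",)),   # covers window
    Appliance("dc-west", T - 7.5 * H, T, ("10.20.0.0/16",)),  # half the window
    Appliance("dmz", T - 2 * H, T, ("10.10.0.0/16",)),        # aged out
    Appliance("branch", T - 24 * H, T, ("192.168.0.0/16",)),  # never sees hosts
]
EVENT = SecurityEvent("10.10.5.5", "10.20.7.7", 445, T - 8 * H, T - 7 * H)
PCAP_MAGIC = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"


def fake_download(name, bpf, start, end) -> bytes:
    """Stand-in for the retrieval call: returns a distinct fake pcap per appliance."""
    return PCAP_MAGIC + f"{name} {bpf}".encode()


def demo() -> dict[str, tuple[str, str]]:
    """Run both steps into a temp dir; return {name: (coverage, digest)} for
    every stored file whose sidecar digest matches the bytes on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        stored = preserve(EVENT, FLEET, fake_download, tmp)
        return {n: (cov, dig) for n, (p, dig, cov) in stored.items()
                if hashlib.sha256(p.read_bytes()).hexdigest() == dig}


if __name__ == "__main__":
    for name, (coverage, digest) in demo().items():
        print(f"{name}: {coverage} sha256={digest[:16]}...")
```

In production the `download` callable would be the appliance's packet export call and `outdir` the secure FTP drop; the partial/full distinction is what tells an analyst to pull from a second appliance before the remaining window ages out too.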

Stakeholder Benefits

This innovative solution improves the security team’s agility and forensic recall capabilities by providing an automated process to preserve packet-based evidence associated with security events and the needed support for further security investigation. The solution extends the AppResponse ROI for the tools team by allowing them to satisfy additional stakeholders by extending packet retention time without necessarily having to invest in additional storage units.

Customer: global biopharmaceutical

Industry: Healthcare, Pharmaceutical, Biotech