Acquisition


Broad File Type Retention

Default retained file types include archives, executable formats, and common malware carriers, e.g., Adobe documents, Microsoft Office documents, Java applets, and Flash applets. FDR recognizes an extensive set of well-known file types, covering the vast majority of malicious and benign formats.

Configurable Data Retention Window

FDR Collectors are provisioned to support at least 30 days of file retention and 365 days of metadata retention at their peak bandwidth. The actual file retention window is still a function of user-defined policy, the mixture of ingested data, and the storage capacity of the underlying InQuest component. By design, FDR Collectors have no inherent limitation with respect to data retention, so retention capacity can be increased as each customer requires by over-provisioning collectors, e.g., placing a 20 Gbps collector on a 10 Gbps pipe.

Collection Control

FDR Collectors (appliance or software) are 'headless', i.e., their capture and retention tuning is controlled by an FDR Manager (appliance or software). Each collector is responsible for its own file storage, while the presiding Manager is responsible for storing metadata across all of the collectors it manages.

Comprehensive Data Ingest

Files and their associated network session information (email headers, web headers, SSL certificates, and individual file headers/IPs/certificates) can enter an IT environment through multiple pathways, including email, web connections, and mobile devices. FDR Collectors leverage SPAN and/or TAP ports for native packet capture. The FDR Manager uses ICAP for Web Content Filtering (WCF) and/or proxy integration, and the Server Message Block (SMB) protocol for analyzing data at rest. Automated (via API) and manual (analyst upload) utilities provide additional means of ingestion.

Multi-Tenancy Policy Controls

A key element of FDR's data acquisition design is the compartmentalization of customer data, policies, users, etc. on a per-customer basis. End customers and managed service providers (MSPs) will appreciate that data ingest security policy settings, e.g., enabling, disabling, modifying, or creating signatures, are independently provisioned and invisible to adjacent departments, divisions, agencies, etc.

Atomic Parsing and Deduplication

Session metadata and the metadata of extracted artifacts are stored in a relational database, whereas the file artifacts themselves are stored on the filesystem and organized via a proprietary deduplication algorithm. As the Deep File Inspection (DFI) process typically produces roughly four times (4x) as much data as was originally ingested, deduplication is key to ensuring optimal retention, which in turn helps extend the RetroHunt lookback window.
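The following is an added illustration of why deduplication of extracted artifacts pays off; it is not InQuest's proprietary algorithm (which is not public) and not code from the page. It assumes the textbook approach of a SHA-256 content-addressed store: every distinct payload is written once, while parent/child provenance and the sessions that carried each object are tracked separately. The container format, its extractor and the sample sessions are constructed for the example.

```python
"""Content-addressed artifact store with parent/child provenance (constructed example)."""
import hashlib
from dataclasses import dataclass, field


def pack(children):
    """Constructed toy container: 'PKG' followed by length-prefixed child records."""
    return b"PKG" + b"".join(len(c).to_bytes(4, "big") + c for c in children)


def toy_extract(data):
    """Extractor for the toy container; returns (relation, child_bytes) pairs."""
    if not data.startswith(b"PKG"):
        return []
    out, i = [], 3
    while i + 4 <= len(data):
        n = int.from_bytes(data[i:i + 4], "big")
        i += 4
        out.append(("embedded", data[i:i + n]))
        i += n
    return out


@dataclass
class ArtifactStore:
    blobs: dict = field(default_factory=dict)        # sha256 -> bytes, stored once
    provenance: dict = field(default_factory=dict)   # sha256 -> {(parent_sha256, relation)}
    sessions: dict = field(default_factory=dict)     # sha256 -> {session_id}
    bytes_seen: int = 0                              # total bytes presented to the store

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def put(self, data, session_id, parent=None, relation="root"):
        h = self.digest(data)
        self.bytes_seen += len(data)
        if h not in self.blobs:                      # duplicate payloads cost no storage
            self.blobs[h] = data
        self.provenance.setdefault(h, set()).add((parent, relation))
        self.sessions.setdefault(h, set()).add(session_id)
        return h

    def bytes_stored(self):
        return sum(len(b) for b in self.blobs.values())

    def ingest(self, session_id, container, extract):
        """Store a captured object and, recursively, everything extracted from it."""
        root = self.put(container, session_id)
        stack = [(root, container)]
        while stack:
            parent_hash, parent_data = stack.pop()
            for relation, child in extract(parent_data):
                stack.append((self.put(child, session_id, parent_hash, relation), child))
        return root


def demo():
    """Two constructed mail sessions carrying the same macro document inside different outer objects."""
    store = ArtifactStore()
    macro = b"vbaProject.bin: Sub AutoOpen() ... End Sub"
    payload = b"MZ" + b"\x90" * 30 + b"constructed PE-looking payload"
    doc = pack([macro, payload])
    mail1 = pack([doc, b"readme.txt: please review the attached document"])
    mail2 = pack([doc, b"invoice.pdf: %PDF-1.7 (constructed, not a real PDF)"])
    store.ingest("smtp-session-1", mail1, toy_extract)
    store.ingest("smtp-session-2", mail2, toy_extract)
    h = store.digest(payload)
    return {
        "distinct_artifacts": len(store.blobs),
        "bytes_seen": store.bytes_seen,
        "bytes_stored": store.bytes_stored(),
        "payload_sessions": sorted(store.sessions[h]),
        "payload_parents": {p for p, _ in store.provenance[h]},
    }


if __name__ == "__main__":
    print(demo())
```

The point of the provenance and session maps is that deduplication must not lose context: a RetroHunt hit on the payload hash still resolves to both sessions and to the document it was extracted from, even though the bytes were written once.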

Full Corpus File and Metadata Retention

All files are retained, regardless of whether there is a perceived threat or data-loss event at the time of ingestion. Additionally, a number of extensive retention signatures exist for capturing file-less malware, malware pivots, and other suspicious objects in transit. Finally, the entire subclass of extensible network session header signatures (mail and web) is executed on every captured session. Any alert from this layer also results in retention of the captured session information and its associated files.
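As an added example of the header-signature layer described above (not InQuest's signature language or code), the block below runs three constructed session header signatures over constructed mail and web session records. The decision rule is an assumption for illustration: files are kept unconditionally, and any header-layer alert additionally pins the session record and its files so they are exempt from rolling expiry.

```python
"""Session header retention signatures over captured sessions (constructed example)."""
import re
from email.utils import parseaddr


def _domain(addr_header):
    """Domain part of a mailbox header such as 'Name <user@host>'."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def sig_envelope_mismatch(s):
    """Mail only: header From domain differs from the envelope sender (Return-Path)."""
    rp = s["headers"].get("Return-Path")
    return s["kind"] == "mail" and rp is not None and _domain(s["headers"].get("From")) != _domain(rp)


def sig_double_extension(s):
    """Any session: carried file name disguises an executable as a document/image."""
    return any(re.search(r"\.(pdf|docx?|xlsx?|jpe?g)\.(exe|scr|js|hta|vbs)$", f["name"], re.I)
               for f in s["files"])


def sig_type_mismatch(s):
    """Any session: declared text/HTML content that actually carries a PE header (MZ)."""
    ct = s["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    return ct in {"text/html", "text/plain"} and any(f["data"][:2] == b"MZ" for f in s["files"])


SIGNATURES = [
    ("mail.envelope_mismatch", sig_envelope_mismatch),
    ("file.double_extension", sig_double_extension),
    ("web.type_mismatch", sig_type_mismatch),
]


def evaluate(session):
    """Run every header signature on one session and derive the retention decision."""
    alerts = [name for name, pred in SIGNATURES if pred(session)]
    return {
        "session_id": session["id"],
        "alerts": alerts,
        "retain_files": True,          # files are always retained
        "pin_session": bool(alerts),   # assumption: an alert exempts session + files from expiry
    }


# Constructed sessions; none of these headers or payloads are real captures.
SESSIONS = [
    {"id": "smtp-1", "kind": "mail",
     "headers": {"From": "Accounts <billing@example.com>",
                 "Return-Path": "<bounce@mailer-example.net>",
                 "Content-Type": "multipart/mixed; boundary=xyz"},
     "files": [{"name": "invoice.pdf.exe", "data": b"MZ\x90\x00constructed"}]},
    {"id": "http-1", "kind": "web",
     "headers": {"Host": "cdn.example.net", "Content-Type": "text/html; charset=utf-8"},
     "files": [{"name": "index.html", "data": b"MZ\x90\x00constructed"}]},
    {"id": "smtp-2", "kind": "mail",
     "headers": {"From": "Alice <alice@example.org>",
                 "Return-Path": "<alice@example.org>",
                 "Content-Type": "multipart/mixed; boundary=abc"},
     "files": [{"name": "report.docx", "data": b"PK\x03\x04constructed"}]},
]


def run_all(sessions=SESSIONS):
    return [evaluate(s) for s in sessions]


if __name__ == "__main__":
    for result in run_all():
        print(result)
```

Signatures here are plain predicates so the layer is extensible by appending to SIGNATURES; in practice the Return-Path check in particular needs tuning, since mailing lists and bulk senders legitimately rewrite the envelope sender.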