According to IBM's 2022 breach report, the mean time to detect a breach was 207 days, that is almost 7 months. 

Attackers are very resourceful when it comes to finding new ways to infiltrate and compromise the networks of unsuspecting organizations. What if your network gets compromised by a technique so new that nobody in the cybersecurity industry knows any of its indicators of compromise (IoCs)? In that case, Lumu's real-time analysis of metadata might deliver different results than if we knew this attack's IoCs. This may allow adversaries to remain active and undetected. Luckily, this is when Lumu's Playback feature comes into effect, so your organization can take a proactive approach against insidious attackers and precursors, instead of reacting when the adversary reveals itself along with the damage it has caused. 

What is Lumu Playback? 

Lumu's Playback feature allows Lumu to analyze network metadata retroactively. This means that older data that  didn't show signs of compromise at the time can be analyzed later while considering new findings, information, and detected IoCs to reveal potential incidents and compromise.

How does Lumu Playback work? 

Lumu can store up to two years of metadata and run automated analysis on it to cross check with more recent intelligence and thousands of new IoCs confirmed and verified by various intelligence sources every single day. This way, incidents that may have remained undetected can be brought to light to protect organizations from insidious attackers and the harm they entail.

Playback Incident Details

By going to the Highlights tab, you will be able to easily see the incident's summary. Here, you'll find relevant information about it such as the date when the incident was opened, the date of the first contact and the duration of the incident. 

Remember that these dates may vary vastly since the date when an incident is opened thanks to newly discovered intelligence can be fairly far from the date when the actual contact occurred. 

Playback Incident Summary

How can I use Lumu Playback in my operation?

Previously undetected incidents translate into latent risks, and the longer they go on, the worse their consequences can be. Older data isn't necessarily obsolete data, and the incidents found by Lumu Playback must be operated on by your organization's cybersecurity team as they would any other confirmed incident.  

If Lumu Playback detects an incident retroactively, assume it as an active threat; any incident your organization hasn't taken action against can likely be an adversary causing harm to your organization from the date of the first contact.  

Ask yourself the following questions and operate the incident accordingly:

1. Was this IoC on my organization's radar? 
2. Has it been active recently according to the data on the Lumu Portal? 
3. Which devices and endpoints have made contact with it and how often? 
4. How much damage could it do if left unattended? 
5. Is it a risk worth taking to ignore an incident found by playback? 

If after answering these questions, you conclude that your network has been, or even worse, is still in contact with an adversary, then Playback has already made a positive impact in your cybersecurity operation.