Attackers are highly resourceful in discovering innovative methods to infiltrate and compromise the networks of unsuspecting organizations. What if your network is breached by a technique so cutting-edge that no one in the cybersecurity industry has identified its indicators of compromise (IoCs) yet? In such cases, Lumu's real-time analysis of metadata may not reflect the actual cybersecurity state of the network, which may allow adversaries to remain active and undetected. This is where Lumu Playback comes into play, so your organization can take a proactive approach against insidious attackers and their precursors, instead of reacting only when the adversary reveals itself along with the damage it has caused.
Lumu Playback® allows Lumu to store and log up to two years of network metadata and analyze it retroactively. This means that older data that didn't show signs of compromise at the time can be analyzed later while considering new findings, information, and detected IoCs to reveal potential incidents and compromise. It also allows Lumu customers to run queries on stored metadata logs for compliance, forensic investigations, and threat hunting exercises.
Lumu can store and log up to two years of metadata and run automated analysis on it to cross-check it against more recent intelligence and the thousands of new IoCs confirmed and verified by various intelligence sources every single day. This way, incidents that may have remained undetected can be brought to light to protect organizations from insidious attackers and the harm they entail. This data is available on demand and can be queried by the organization for internal use and for compliance purposes.
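To make the retroactive analysis concrete, here is an added illustration of the idea (it is not Lumu's code and does not use Lumu's API): a small set of constructed DNS query records stands in for stored metadata, a constructed IoC list stands in for intelligence that was only confirmed later, and the records are replayed against it. For every host that contacted a now-known-bad domain, the output summarizes the first and last contact, the duration between them, and how many days the contact predated the IoC's publication. The retention window of 730 days, the record layout, and all host and domain names are assumptions for the example.

```python
"""Retrospective IoC matching over stored network metadata (added example)."""
from datetime import datetime, timedelta

# Constructed sample of stored DNS metadata: (timestamp, source host, queried domain).
STORED_METADATA = [
    ("2020-11-01T10:00:00", "host-05", "cfg.bad-c2.test"),   # older than retention
    ("2023-01-10T08:15:00", "host-17", "updates.example-vendor.test"),
    ("2023-01-12T09:02:00", "host-17", "cdn.legit-site.test"),
    ("2023-01-12T09:05:00", "host-17", "cfg.bad-c2.test"),
    ("2023-02-01T11:40:00", "host-22", "cfg.bad-c2.test"),
    ("2023-03-20T14:00:00", "host-17", "cfg.bad-c2.test"),
    ("2023-03-21T16:30:00", "host-22", "beacon.other-evil.test"),
]

# Constructed IoC list that arrived after the contacts: domain -> publication date.
NEW_IOCS = {
    "cfg.bad-c2.test": "2023-03-25",
    "beacon.other-evil.test": "2023-04-02",
}


def parse_ts(s):
    """Parse an ISO-8601 timestamp string into a naive datetime."""
    return datetime.fromisoformat(s)


def playback(records, iocs, retention_days=730, now=None):
    """Replay stored records against an IoC list that did not exist when they were logged.

    Returns {(host, domain): summary} for every host/IoC pair seen inside the
    retention window. Records older than the window are skipped, mirroring a
    store that only keeps a bounded history.
    """
    now = now or max(parse_ts(ts) for ts, _, _ in records)
    cutoff = now - timedelta(days=retention_days)

    # Group contact times per (host, domain) for domains that are now known bad.
    contacts = {}
    for ts, host, domain in records:
        t = parse_ts(ts)
        if t < cutoff or domain not in iocs:
            continue
        contacts.setdefault((host, domain), []).append(t)

    incidents = {}
    for (host, domain), times in contacts.items():
        first, last = min(times), max(times)
        published = parse_ts(iocs[domain])
        incidents[(host, domain)] = {
            "first_contact": first.date().isoformat(),
            "last_contact": last.date().isoformat(),
            "duration_days": (last - first).days,
            "contacts": len(times),
            # Days the host was already in contact before the IoC was even published.
            "undetected_days": (published - first).days,
        }
    return incidents


def report(incidents):
    """Render one line per incident, ordered by earliest first contact."""
    lines = []
    for (host, domain), s in sorted(incidents.items(), key=lambda kv: kv[1]["first_contact"]):
        lines.append(
            f"{host} -> {domain}: first contact {s['first_contact']}, "
            f"{s['contacts']} contact(s) over {s['duration_days']} day(s), "
            f"{s['undetected_days']} day(s) before the IoC was published"
        )
    return lines


if __name__ == "__main__":
    found = playback(STORED_METADATA, NEW_IOCS, now=parse_ts("2023-03-25T00:00:00"))
    print("\n".join(report(found)))
```

Running the block prints one summary line per host/IoC pair; the 2020 record is dropped because it falls outside the assumed two-year window, and `host-17` shows up with a first contact in January even though the indicator was not published until late March, which is exactly the gap that retroactive analysis is meant to close.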
By going to the Highlights tab, you will be able to easily see the incident's summary. Here, you'll find relevant information about it, such as the date when the incident was opened, the date of the first contact, and the duration of the incident.
We will explore two particular use cases where Lumu Playback® can provide value to our customers.
If Lumu Playback detects an incident retroactively, treat it as an active threat: any incident your organization hasn't taken action against is likely an adversary that has been causing harm to your organization since the date of the first contact.
Ask yourself the following questions and operate the incident accordingly:
If, after answering these questions, you conclude that your network has been, or even worse, is still in contact with an adversary, then Playback has already made a positive impact on your cybersecurity operations.