In my spare time, limited as it might be, I have been taking a deep dive class on anonymous browsing. Specifically, it goes into great detail on ways to hide under the radar and on many of the legal aspects of both sides. So far the class has been right up my alley!

One of the sections of the class talked about the growing demand for data retention and how it relates to undercover operations, along with a good helping of general OPSEC. We dove into how each and every country has started to enact retention rules along with various compliance laws. With these changes, some companies are now required to log who is looking at their data and to retain that history for a certain amount of time. As a matter of fact, recent changes in data retention, VAT laws, and GDPR compliance in Europe have been all over the news.

USA Today published a list of the top 10 countries that censor the internet, which you can read to gain in-depth knowledge of the current data retention laws. As we explored these laws, the act of subpoenaing, and other government intervention practices, one common theme came out: “trust no one.”

Although my class is more tailored to the “Evil Jimmy D,” it did bring up a few good real-world points. First, as I mentioned earlier, compliance laws are changing right before our eyes. Sadly, data breaches seemed like they were being reported daily in 2017. Companies really need to be up to date on what the laws are for their side of the world. In my class, the instructor preached the same message: you really need to be aware of the rules and laws of the country you are in.

Second, companies need to make sure they have the means to effectively retain conversation data. In one of my past blogs I talked about the NetFlow vs. Packet Capture battle. Depending on your requirements, you may need both, but in the end NetFlow/IPFIX is the most scalable. It has also become the preferred method for meeting the requirements of various data retention regulations.

That means you need to make sure that your NetFlow/IPFIX collector can store a record of every conversation that is sent to it. You also need to make sure that it can store that data for as long as necessary. Flexibility in those settings is an added plus. I’ll use Scrutinizer as an example of how this is done.

Scrutinizer: data history

In Scrutinizer, we clicked on the Admin Tab (1), then on Settings (2), and then on Data History (3).

The next screen (4) shows us all the data retention settings. The one that is most important is “Flow Historical 1 Min Avg.” This tells the collector to retain every conversation for the number of hours you specify. What this means to the end user is that if you need to find out all the conversations for “Evil Jimmy D” on a specific day or over a period of time, you can.

Data retention settings in Scrutinizer

The next question is, “How do I report on a specific time period?” You need to make sure that whatever collector/reporter you use can filter by a time range in its conversations report. In Scrutinizer, click on the report settings “gear” icon (5). Now you can change the date range for the report. As a matter of fact, you have two options here: set your report for a rolling timeframe under “range,” or set it for a specific start and end time.

Scrutinizer report settings
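As an added illustration (not Plixer's code and not how Scrutinizer is implemented), here is a small Python model of what the two settings above amount to: a history table that keeps each 1-minute conversation record for a configured number of hours and rolls off anything older, plus a conversations report that can be filtered either by a rolling range or by a specific start and end time. The host address 10.0.0.23 and the sample flow records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class FlowRecord:
    """One conversation as a collector keeps it in its 1-minute history table."""
    ts: datetime    # start of the 1-minute bucket the record landed in (UTC)
    src: str
    dst: str
    dport: int
    octets: int

class FlowHistory:
    """Hypothetical in-memory stand-in for a collector's flow history table."""
    def __init__(self, retain_hours: int):
        self.retain = timedelta(hours=retain_hours)  # the 'retain for N hours' knob
        self.records: list[FlowRecord] = []

    def purge(self, now: datetime) -> int:
        """Roll off records older than the retention window; return how many went."""
        cutoff = now - self.retain
        kept = [r for r in self.records if r.ts >= cutoff]
        dropped = len(self.records) - len(kept)
        self.records = kept
        return dropped

    def conversations(self, start: datetime, end: datetime, host=None):
        """Specific start/end report; `host` narrows it to one endpoint's traffic."""
        return [r for r in self.records
                if start <= r.ts < end and (host is None or host in (r.src, r.dst))]

    def rolling(self, now: datetime, last_hours: int, host=None):
        """Rolling 'range' report: the last N hours ending at `now`."""
        return self.conversations(now - timedelta(hours=last_hours), now, host)

# Constructed sample data; 10.0.0.23 is a placeholder for the "Evil Jimmy D" host.
NOW = datetime(2018, 1, 10, 12, 0, tzinfo=timezone.utc)
SUSPECT = "10.0.0.23"
SAMPLE = [
    FlowRecord(NOW - timedelta(hours=30), SUSPECT, "203.0.113.7", 443, 120_000),
    FlowRecord(NOW - timedelta(hours=5), SUSPECT, "203.0.113.9", 22, 4_096),
    FlowRecord(NOW - timedelta(hours=1), "10.0.0.5", "10.0.0.8", 445, 900),
    FlowRecord(NOW - timedelta(minutes=10), "198.51.100.4", SUSPECT, 8080, 64_000),
]

def demo(retain_hours: int = 24):
    """Ingest the sample, enforce retention, then run both report styles."""
    hist = FlowHistory(retain_hours)
    hist.records.extend(SAMPLE)
    dropped = hist.purge(NOW)                       # the 30-hour-old record rolls off
    last_two = hist.rolling(NOW, 2, host=SUSPECT)   # rolling 'range' report
    window = hist.conversations(NOW - timedelta(hours=6), NOW - timedelta(hours=2))
    return dropped, len(hist.records), [r.dport for r in last_two], [r.dport for r in window]
```

With a 24-hour retention the 30-hour-old conversation is gone before anyone asks for it, which is exactly the gap a compliance request would land in; raise `retain_hours` and the same query still finds it.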

In all fairness, no one really knows what the future holds for internet and network security. If I were a betting man, I would bet on retention laws becoming stricter, deeper metadata becoming a requirement, and an intelligent reporting tool becoming a must. I also think AI is going to play a big part in this game, but I’ll talk about that in a future post.

Do you need certain data for compliance, but don’t know where to start? Why not evaluate Scrutinizer?

James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support!

Let me know if you have any questions, I would be happy to help.

- Jimmy D