If you need to make your environment resistant to zero-day attacks or reduce the impact of a security incident, your incident response team (IRT) must react quickly to determine the scope and impact of the incident. To do so, the IRT needs automation tools. To satisfy these requirements:
Create a Security Domain that holds the incident analysis and investigation toolkit as well as storage for digital evidence; record a hash of each evidence item at acquisition time so that its integrity can be demonstrated later.
Once a project or cluster is compromised, change its gateway IP address to redirect its traffic to a forensic network for monitoring and analysis, so that the compromised resources keep running and can be observed rather than destroyed.
Use automated malware analysis systems within the Security Domain for both early detection of suspicious objects and forensic investigation.
For example, use an IDPS such as Suricata, Snort, or Bro (now Zeek) to extract files from unencrypted mail or web streams and send them to a malware analysis sandbox, which verifies their behavior by opening or executing them in an isolated environment.
Note
For TLS/SSL-encrypted traffic, terminate the encryption on a virtual proxy server, or use a dedicated hardware firewall that can decrypt traffic for deep packet inspection at high throughput. Clients whose sessions are intercepted must trust the proxy's issuing CA, and the decrypted copy should stay inside the Security Domain, since it is the very plaintext the encryption was protecting.
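The file-extraction step above (an IDPS feeding a sandbox) in working code, as an added example that is not part of the original page or of Suricata itself: it reads Suricata's eve.json `fileinfo` events, keeps only objects that a `filestore` rule actually wrote to disk and that were captured to the end, deduplicates them by SHA-256, locates the bytes in the file-store v2 directory layout, and builds the submission request. The file-store directory, the size limit, the list of libmagic descriptions worth detonating, and the sandbox HTTP endpoint and header names are assumptions; the eve.json lines are constructed samples, not real capture data.

```python
#!/usr/bin/env python3
"""Pick stored files out of Suricata's eve.json and hand them to a sandbox.

Added example, not from the original page. Assumes Suricata's file-store v2
(suricata.yaml: file-store.enabled=yes, version=2, dir=FILESTORE_DIR) and a
rule using the 'filestore' keyword on the mail/web streams. The sandbox HTTP
API used in build_request()/submit_to_sandbox() is hypothetical.
"""
import json
import os
import urllib.request
from dataclasses import dataclass

FILESTORE_DIR = "/var/log/suricata/filestore"  # assumed file-store.dir
MAX_SIZE = 50 * 1024 * 1024                     # assumed policy: skip huge objects

# libmagic descriptions (as Suricata reports them in fileinfo.magic) worth
# detonating; images, plain text and the like are left alone. Assumed list.
SANDBOX_MAGIC = (
    "PE32", "MS-DOS executable", "ELF",
    "Microsoft Word", "Microsoft Excel", "Composite Document File",
    "Zip archive", "RAR archive", "PDF document", "Java archive",
)


@dataclass(frozen=True)
class Candidate:
    sha256: str
    filename: str
    magic: str
    size: int
    app_proto: str   # eve's app_proto field: "http", "smtp", ...
    path: str        # where Suricata wrote the bytes


def filestore_path(sha256, base=FILESTORE_DIR):
    """File-store v2 layout: <dir>/<first two hex chars of sha256>/<sha256>."""
    return os.path.join(base, sha256[:2], sha256)


def select_candidates(eve_lines, base=FILESTORE_DIR):
    """Parse eve.json lines; return unique, fully captured, sandbox-worthy files."""
    seen = set()
    out = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # tolerate a partially written line
        if ev.get("event_type") != "fileinfo":
            continue
        fi = ev.get("fileinfo", {})
        # Only objects Suricata actually wrote to disk and saw to the end:
        # a TRUNCATED file would give the sandbox a misleading verdict.
        if not fi.get("stored") or fi.get("state") != "CLOSED":
            continue
        sha = fi.get("sha256")
        if not sha or sha in seen:
            continue                      # same object already seen on another flow
        magic = fi.get("magic", "")
        size = fi.get("size", 0)
        if size > MAX_SIZE or not magic.startswith(SANDBOX_MAGIC):
            continue
        seen.add(sha)
        out.append(Candidate(sha, fi.get("filename", ""), magic, size,
                             ev.get("app_proto", ""), filestore_path(sha, base)))
    return out


def build_request(cand, data, sandbox_url):
    """HTTP POST carrying the raw bytes plus the metadata an analyst wants.

    The endpoint and the X-* header names are a hypothetical sandbox API."""
    return urllib.request.Request(
        sandbox_url, data=data, method="POST",
        headers={
            "Content-Type": "application/octet-stream",
            "X-Filename": os.path.basename(cand.filename) or cand.sha256,
            "X-Sha256": cand.sha256,
            "X-Source": cand.app_proto,
        })


def submit_to_sandbox(cand, sandbox_url):
    """Read the stored object from the file-store and POST it; returns HTTP status."""
    with open(cand.path, "rb") as fh:
        data = fh.read()
    with urllib.request.urlopen(build_request(cand, data, sandbox_url), timeout=30) as resp:
        return resp.status


def _fileinfo(app_proto, filename, magic, sha, size, state="CLOSED", stored=True):
    """Build one constructed eve.json fileinfo line (sample data, not a real capture)."""
    return json.dumps({"event_type": "fileinfo", "app_proto": app_proto,
                       "src_ip": "203.0.113.10", "dest_ip": "10.0.0.5",
                       "fileinfo": {"filename": filename, "magic": magic, "sha256": sha,
                                    "size": size, "state": state, "stored": stored}})


SHA_PE, SHA_ELF, SHA_PNG, SHA_DOC, SHA_BIG = ("11" * 32, "22" * 32, "33" * 32, "44" * 32, "55" * 32)
# Constructed sample: a PE over HTTP, the same PE again on a second flow, a truncated
# ELF, a PNG, a Word document over SMTP, an oversized ELF and an unrelated alert.
SAMPLE_EVE = "\n".join([
    _fileinfo("http", "/invoice.exe", "PE32 executable (GUI) Intel 80386, for MS Windows", SHA_PE, 73216),
    _fileinfo("http", "/invoice.exe", "PE32 executable (GUI) Intel 80386, for MS Windows", SHA_PE, 73216),
    _fileinfo("http", "/update", "ELF 64-bit LSB executable, x86-64", SHA_ELF, 4096, state="TRUNCATED"),
    _fileinfo("http", "/logo.png", "PNG image data, 200 x 50", SHA_PNG, 1200),
    _fileinfo("smtp", "Q4_report.doc", "Composite Document File V2 Document", SHA_DOC, 212992),
    _fileinfo("http", "/big.bin", "ELF 64-bit LSB executable, x86-64", SHA_BIG, MAX_SIZE + 1),
    json.dumps({"event_type": "alert", "alert": {"signature": "constructed sample alert"}}),
])

if __name__ == "__main__":
    for c in select_candidates(SAMPLE_EVE.splitlines()):
        print(f"{c.app_proto:4} {c.sha256[:12]} {c.magic[:32]:32} -> {c.path}")
```

On the constructed sample only the PE from HTTP and the Word document from SMTP are queued: the duplicate PE is dropped by hash, the truncated ELF and the oversized object are rejected, and the PNG never matches the magic list. The script only sees files that a rule told Suricata to keep, for example `alert http any any -> any any (msg:"store http file"; filestore; sid:1000001; rev:1;)` for the web stream, so the selection policy lives in two places: the rule decides what is written to disk, this script decides what is worth the sandbox's time.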