A lot has changed in the network forensics space in the past couple of years. Network forensics tools have become more specialized and have a clearer role in both security and network troubleshooting. For network channel partners this signals a myriad of new opportunities as they learn how to sell the technology into both areas along with support services.
Network forensics tools capture, store and analyze network events in order to discover the source of security attacks or other problem incidents. But network forensics tools go deeper than other security appliances. They offer threat protection and incident management, but they also retain a historical record of traffic, which firewalls and IDS do not.
“Companies have firewalls, antivirus and intrusion detection solutions, but they want to know what’s next,” says Benjamin Stephan, director of incident management at solution provider Fishnet Security. Network forensics tools fill in the gaps, he adds.
Partners often sell network forensics tools that work alongside other security appliances. So, for example, while a firewall monitors and reports on an ongoing basis with real-time alerts, forensic tools take that information and perform deeper analysis, seeking the root cause. The ability to store network capture data also allows engineers to study individual problems as well as overall trends.
At Solera Networks, forensics is becoming a feature subset of security intelligence and analytics. Bill Dean, director of computer forensics at Sword & Shield Enterprise Security, a Solera Networks channel partner, says the company's DeepSee product “helps you zero in on the type of data traffic or a specific machine,” going much deeper than other security tools.
Network forensics tools for troubleshooting
Meanwhile VARs such as Motta Network Experts, a Network Instruments partner, approach network forensics from the network performance and troubleshooting angle. Mike Motta, territory manager at the company, resells, installs and provides training for Network Instruments’ GigaStor product that captures transactions, packets and protocols for retrospective troubleshooting analysis.
With companies moving to faster 40GbE and 100GbE networks that handle intensive applications, engineers are forced to analyze far more, and far more complex, data running on the network. That requires network forensics capture appliances with a whole new level of capacity, Motta says. If these tools work right, they can even be used specifically for application performance assurance, since they can get so granular.
Network forensics sales pitch: Security meets troubleshooting
While security and troubleshooting are seen as very different roles in the world of network management, Motta says there is “more business potential” to selling network forensics tools based upon both sets of features at once.
While network forensic solutions can seem very different depending on whether they're focused on security or troubleshooting, the gap in these tools is narrowing.
That's evident as network application performance and monitoring vendors such as Network Instruments and NetScout Systems have learned to talk up the security aspect of what they had been selling as an analysis tool. NetScout will release a solution this April with more robust security features in addition to its main network assessment and analysis features.
Selling network forensics support services
Whether partners sell network forensics for security or troubleshooting, there's plenty of opportunity to sell accompanying long-term analysis services. Sword & Shield Enterprise Security sells equipment along with installation, training and, most importantly, incident response and electronic discovery. Selling network forensics together with network assessments simply offers an opportunity for higher margins.
Meanwhile, the market for selling network forensics as a managed service is beginning to grow as well. Joe Gabriel, director of global channel marketing with RSA, The Security Division of EMC, says the company has begun to work with the channel to sell managed network forensics and incident management.
“Not every company wants products on the premises and would rather partner with a third party for remote monitoring and analytics,” he says. That's especially the case for companies that don't have the IT staff in place to dedicate to time-consuming analysis.
Network forensics tools are still too pricey
For many companies, network forensics tools are attractive but too expensive. Network forensic product pricing starts at upwards of $20,000 for entry-level appliances, and that would have to come down for broader adoption.
For now, federal, state and local governments are the top network forensics customers, but partners are getting interest from other verticals, such as financial services and healthcare.
This was first published in April 2012