With targeted cybercrime and advanced persistent threats on the rise, enterprises have greater incentive than ever to maintain security awareness and preparedness. CISOs have started to acknowledge that firewalls
Understanding network forensics
Network forensics refers to the capture, recording and analysis of network traffic in order to discover security incident sources and consequences. Like a firewall, a network forensics system inspects packets, reassembling them into sessions and reconstructing transmitted artifacts (e.g., emails, texts). Like a network IDS, a network forensics system searches for patterns that match attack signatures.
Solution providers can use network forensics to augment their expert professional service offerings. Providers who deliver emergency incident response and post-incident investigation services can add network forensics to their toolkit, helping them deliver more actionable insight and reduce time-to-resolve.
Unlike a firewall or network IDS, network forensics systems do not focus on real-time policy enforcement. Instead, they passively capture and index large volumes of traffic over long periods of time for the express purpose of supporting offline investigations. This is akin to recording all cashier activity with a surveillance camera for consultation after robberies. Beyond being a deterrent, the camera plays no role in stopping robberies. Instead, surveillance video comes into play after a theft, helping law enforcement understand what happened, what was stolen and who perpetrated the crime. Similarly, network forensics systems gather traffic for use as evidence, employing data indexing and mining techniques to facilitate as-needed review and extraction.
Network forensics tools are investigative aids that can be useful immediately after an incident, as network operations center (NOC) operators try to respond to IDS alerts and contain damage. They can also be helpful long after incidents – for example, to determine whether a newly patched vulnerability has already been compromised. Finally, network forensics can be used to deliver evidence for human resources action or legal prosecution by reconstructing activity to determine which systems were impacted, what regulated data was lost or whether acceptable use policies were violated.
Reselling network forensic appliances
One way for security solution providers to capitalize on this network forensics technology is by selling, installing, integrating and validating proper operation of network forensics appliances.
Network forensics requires capturing and storing very large traffic volumes at line rate. This can be done by deploying dedicated "recorders" at high-visibility intersection(s) within the network to be monitored, using span ports or taps. Network forensics appliances that offer terabytes of storage and GigE/10GigE interfaces include:
- AccessData Group’s SilentRunner
- Network Instruments LLC’s GigaStor
- NetScout Systems Inc.’s’ nGenius
- Niksun Incomporated’s NetDetector
- EMC’s RSA NetWitness
- Solera Networks Inc.’s’ DeepSee
Of course, captured traffic is only valuable given efficient tools to extract and analyze activities of interest. This is accomplished in two steps. First, appliances index traffic in near-real-time, storing metadata along with packets. Second, investigators use forensics applications to interactively sift through traffic recorded during periods of interest, pivoting through metadata, reconstructed sessions and associated artifacts. Some applications deliver quick visual summaries – for example, highlighting systems and data affected by an attack. Others enable deep look-back analysis, helping experts drill into suspect packets, map their content to known exploits and export evidence.
Security solution providers that resell other security systems can generate additional revenue by adding these network forensics appliances and applications to their portfolio. Integration with network elements, upstream security systems and network attached storage can also create new business opportunities. Periodically auditing network forensic deployments to confirm proper operation can also bring customers peace of mind.
Selling network forensics as a managed security service
Another way for security solution providers to help customers improve situational awareness and incident preparedness is by offering network forensics as a service.
Many solution providers already offer managed security services – notably managed firewall and managed IDS. A decade ago, those services were commonly based on provider-installed and operated customer premise equipment (CPE). In recent years, cloud-based managed services have grown popular – using either CPE hosted at the provider's data center or multi-tenant server farms.
These approaches can be used to deliver managed network forensics services. With CPE-based managed services, the provider does the "heavy lifting" associated with installing, provisioning and maintaining network forensics software and appliances, letting customers focus on using forensics applications to analyze recorded traffic. In this model, providers can use forensics to add value to other managed security services – for example, security operations center (SOC) operators can jump right into forensics to supply detail upon receipt of a high-priority IDS alert.
Very large network forensics systems can also be hosted by service providers to record all packets flowing over access links. Instead of recording traffic at the customer's network egress, traffic is recorded at the provider's network ingress. This model poses scalability and privacy concerns but, if executed well, could add considerable value to a "clean pipe" network service offering.
Delivering expert incident response and investigation services
Finally, security solution providers can use network forensics to augment their expert professional service offerings. Specifically, providers who deliver emergency incident response and post-incident investigation services can add network forensics to their toolkit, helping them deliver actionable insight and reduce time-to-resolve.
But how can this be possible if network forensics appliances are not already capturing the customer's traffic? Some network forensics vendors sell portable briefcase-sized devices or even virtual appliances for (beefy) laptop installation. Such products can be carried on-site by responders for use during an active incident to identify hacked nodes, back channels and exfiltrated data. Additionally, some forensics applications can import packet capture files generated by third-party security systems, providing post-incident analysis. While these approaches may not paint as complete a picture as network forensic tools already in place, they can still help providers deliver value and professional services to their customers.
About the author:
Lisa Phifer is President of Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year network industry veteran, Lisa has been involved in Internet security since 1996. She is a technical editor for Information Security Magazine, site expert for SearchNetworking and frequent contributor to many other TechTarget websites.
This was first published in September 2011