An incident occurred on your network and you need to find where it happened and why it happened. It’s situations like this that make it important to have a network forensic solution in place, because your monitoring data alone will not tell you where the problem occurred. Yes, it might alert you to a problem, but without a recording you may never know what caused your network to fail.
What is Network Forensics?
Network forensics is the capture, storage and analysis of network events. It can also be called packet mining, packet forensics, or digital forensics, but the idea is the same: record every piece of network traffic – all emails, all database queries, anything that is traversing on your network – to a single repository that can be examined after the fact.
Why do we Need Network Forensics?
Think of network forensics as the ‘network time machine’ that helps you with everything from identifying the source of data leaks to pinpointing the source of intermittent performance issues. With network forensics you can capture and handle problems that occurred hours or days ago. Traditional “reactive” ad hoc troubleshooting can miss patterns that indicate network problems, so network forensics can be used to catch things that were originally missed.
Network forensics helps you in a multitude of ways. If you have a security breach, network forensics enables you to analyze historical network traffic in order to conduct investigations for security attacks. It also helps in improving network performance, tuning intrusion detection solutions, identifying rogue devices accessing your network, and stopping network hacks or viruses.
How does Network Forensics Work?
There are usually three types of investigations:
- Responding to a specific network incident
- Gathering background for an internal corporate investigation
- Supporting a criminal investigation
Each investigation has different aims and employs different methods. However, all three share the need for a common collection of network traffic that is captured before, during, and after the event that triggers the investigation.
To facilitate the investigation, there are three common capabilities that your network forensic solution must have.
- Capturing and Recording Data: This is the ability to capture and store terabytes of data at high network throughput (for example, 10Gbps) without dropping or missing any packets. However, every network forensic solution has its limitations, including sustainable throughput, packets per second, data management, search functions, etc. These limitations can and should be determined through lab tests.
- If you need to monitor while capturing data, look for solutions that include real-time dashboard views that can help you zero in on a specific time, protocol and nodes, providing insurance that you truly are capturing the data you need.
- Most investigations start with terabytes upon terabytes of data. With this much data, you’ll want to think about a solution that allows you to analyze data at the point of capture, thus eliminating the need for large data transfers that consume time and bandwidth. You’ll also want a simple and intuitive means to drill down into the relevant data, making it easy to find the needle in the multi-terabyte haystack.
- Discovering Data: Once data is recorded on the storage appliance, the solution should provide a simple mechanism to filter particular items of interest, for example, by IP address, application, context, etc.
- Analyzing Data: Finally, you need some built-in assistance for examining the patterns and anomalies found during the discovery process to help you determine what actions were recorded in the captured packets.
Finding an issue on your network is really like trying to find a needle in a stack of needles – many issues can look the same at first glance. Instead of simply having a monitoring solution in place, think about network forensics as it will eliminate the time it takes you to recreate the problems that occur on your network.