The recent Symantec security breach proves that even global brands and governments are vulnerable to hackers, and companies need to have contingency plans in place, as no amount of security can protect all of your data all of the time. So, what is one of the best contingency plans on the market?
Network forensics is an essential, but often overlooked, part of any comprehensive security strategy. Many companies believe that a simple activity monitoring solution, typically involving IDS/IPS (Intrusion Detection/Intrusion Prevention Systems), is the only thing they need to protect their network and dissect what has happened if a problem does occur. However, these solutions are not foolproof, as indicated by the many recent and very public attacks, and they seem less effective against Advanced Persistent Threats (APTs), which are on the rise. And although IDS/IPS solutions help indicate and prevent problems, when they miss a problem you have no data to analyze to figure out what went wrong. Also, many IDS/IPS solutions rely heavily on log files to record incident data, but log files themselves are vulnerable to manipulation in today’s sophisticated attacks. Network forensics, on the other hand, records all network activity, not just that which it deems suspicious. Network forensics solutions can capture at line rate on 10G networks (typically at or above 10Gbps), record all network activity at the packet level to fixed storage, display key network performance statistics in real time, and provide visual tools for post-capture analysis that allow users to quickly drill in on problem areas.
With all of the data in a central location and in a format that can be easily analyzed, security teams can quickly locate the source of a virus or other security breach, or monitor for specific virus ‘fingerprints’ to avoid a major infection. And network forensics goes beyond just providing security insurance. The insight provided by these solutions is even more essential with the growing number of on-the-go users within a company. In fact, it’s often business-critical issues that have nothing to do with cyber attacks, like violations of industry regulations or data breaches, which drive the need for post-incident analysis. A breached mobile device or infected personal laptop brings outside threats inside the network, undetected by most IDS/IPS. The ability to recognize a breach and pinpoint the source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, preventing a potential hack.
In reviewing network activity after a breach to break down the attack, network forensics can be leveraged in three ways:
Real-time Statistics: A key feature in a good network forensics solution is the ability to see important statistics in real-time, while continuing to record abnormal or suspicious traffic on the network. Seeing statistics in real-time provides assurance that you truly are on the right track.
Detailed Analysis: Real-time statistics provide assurance, but the crux of network forensics is in drilling into the data, accessing detailed information for discovering DDoS (Distributed Denial of Service) attacks, worms, or other abnormal activities.
Suspicious Events Discovery: Expert modules can detect potential attack activities or problems in any of the seven OSI layers. Additionally, network forensics can reduce analysis time by filtering on particular items of interest, for example IP addresses, applications, payload strings, etc.
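The three uses above, as an added example that is not from the original post or any vendor's product: a small Python script that builds a constructed libpcap capture in memory, parses it at the packet level, reports per-source packet counts (real-time statistics), flags sources that cross a flood threshold (detailed analysis), and filters records by IP address or payload string (suspicious events discovery). All addresses and payloads are constructed sample values.

```python
# Added example (not the article's code): packet-level triage over a libpcap capture.
import socket
import struct
from collections import Counter

def build_pcap(packets):
    """Build a constructed libpcap file (Ethernet link type) from (src, dst, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for ts, (src, dst, payload) in enumerate(packets):
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (ts, src, dst, proto, payload) per IPv4 record; non-IPv4 frames are skipped."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        yield (ts, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               frame[23], frame[14 + ihl:])

def source_stats(records):
    """Real-time style statistic: packets seen per source address."""
    return Counter(r[1] for r in records)

def flood_sources(records, threshold):
    """Detailed analysis: sources whose packet count reaches a flood threshold."""
    return sorted(ip for ip, n in source_stats(records).items() if n >= threshold)

def filter_records(records, ip=None, payload_substr=None):
    """Suspicious-event discovery: narrow the capture by address and/or payload string."""
    return [r for r in records if (ip is None or ip in (r[1], r[2]))
            and (payload_substr is None or payload_substr in r[4])]

# Constructed sample capture: one source floods the server while two others talk HTTP.
SAMPLE = build_pcap([("198.51.100.7", "192.0.2.10", b"SYN")] * 6 + [
    ("203.0.113.5", "192.0.2.10", b"GET /login HTTP/1.1"),
    ("192.0.2.10", "203.0.113.5", b"HTTP/1.1 200 OK"),
    ("203.0.113.9", "192.0.2.10", b"POST /upload HTTP/1.1")])
RECORDS = list(parse_pcap(SAMPLE))
```

Real captures would be read from disk instead of built in memory, but the parsing and filtering logic is the same; the threshold value is a per-network tuning choice.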
Network forensics can be a powerful tool in your security strategy, as well as your compliance strategy, but the key is to have a solution in place now, before you have a need for post-incident analysis or require data to investigate an attack that’s missed by your IDS/IPS. If you want to learn more about popular security breaches happening now and get more details on network forensics, check out our “It’s Not a Mwebinar When… – Network Forensics, the Ultimate Security Tool” on-demand webcast here.