Network forensics is the process of capturing, storing, and analyzing network events. The term is often associated with solving network security breaches, but the practice can be used for much more than simply solving security issues. It can also help you with everything from improving network performance to identifying rogue activity.
Below are four ways in which network forensics comes in handy. If, by the end of this post, you’re interested in learning more, check out our webcasts on the topic.
Monitoring User and Device Activity
Many companies have user policies that prohibit activities like accessing Twitter or Pandora to help overall productivity in the office. Occasionally, you will get a user or users who do not want to adhere to these policies and will attempt to circumvent them through the use of proxy servers. When this occurs, not only is productivity possibly affected, but your network becomes more vulnerable to various malware and other security risks.
Network forensics allows all of these “rogue” activities to be monitored, revealing what policy infraction was committed, who violated the policy, and the time it occurred.
Identifying the Source of Data Leaks and Points of Attack
It seems like every day you read about another internal data leak (Office Space, anyone?) or a distributed denial of service (DDoS) attack against a company or a government website. Whether you are a big company or an SMB, data leaks and attacks can happen, and they are harmful to your business. Network forensics can be used to clean up the mess.
For DDoS, network forensics can help you pinpoint where the attack occurred and can also help you determine if any of the hosts in your own network are sending similar traffic. For more details on how to combat and clean up a DDoS attack, check out this blog.
The process for cleaning up data leaks is more straightforward. Network forensics helps you find out who leaked the data and at what time. From there, you can determine if the act was purposeful or accidental.
Business Transaction Analysis
For transactions that take place in clear text, such as SQL, HTTP, FTP, or telnet, network forensics allows the network administrator to see the exact nature of every transaction. Additionally, because the capture contains both the server and the client side of each conversation, you can quickly discover transaction problems that server logs alone might miss.
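As an added example, not code from the original post, the following Python script pairs the client-side requests in a stored capture with the server-side replies and flags what a server log by itself would not show: requests that never received an answer, slow replies, and server errors. The packet summaries, addresses and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of captured packet summaries (not a real capture):
# (timestamp in seconds, source, destination, first line of the clear-text payload)
CAPTURE = [
    (0.000, "10.0.0.5", "10.0.0.20", "GET /api/orders HTTP/1.1"),
    (0.012, "10.0.0.20", "10.0.0.5", "HTTP/1.1 200 OK"),
    (1.000, "10.0.0.6", "10.0.0.20", "POST /api/pay HTTP/1.1"),
    (4.300, "10.0.0.20", "10.0.0.6", "HTTP/1.1 500 Internal Server Error"),
    (2.000, "10.0.0.7", "10.0.0.20", "GET /api/orders HTTP/1.1"),
    # no reply to 10.0.0.7 was ever captured: the server log never saw it
    (3.000, "10.0.0.8", "10.0.0.20", "GET /api/status HTTP/1.1"),
    (5.500, "10.0.0.20", "10.0.0.8", "HTTP/1.1 200 OK"),
]


def analyze_transactions(capture, server, slow_after=1.0):
    """Pair each client request with the server's reply and flag problems.

    Returns a list of (client, request_line, verdict, latency_seconds) tuples,
    where verdict is 'ok', 'slow', 'server_error' or 'unanswered'.
    slow_after is the assumed latency threshold, in seconds.
    """
    pending = defaultdict(list)   # client -> FIFO of (timestamp, request line)
    findings = []
    for ts, src, dst, line in sorted(capture):
        if dst == server:                       # client side of the transaction
            pending[src].append((ts, line))
        elif src == server and pending[dst]:    # server side: answers oldest request
            req_ts, req_line = pending[dst].pop(0)
            latency = ts - req_ts
            status = int(line.split()[1])       # "HTTP/1.1 500 ..." -> 500
            if status >= 500:
                verdict = "server_error"
            elif latency > slow_after:
                verdict = "slow"
            else:
                verdict = "ok"
            findings.append((dst, req_line, verdict, round(latency, 3)))
    # Anything still pending was seen on the client side but never answered
    for client, queue in pending.items():
        for _req_ts, req_line in queue:
            findings.append((client, req_line, "unanswered", None))
    return findings


if __name__ == "__main__":
    for client, request, verdict, latency in analyze_transactions(CAPTURE, "10.0.0.20"):
        print(f"{client:<10} {request:<28} {verdict:<13} {latency}")
```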
Pinpointing the Source of Intermittent Performance Issues
Since the practice of network forensics involves capturing and storing data, it can help solve intermittent network problems, especially those that happened hours or even days ago. This comes in handy on a 10G network, where the traditional “reactive” ad hoc troubleshooting simply is not efficient at quickly identifying problems because of the volume of data on the network. Additionally, traditional ad hoc troubleshooting can miss patterns that indicate larger network problems.