Creating An Effective Network Security Forensics Strategy
May 29, 2007
Over the weekend one of our territory managers shared a great question-and-answer session he had with a security consultant about adopting a strategy to research and document security breaches.
Q. Most perimeter security devices on the network primarily detect and/or prevent anomalous traffic outside the firewall. When a breach occurs, what makes up an effective security forensics strategy to understand why a breach has occurred?
A. With the variety of industry compliance standards that hold organizations responsible for protecting sensitive data, and the impossibility of protecting against all network threats, how can an organization be confident that it can provide adequate documentation detailing how a breach occurred?
Beyond log files, tools exist that can capture and save network traffic to disk for later analysis. These tools capture either NetFlow data or full-packet streams for analysis. In this case, having all network-level data to review is optimal; however, partial data is better than none at all. These tools can be used in conjunction with a security information management (SIM) solution to enable correlation of events across devices, but by themselves these tools already provide an adequate level of forensics information.
Products such as NetWitness are focused solely on security-specific incidents, whereas products like Network Instruments GigaStor provide a broader view that includes network, security, and application issues. Both solutions have the ability to capture terabytes of data, reconstruct incidents, and pinpoint the culprit.
These tools are a useful part of a security strategy that includes firewalls, IDS/IPS, host-based filtering, and NAC-type functionality.
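As an added illustration of the workflow the consultant describes (pivoting from a SIM or IDS event into retained NetFlow-style records to reconstruct what happened and who the peer was), here is a small Python script. It is an example written for this page, not code from the consultant, NetWitness, or Network Instruments. The flow records, the alert, its signature name, the comma-separated export format, and the internal address range `10.0.0.0/8` are all constructed assumptions; real collectors export richer records, but the pivot-and-aggregate logic is the same.

```python
"""Pivot from a SIM/IDS alert into retained flow records to reconstruct an incident.

Constructed example: the flow records and the alert below are invented for
illustration; they are not real captures or vendor output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organization's own address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int  # bytes sent from src to dst


# Constructed flow export lines in an assumed format: start,end,src,sport,dst,dport,proto,bytes
FLOW_LINES = [
    "2007-05-25T02:13:05,2007-05-25T02:13:06,203.0.113.7,44512,10.0.0.5,445,tcp,1200",
    "2007-05-25T02:13:40,2007-05-25T02:13:41,203.0.113.7,44520,10.0.0.5,445,tcp,98000",
    "2007-05-25T02:14:10,2007-05-25T02:22:55,10.0.0.5,51002,198.51.100.20,443,tcp,52428800",
    "2007-05-25T02:15:00,2007-05-25T02:15:01,10.0.0.5,51010,10.0.0.12,445,tcp,4096",
    "2007-05-25T09:00:00,2007-05-25T09:00:02,10.0.0.9,33000,198.51.100.99,80,tcp,1500",
    "2007-05-24T02:14:00,2007-05-24T02:14:01,10.0.0.5,50000,10.0.0.1,53,udp,120",
]

# Constructed alert, shaped the way a SIM might normalize an IDS event. Signature name is invented.
ALERT = {"ts": datetime.fromisoformat("2007-05-25T02:13:40"),
         "host": "10.0.0.5",
         "signature": "SMB exploit attempt (constructed example)"}


def parse_flow(line: str) -> Flow:
    start, end, src, sport, dst, dport, proto, nbytes = line.split(",")
    return Flow(datetime.fromisoformat(start), datetime.fromisoformat(end),
                src, int(sport), dst, int(dport), proto, int(nbytes))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pivot(flows, host, when, window=timedelta(minutes=15)):
    """Flows touching `host` whose lifetime overlaps [when - window, when + window], in time order."""
    lo, hi = when - window, when + window
    hits = [f for f in flows
            if host in (f.src, f.dst) and f.end >= lo and f.start <= hi]
    return sorted(hits, key=lambda f: f.start)


def summarize(flows, host):
    """Aggregate bytes per peer so the largest outbound transfer (exfiltration candidate) stands out."""
    outbound = defaultdict(int)   # bytes the alerted host sent, keyed by peer
    inbound = defaultdict(int)    # bytes the alerted host received, keyed by peer
    for f in flows:
        if f.src == host:
            outbound[f.dst] += f.nbytes
        else:
            inbound[f.src] += f.nbytes
    peers = set(outbound) | set(inbound)
    top = max(outbound.items(), key=lambda kv: kv[1]) if outbound else None
    return {
        "outbound": dict(outbound),
        "inbound": dict(inbound),
        "top_outbound": top,
        "external_peers": sorted(p for p in peers if not is_internal(p)),
    }


def timeline(flows):
    """One human-readable line per flow, oldest first."""
    return [f"{f.start.isoformat()} {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} {f.nbytes}B"
            for f in flows]


def investigate(flow_lines, alert, window=timedelta(minutes=15)):
    """Parse the export, pivot on the alerted host around the alert time, and summarize."""
    flows = [parse_flow(ln) for ln in flow_lines]
    related = pivot(flows, alert["host"], alert["ts"], window)
    return {"timeline": timeline(related), **summarize(related, alert["host"])}


if __name__ == "__main__":
    result = investigate(FLOW_LINES, ALERT)
    print(f"Alert: {ALERT['signature']} on {ALERT['host']} at {ALERT['ts'].isoformat()}")
    for line in result["timeline"]:
        print("  ", line)
    print("largest outbound transfer:", result["top_outbound"])
    print("external peers:", result["external_peers"])
```

Run against the constructed data, the pivot keeps the four flows around the alert (the two inbound SMB connections, a 50 MB upload to an external host on 443, and a lateral SMB connection to another internal host) and drops the unrelated host and the previous day's DNS lookup. With full-packet capture the same timeline would let you open the 443 session and confirm what left; with flow data alone you still get the peer, the port, and the volume, which is the "partial data is better than none" point above.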
