According to ESG research, 49% of enterprise organizations suffered a successful malware attack over the past two years (note: “successful” implies that the malware compromised an IT asset and caused some type of impact such as a system re-imaging, data theft, downtime, etc.). Of these firms, 20% suffered 10 or more successful malware attacks.
Obviously, malware is circumventing existing security controls and not triggering any alarms on traditional SIEM tools. So what can organizations do to improve their malware detection and response capabilities? Many are turning to network forensic tools. Wikipedia defines network forensics as follows:
> Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
Of course network forensics is nothing new. Security analysts have been using tools like Ethereal, Wireshark, and various other network sniffers for years. So what’s different? First, users are now using network forensics in a more proactive manner to help them detect suspicious activities as soon as possible. Second, security and networking vendors are offering canned products designed for more pedestrian users. Finally, commercial network forensic tools support security analysts with custom algorithms for incident detection.
Network forensic tools tend to collect a lot of data. Some provide full packet capture (i.e., they copy every packet that crosses the network), which earned them the quaint but antiquated nickname “network VCR.” Others eschew full packet capture in favor of some unique formula for metadata capture and analytics.
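To make the distinction above concrete, here is an added Python example (not from ESG or any vendor named on this page) that reduces a constructed stream of Ethernet/IPv4/TCP frames to per-flow metadata records and compares that footprint with keeping every packet; the 64-byte flow record size is an assumption.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return ((src, dst, sport, dport, proto), frame_len) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return (src, dst, sport, dport, "tcp"), len(frame)

def summarize_flows(frames):
    """Reduce a packet stream to per-flow metadata records (the metadata-capture approach)."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue                                  # non-IPv4/TCP frames are skipped here
        key, size = parsed
        flows[key]["packets"] += 1
        flows[key]["bytes"] += size
    return dict(flows)

def storage_comparison(frames, record_size=64):
    """Bytes for full packet capture vs. one fixed-size record per flow (record_size assumed)."""
    full = sum(len(f) for f in frames)
    meta = len(summarize_flows(frames)) * record_size
    return full, meta

# Constructed sample traffic: three packets of one HTTPS flow and one packet of an HTTP flow.
SAMPLE = [build_frame("10.0.0.5", "203.0.113.9", 51000, 443, b"A" * 500) for _ in range(3)]
SAMPLE.append(build_frame("10.0.0.7", "198.51.100.2", 51001, 80, b"GET / HTTP/1.1\r\n"))

if __name__ == "__main__":
    for key, rec in summarize_flows(SAMPLE).items():
        print(key, rec)
    print("full capture bytes vs flow metadata bytes:", storage_comparison(SAMPLE))
```

The flow records keep who talked to whom, on which ports, and how much, which is what an analyst queries first; payload content is only available from the full capture.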
Are these tools necessary? Maybe not for mid-market organizations, but large enterprises with global networks will certainly want to kick the network forensic tires. Look at a few recent security events and see whether network forensics could have sped up the detection and remediation process. Think about how you could add network forensics information to security and legal investigations as well. Network forensics is likely a good fit.
There is also reason to believe that this is a market that is about to explode. In fact, ESG research indicates that 49% of organizations plan to collect and analyze more security data over the next 24 months. Much of this data will be network-based and likely come from network forensic tools.
As far as products go:
- Endace (i.e., Emulex), RSA Security Analytics (aka NetWitness), and Solera Networks (i.e., Blue Coat Networks) are all large stable companies. They may be the best choice for risk-averse CISOs.
- Click Security is designed from the ground up for network analytics. The goal is to remove the guess work and actually pinpoint problems in real time. Creative CISOs looking for a new angle on an old problem will find Click intriguing at the very least.
- LogRhythm just entered the network forensic market with a stand-alone product that is tightly integrated with its existing SIEM. This makes LogRhythm an attractive option for CISOs looking for an integrated security analysis solution (i.e., SIEM and network forensics).
- Although not technically a “network forensics” tool, Lancope provides similar functionality and has a long track record in the market.
Like other security analytics categories, the best products will provide superior algorithms, canned analytics, and leading-edge visualization to help security analysts improve their efficacy and efficiency.