Network Forensics Separate Signal From Noise

Identifying data breaches in progress and distinguishing false positives from real security attacks requires effective network forensics software.

Jay Botelho

March 4, 2015

4 Min Read
Network Computing logo

At 11:20 am, an intrusion detection system (IDS) on your network reports an nmap decoy attack. An nmap port-mapping application is using a number of phony addresses as source IPs in addition to what seems to be an attack machine ( to determine which services and ports are active on the network.

By capturing, recording, and analyzing network traffic -- a capability generally known as network forensics -- IT engineers can "rewind" the port-scanning activity and analyze all network traffic from five minutes before and after the IDS alert. They can focus on the primary port-scanning machine's IP address and use a visualization called a "peer map" to quickly analyze all activity involving the suspicious machine.

The peer map illustrates all network activity between and any other IT assets, including which protocols were used and how much data was exchanged. In this case, the peer map shows that the number of other assets involved is low, and the protocols in use do not indicate suspicious activity, so engineers can quickly but confidently classify this alert as a false positive.

Anticlimactic? It shouldn't be. Being able to quickly distinguish false positives from real security attacks is going to be an increasingly important capability for IT departments going forward.

In last year's data breach at Target, the security monitoring systems properly alerted the company's IT team to an attack in progress. Unfortunately, the IT team was used to seeing so many false positives that they dismissed the alerts and unwittingly allowed the attack to continue, putting customers' financial standing at risk and damaging the company's reputation.

Chastened by the examples of Target, Anthem, and others, many businesses and government agencies are increasing their investments in security this year. That means IT organizations can expect to be deluged with more security alerts than ever before. Inevitably there will be false positives -- a lot of them -- and most likely there will be a few notifications of real attacks, as well.

To tell the false positives from the true alerts, and to rapidly characterize real attacks when they do occur, IT organizations should be investing in network forensics.

When a data breach occurs, network forensics enables IT to quickly identify the root of the issue and remediate it as soon as possible. Working in conjunction with security experts, network engineers can use network forensics to analyze traffic and instantly determine the cause of a network event, replacing guesswork with the hard evidence of captured network packets. To deliver this benefit, network forensics systems must be in place before a cyber attack -- capturing, storing and analyzing all network traffic so it can be replayed after a breach.

To do this job well, an effective network forensics product will meet these four requirements:

Lossless data capture: The software must be able to capture traffic -- at the packet level, not just high-level flow statistics -- reliably at rates of at least 20 Gbps, the equivalent of a full-duplex 10 Gbps link. It should never drop packets, even when network segments are experiencing high utilization.

Comprehensive data recording: Capturing data is meaningless if the traffic cannot be recorded. Network forensics systems must provide sufficient storage to record days or even weeks of packet-based network data, and must also be flexible enough to work with SANs if additional storage is needed.

Network engineers and security analysts must be able to search through the recorded data (tens to hundreds of terabytes of data) quickly and efficiently to identify the cause of problems, discover proof of security attacks, and perform other types of forensics investigations. Efficient data recording makes this possible.

Powerful search and inspection: Search and inspection enables administrators to comb through archived network traffic for anomalies and signs of problems. Using a powerful software application that automatically identifies and analyzes problem areas allows analysts to quickly isolate issues. Ideally, the forensics solution should be able to export data for further analysis and reporting, making it easy for IT experts to collaborate on resolving problems with security professionals.

Insightful reporting: Reporting distills analysis into actionable reports so that security and IT experts can document the results of their investigations and perform a post-mortem analysis of any network vulnerabilities. Reporting features should also support the generation of reports for line-of-business managers, compliance officers and auditors. 

So much for the basic capabilities. Given the speed at which breaches can occur and the subtlety of many of today's security attacks, enterprises should also look for two additional requirements in network forensics solutions. 

First, the software must capture data 24/7 and generate real-time statistics, giving engineers all the data they need for at a moment's notice. Whether a breach is perpetrated by insiders or by external attackers across the globe, forensic analysis gives immediate access to the most detailed analytics available to help engineers and security experts quickly identify the source and activity of the attack. 

About the Author(s)

Jay Botelho

Jay Botelho is Director of Engineering at LiveAction

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights