Posted on April 12, 2012 | 12 comments
Company network attacks — and successful intrusions — continue at a steadily rising pace, for a litany of reasons. The core driver is a complex dynamic. We continue to expand commercial uses of the Internet, pumping more cloud services, social media and mobile devices into the mix.
The end result is an ever-expanding canvas of attack surfaces for highly skilled and motivated cybergangs to tap into corporate databases. In this LastWatchdog guest post, Timothy David McCreery, President and CEO of network monitoring firm WildPackets, examines why it might make sense for companies to embrace network forensics as ongoing preventive maintenance, instead of turning to it in after-the-fact investigations only.
By Timothy David McCreery
Homeowners, health and life insurance are well-known forms of risk coverage. While these modes of protection have remained relatively the same, there is a litany of new threats that aren't as well accounted for. Most businesses today operate some form of computer network, and for many, their entire business is based online. Company computer networks are increasingly vulnerable in the era of phishing scams, cyber attacks and large-scale data breaches. So then, what is their form of insurance?
Today, preventative security is a top priority for any IT department, but no amount of security can protect all of your networks all of the time. Even global brands and governments aren't immune to attacks, and every company should have a contingency plan in place in the event of a breach. One of the most easily implemented, but often-overlooked, contingency plans for your network is network forensics.
While many companies believe that a simple activity monitoring solution is the only thing they need to help protect their network, network forensics is an essential part of any comprehensive security strategy. Although IDS/IPS (Intrusion Detection/Intrusion Prevention Systems) solutions do help detect and prevent problems, when they miss something, security teams have no data to analyze and figure out what went wrong. Typically, simple activity monitoring solutions involving IDS/IPS are tedious and require sorting through possibly thousands of packets of data, including IP address, source/destination port, time, date, protocol, string and more, to find one incident.
Network forensics, on the other hand, captures complete network conversations, recording all network activity at the packet level to fixed storage, displays key network performance statistics, and provides visual tools for post-capture analysis in real time. Captured data is stored in a central location and translated into a common format, allowing users to easily drill into problem areas and quickly locate a specific incident, or to monitor for potential virus 'fingerprints' to avoid a major infection.
With an increase in breaches from both inside and outside the network, analysis and prevention can only be achieved if you have a complete view of your network activity. This level of insight is even more essential with the number of on-the-go users and BYOD policies growing within companies. In fact, it’s often business-critical issues that have nothing to do with performance or cyber attacks, like violations of industry regulations or data breaches, which drive the need for post-incident analysis.
A breached mobile device or infected personal laptop brings outside threats inside the network, which can go undetected by most IDS/IPS solutions. The ability to recognize a breach and pinpoint the source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, preventing another kind of potential hack.
Network forensics can be a powerful tool in both your security and compliance strategies, but the key to network forensics is to have a solution in place now, before you have a need for incident analysis or require data to investigate an attack.
About the essayist: Timothy David McCreery is the President and CEO at WildPackets, a provider of network analysis solutions. McCreery co-founded WildPackets, Inc. as AG Group in 1990. McCreery taught undergraduate Computer Science at U.C. Berkeley, obtaining a Master's degree in EECS, and is an industry veteran with over 25 years of experience.