
Caught in the Act: The Mall Cop Approach to Network Security

By Jack M. Germain
Apr 19, 2010 6:00 AM PT

Advances in searching through massive piles of storage data could speed up deployment of a decade-old surveillance technology to catch bad guys dedicated to breaching corporate networks.

Heightened use of network forensic technology can provide network admins with the equivalent of a video camera placed within corporate computer networks. This technology allows admins to rewind through weeks of network activity to catch hackers in the act of breaking in.

Breaches do not occur in isolation. This type of TiVo effect would allow network security cops to trace the hacker's footsteps through the network to see where those committing the breach went and what they left behind.

More than 85 percent of corporate security officers expect a major network security event in the next three years or have had one in the past three years, according to a 2009 Trusted Strategies Network Forensics Market Survey. Typically, it takes organizations rebounding from breach attacks two to 10 to discover the full scope of the incident -- sometimes even longer.

"It is a matter of when and not if a company will suffer a network breach. A secure company is one that manages a breach well by catching it early and minimizing damages," Andreas Antonopoulos, senior vice president and founding partner of The Nemertes Research Group, told TechNewsWorld.

What's Necessary

At least 171 significant data breaches have happened so far this year. Of that number, 20 involve financial services companies, according to the Identity Theft Resource Center (ITRC), which tracks data breaches. For a clue as to why network forensics tools are becoming a growing need, consider that 20 incidents actually occurred last year but are only now being brought to light, according to the ITRC.

The most common use for network forensics is for post-incident analysis and on-demand investigations, according to a Gartner report titled "Network Forensics Market" written by Gartner Vice President John Pescatore. These uses could thrust this type of technology into the spotlight given the changing threat landscape.

"Network forensics provides VCR-like tools and activity analysis. The technology is some 10 years old. There is not a lot of demand for it yet. Now interest is growing due to the involvement of federal agencies as a way to preserve evidence," Pescatore told TechNewsWorld.

Three uses for network forensics could help network admins carry a bigger stick in chasing hackers from networks. The technology is used to replay network events and to watch a specific PC's use of the network; these are reactive strategies, explained Pescatore. A third and more proactive use is looking ahead to potential activity.

More Money

The network forensics industry generated US$100 million in overall revenues in 2009. Gartner predicts this will grow to $145 million by year's end, Pescatore said.

"Still this is a relatively small industry compared to other technologies. This is not a mass market. It also requires a lot of expertise," Pescatore said.

Threats have changed in the last few years. The altered threat level is putting more focus and demand on this type of security technology, he added.

Costly Solution

Strategies to catch hackers in the act of breaching networks dictate that access controls and network monitoring are in place, noted Nemertes' Antonopoulos. But there is too little industry effort on monitoring. Why? Because it's really expensive, he suggested.

For example, security experts can secure a shopping mall with locks on doors and bars on windows. This approach is cheaper than hiring guards and installing cameras -- and then paying another couple of people to watch the cameras.

The same analogy explains the cost factor that has hindered the use of software and hardware solutions that provide the "mall cop" methodology needed to bring network forensics into prominence.

Slow Grow

The manpower drain and the cumbersome process of reviewing recorded network traffic may very well be the deal breakers in using network surveillance technology to catch more bad guys bent on breaching corporate networks.

Both tasks can be done, of course, but only for a sometimes hefty price. Networks handle an enormous amount of traffic, all of which would have to be monitored by on-the-job personnel. Another cost relates to long-term storage, said Antonopoulos.

"You have to make compromises in deciding when to turn off the capturing and how far back to keep the records," he said.

Different Strokes

The industry standard for network security relies on the age-old method of trusting signatures and other observable triggers to detect aberrant network behavior. Network forensics provides one of several alternative security strategies.

One security method similar to the forensics approach is a strategy known as "SIEM," or Security Information and Event Management. These products capture, archive and correlate events from logs on computer and network devices. However, they do not provide full network packet capture, according to Gartner.

Similarly, Intrusion Prevention Systems (IPSs) and next-generation firewall appliances can see well into network traffic and do deep packet inspection. But they cannot store the captured traffic long-term or apply analytics to it for network forensics tasks, noted Pescatore.

Vending Forensics

Due to its small market slice, the vendor space for network forensics is small and varied. Gartner's report highlights firms such as AccessData, SilentRunner, Narus, NetScout Systems, NetWitness, Network Instruments, Niksun, Solera Networks and WildPackets as some of the key players in this space.

From this list of vendors -- though not an endorsement from Gartner or The Nemertes Research Group -- Solera Networks recently added what could prove to be a significant contribution to the network forensics category.

"Solera's approach is new, but the network forensic technology is 15 years old. The company's approach is to create vast indices to simultaneously categorize the traffic by markers. Before this approach, it took too much effort to review all the stored data," Antonopoulos said.
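To make the two trade-offs above concrete, here is an added toy example (not Solera's code and not from the article): a rolling full-packet store that indexes each record by host and destination port "markers" so an analyst can rewind to a host's activity without scanning every packet, and that enforces a retention window, so the oldest evidence is discarded once the window is exceeded. The traffic records are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time, seconds since epoch
    src: str
    dst: str
    dport: int
    payload: bytes  # full content is kept, not just metadata


class CaptureStore:
    """Full-packet store with marker indices and a fixed retention window."""

    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self.packets = {}                # packet id -> Packet
        self.order = deque()             # packet ids in capture order (oldest first)
        self.by_host = defaultdict(set)  # host address -> packet ids (as src or dst)
        self.by_port = defaultdict(set)  # destination port -> packet ids
        self._next = 0

    def record(self, pkt):
        pid, self._next = self._next, self._next + 1
        self.packets[pid] = pkt
        self.order.append(pid)
        self.by_host[pkt.src].add(pid)
        self.by_host[pkt.dst].add(pid)
        self.by_port[pkt.dport].add(pid)
        self._expire(pkt.ts)

    def _expire(self, now):
        # The retention compromise: anything older than the window is gone for good.
        while self.order and self.packets[self.order[0]].ts < now - self.retention:
            pkt = self.packets.pop(self.order.popleft())
            for idx in (self.by_host[pkt.src], self.by_host[pkt.dst], self.by_port[pkt.dport]):
                idx.discard(self._next - 1 - len(self.order) - len(self.packets) + len(self.packets))  # no-op guard
        # Rebuild small indices after eviction (simple and correct for a toy store).
        live = set(self.packets)
        for idx in list(self.by_host.values()) + list(self.by_port.values()):
            idx &= live

    def rewind(self, host=None, dport=None, start=None, end=None):
        """Return matching packets in capture order, intersecting the marker indices."""
        cands = set(self.packets)
        if host is not None:
            cands &= self.by_host.get(host, set())
        if dport is not None:
            cands &= self.by_port.get(dport, set())
        hits = (self.packets[p] for p in sorted(cands))
        return [p for p in hits if (start is None or p.ts >= start) and (end is None or p.ts <= end)]


# Constructed sample traffic (not a real capture): one workstation and two peers.
SAMPLE = [
    Packet(1000.0, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html"),
    Packet(1060.0, "10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01"),
    Packet(1120.0, "203.0.113.9", "10.0.0.5", 51000, b"\x16\x03\x03"),
    Packet(4000.0, "10.0.0.5", "203.0.113.9", 443, b"\x17\x03\x03"),
    Packet(5000.0, "10.0.0.7", "192.0.2.10", 80, b"GET /"),
]


def build_store(retention_seconds):
    store = CaptureStore(retention_seconds)
    for pkt in SAMPLE:
        store.record(pkt)
    return store
```

With a long window, rewinding on the workstation and port 443 returns both TLS records; with a 3000-second window, the earlier handshake has already been evicted, which is exactly the "how far back to keep the records" compromise.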

Innovation Counts

Network forensics technology is much like placing a security camera on the network, and the network is a very dark place. What else Solera Networks does to brighten this process could make users more successful in routing the breachers.

"Other companies try to analyze network activity but are merely collecting metadata. Our technology actually records events. It's like a TiVo for the network. You can go back in time to play full action," Peter Schlampp, vice president of marketing for Solera Networks, told TechNewsWorld.

This forensics approach is like a casino security video office that sees all that is happening in real time with 100 percent fidelity.

No Hit, Just Miss

A key factor in finding hackers making breaches is having technology that allows admins to see a playback. Breaches happen incrementally. This technology allows network managers to go back in time to see what happened so they can fix it, said Antonopoulos.

Seeing a breach is only one aspect of the process. You still don't know the extent of the damage. That has been the shortcoming of network forensics until now.

"The industry doesn't effectively roll back its investigation when breaches occur. It's not even accurate to describe the industry's involvement as hit or miss. It's mostly miss," said Antonopoulos.
