Network Forensics - The Forgotten Need for IT

Convergence Corner


By Erik Linask, Group Editorial Director  |  June 03, 2014

With all the talk about cloud and virtualization taking center stage in networking, as enterprises seek to leverage the latest technologies to increase efficiency and reduce costs, many of them – 55 percent, according to WildPackets – are neglecting network forensics. With network technology and business applications evolving at such a torrid pace, it’s easy to see how network forensics can become lost in the mix, and for many, it seems too costly an investment.

The truth is that, when it comes to security and risk, businesses often feel they are playing from behind in a reactionary manner anyway, not realizing that proper network forensics can put them in a position to proactively mitigate risk. Even the 10 percent increase in utilization from last year has largely been a reaction to recent highly publicized breaches at Target and Neiman Marcus.

Further adding to the confusion is that, with so many applications and services now being moved into cloud and virtual environments, network forensics appliances still have to be deployed on-premises, which, as executives seek to reduce costs, seems counterproductive at first glance.

“People invest so much in surveillance, so why not network recording as well?” asks Jay Botelho, director of product management at WildPackets. “If there is an issue or breach, businesses can look back at what happened and quickly mitigate or eliminate any impact on the network, data, or devices.”

In an era in which network access is increasing exponentially due to an ongoing explosion of applications and connected devices, most companies have made at least some level of investment in data center visibility, but have neglected their local networks. Take the retail industry, for instance. Businesses are starting to leverage customer data in astounding new ways, even to the point of developing apps that interact with customers the moment they enter a store. But most have little idea of what may actually be happening on their local networks, which are often prone to misuse or breach.

In theory, forensics could be done in the cloud, but it would be highly inefficient, as traffic flows would have to pass to the cloud before accessing the local networks, or the flows would have to be duplicated to apply forensics in the cloud.

“It has to be inexpensive to deploy locally,” says Botelho. “It also has to come from the top down – the C-level executives are responsible for managing risk at the corporate level, and that’s where the investment has to be made.”

There is also, in many cases, a misperception that network forensics appliances aren’t capable of handling the migration to 10G or 40G networks, which Botelho says isn’t the case. But, when undertaking such a migration, businesses with existing forensics tools in place don’t necessarily have to replace or upgrade them immediately. In most cases, the traffic flow won’t increase much at the outset, perhaps from 1G to 1.5G or 2G, which most existing forensics products can easily handle. But, they have to start planning and budgeting for upgrades as traffic does increase.

With risk guaranteed to increase in the age of mobility and IoT, businesses should ensure they have security policies and measures in place, but even those aren’t foolproof. They also need the ability to track incidents when they do happen, whether it’s a full-blown breach, a virus infecting the network, or simply unauthorized access to applications or data, whether malicious or inadvertent. It’s the responsible thing to do.


Edited by Maurice Nagle