Effective preparation, including investment in network performance monitoring tools such as packet capture, delivers network security forensics capabilities that are ready when attacks occur.

The three main phases of a network security stance today are prevention, detection, and remediation. A recent survey by ServiceNow of 300 Chief Information Security Officers (CISOs) investigates the state of network security response in large organizations and their strategies for navigating this challenging environment. It states:

  • 70% of organizations surveyed say it is difficult to prioritize security alerts based on the importance of the data under attack. This failure to prioritize can paralyze organizations that try to address all threats equally, given that they can be hit by thousands of cyberattacks daily.
  • The quality and quantity of the data available is critical, too, and a lot of that data flows from IT; over 90% of respondents say this information is substantially or highly important to detecting AND responding to breaches.

With these concerns in mind, building an effective network security stance is like building a castle’s defenses. You don’t dig a moat and then neglect to build walls. You don’t build walls and then never hire guards. As protectors of our castles, we should avoid putting all of our strength into one area and instead make calculated decisions about which strengths to place where, so that every layer of the defense is fortified.

Network Security: Detection vs. Remediation Phase

I’ll briefly describe how engineers can identify the role and value of tools in the detection phase versus the remediation phase. Imagine, if you will, that an engineer learns that a server has made a completely unexpected web connection to a nearby server. This could come from an AI behavior-analysis tool, a NetFlow tool, a syslog tool, or any other mechanism that belongs to the detection phase. The next question is: now what?

Did a developer hard-code the wrong IP into something they were working on? Or is there an intruder trying to burrow deeper? A flow record or a log line tells you that a connection happened; it does not tell you what was said over it. It’s time to move into the remediation phase, where the previously mentioned tools are of very little help.

To get to the root of the problem, I’ll be using the Viavi Observer Platform, specifically Observer Gigastor, and assume its RESTful API was used to automatically mine the related packets out based on the alert from whichever detection-phase tool raised it.

Based on the packet data, what can we learn about the situation?

Network Security Forensics Image 1

11 packets, source and destination, over HTTP – pretty much what I already knew from my detection tools.

Network Security Forensics Image 2

After one right-click, now we are getting somewhere. Note the GET request whose query string carries “select * from”. A SQL statement has no business in a URL parameter, so this is not a developer’s stray IP address but an intruder probing for SQL injection. The logical next questions are: what was the response? Did they get anything?

Network Security Forensics Image 3

After another right-click I have my answer: the server returned an error message, and no data was exfiltrated in this exchange. Two checks are worth making before closing the case. Read the error body itself, since a verbose database error can leak table or column names even when no rows come back (the basis of error-based injection), and confirm from the capture that this was the only such request from that source.
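The two questions answered by the right-clicks above, whether the request carries SQL and whether the response handed anything back, can be scripted once the request and response bytes have been mined out of the capture. The following is an added example, not code from the original post or from the Viavi Observer Platform; it assumes the raw HTTP request and response have already been extracted from the packet data, and the two exchanges it parses are constructed for the example rather than taken from a real capture. It percent-decodes the query string (so “%27%20UNION” is seen as “' UNION”), flags SQL fragments in any parameter, reads the response status, and checks the error body for verbose database error text that could itself leak schema details.

```python
"""Triage of one mined HTTP request/response pair for SQL-injection indicators."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample exchange (not from a real capture): an unexpected GET
# whose query string carries a URL-encoded SQL fragment, answered with a
# database error and no rows.
SAMPLE_REQUEST = (
    b"GET /api/items?id=1%27%20UNION%20SELECT%20*%20FROM%20users--&page=1 HTTP/1.1\r\n"
    b"Host: 10.0.0.12\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>You have an error in your SQL syntax near 'UNION SELECT'</html>"
)

# Constructed benign exchange: the "developer hard-coded the wrong IP" case.
BENIGN_REQUEST = b"GET /api/items?id=5&page=1 HTTP/1.1\r\nHost: 10.0.0.12\r\n\r\n"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"id\": 5}"

# SQL fragments that have no business inside a query-string parameter.
SQLI_PATTERNS = [
    re.compile(r"\bselect\b.+\bfrom\b", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I),
    re.compile(r"(--|/\*)"),
]

# Verbose database errors: no rows came back, but the text itself can leak schema.
DB_ERROR_PATTERNS = [
    re.compile(r"error in your SQL syntax", re.I),   # MySQL / MariaDB
    re.compile(r"unterminated quoted string", re.I),  # PostgreSQL
    re.compile(r"\bORA-\d{5}\b"),                     # Oracle
    re.compile(r"Unclosed quotation mark", re.I),     # SQL Server
]


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, path, decoded query parameters and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    # parse_qsl percent-decodes, so "%27%20UNION" is seen as "' UNION".
    params = parse_qsl(parts.query, keep_blank_values=True)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"method": method, "path": parts.path, "params": params,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into status code, headers and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"status": status, "headers": headers,
            "body": body.decode("latin-1", "replace")}


def find_sqli(params) -> list:
    """Return (parameter, decoded value, pattern) for each parameter carrying SQL."""
    hits = []
    for name, value in params:
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                hits.append((name, value, pattern.pattern))
                break
    return hits


def triage(request_raw: bytes, response_raw: bytes) -> dict:
    """Answer the two questions: was it an injection, and did it get anything back?"""
    req = parse_request(request_raw)
    resp = parse_response(response_raw)
    hits = find_sqli(req["params"])
    db_error = any(p.search(resp["body"]) for p in DB_ERROR_PATTERNS)
    if not hits:
        verdict = "no SQL in the query string: look for a misconfiguration, not an intruder"
    elif 200 <= resp["status"] < 300:
        verdict = "injection attempt answered 2xx: inspect the body for returned rows"
    elif db_error:
        verdict = ("injection attempt failed with a verbose database error: "
                   "no rows, but the error text may leak schema")
    else:
        verdict = "injection attempt failed: nothing returned"
    return {"sqli_suspected": bool(hits), "hits": hits, "status": resp["status"],
            "verbose_db_error": db_error, "verdict": verdict}


if __name__ == "__main__":
    for label, pair in (("suspect", (SAMPLE_REQUEST, SAMPLE_RESPONSE)),
                        ("benign", (BENIGN_REQUEST, BENIGN_RESPONSE))):
        result = triage(*pair)
        print(f"{label}: status={result['status']} hits={result['hits']} -> {result['verdict']}")
```

The pattern lists are deliberately short; in practice they would be tuned to the application’s own parameter shapes, and the decoded value matters more than the raw one, since percent-encoding and the `+`-for-space convention are exactly what lets an injection slip past a glance at the raw packet.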

At this point, the security engineers can make a choice on the next step:

  • Research what that machine did over the past few days based on historical packet data
  • Wipe the machine and go home
  • Redirect the intruder to a honeypot

Network Security Isn’t a Tool – It’s an Evolving Stance

The right answer may differ from business to business, but in every case the engineers are in a much stronger position than they would be if they relied on detection tools alone. In fact, security isn’t a tool – it’s an ever-evolving stance that plans out everything from who has access to data, to how to detect possible events, to how to respond to threats, all the way to managing public relations after an incident.

It can be daunting, but with some preparation (including investment in tools such as always-on packet capture), you can sleep easy when the cyber-dragons breathe fire on the castle walls.

To learn more about why network security forensics is a must-have in any security strategy, check out our video.
