Network forensics tools increasingly aid security response teams

As malware continues to evade signature-based antivirus and intrusion prevention systems some organizations are turning to network capturing and analysis tools to detect anomalies and respond to security threats as they happen. One such vendor, Herndon, Va.-based NetWitness Corp., competes in the network forensics market against Solera Networks, Check Point Software Technologies and Endace, offering appliances that can suck up network IP packets like a vacuum and store it for real time analysis and detection capabilities. Eddie Schwartz, chief security officer at NetWitness sees growing momentum in the industry as security teams in government agencies, large financial firms and telecommunications companies increasingly turn to network analysis to stop threats that are getting by traditional security systems. In this interview, Schwartz said signature-based systems have their place, but network collection and forensics tools help large businesses respond to threat vectors that had been previously unknown.

Let's talk briefly about what NetWitness does. Is it really just about placing forensics tools around an intrusion...

defense system? There's a lot of discussion around this space. Gartner dubbed this space network forensics so that's the moniker that it's getting these days. But a lot of it really does have to do with advance threat intelligence. For organizations that are really thinking about ways to deal with these advanced threats – these security problems that are getting past the antivirus, evading intrusion detection systems and fall into this category of sophisticated threats. There's this category of solutions that are based on full packet capture and then real time situational awareness and that's where we fall into. There are a few products in this category and of those there are only a few that deal with real time incident response or real time intrusion detection and management and NetWitness falls into that category. You mention the word response. Is there in fact a response or is it more of an alert? Once you start talking about response, doesn't that turn it into an intrusion prevention system?

Intrusion detection and network forensics:
New Zealand firm, Endace, making next generation IDS a reality: One firm is having success in the government sector with an IDS appliance that can capture 100% of network traffic.

Zeus Trojan continues reign infecting 74,000 PCs in global botnet: Researcher at NetWitness discovers cache of thousands of bank account credentials, email logins and SSL certificate files related to Zeus infected machines. 

I'm not a big fan of the word prevention because I think the world is too complex today. I think there are a number of simple tasks that do fall into the category of what could be prevented or where there could be an action. That's the world of signatures or definition files where somebody's already been hit with something or there is some existing foreknowledge of an attack. The problem as you correctly describe in your article on the KHOBE issue is that in a lot of cases if you look at some of these malware instances you'll find that one out of 35 vendors will actually recognize these things and there's only an eight hour window where you're dealing with the notion of a stimulus and response. Prevention is not really a good strategy. When something is known and understood you could feed it into some preventative platform. So when we say response, it's more an issue of proactive detection and then taking whatever steps are necessary as a response action. In some cases the response may be a combination of things where you're changing a firewall rule and writing a Snort signature and where you're simply monitoring something more closely or engaging some additional threat feeds in your environment to look at some new threat vector that you hadn't considered before. You mentioned full packet capture. Are the appliances out there powerful enough to collect packets without dropping any?
There's a number of ways to approach it, but just as an example, one of our customers is arguably one of the largest private IP networks in the world and they're doing 60 GB/s of aggregate throughput and has got 1.5 PBs of inline real time storage in what you would call a real time situational awareness grid. It's definitely doable in a very large environment. The issue is just building scalability into the environment. There are ways to do it with commodity-type appliance based storage and there are ways to do it with traditional approaches to storage, such as storage area networks or other types of approaches. It just depends what your goals are with respect to data retention and use cases. Some organizations have use cases that are strictly incident response for security operations so the useful life of that information is shorter than an organization that may have more of a classic forensics or investigatory type of use case where they want to go back and look at the history of network traffic for a longer period that might be 60 days, 90 days or even longer in some cases. One term we've been hearing is "advanced persistent threat (APT)." I spoke to one expert who said it's being watered down by security vendor marketing departments. What is your definition of an APT?
For me to classify something as an APT there's a few different criteria that has to be met. First of all, there has to be evidence that there is a specific adversary and that the adversary has some sort of organization, motivation and funding associated with them. The second is that there are specific targets in mind. The third is that they have the ability to operate across a broad spectrum of different types of activities from social engineering to malware creation to network-based attacks or things of that sort. For example, we've seen with certain government clients where there have been a series of spear phishing attacks. These spear phishing attacks have ranged from being very clear social engineering attacks that have hand crafted malware in them, that have never been seen anywhere before to where once the malware is installed, it's very clear that the malware had some prior information relative to the specific assets in the organization – some network mapping had been done at a prior time. That would fall under my definition of an APT.

This Content Component encountered an error



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: