Caught in the Act: The Mall Cop Approach to Network Security

Advances in searching through massive piles of stored data could speed up deployment of a decade-old surveillance technology to catch bad guys dedicated to breaching corporate networks.

Heightened use of network forensic technology can provide network admins with the equivalent of a video camera placed within corporate computer networks. This technology allows admins to rewind through weeks of network activity to catch hackers in the act of breaking in.

Breaches do not occur in isolation. This type of TiVo effect would allow network security cops to trace the hacker’s footsteps through the network to see where those committing the breach went and what they left behind.

More than 85 percent of corporate security officers expect a major network security event in the next three years or have had one in the past three years, according to a 2009 Trusted Strategies Network Forensics Market Survey. Typically, it takes organizations recovering from a breach two to 10 to discover the full scope of the incident, and sometimes even longer.

“It is a matter of when and not if a company will suffer a network breach. A secure company is one that manages a breach well by catching it early and minimizing damages,” Andreas Antonopoulos, senior vice president and founding partner of The Nemertes Research Group, told TechNewsWorld.

What’s Necessary

At least 171 significant data breaches have happened so far this year. Of that number, 20 involve financial services companies, according to the Identity Theft Resource Center (ITRC), which tracks data breaches. As a clue to why network forensics tools are becoming a growing need, 20 incidents actually occurred last year but are only now being brought to light, according to the ITRC.

The most common use for network forensics is for post-incident analysis and on-demand investigations, according to a Gartner report titled “Network Forensics Market” written by Gartner Vice President John Pescatore. These uses could thrust this type of technology into the spotlight given the changing threat landscape.

“Network forensics provides VCR-like tools and activity analysis. The technology is some 10 years old. There is not a lot of demand for it yet. Now interest is growing due to the involvement of federal agencies as a way to preserve evidence,” Pescatore told TechNewsWorld.

Three uses for network forensics could help network admins carry a bigger stick in chasing hackers from their networks. The technology is used to replay network events and to watch a specific PC’s activity on the network. These are reactive strategies, explained Pescatore. A third and more proactive use is looking forward to potential activity.

More Money

The network forensics industry generated US$100 million in overall revenues in 2009. Gartner predicts this will grow to $145 million by year’s end, Pescatore said.

“Still this is a relatively small industry compared to other technologies. This is not a mass market. It also requires a lot of expertise,” Pescatore said.

Threats have changed in the last few years. The altered threat level is putting more focus and demand on this type of security technology, he added.

Costly Solution

Strategies to catch hackers in the act of breaching networks dictate that access controls and network monitoring are in place, noted Nemertes’ Antonopoulos. But there is too little industry effort on monitoring. Why? Because it’s really expensive, he suggested.

For example, security experts can secure a shopping mall with locks on doors and bars on windows. This approach is cheaper than hiring guards and installing cameras, and then paying another couple of people to watch the cameras.

The same analogy explains the cost factor that has hindered the use of software and hardware solutions that provide the “mall cop” methodology needed to bring network forensics into prominence.

Slow Grow

The manpower drain and the cumbersome process of reviewing recorded network traffic may very well be the deal breakers in using network surveillance technology to catch more bad guys bent on breaching corporate networks.

Both tasks can be done, of course, but only for a sometimes hefty price. Networks handle an enormous amount of traffic, all of which would have to be monitored by on-the-job personnel. Another cost relates to long-term storage, said Antonopoulos.

“You have to make compromises in deciding when to turn off the capturing and how far back to keep the records,” he said.

Different Strokes

The industry standard for network security relies on the age-old method of trusting signatures and other observable triggers to detect aberrant network behavior. Network forensics provides one of several alternative security strategies.

One security method similar to the forensics approach is a strategy known as “SIEM,” or Security Information and Event Management. These products capture, archive and correlate events from logs on computer and network devices. However, they do not provide full network packet capture, according to Gartner.

Similarly, Intrusion Prevention Systems (IPSs) and next-generation firewall appliances can see well into network traffic and do deep packet inspection. But they cannot store the captured traffic long-term or run the analytics that network forensics tasks require, noted Pescatore.

Vending Forensics

Due to its small market slice, the vendor space for network forensics is small and varied. Gartner’s report highlights firms such as AccessData, SilentRunner, Narus, NetScout Systems, NetWitness, Network Instruments, Niksun, Solera Networks and WildPackets as some of the key players in this space.

From this list of vendors, though not an endorsement from Gartner or The Nemertes Research Group, Solera Networks recently added what could prove to be a significant contribution to the network forensics category.

“Solera’s approach is new, but the network forensic technology is 15 years old. The company’s approach is to create vast indices to simultaneously categorize the traffic by markers. Before this approach, it took too much effort to review all the stored data,” Antonopoulos said.
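As an added illustration, and not code from Solera Networks or any other vendor named in this article, the following Python sketch shows the mechanics behind the two points Antonopoulos makes: secondary indices keyed by markers (here host and destination port) let an investigator replay one host's traffic for a time window without scanning the whole store, and a bounded retention window evicts the oldest packets, which is the "how far back to keep the records" compromise he mentions earlier. The packet records are constructed for the example, and the class and method names are assumptions of this example rather than any product's API.

```python
"""Toy "network TiVo": an append-only packet store with marker indices,
a bounded retention window, and replay/trace queries.
Added example; the records in build_sample_store() are constructed."""
from bisect import bisect_left, bisect_right
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time, epoch seconds
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    payload: bytes  # full payload, the part a metadata-only collector drops


Entry = Tuple[float, int]  # (timestamp, sequence number), sorted by time


class CaptureStore:
    """Packets are appended in capture order; each index maps a marker
    (host or port) to the entries of packets carrying that marker."""

    def __init__(self, retention_seconds: float) -> None:
        self.retention = retention_seconds
        self._seq = 0
        self._packets: Dict[int, Packet] = {}
        self._order: Deque[Entry] = deque()
        self._by_host: Dict[str, List[Entry]] = defaultdict(list)
        self._by_port: Dict[int, List[Entry]] = defaultdict(list)

    def ingest(self, pkt: Packet) -> None:
        if self._order and pkt.ts < self._order[-1][0]:
            raise ValueError("packets must be ingested in capture order")
        self._seq += 1
        entry = (pkt.ts, self._seq)
        self._packets[self._seq] = pkt
        self._order.append(entry)
        self._by_host[pkt.src].append(entry)
        if pkt.dst != pkt.src:
            self._by_host[pkt.dst].append(entry)
        self._by_port[pkt.dport].append(entry)
        self._evict(pkt.ts)

    def _evict(self, now: float) -> None:
        """Drop packets older than the retention window. Index entries for
        evicted packets stay in place and are skipped at query time."""
        cutoff = now - self.retention
        while self._order and self._order[0][0] < cutoff:
            _, seq = self._order.popleft()
            del self._packets[seq]

    def _lookup(self, index, key, t0: float, t1: float) -> List[Packet]:
        # Entries are sorted by (ts, seq), so the window is two bisections.
        entries = index.get(key, [])
        lo = bisect_left(entries, (t0, 0))
        hi = bisect_right(entries, (t1, self._seq + 1))
        found = [self._packets.get(seq) for _, seq in entries[lo:hi]]
        return [p for p in found if p is not None]

    def replay_host(self, host: str, t0: float, t1: float) -> List[Packet]:
        """Everything a host sent or received in [t0, t1], in time order."""
        return self._lookup(self._by_host, host, t0, t1)

    def replay_port(self, port: int, t0: float, t1: float) -> List[Packet]:
        return self._lookup(self._by_port, port, t0, t1)

    def trace(self, start_host: str, t0: float, t1: float) -> Set[str]:
        """Follow outbound connections forward in time from start_host,
        hop by hop, and return every host it reached directly or indirectly."""
        reached: Set[str] = set()
        frontier = [(start_host, t0)]
        while frontier:
            host, since = frontier.pop()
            for pkt in self.replay_host(host, since, t1):
                if pkt.src == host and pkt.dst != start_host and pkt.dst not in reached:
                    reached.add(pkt.dst)
                    frontier.append((pkt.dst, pkt.ts))
        return reached

    def stored(self) -> int:
        return len(self._packets)


def build_sample_store(retention_seconds: float = 3600.0) -> CaptureStore:
    """Constructed capture: an external host lands on 10.0.0.5 over SSH,
    pivots over SMB and RDP, and the last hop pushes data out over 443."""
    store = CaptureStore(retention_seconds)
    for pkt in [
        Packet(1000.0, "198.51.100.7", "10.0.0.5", 22, b"SSH-2.0-client"),
        Packet(1005.0, "10.0.0.5", "10.0.0.9", 445, b"\xffSMB"),
        Packet(1010.0, "10.0.0.9", "10.0.0.12", 3389, b"RDP"),
        Packet(1020.0, "10.0.0.12", "203.0.113.4", 443, b"exfil-chunk-1"),
        Packet(1030.0, "10.0.0.20", "10.0.0.5", 80, b"GET / HTTP/1.1"),
    ]:
        store.ingest(pkt)
    return store


if __name__ == "__main__":
    full = build_sample_store()
    print("reached from 198.51.100.7:", sorted(full.trace("198.51.100.7", 1000.0, 2000.0)))
    short = build_sample_store(retention_seconds=20.0)
    print("same trace with a 20 s window:", sorted(short.trace("198.51.100.7", 0.0, 2000.0)))
```

With the long retention window, `trace()` walks the intrusion from the external source through three internal hops to the exfiltration destination, and `replay_port(443, ...)` returns the payload that left, not just the fact that a connection happened. With a 20-second window the two earliest packets have already been evicted by the time the last one arrives, so the same trace returns nothing: the entry point is gone before anyone looks for it.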

Innovation Counts

Network forensics technology is much like placing a security camera on the network, and the network is a very dark place. What else Solera Networks does to brighten this process could make users more successful in routing the breachers.

“Other companies try to analyze network activity but are merely collecting metadata. Our technology actually records events. It’s like a TiVo for the network. You can go back in time to play full action,” Peter Schlampp, vice president of marketing for Solera Networks, told TechNewsWorld.

This forensics approach is like a casino security video office that sees all that is happening in real time with 100 percent fidelity.

No Hit, Just Miss

A key factor in finding hackers making breaches is having technology that allows admins to see a playback. Breaches happen incrementally. This technology allows network managers to go back in time to see what happened so they can fix it, said Antonopoulos.

Seeing a breach is only one aspect of the process. You still don’t know the extent of the damage. That has been the shortcoming of network forensics until now.

“The industry doesn’t effectively roll back its investigation when breaches occur. It’s not even accurate to describe the industry’s involvement as hit or miss. It’s mostly miss,” said Antonopoulos.


More by Jack M. Germain