Enterprise IT Watch Blog

Apr 14 2010   10:20AM GMT

Network forensics: Putting the CSI in Cisco

Michael Morisy Michael Morisy Profile: Michael Morisy

Networks are the corporate crime scenes of today. Just ask Google, TJX, or any one of the thousands of companies that have seen their networks turned against them. IT professionals need to step up their game when it comes to dusting for digital prints.

Fortunately, they’ve got a set of tools that (almost) makes CSI look amateur, and some of the best tools have fallen into the domain of networking professionals, according to Gartner’s John Pescatore (bio)

“We have a broader array of tools called data forensics, and one half of that is network forensics and the other half is computer forensics, which you can put on every PC and server. The network products have the major major advantage of it’s very expensive to put software on everybody’s PC and server, and people … can very often disable that software,” he told the IT Watch Blog recently in an interview. “The network tools are more widely used because of those advantages.”

Rather than watching every bit on every computer, network tools watch the choke points: They can see what users are downloading and uploading, e-mailing and IM’ing, and even record all that data for later playback, like a closed circuit television camera or omniscient network DVR.

But just like CSI, today most of the security lapses aren’t discovered until somebody turns up dead or, in corporate terms, the customers start complaining and stuff starts breaking.

“Incident responses come from a lot of places, such as highly publicized cases like TJX where millions of customers started complaining,” said Pescatore. “More commonly, it will the firewall logs showed something came in and this attack looks like it got through, or a server will crash or a server alarm will go off that some unauthorized access was made on a server.”

By then, it’s too late to stop the attack so it’s time to start sifting through for clues: Who was connecting at odd hours, and what were they downloading off the Intranet? Why did someone in accounting upload a 4GB data dump? Hopefully, the clues will point back to the culprit and damage can be minimized.

Vendors are saying a better approach is on the horizon: Like Minority Report‘s PreCogs, they hope to catch crimes before they happen, or at least before the damage is done. Gartner terms it “proactive situational awareness,” the “highest value, but least common, use case” for network forensics. By providing and analyzing network data in real time, with better flagging of deviations, Jane Doe might be locked out of her computer temporarily when she does that 3 A.M. data dump, or IT might be alerted as soon as Joe Public downloads a suspicious looking attachment, whether or not he did it maliciously.

You already see high-end financial organizations and federal government agencies, bracing for cyber defense, tapping into these capabilities, but Pescatore said don’t hold your breath waiting for breakthroughs and silver bullets to come to the common company.

“Think about retail: That’s the oldest form of commerce,” he said. “We still have shoplifting and theft in retail, but we keep it down to an acceptable cost of doing business. In online retail, it’s the same thing: It’s never going to be that no attacks going to get through.”

Full proactive situational awareness requires a staff is trained to use the products, and it requires a staff to be “leaning forward,” alert for threats 24/7/365 said Pescatore.

“Typically our numbers show that average enterprise business spends about 6% of the budget on security,” he said. “For 24 by 7 security, that would require a lot of money: Training, people, the price of tools.”

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Building the ultimate network security and troubleshooting utility belt - Enterprise IT Watch Blog
    [...] IT Watch Blog « Network forensics: Putting the CSI in Cisco Apr 14 2010   2:19PM [...]
    0 pointsBadges:
  • AshishSingh10

    Can you throw some light on as how this embedding of CSI in Cisco can prove beneficial in avoiding the DoS (Denial-of-Service Attacks)?

    Awaiting reply..

    Thanks and regards
    1,330 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: