Network Forensics: Effective Incident Response - from 51 Hours to Less than 3
Background: This is a large government lab that performs research for industry, universities, and other government agencies. The laboratory employs more than four thousand individuals, including recognized scientists and engineers who focus on technology innovation and applied research in areas such as information analysis, cyber security, energy, and the environment. The lab operates a number of facilities and has received numerous national and international awards for its research and contributions to the public sector.
Challenges: The lab operates a distributed network supporting over 4000 individuals. For a large government organization, keeping the network secure against intrusions, malware, and unauthorized access is vital. It is also critical that taxpayer money be used wisely and that IT security staff have the tools to respond to security events quickly and cost-effectively. For a number of years the lab had been searching for a network forensics solution that would:
Provide full packet capture with zero packet loss on their high-speed 10Gb networks
Scale to the amount of storage they required
Integrate with existing security tool sets (commercial and proprietary)
This solution was necessary because the traditional method of identifying the source of a security event was costly, inefficient, and time-consuming. It required the IT security department to first locate the hardware believed to be the source of the event, such as a computer propagating malware. They would then image that machine's hard drive, leaving the user without access to it for at least 16 hours. Once imaged, the security staff would interrogate the drive using traditional tools such as EnCase. This interrogation required an additional 35 man-hours, bringing the total time needed to identify the source of a security event to roughly 51 hours.
Best Deployment Scenario - Forensics Solution
Solution provided: Solera Networks was invited to participate in SuperComputing 2008 (SC08) in Austin, TX, and to add the Solera DS 5150 10Gb forensics appliance to the show's Network Operating Center (NOC). The lab had management responsibility for the NOC and wanted to test the DS 5150's ability to capture on a 10Gb network. The appliance was fed a steady stream of traffic of between 6 and 7 Gbps and captured everything without losing a single packet. The lab was amazed. Seeing that the appliance could create a lossless historical record of network traffic, they brought the box in-house for additional testing of its other components. With the appliance in place they are able to capture, filter, search, and replay all network traffic. The Solera DS 5150 provides the lab with:
Ultra-fast capture on 10Gb networks without losing a single packet
Up to 16 TB of storage on a single box (scalable to petabytes) to create a large window of captured traffic
Passive deployment through a network tap or span port that fits into any network undetected and without affecting network performance
Filtering capabilities to identify and capture only packets that meet desired criteria based on any piece of information found within the packet
Replay capabilities to regenerate traffic to other security tools for further analysis
PCAP delivery for analysis of captured data by many standard network analysis tools, including Wireshark, Snort, Pilot, etc.
Simple searching and navigation of captured traffic using browser-like search simplicity
Open Web Services APIs to integrate with existing tools that deliver alerts and benefit from the full context of the network traffic surrounding each alert
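The two capabilities above that do the investigative work, filtering captured packets on any field and handing the result to Wireshark or Snort as PCAP, are easy to show end to end. The script below is an added example and not Solera Networks code: it builds a small pcap file in memory from constructed Ethernet/IPv4/TCP frames (checksums left at zero, all addresses made up), decodes each record, keeps only the packets that match an analyst's criteria, and writes the hits back out as a pcap that any pcap-aware tool can open. The "suspect" address 198.51.100.7 is an assumed value standing in for an address pulled from an alert; listing which internal hosts contacted it is the same "how far did it spread" question the lab's analysts ask of the historical record.

```python
"""Filter a packet capture to an analyst's criteria and re-emit the hits as pcap.

Added example, not Solera Networks code. The sample capture is constructed
inline; 198.51.100.7 is an assumed 'suspect' address, not a real indicator.
"""
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble an Ethernet/IPv4/TCP frame. Checksums stay zero: parsers accept
    that and Wireshark merely flags it, which keeps the constructor short."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp


def build_pcap(packets: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) pairs: 24-byte global header, then a
    16-byte record header in front of every frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Walk the records of a classic pcap, yielding (timestamp, frame)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet/IPv4/TCP headers; anything else (ARP, UDP, truncated) gives None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                       # IPv4 protocol field: 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4
    return {"src_ip": ".".join(str(b) for b in frame[26:30]),
            "dst_ip": ".".join(str(b) for b in frame[30:34]),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def matches(meta: dict, dst_ip=None, dst_port=None, payload_contains=None) -> bool:
    """AND of whichever criteria were supplied, like a capture filter."""
    return ((dst_ip is None or meta["dst_ip"] == dst_ip)
            and (dst_port is None or meta["dport"] == dst_port)
            and (payload_contains is None or payload_contains in meta["payload"]))


def filter_pcap(data: bytes, **criteria) -> List[Tuple[float, bytes]]:
    """Return the (timestamp, frame) records whose decoded headers match."""
    hits = []
    for ts, frame in read_pcap(data):
        meta = parse_frame(frame)
        if meta is not None and matches(meta, **criteria):
            hits.append((ts, frame))
    return hits


def sources_talking_to(data: bytes, dst_ip: str) -> List[str]:
    """Which internal hosts reached the suspect address: the 'extent of spread' question."""
    return sorted({parse_frame(f)["src_ip"] for _, f in filter_pcap(data, dst_ip=dst_ip)})


# Constructed sample capture: two hosts reach the suspect address, plus one ARP frame.
SAMPLE_CAPTURE = build_pcap([
    (1.0, build_frame("10.0.0.12", "10.0.0.5", 51000, 80, b"GET /index.html HTTP/1.1\r\n")),
    (1.5, build_frame("10.0.0.12", "198.51.100.7", 51001, 8080, b"POST /upload HTTP/1.1\r\n")),
    (2.0, b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28),
    (2.5, build_frame("10.0.0.9", "198.51.100.7", 51002, 8080, b"POST /upload HTTP/1.1\r\n")),
])


def suspect_traffic() -> List[Tuple[float, bytes]]:
    """Everything sent to the suspect address, ready for build_pcap()."""
    return filter_pcap(SAMPLE_CAPTURE, dst_ip="198.51.100.7")


if __name__ == "__main__":
    hits = suspect_traffic()
    print(len(hits), "packets to 198.51.100.7 from", sources_talking_to(SAMPLE_CAPTURE, "198.51.100.7"))
    with open("suspect.pcap", "wb") as fh:   # open in Wireshark, or replay into Snort with -r
        fh.write(build_pcap(hits))
```

Run as a script it writes suspect.pcap containing only the two matching packets; the same filter/parse functions work on a real capture by replacing SAMPLE_CAPTURE with the bytes of a file written by tcpdump or an appliance's PCAP export. Only classic little-endian pcap is handled here; pcapng and big-endian files raise a ValueError rather than being silently misread.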
Summary: Identifying the source of a security event is no longer a costly, time-consuming exercise. Rather than spending up to 51 hours tracking down the suspected endpoint responsible for the event, the captured record of traffic tells the lab's analysts where the malware got in, where it went, and the extent of its spread throughout the organization, all in less than three hours of investigative work.
10713 South Jordan Gateway Suite 100
South Jordan UT 94095