Network Forensics Appliance Buying Guide: Solera Networks - Page 2
Solera DeepSee uses speedy forensic data navigation to improve time-to-resolution
DeepSee accomplishes this by employing deep packet inspection to fingerprint applications and extract metadata (e.g., email addresses, subjects, file names). Solera OS 5.0 currently understands over 490 applications and can pivot on more than 5000 metadata attributes as search criteria to rapidly narrow the scope of an investigation. Even sessions otherwise obscured by SSL/TLS can be inspected if decrypted first by a product like Netronome SSL Inspector.
Efficient data navigation
DeepSee uses metadata to quickly search its massive packet database (or any supplied PCAP file), along with active reporting to speed result delivery. “We start displaying data very quickly; we don't wait for a report to finish processing,” said Hall. “You might find that preliminary results are enough to resolve [an incident] or cause you to head down a different path. Active reporting makes forensic investigations more efficient, reducing time-to-resolution.”
DeepSee applications are highly graphical, both summarizing and drilling into network traffic. For example, DeepSee automatically reassembles packets into sessions and extracts application artifacts, including web pages, email messages, IM texts, PDF and Word documents, PPT presentations, and images. These artifacts can be filtered, searched for keywords or displayed exactly as they were seen by the user who sent or received them, with the exception of unsafe objects. An investigator can browse and quickly eyeball exchanged images to spot forbidden content.
Similarly, DeepSee applications can filter packets based on IP address or country. An investigator can use this to spot anomalous traffic – either to/from unusual destinations, or in excess volume over a period of concern. But sometimes, one picture is worth a thousand words. DeepSee's geolocation panel can deliver a visual depiction of network traffic, plotted on maps or exported into Google Earth.
Solera customers use DeepSee for many reasons, ranging from incident response (including root cause analysis and outbreak/pathway analysis) to situational awareness (including near-real-time investigation of data loss due to suspected insider theft). Some customers use DeepSee to enforce Acceptable Use Policies – for example, gathering evidence of banned peer-to-peer downloads to support disciplinary action. DeepSee can also be used for Security Assurance, replaying traffic to validate security systems and deliver compliance reports.
According to Hall, DS appliances deliver top-notch performance and scalability, operating at line rate up to 10 Gbps -- see Meircom Labs test results [PDF]. But even smaller organizations will appreciate DeepSee's ability to churn quickly through large packet databases and captures to present highly-visual, actionable forensic data – especially when displayed in context, reached directly from other security systems.
To demonstrate the power of network forensics, Hall described a customer case study. Before deploying DeepSee, this US National Laboratory investigated malware outbreaks by locating infected PCs, imaging those hard drives and interrogating them with Encase. Roughly 51 hours was required to resolve each incident with this process. Since installing DeepSee, this lab has used network forensics to determine where malware entered, where it propagated and where remediation is required in less than 3 hours. "We're all about saving time and money," said Hall.
Bio: Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.