Given today’s increasingly commercial threat landscape, network defenses are almost inevitably breached. To support incident investigation, evidence gathering, impact assessment, and clean-up, Network Forensics Appliances deliver full-packet recording, in-depth analysis, event reconstruction, visualization and reporting.
In this EnterpriseNetworkingPlanet Network Forensics Appliance buyer’s guide, we look at how Solera Networks DeepSee lets security teams quickly navigate massive volumes of network forensic data. By issuing ad hoc queries or pivoting directly from IPS and SIEM dashboards, DeepSee users can efficiently glean investigative details needed to resolve security incidents and identify their consequences.
Delivering actionable insight – fast
According to marketing director Alan Hall, Solera customers use DeepSee to tackle both day-to-day and advanced persistent threats. “Today, attackers know who we are and what we have. They use multi-vector attack methods like social media phishing linked to malware. They morph identities and use non-standard ports to evade detection,” he said.
“When attacks occur, network security teams need to know who did it, how they did it, and what systems were impacted,” said Hall. “Too often, the answer is: We don’t know. DeepSee addresses this by arming customers with complete, clear, concise information about attacks. If you have the right data, you can minimize loss and fortify your network against further attack.”
Specifically, DeepSee is a network forensics platform for visualizing and understanding suspicious activity. According to Hall, there are three keys to enabling effective forensic investigation. “First, you must collect it all; [traffic] sampling is not enough. Second, if you’re going to create a haystack of data, you must provide an easy way to get to it. Third, you must efficiently analyze that data to detect attacks.”
Post-event incident analysis is the most common use of network forensics, but proactive situational awareness (tracking a threat as it unfolds) can deliver higher value. “For this use, capturing data at high rates and indexing to speed access are critical,” he said. “Some customers are capturing close to a petabyte; we can turn that data into actionable insight.”
Under the covers
Solera’s approach starts with dedicated DS appliances. All DS appliances run the Solera OS, optimized for high-speed network packet capture, storage and playback by using proprietary disk management and a patented technology that compresses data 10-fold while simultaneously indexing it for rapid retrieval.
- For smaller venues, the DS 1200 uses four copper or fiber Gb ports to capture up to 2 Gbps of passing traffic, saved on 3TB of internal storage.
- For mid to large organizations, the DS 3200 uses eight Gb ports to capture at peak rates up to 5 Gbps (3 Gbps sustained) on 12TB of redundant internal storage.
- For even larger networks, the DS 5200 uses two 10 Gb SFP ports and four 1 Gb ports to double peak capture rate while bumping internal storage to 16TB.
- Where further extensibility is required, Solera’s flagship DS H200 captures traffic at 10 Gbps, storing as much as 200TB on external DS storage units (20TB each).
In addition, Solera sells a DS Virtual Appliance that captures up to 1 Gbps of traffic when installed on any VMware ESX server with 2TB of storage. “We have customers with multiple offices each using a DS VM, along with one of our larger DS appliances in their data center,” said Hall. “Our DS C200 centralized management console can manage all of our appliances and perform forensic data searches across appliances.”
Pivoting into applications
All DS appliances include Solera’s entire set of DeepSee applications. “Our customers use best of breed security tools; DeepSee integrates with [those tools] to add very important historical and near-real-time look-back capability,” explained Hall.
Specifically, the DeepSee application dashboard can be launched from several popular IPS and SIEM products, including ArcSight ESM, FireEye, Palo Alto Networks, Q1 QRadar, Snorby, SonicWALL, Sourcefire and Splunk. In addition, a Firefox plug-in can drill into DeepSee from any IP address or port number shown on a third-party web page, such as an HTML-formatted server log or an RSA EnVision alert.
“All those tools use signature alerting or behavioral analysis to alert you to fishy traffic. We give you the ability to do deeper dive investigation [by] pivoting directly into DeepSee,” he explained. “Our applications allow you to make sense of packets captured by a DS appliance, letting you see what happened 5 minutes before or after an alert, etc.”
DeepSee accomplishes this by employing deep packet inspection to fingerprint applications and extract metadata (e.g., email addresses, subjects, file names). Solera OS 5.0 currently understands over 490 applications and can pivot on more than 5000 metadata attributes as search criteria to rapidly narrow the scope of an investigation. Even sessions otherwise obscured by SSL/TLS can be inspected if decrypted first by a product like Netronome SSL Inspector.
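The alert pivot and metadata pivot described above, as an added example that is not Solera's code: a small Python index over constructed session metadata records (the kind of per-session attributes a DPI engine would extract) that answers "what did this host do five minutes either side of the alert" and then pivots on one extracted attribute across every session in the store.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for DPI-extracted session metadata:
# (start time UTC, client, server, fingerprinted app, extracted attributes).
SESSIONS = [
    ("2012-03-01T10:01:00", "10.1.1.5", "203.0.113.9", "smtp", {"file": "invoice.pdf"}),
    ("2012-03-01T10:03:30", "10.1.1.5", "198.51.100.7", "http", {"file": "update.exe"}),
    ("2012-03-01T10:04:10", "10.1.1.5", "198.51.100.7", "dns", {"host": "cdn.example.net"}),
    ("2012-03-01T10:12:00", "10.1.1.5", "192.0.2.44", "http", {"file": "news.html"}),
    ("2012-03-01T10:05:00", "10.1.1.8", "198.51.100.7", "http", {"file": "update.exe"}),
    ("2012-03-01T09:50:00", "10.1.1.8", "192.0.2.44", "http", {"file": "index.html"}),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def build_index(sessions):
    """Index sessions by host (either endpoint) in time order, so a window
    query is two bisections rather than a scan of the whole packet store."""
    by_host = defaultdict(list)
    for rec in sessions:
        ts = parse_ts(rec[0])
        for host in (rec[1], rec[2]):
            by_host[host].append((ts, rec))
    for entries in by_host.values():
        entries.sort(key=lambda e: e[0])
    return by_host

def lookback(index, host, alert_ts, seconds=300):
    """Sessions involving `host` from `seconds` before to `seconds` after the
    alert time: the 'what happened around the alert' view a SIEM pivot needs."""
    center = parse_ts(alert_ts)
    lo, hi = center - timedelta(seconds=seconds), center + timedelta(seconds=seconds)
    entries = index.get(host, [])
    keys = [e[0] for e in entries]
    return [e[1] for e in entries[bisect_left(keys, lo):bisect_right(keys, hi)]]

def pivot(sessions, attr, value):
    """Pivot on one extracted attribute across all sessions, e.g. every host
    that fetched the same file name first seen inside the alert window."""
    return [rec for rec in sessions if rec[4].get(attr) == value]
```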
Efficient data navigation
DeepSee uses metadata to quickly search its massive packet database (or any supplied PCAP file), along with active reporting to speed result delivery. “We start displaying data very quickly; we don’t wait for a report to finish processing,” said Hall. “You might find that preliminary results are enough to resolve [an incident] or cause you to head down a different path. Active reporting makes forensic investigations more efficient, reducing time-to-resolution.”
DeepSee applications are highly graphical, both summarizing and drilling into network traffic. For example, DeepSee automatically reassembles packets into sessions and extracts application artifacts, including web pages, email messages, IM texts, PDF and Word documents, PPT presentations, and images. These artifacts can be filtered, searched for keywords or displayed exactly as they were seen by the user who sent or received them, with the exception of unsafe objects. An investigator can browse and quickly eyeball exchanged images to spot forbidden content.
Similarly, DeepSee applications can filter packets based on IP address or country. An investigator can use this to spot anomalous traffic – either to/from unusual destinations, or in excess volume over a period of concern. But sometimes, one picture is worth a thousand words. DeepSee’s geolocation panel can deliver a visual depiction of network traffic, plotted on maps or exported into Google Earth.
Solera customers use DeepSee for many reasons, ranging from incident response (including root cause analysis and outbreak/pathway analysis) to situational awareness (including near-real-time investigation of data loss due to suspected insider theft). Some customers use DeepSee to enforce Acceptable Use Policies – for example, gathering evidence of banned peer-to-peer downloads to support disciplinary action. DeepSee can also be used for Security Assurance, replaying traffic to validate security systems and deliver compliance reports.
According to Hall, DS appliances deliver top-notch performance and scalability, operating at line rate up to 10 Gbps – see Miercom Labs test results [PDF]. But even smaller organizations will appreciate DeepSee’s ability to churn quickly through large packet databases and captures to present highly visual, actionable forensic data – especially when displayed in context, reached directly from other security systems.
To demonstrate the power of network forensics, Hall described a customer case study. Before deploying DeepSee, this US National Laboratory investigated malware outbreaks by locating infected PCs, imaging their hard drives and interrogating the images with EnCase. Roughly 51 hours was required to resolve each incident with this process. Since installing DeepSee, the lab has used network forensics to determine where malware entered, where it propagated and where remediation is required in less than 3 hours. “We’re all about saving time and money,” said Hall.
Bio: Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.