Network Forensics Appliance Buying Guide

Network Forensics Appliances can provide situational awareness and incident preparedness. In this buying guide, we examine the capabilities and features they offer so you can make the best buying decision.

By Lisa Phifer
Page 1 of 3

According to Gartner, organizations spent $145 million on network forensics last year, driven by the need to not just stop cyber criminals, but to learn when and where they succeeded. In this era of advanced persistent threats and laser-focused phishing, IPS and SIEM defenses are more essential than ever but still insufficient. When traditional defenses are inevitably breached, is your organization ready to react?

Network Forensics Appliances narrow this gap by delivering situational awareness and incident preparedness. Like a network DVR, these passive systems record and catalog every single bit that enters or exits a link. By delivering speedy-but-exhaustive full-packet replay, analysis and visualization, Network Forensics Appliances support cybercrime investigation, evidence gathering, impact assessment and clean-up.

In this buyer's guide, we examine the capabilities and features offered by Network Forensics Appliances. Although the specific needs of each organization differ, we look at questions that every buyer should ask when choosing advanced network infrastructure to enable forensic analysis.

Why network forensics?

During and after a suspicious event, digital forensics may be used to gather and examine evidence, providing insight into precisely what happened: where an incident originated, which systems may have been touched, what data may have been extracted and so on. In the wake of a costly breach, forensics experts may be called in, bringing both computer and network forensic tools with them. Gartner estimates that 70 percent of enterprises rely on third-party services to handle infrequent incidents that require forensic expertise.

But even experts are limited by the data available to them. Sifting through firewall, IPS and server logs can take investigators only so far. By definition, some of the traffic associated with each breach slipped through those defenses. Without a comprehensive record of network activity, it is hard to determine the true duration of a break-in or the extent of its damage. Even when forensic programs were installed on servers to log all system activity, some traffic sent by hacked or unmanaged devices is likely to have escaped detection.

Organizations that are risk-averse or frequent targets of high-stakes cybercrime – such as financial services – are most likely to invest in Network Forensics Appliances. Just as a storefront that is often robbed or can't afford theft might install surveillance cameras, organizations that require complete cyber threat visibility can install Network Forensics Appliances. In fact, market analysts expect recent escalation in attack frequency and impact to stimulate Network Forensics Appliance sales.

How the game is changing

Network Forensics Appliances have been around for a decade, deployed largely by high-security facilities (e.g., government). But changes to the threat landscape and products are now combining to spur enterprise interest and investment.

According to Nemertes Research, point products are no longer sufficient to protect today's perimeter-less, virtualized, distributed, multi-application and multi-device environment. "As the economy has shifted online, the primary motive of attackers has changed from seeking to showcase technical skills to economic gain with theft of identities and intellectual property," wrote analyst Johna Till Johnson. "Security technology is improving at an evolutionary pace, while threats are increasing at a revolutionary pace."

This article was originally published on Sep 16, 2011