Network Forensics Appliance Buying Guide - Page 2

Network Forensics Appliances can provide situational awareness and incident preparedness. In this buying guide, we examine the capabilities and features they offer so you can make the best buying decision.

 By Lisa Phifer

As a result, Nemertes advises security teams to pursue more comprehensive threat protection: "Comprehensive in both scope (type and variety) and in time (starting even before a threat has been detected)," wrote Johnson. "Network forensics tools provide a natural starting point for this comprehensive functionality, as they serve to tie together data from all these products."

Network forensics tools that have expanded beyond their capture-and-store roots by integrating near-real-time capabilities have grown more powerful. "Merely analyzing packets doesn't convey effective insight into an attacker's strategy. The ultimate goal is to provide a comprehensive solution that paints the full source and scope of an attack, outlines prevention techniques and automates prevention in real time," she wrote.

Finally, technology improvements must be accompanied by human evolution. "It's no longer sufficient for a security team to provide [breach details] to colleagues and senior management," concluded Johnson. "The team must be prepared to translate the impact into business terms and risks." To this end, Network Forensics Appliances now often support applications designed to rapidly deliver actionable insight to HR, law enforcement, compliance officers and other users in addition to forensic experts.

Finding an appliance that fits

Organizations interested in network forensics should begin with expected use cases. Gartner sees four primary uses among its clients:

  1.  Post-incident analysis – After a suspicious event, packets recorded by a Network Forensics Appliance can be used to perform detailed analysis, correlation, signature-based classification and behavior inspection to isolate zero-day attacks. This is the traditional and most common reason to buy Network Forensics Appliances, and can include checking whether a recently patched bug was previously exploited.
  2.  On-demand investigation – In response to HR or legal requests, the same historical packet database can be used to extract, filter, visualize, and report upon all activities initiated by a user or system – for example, to investigate suspected insider abuse. This use is less common but growing along with Network Forensics speed and usability.
  3.  Compliance – During an audit, staff responsible for ensuring or proving regulatory compliance can use the Network Forensics database as a resource to spot network segmentation or data leaks and determine when and where they started. This is being driven by regulations like PCI, taking advantage of products that can quickly reconstruct and filter documents and messages.
  4.  Situational Awareness – Organizations that place a premium on real-time threat awareness can use Network Forensics to complement proactive in-line defenses by delivering deeper and more complete detail behind an IPS or SIEM alert. This historically limited use is now being expanded by improved security systems integration.


Determining which use cases are important to your organization can help justify acquisition and prioritize requirements. An organization focused on incident analysis may care little about canned compliance reports, while one driven by situational awareness may demand integration with a specific SIEM. And so on.


This article was originally published on Sep 16, 2011