Posts Tagged “Network Forensics”

Feb 06 2008

Network Flow Data: What's the big deal?

Posted by: Ben Uphoff in NetFlow for Security, Network Forensics, network security, tags: , , , , ,

Most of my posts on BreachBytes are about using flow data, primarily NetFlow, for network security, incident response and network forensics on enterprise networks. I also tend to get rather technical most of the time. For this post I want to take a step back and answer the following question: what’s the big deal about network flow data? Let me try to answer this question in a single sentence:

“Network flow data, which can be generated by all enterprise routers, provides security analysts with real-time, long-term network visibility that can be used to prevent data leakage, defend against the insider threat and enhance incident response effectiveness.”

Key Points:

  1. Generated by all enterprise routers: The technology is in place, your network can generate flow data in some form.
  2. Real-time: Flow reporting can be near-real time depending on configuration.
  3. Network visibility: Most enterprises are essentially blind to their internal network (the Soft Gooey Center — good in candy, bad in networks).
  4. Long-term: Disk is cheap and flows are small, while still providing adequate information for a variety of network security tasks.

(more…)

Comments No Comments »

Jan 08 2008

Computer Forensics vs. Network Forensics

Posted by: Ben Uphoff in Network Forensics, tags: , ,

The security industry today is making big money on forensics. SANS alone has three different courses on the subject. Guidance Software has built a highly successful company by focusing solely on computer forensics. This is great but anyone that has ever done a computer forensic investigation knows that it is a time consuming, tedious process that is prone to human error. They also know that computer forensics is often not the end of an investigation but the beginning of a larger incident.

Often a computer forensic investigation will yield evidence showing that the compromised host was not an isolated compromise but part of something larger and nastier. This is where computer forensics meets network forensics. Surprisingly, the security industry is lagging far behind when it comes to network forensics. The focus has been on computer forensics but a shift towards network forensics in the industry is inevitable.

(more…)

Comments 1 Comment »