One of my research projects this quarter will be focused on a really, really exciting subject: network forensics. While we will likely formally define it in the course of our research, I wanted to briefly explore it in this blog post. As I understand it now, “network forensics” today exists at the confluence of several essential capabilities:
- full packet capture at massive scale and in compliance with digital evidence rules
- retention of data for days or longer
- fast access to captured data via search and other tools
- packet header analysis, including summarizing and trending the network activity
- packet contents analysis across protocols, including file extraction, session viewing and application protocol analysis.
Since I just landed in the realm of network forensics from the realm of DLP, the last of the needs – content analysis – needs to be kept in focus here as well. It is not only about the packet headers, however fun those may be. Binary extraction, image preview, document searches all play a major role in network forensics tool use cases.
It is also helpful to point out what network forensics tools are not:
- not Netflow capture and analysis (NBAD) tools
- not NIDS/NIPS packet capture based on alerts
- not DLP, even though DLP tools may capture and analyze files
- not SIEM, even though some SIEM vendors are exploring full-packet capture functionality.
(as you can guess, network forensics tools have pockets of overlapping functions with all of the above, but they are not the same in either their mission or their overall capabilities)
Furthermore, as I am starting to look into this, one startling realization looms: while few organizations do it, much fewer do it well. In any case, we will be working on a detailed guidance (GTP style) on network forensics operational practices and using network forensics tools effectively.
So, here is my next call to action:
- Vendors with network forensics tools, got anything to say about it? Here is a briefing link … you know what to do.
- Enterprises, got a network forensics story – either about tool deployment or operations – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
- Network forensics-focused consultants [yes, that probably just means you Rocky ], got a story (“inspired by” your recent project) to share? I’d love to hear it as well!