Gartner Blog Network

Category: 'network-forensics' Blog Posts

Can I Detect Advanced Threats With Just Flows/IPFIX?

by Anton Chuvakin  |  July 21, 2016

Source IP. Destination IP. Source port. Destination port. Network protocol. Connection time. A bit more context data. Is this enough to detect “an advanced threat”? Before you jump to conclusions,...

Your SOC Nuclear Triad

by Anton Chuvakin  |  August 4, 2015

Let’s talk modern SOC tools. The analogy I’d like to use is that of a “Nuclear Triad” – a key cold war concept. The triad consisted of strategic bombers, ICBMs...

SIEM/ DLP Add-on Brain?

by Anton Chuvakin  |  February 27, 2015

Initially I wanted to call this post “SIEM has no brains”, but then questioned such harshness towards the technology I’ve been continuously loving for 13 years :-) In any case,...

Security Analytics - Finally Emerging For Real?

by Anton Chuvakin  |  January 12, 2015

Security analytics - a topic as exciting and as fuzzy as ever! My 2015 research year starts from another dive into this area. However, how can I focus on something...

Speaking at Gartner Security & Risk Management Summit 2014

by Anton Chuvakin  |  March 24, 2014

For those attending Gartner 2014 Security and Risk Management Summit (June 23-26, 2014 in Washington, DC), here is what I am presenting on: SIEM Architecture and Operational Processes Network and...

Our Network Forensics Paper Publishes

by Anton Chuvakin  |  July 1, 2013

Our paper on network forensics tools and practices (“Network Forensics Tools and Operational Practices” by Anton Chuvakin | Eric Maiwald) has just published. “Network forensics tools are valuable to some...

Alert-driven vs Exploration-driven Security Analysis

by Anton Chuvakin  |  May 20, 2013

Is alert-driven security workflow “dead”?! It is most certainly not. However, it is being challenged at some enlightened organizations that deploy SIEM, network forensics or other analytics technologies (notice how...

On Futility of Dead Packet Storage

by Anton Chuvakin  |  March 8, 2013

Think about it: if you typically detect compromised assets in 60 days after the attacker gets in (a great result, BTW, compared to published industry averages!) and you store packet...

Processes for Network Forensics

by Anton Chuvakin  |  February 15, 2013

Just as I did with SIEM and DLP, I wanted to explore the process (practice, procedure, workflow) side of network forensics tooling. So, my question is the same: what processes/practices...

Use Cases for Network Forensics Tools

by Anton Chuvakin  |  February 5, 2013

Most of the network forensics tool discussion focuses on two types of use cases. These are, on a high level: incident response and investigations of captured traffic, either related to...
