Gartner Blog Network


Processes for Network Forensics

by Anton Chuvakin  |  February 15, 2013  |  3 Comments

Just as I did with SIEM and DLP, I wanted to explore the process (practice, procedure, workflow) side of network forensics tooling. So, my question is the same: what processes/practices are absolutely essential for effective use of a network forensics tool?

I can think of a few off the top of my head:

  1. incident response process (and, yes, I cringe as I write this, as it is so painfully obvious)
  2. indicator analysis process, which essentially means investigating a clue reported by a 3rd party, found in logs, raised by NIPS alerts, etc.
  3. process for defining and refining capture policies (which traffic is captured, where, and at what depth)
  4. process for defining and refining detection alerts (if the tool is also used for monitoring)
  5. data exploration process aimed at understanding what is going on or was going on, which may be driven by a threat hypothesis or other suspicions (see additional details on this here)

Other ideas!? Do you think #5 is the same as #2, perhaps?

P.S. BTW, check out this great piece called “The Security Processes You Must Get Right.”

P.P.S. While we are on the subject of network forensics, check out this excellent piece by one of the true network forensics literati.


Category: monitoring  network-forensics  security  

Tags: network-forensics  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Processes for Network Forensics


  1. Steve says:

    Probably part of #5, but look at the outliers. What is an outlier in your company? The 1%?

  2. Nrupak says:

    Hi,

    I believe this would also come along with other processes, or may be included in some of the above-mentioned processes.

    a. Process/Policies for retention

    – retention of data captured (logs/packets)
    – retention of evidence

    b. Process/Policies for retrieval

    I also think the below-mentioned points would be required; possibly these may be included in the above-mentioned processes.

    – Defining/Applying context to the captured data (i.e. either business context, technical context, or anything useful) – Possibly this is covered in #5

    – Process for defining a baseline for security alerts (#4, #2)

    With Regards,
    Nrupak D Shah

  3. @steve That’s a good point. Whatever outliers you define (rare, first-time-seen, occurring in unique combinations, etc.) are likely to be reviewed in #2, but what an outlier is gets defined in #5, based on explorations.

    @nrupak Thanks for a great comment. I like a separate process for *evidence* retention. Will check whether any NTF users have that separated as such.
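To make item #5 and the outlier discussion in the comments above concrete, here is an added example (not code from the original post, its comments, or any Gartner-covered product). It assumes the network forensics tool can export flow records as (timestamp, src, dst, dport, proto) tuples; that export format, the baseline set, the window under investigation, and the thresholds are all constructed for this illustration. The script computes the three outlier types named in the reply to Steve (first-time-seen pairs, never-seen ports, new src/port combinations) and then tests one explicit threat hypothesis, C2 beaconing, as regular-interval repetition of the same flow.

```python
"""Exploration of flow records for outliers and a beaconing hypothesis (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known-good" baseline flows: (src, dst, dport, proto). Hypothetical data.
BASELINE_FLOWS = [
    ("10.0.1.5", "93.184.216.34", 443, "tcp"),
    ("10.0.1.5", "10.0.0.2", 53, "udp"),
    ("10.0.1.7", "93.184.216.34", 443, "tcp"),
    ("10.0.1.7", "10.0.0.2", 53, "udp"),
    ("10.0.1.9", "10.0.0.10", 445, "tcp"),
]

# Constructed flows from the window under investigation: (ts, src, dst, dport, proto).
WINDOW_FLOWS = [
    (1000, "10.0.1.5", "93.184.216.34", 443, "tcp"),
    (1010, "10.0.1.5", "10.0.0.2", 53, "udp"),
    (1020, "10.0.1.7", "198.51.100.23", 4444, "tcp"),  # never-seen dst and port
    (1080, "10.0.1.7", "198.51.100.23", 4444, "tcp"),  # ...repeating every 60 s
    (1140, "10.0.1.7", "198.51.100.23", 4444, "tcp"),
    (1200, "10.0.1.7", "198.51.100.23", 4444, "tcp"),
    (1260, "10.0.1.7", "198.51.100.23", 4444, "tcp"),
    (1300, "10.0.1.9", "10.0.0.10", 445, "tcp"),       # known SMB flow
    (1350, "10.0.1.5", "10.0.0.10", 445, "tcp"),       # known host, known port, new pairing
]


def first_seen_pairs(window, baseline):
    """(src, dst) pairs present in the window but never in the baseline."""
    known = {(src, dst) for src, dst, _, _ in baseline}
    return sorted({(src, dst) for _, src, dst, _, _ in window} - known)


def new_ports(window, baseline):
    """Destination ports that no baseline flow ever used."""
    known = {dport for _, _, dport, _ in baseline}
    return sorted({dport for _, _, _, dport, _ in window} - known)


def new_combinations(window, baseline):
    """(src, dport) pairings never seen in the baseline: each element is familiar, the pairing is not."""
    known = {(src, dport) for src, _, dport, _ in baseline}
    return sorted({(src, dport) for _, src, _, dport, _ in window} - known)


def beacon_candidates(window, min_flows=4, max_jitter=0.1):
    """Threat hypothesis 'C2 beaconing': the same src->dst:dport/proto repeating at near-regular
    intervals. A flow group qualifies when it has at least min_flows records and the relative
    spread of its inter-arrival gaps (pstdev / mean) is at most max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, dport, proto in window:
        times[(src, dst, dport, proto)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_flows:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key)
    return sorted(hits)


def explore(window, baseline):
    """Run every exploration and return the findings keyed by outlier type."""
    return {
        "first_seen_pairs": first_seen_pairs(window, baseline),
        "new_ports": new_ports(window, baseline),
        "new_combinations": new_combinations(window, baseline),
        "beacon_candidates": beacon_candidates(window),
    }


if __name__ == "__main__":
    for kind, findings in explore(WINDOW_FLOWS, BASELINE_FLOWS).items():
        print(f"{kind}: {findings}")
```

Each function answers a different question, which is the point of keeping #5 separate from #2: the first three surface things to hand to indicator analysis, while the beaconing check starts from a hypothesis and looks for evidence of it. In practice the baseline would come from a longer retention window than the one being explored, which is where Nrupak's retention process feeds directly into exploration.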


