Gartner Blog Network

Category: 'network-forensics' Blog Posts from the Gartner Blog Network

Network Anomaly Detection Track Record in Real Life?

by Anton Chuvakin  |  October 15, 2018

As I allude here, my long-held impression is that no true anomaly-based network IDS (NIDS) has ever been successful commercially and/or operationally. There were some bits of success, to be...

Can We Have NDR, Please?

by Anton Chuvakin  |  September 28, 2018

We have EDR (thanks Anton!), but can we also have NDR – if only to make the world of acronyms more consistent? Instead, today we have NIDS (detection that is...

Can I Detect Advanced Threats With Just Flows/IPFIX?

by Anton Chuvakin  |  July 21, 2016

Source IP. Destination IP. Source port. Destination port. Network protocol. Connection time. A bit more context data. Is this enough to detect “an advanced threat”? Before you jump to conclusions,...

Your SOC Nuclear Triad

by Anton Chuvakin  |  August 4, 2015

Let’s talk modern SOC tools. The analogy I’d like to use is that of a “Nuclear Triad” – a key cold war concept. The triad consisted of strategic bombers, ICBMs...

SIEM/ DLP Add-on Brain?

by Anton Chuvakin  |  February 27, 2015

Initially I wanted to call this post “SIEM has no brains”, but then questioned such harshness towards the technology I’ve been continuously loving for 13 years :-) In any case,...

Security Analytics - Finally Emerging For Real?

by Anton Chuvakin  |  January 12, 2015

Security analytics - a topic as exciting and as fuzzy as ever! My 2015 research year starts from another dive into this area. However, how can I focus on something...

Speaking at Gartner Security & Risk Management Summit 2014

by Anton Chuvakin  |  March 24, 2014

For those attending Gartner 2014 Security and Risk Management Summit (June 23-26, 2014 in Washington, DC), here is what I am presenting on: SIEM Architecture and Operational Processes Network and...

Our Network Forensics Paper Publishes

by Anton Chuvakin  |  July 1, 2013

Our paper on network forensics tools and practices (“Network Forensics Tools and Operational Practices” by Anton Chuvakin | Eric Maiwald) has just published. “Network forensics tools are valuable to some...

Alert-driven vs Exploration-driven Security Analysis

by Anton Chuvakin  |  May 20, 2013

Is alert-driven security workflow “dead”?! It is most certainly not. However, it is being challenged at some enlightened organizations that deploy SIEM, network forensics or other analytics technologies (notice how...

On Futility of Dead Packet Storage

by Anton Chuvakin  |  March 8, 2013

Think about it: if you typically detect compromised assets in 60 days after the attacker gets in (a great result, BTW, compared to published industry averages!) and you store packet...