Network Forensics for Governments

Threats to government networks have grown sharply over the past few years, with no sign of slowing down. As a result, government systems have been and will continue to be penetrated despite the billions of dollars spent every year on security countermeasures. The problem is not a lack of cybersecurity effort on the government's part, but the fact that no one can foresee every possible system vulnerability or defend against every possible attack. Critical systems will continue to be breached, and government agencies need to prepare for these attacks by keeping a forensic record of what happened on the network. Such a record lets network defenders check whether a newly disclosed vulnerability has already been exploited on their network, contain successful attacks quickly, mitigate the damage, and prevent the same exploit from succeeding again.
Challenge
Government organizations face the unique challenge of protecting information as a matter of national security, but they also face the same cybersecurity challenges that large enterprises contend with, including:
- Protecting the confidentiality, integrity and availability of data - in this case the data that keeps our nation operational, protected, and growing.
- Ensuring that personally identifiable information is not disclosed inappropriately or without the proper consent.
- Responding rapidly and efficiently to security incidents.
- Preventing data leakage.
- Monitoring content for inappropriate material or transactions.
- Keeping systems running and operational.
- Protecting the reputation and integrity of the organization.
Network Forensics - The Solution
Network Forensics Appliances from Solera Networks can help address each of these challenges by capturing, indexing, storing, and replaying all of the traffic on your network. This allows security analysts to see what has been accessed, who accessed it, where the data went, and everything that occurred on the network.
In addition to dealing with the security issues faced by all large organizations, United States federal agencies must also comply with a large and growing number of government-specific initiatives, mandates and laws such as FISMA, NIST SP 800-53, FIPS 200, DoD Instruction 8500.2, and others. Furthermore, integrating with and advancing the use of government security standards and initiatives such as ISAP, SCAP and NVD is critical to the success of our national security and important to leading agencies.
These regulations and initiatives, FISMA in particular but all of them to some extent, require each federal agency to implement security controls to counteract or minimize security risks before, during, and after security incidents.
There are a number of security products and technologies available that focus on security before an incident occurs. However, until recently there have been relatively few controls or defenses that operate effectively during or after an incident to support swift response. Network Forensics Appliances from Solera Networks now make it possible to address those two later phases of these regulations.
Everything that crosses a monitored network segment during an attack is captured and saved by Solera DS Network Forensics Appliances. Every data packet or session can be replayed and viewed by security analysts, so an attack discovered while it is still in progress can be watched essentially as it plays out. Who is logging in, what is being executed over remote-administration protocols, and what files are accessed, modified, or transmitted can all be viewed within seconds of their occurrence, to the extent those actions travel over the network in protocols the analyst can decode; for encrypted sessions the record still yields endpoints, timing and volume even when the content itself cannot be read. Attacks discovered after the fact can also be replayed in full fidelity to learn what happened and determine the true scope of the intrusion.
Implementing Network Forensics allows government agencies to address incidents during and after their occurrence. Combined with existing technologies such as firewalls, identification and authorization, antivirus, and others that are aimed at preventing incidents before they happen, agencies can now better address all three aspects of the required controls.
Problem:
A large government agency's firewall, IDS or IPS wasn't updated with the latest signatures. A new worm, virus or other malware shows up on the network. How do you identify the first infected system, and how is the breach resolved?
Solution:
Replay your stored network traffic through the updated system, or search the capture directly for the now-known signature, to uncover where the malware entered the network. Filtering on the signature narrows the history down to the earliest host that carried the payload and the path it took in. Take measures to close the breach and further update your layers of security to prevent it from happening again.
Result:
Get to the root cause of the intrusion and identify weak security points much faster. You don't have to wait for the same intrusion to happen again: you can identify the problem in a safe environment using historical traffic.
Problem:
One morning a government agency's network dashboard reveals abnormal network utilization during off-peak hours. How do you identify the root cause of the abnormal traffic?
Solution:
Replay the actual network traffic from the previous night and analyze it with the tools you already use, for example by breaking it down by source host, protocol and time of day to see which systems generated the unusual volume.
Result:
You don't have to wait for the abnormality to happen again and hope you are looking this time. The historical record reveals the actual occurrence and you make corrections before it happens again. Risk averted.
Problem:
A public school district has mandated strict public school network usage policies for both staff and students. You get a report that a staff member has been abusing the policies and viewing inappropriate content. How do you investigate, view his past history and obtain evidence?
Solution:
With a Solera Networks appliance, you simply replay traffic and filter on his MAC or IP address. Because addresses can be reassigned, confirm against DHCP lease or authentication logs that the address belonged to that person during the time window in question. With DeepSee, you can quickly uncover specific network activity and Internet use and recreate the actual pages to provide evidence of what was viewed.
Result:
You have an actual recording of the network traffic and offending content, so you have evidence to take action as needed. Export the relevant sessions, record their hashes and preserve chain of custody so the evidence holds up later. Announce your capability to record traffic to network users to provide a deterrent to others.
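The three scenarios above come down to the same handful of operations on a stored capture: search payloads for a known signature and find the earliest host that sent it, tally bytes per source to see who generated unusual volume, and pull every packet to or from one address. The block below is an added example written for this page, not Solera's product code and not DeepSee. It constructs a small capture in memory with a made-up signature (WORM-BEACON) and made-up hosts, parses it with a minimal libpcap reader that only understands the little-endian microsecond format carrying Ethernet/IPv4 with UDP or TCP on top, and runs those three queries. A real appliance indexes terabytes across every link type and protocol; this shows the logic, not the scale.

```python
"""Search a stored packet capture for a known signature, find the first
sender, total bytes per source, and list one host's activity.
Added example with a minimal libpcap parser; not Solera or DeepSee code."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Constructed signature for the example; not a real IDS rule.
SIGNATURE = b"WORM-BEACON"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, sport=40000, dport=80):
    """Ethernet/IPv4/UDP frame. Checksums are left zero: fine for offline
    parsing, not for transmission."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, _ip(src_ip), _ip(dst_ip)) + udp
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file
    (magic 0xA1B2C3D4, microsecond timestamps, LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per IPv4 packet. Supports only little-endian microsecond
    pcap and Ethernet/IPv4 with TCP or UDP; other frames are skipped."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic for this example")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue  # ARP, IPv6, truncated frames: not handled here
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length
        proto = frame[23]                 # IPv4 protocol field
        l4 = 14 + ihl
        if proto == PROTO_TCP:
            l4_len = (frame[l4 + 12] >> 4) * 4  # TCP data offset
        elif proto == PROTO_UDP:
            l4_len = 8
        else:
            l4_len = 0
        yield {
            "ts": sec + usec / 1_000_000,
            "src_mac": frame[6:12].hex(":"),
            "dst_mac": frame[0:6].hex(":"),
            "src_ip": ".".join(str(b) for b in frame[26:30]),
            "dst_ip": ".".join(str(b) for b in frame[30:34]),
            "payload": frame[l4 + l4_len:],
            "size": len(frame),
        }


def first_sender(packets, signature):
    """Scenario 1: earliest packet carrying the signature -> (timestamp, source IP)."""
    hits = [p for p in packets if signature in p["payload"]]
    if not hits:
        return None
    first = min(hits, key=lambda p: p["ts"])
    return first["ts"], first["src_ip"]


def bytes_by_source(packets):
    """Scenario 2: bytes sent per source IP, to spot who generated the volume."""
    totals = {}
    for p in packets:
        totals[p["src_ip"]] = totals.get(p["src_ip"], 0) + p["size"]
    return totals


def host_activity(packets, ip):
    """Scenario 3: every packet to or from one address, oldest first."""
    return sorted((p for p in packets if ip in (p["src_ip"], p["dst_ip"])),
                  key=lambda p: p["ts"])


# Constructed capture: 10.0.0.7 is the first host to emit the signature,
# 10.0.0.12 then relays it, and 10.0.0.5 only does benign web traffic.
CAPTURE = build_pcap([
    (1000.0, build_frame("00:11:22:33:44:05", "00:11:22:33:44:09",
                         "10.0.0.5", "10.0.0.9", b"GET /index.html")),
    (1001.5, build_frame("00:11:22:33:44:07", "00:11:22:33:44:0c",
                         "10.0.0.7", "10.0.0.12", b"\x90\x90" + SIGNATURE)),
    (1003.0, build_frame("00:11:22:33:44:0c", "00:11:22:33:44:14",
                         "10.0.0.12", "10.0.0.20", SIGNATURE + b"\x00")),
    (1004.25, build_frame("00:11:22:33:44:05", "00:11:22:33:44:09",
                          "10.0.0.5", "10.0.0.9", b"GET /about.html")),
])
PACKETS = list(parse_pcap(CAPTURE))

if __name__ == "__main__":
    print("first sender:", first_sender(PACKETS, SIGNATURE))
    print("bytes by source:", bytes_by_source(PACKETS))
    print("10.0.0.12 activity:",
          [(p["ts"], p["src_ip"], p["dst_ip"]) for p in host_activity(PACKETS, "10.0.0.12")])
```

To run this against a real file, replace CAPTURE with the bytes of a pcap written by tcpdump or a similar tool, and take the signature from the updated IDS rule rather than a constant; anything the parser does not recognise (other link types, the nanosecond pcap variant, pcapng) is deliberately out of scope here.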