Introduction

If an organization is at risk of data leakage, needs to do behavioral analysis, collect business intelligence or reconstruct network sessions, a first step should be installing a comprehensive network surveillance system. Solera Networks offers the industry's most robust network packet record and stream-to-storage technology to support a network forensics solution. Solera Networks' scalable deep packet capture and stream-to-storage appliances provide the ability to see, discover and analyze everything that crosses a network. It is a different way to protect data: prevention of data leakage through accountability and deterrence, and a platform for performing deep network analysis.


DATA LEAKAGE

According to Gartner Inc., more than 80 percent of high-cost security incidents occur when data from inside the organization gets out. "Most data leakage occurs by accident or because of poor business processes," says Rich Mogull, a research director at Gartner. "Whether accidental or malicious, security breaches from inside the company aren't addressed by the bulk of security dollars spent on technology that addresses the perimeter of the network."

Question 1: How much critical data is there on the network and where is it going? The short list of common data types that an organization can't afford to have leaking from the network includes: social security numbers, financial documents, customer lists, credit card numbers, business plans, personal employee information, and more.

Question 2: What are all the ways that this critical data can be leaked from the network? Pathways leaving a network include email (SMTP, IMAP and webmail over HTTP), FTP transfer, HTTP transfer, copying to laptops or portable devices, instant messaging, as well as more calculated and concealed methods.

Question 3: How can an organization effectively monitor and control data leakage, given the dispersion of critical data and the many exit conduits for data transfer?

Answer: Solera Networks' DS Series packet capture appliance. Rather than trying to locate, monitor and then plug every possible egress avenue one at a time, the best leakage prevention starts with a comprehensive network surveillance system: a solution that shows where every bit of data was transferred, meaning what moved, where it moved and who moved it. That creates real accountability for data leakage and emphasizes prevention through deterrence. This capability relies on Solera Networks' ability to inexpensively capture and store every packet that crosses a network, and it should play a major role in any network security strategy.

Today's enterprise organizations rely on digital assets that must be protected from unauthorized access or dispersion. The costs of data leakage are well documented and include not only loss of value, intellectual property and customers, but also government sanctions and fines for noncompliance with data privacy regulations.

Traditional approaches such as firewalls or network and application authentication schemes protect against many outside perpetrators. However, according to Gartner Inc., more than 70 percent of high-cost security incidents occur when data from inside the organization gets out—employees (accidentally or maliciously) emailing customer lists to competitors, leaking product road maps to press, messaging internal memos or financial information to friends or family. What can an organization do to protect against this type of internal threat?

The answer is, establish a comprehensive monitoring system—something that ensures every bit of information that gets transmitted on a network is recorded. Similar to a video surveillance system, a network monitoring system watches everything in motion on the network...not just what someone thinks might be at risk. In practically all cases, data at risk is transferred on the network and therefore recorded on the network surveillance system.

BEHAVIORAL ANALYTICS, BUSINESS INTELLIGENCE, SESSION RECONSTRUCTION

With the recorded data, an organization can use a myriad of tools to perform analysis, collect intelligence and reconstruct network sessions.

A comprehensive network monitoring system based on Solera Networks technology provides a wide range of flexibility on two fronts:

1. It provides the ability to analyze network behavior and look for any type of anomaly or activity, not just those that are suspected or pre-defined as a source for data leakage. Efforts to define specific at-risk data types and leakage scenarios have spawned hundreds of policy templates, and yet the list of threat scenarios continues to grow. Solera Networks' packet capture, record and playback technology ensures that any type of activity (any protocol, any data type, any destination, unintentional or malicious) will be captured. Often, IT managers and security officers do not know what to look for until the leak is exposed. A complete record of all network traffic takes the guesswork out of deciding what to look for and record.

2. After-the-fact analysis and forensics are possible using the complete record of all network traffic, providing the ability to verify conclusions or test assumptions against actual data. Playback displays actual activity filtered by time, data type, protocol, or based on custom policies and analytics. Think of it as live video surveillance, combined with TiVo™ record and playback, plus added hooks for search, forensics, and analysis. Capturing all of the evidence for after-the-fact forensics and analysis eliminates the need to know what to look for in advance.

FORENSICS/ANALYTICS EXAMPLES

AUDITS

Use Solera to prove compliance. With a comprehensive audit trail, it's easy to show:

  • No transfers were made to questionable destinations
  • All access to sensitive content was authorized
  • Communications between parties did or didn't occur

LEAKAGE DISCOVERY/DETERRENCE

  • Use Solera to discover existing data leaks.
  • Reconstruct HTTP sessions just as they occurred
  • Trace email messages including attachments
  • Monitor and assess leakage without alerting offending parties
  • Deter intentional or reckless data transfer with visible monitoring policies
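What "reconstruct HTTP sessions just as they occurred" involves in practice, as an added example that is not Solera Networks code: the client-to-server half of a captured TCP connection is put back in sequence-number order (retransmissions and out-of-order delivery are normal in a capture), the HTTP request is parsed, and the uploaded file is pulled out of the multipart body. The capture below is constructed; the host name files.example.com, the sequence numbers and the customers.csv content are made up.

```python
"""Reassemble one direction of a captured TCP stream and pull the uploaded
file out of an HTTP multipart POST. Added example, not Solera Networks code.
The capture below is constructed: host name, file contents and sequence
numbers are made up, and the segments arrive out of order with one repeat."""
import re

FILE_CONTENT = b"name,card_last4\nAlice,4242\nBob,1881\n"
BODY = (b"--xyz\r\n"
        b'Content-Disposition: form-data; name="f"; filename="customers.csv"\r\n'
        b"Content-Type: text/csv\r\n\r\n" + FILE_CONTENT + b"\r\n--xyz--\r\n")
REQUEST = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
           b"Content-Type: multipart/form-data; boundary=xyz\r\n"
           b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)


def split_into_segments(data, isn, sizes):
    """Cut a byte stream into TCP segments carrying correct sequence numbers;
    whatever is left after `sizes` becomes the final segment."""
    segs, off = [], 0
    for n in list(sizes) + [len(data)]:
        chunk = data[off:off + n]
        if not chunk:
            break
        segs.append((isn + off, chunk))
        off += len(chunk)
    return segs


def captured_segments():
    """Constructed capture of the client->server half of the session:
    segment 2 arrives after segment 3, and segment 2 is retransmitted."""
    s = split_into_segments(REQUEST, 0x1000, [40, 60, 50])
    return [s[0], s[2], s[1], s[1], s[3]]


def reassemble(segments):
    """Order segments by sequence number and drop bytes already delivered,
    as the receiving TCP stack does before handing data to the application."""
    out, expected = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq + len(payload) <= expected:
            continue                              # pure retransmission
        if seq < expected:                        # partial overlap: keep the new tail
            payload, seq = payload[expected - seq:], expected
        if seq > expected:
            raise ValueError(f"gap in stream at seq {expected:#x}")
        out += payload
        expected = seq + len(payload)
    return bytes(out)


def parse_http_request(stream):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_multipart_files(headers, body):
    """Return {filename: bytes} for every file part of a multipart/form-data body."""
    m = re.search(rb"boundary=([^;\s]+)", headers.get(b"content-type", b""))
    if not m:
        return {}
    boundary = b"--" + m.group(1)
    files = {}
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):
            break                                 # closing boundary
        part = part[2:-2]                         # CRLF after boundary, CRLF before next
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]*)"', part_head)
        if fn:
            files[fn.group(1).decode()] = part_body
    return files


def reconstruct_upload(segments):
    """End to end: segments -> byte stream -> HTTP request -> uploaded files."""
    _, headers, body = parse_http_request(reassemble(segments))
    return extract_multipart_files(headers, body)


if __name__ == "__main__":
    for name, content in reconstruct_upload(captured_segments()).items():
        print(name, len(content), "bytes")
```

The reassembly step is where evidence quality is decided: a reconstruction that silently skips a gap or keeps the first copy of an overlapping segment can show a different file than the server actually received, so the function refuses to continue across a gap rather than guessing.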

NETWORK ANALYSIS

Use captured data to analyze behavior and pinpoint possible harmful behavior or reconstruct an offending activity for use as forensic evidence.

COMMON DATA LEAKS

  • social security numbers
  • credit card numbers & expiration dates
  • confidential internal memos
  • customer lists
  • financial documents
  • business plans
  • legal documents
  • marketing plans
  • product road maps
  • phone numbers & addresses
  • drivers license numbers
  • account numbers, balances & passwords
  • service or membership codes
  • medical records
  • insurance policies
  • corporate financial data
  • details on mergers & acquisitions
  • internal web postings & chats
  • trade secrets/ intellectual property details
  • source code
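Several of the data types above (card numbers, social security numbers) have a recognizable shape, which is what lets a scan over reconstructed payloads flag them. As an added example that is not Solera Networks code, the following scanner runs over a constructed outbound message; the patterns are deliberately narrow (US SSN format, 13 to 19 digit card numbers that pass the Luhn checksum) so that phone numbers and order references do not trip them.

```python
"""Scan a reconstructed payload for the data types listed above. Added example,
not Solera Networks code. The message is constructed; the patterns are narrow
on purpose (US SSN format, 13-19 digit card numbers that pass Luhn) so that
phone numbers and order IDs do not trip them."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not glued to other digits
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the never-issued area/group/serial values excluded
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    return SSN_RE.findall(text)


def scan_payload(text):
    """Return the sensitive values found, keyed by type, for the alert or ticket."""
    return {"card_numbers": find_card_numbers(text), "ssns": find_ssns(text)}


# Constructed outbound message: one valid card number, one decoy digit run,
# one SSN and one value in SSN shape that was never issued.
SAMPLE_MESSAGE = (
    "From: alice@corp.example\nTo: friend@example.net\nSubject: numbers\n\n"
    "Call me on 801-555-0142. Card 4242 4242 4242 4242 exp 12/27, "
    "order ref 1234567890123456, SSN 123-45-6789 (not 000-12-3456)."
)

if __name__ == "__main__":
    print(scan_payload(SAMPLE_MESSAGE))
```

In a real deployment the scan runs over payloads after protocol decoding (the HTTP body, the decoded email attachment), not over raw packets, because a card number split across two TCP segments or base64-encoded in a MIME part never matches a regex applied to the wire bytes.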



WHY SOLERA NETWORKS?


Solera Networks' line of deep packet capture and stream-to-storage devices is industry-best in everything from performance to openness to versatility. As a key component of any network forensics strategy, Solera Networks devices are designed from the ground up with the following features:

SPEED & PERFORMANCE

THE HIGHEST CAPTURE & STREAM-TO-STORAGE SPEED AVAILABLE

Few capture devices actually capture ALL network traffic, including payload. Solera Networks' devices have the industry's highest line capture rates (up to 8.1 Gbps, with configurations available for full 10 Gbps). Capture is comprehensive (the entire stream), lossless, and based on Solera Networks' proprietary and patented file system.

Playback for analysis is possible at full line rate within 1 microsecond of capture. This provides the advantage of real-time analysis without any network impact, eliminating the overhead associated with running network monitoring tools directly in the production environment. Instead of expensive server-side logging or added bandwidth to support monitoring of the traffic, simply replay to a separate analysis segment for analysis by multiple tools (see diagram). Because the Solera Networks appliance supports multiple regenerated streams concurrently, organizations can have analytical tools, data leakage prevention solutions, intrusion detection systems, and performance management software reviewing identical traffic without fear of network degradation.

SECURITY

ANONYMOUSLY RECORD NETWORK TRAFFIC

Solera Networks' proprietary encryption satisfies chain-of-custody evidentiary rules regarding the manner in which data is captured and stored. Solera Networks captures data and streams it to storage in a format that cannot be altered undetected: the proprietary on-disk format means that any attempt to edit, alter, or otherwise modify the record will be evident. Moreover, Solera Networks' devices can be configured to have no IP address, making them invisible on the network they monitor. Simply connect to a port and listen passively.
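Whatever the on-disk format, an examiner or opposing expert will want an integrity check that can be re-run independently of the capture vendor: a digest of each capture file recorded at capture time, with the list of digests signed by a key the capture box itself does not hold. The following is an added example of that practice, not Solera Networks code; the key, file name and pcap contents are constructed, and a production deployment would keep the signing key with the custodian (an HSM or offline key) rather than in the script.

```python
"""Tamper-evident manifest for capture files: SHA-256 per file, the list of
digests signed with an HMAC key held off the capture box. Added example, not
Solera Networks code. Key, file name and file contents are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
import time


def digest_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte captures do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, key, captured_at=None):
    """Hash every capture file and sign the list. The key would be the
    custodian's, never stored on the appliance (constant here for the demo)."""
    entries = {os.path.basename(p): {"sha256": digest_file(p), "bytes": os.path.getsize(p)}
               for p in paths}
    body = json.dumps({"captured_at": captured_at or time.time(), "files": entries},
                      sort_keys=True).encode()
    return {"body": body, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, directory, key):
    """Return (signature_ok, {filename: digest_matches}). A bad signature means the
    manifest itself is not trustworthy, so no per-file result is reported."""
    expected = hmac.new(key, manifest["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(manifest["hmac"], expected):
        return False, {}
    files = json.loads(manifest["body"])["files"]
    return True, {name: digest_file(os.path.join(directory, name)) == meta["sha256"]
                  for name, meta in files.items()}


def demo():
    """Sign one constructed capture file, verify it, then alter a single byte
    (the kind of 'corrected timestamp' edit a manifest must expose)."""
    key = b"custodian-key-kept-off-the-capture-box"          # constructed
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "seg-0001.pcap")
        with open(p, "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 60)     # pcap magic plus filler, not real traffic
        manifest = build_manifest([p], key)
        _, before = verify_manifest(manifest, d, key)
        with open(p, "r+b") as f:
            f.seek(40)
            f.write(b"\xff")                                  # one-byte edit
        _, after = verify_manifest(manifest, d, key)
        sig_ok, _ = verify_manifest(manifest, d, b"attacker-key")   # forged key is rejected outright
    return before["seg-0001.pcap"], after["seg-0001.pcap"], sig_ok


if __name__ == "__main__":
    print(demo())                                            # (True, False, False)
```

The manifest is what gets printed, dated and attached to the evidence log; anyone with the key and the files can reproduce the check without the appliance, which is the property chain-of-custody rules actually ask for.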

OPENNESS

INTEGRATES WITH HUNDREDS OF OTHER APPLICATIONS

Solera Networks' captured data can be made accessible to various intrusion detection systems. Captured network traffic can be exposed to external appliances and applications by three primary methods: a VFS (virtual file system) exposing pcap-formatted files, a virtual network interface (Ethernet) device, or a regenerated stream of packets to external network segments feeding external appliances or applications. Solera Networks also integrates with iSCSI and Fibre Channel, providing a myriad of options for external storage.

SCALABLE

CAPACITY FOR SMALL BUSINESS TO ENTERPRISE OR GOVERNMENT AGENCY

Recording capacity scales to the largest of operations, with the ability to store up to 576 TB of data on Solera Networks archive appliances, or limitless external storage. Additionally, Solera Networks can capture on up to ten different ports, enabling consolidation or expansion of monitoring operations across multiple segments; this includes the ability to consolidate asymmetrically routed traffic flows. Finally, Solera Networks' file storage and caching mechanisms provide continuous recording in which the newest data overwrites the oldest, eliminating storage overflow.

MULTIPLE OPTIONS TO FIT ANY SIZE ORGANIZATION


SIMPLE

EASY TO DEPLOY, CONFIGURE AND USE

Simply plug in and turn on. Solera Networks devices connect to your network via copper or SX fiber cables using either a SPAN (switched port analyzer, i.e. port mirror) port or a network TAP. A built-in web-based interface guides you through setup of capture/playback filters and allows you to specify time periods and session filters based on filtering or monitoring policies.

VERSATILE

USE FOR FORENSICS/ANALYTICS, NETWORK SECURITY, LAWFUL INTERCEPT, AND NETWORK MANAGEMENT

Forensics/Analytics is only one area where Solera Networks solutions have been effectively implemented. With full capture and playback capabilities combined with other analysis tools, Solera Networks can provide a comprehensive historical engine for network security, lawful intercept, and network management. In addition to reconstructing communications (browser sessions, VoIP phone calls, instant messages or email), Solera Networks solutions can be used to detect intrusions (for example, port scanning spread out over time) and to determine sources of high bandwidth use or erratic activity.
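Port scanning spread out over time is exactly the case a full historical record helps with: a scanner that touches one port every twenty seconds never exceeds any per-minute threshold, but stands out as soon as distinct targets are counted over a longer sliding window. The following detector is an added example run over constructed flow records, not Solera Networks code; the hosts 10.0.0.5, 10.0.0.8 and 10.0.0.9 and their traffic are made up, and the thresholds are illustrative.

```python
"""Slow port-scan detection over flow records extracted from a capture.
Added example, not Solera Networks code. Flow records are constructed:
(timestamp_seconds, src_ip, dst_ip, dst_port)."""
from collections import Counter, defaultdict, deque


def detect_port_scans(flows, window_s=600, min_targets=20):
    """Count distinct (dst, port) pairs each source touched inside a sliding
    window; report the first moment a source crosses `min_targets`.
    Returns {src: (timestamp, distinct_targets_at_that_moment)}."""
    recent = defaultdict(deque)       # src -> (ts, (dst, port)) still inside the window
    targets = defaultdict(Counter)    # src -> how many in-window flows per (dst, port)
    alerts = {}
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        q, c = recent[src], targets[src]
        while q and q[0][0] <= ts - window_s:          # expire flows older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        q.append((ts, (dst, port)))
        c[(dst, port)] += 1
        if len(c) >= min_targets and src not in alerts:
            alerts[src] = (ts, len(c))
    return alerts


# Constructed flows covering about 17 minutes:
#   10.0.0.5 walks ports 1..50 on 10.0.1.7, one port every 20 s (the slow scan)
#   10.0.0.8 talks to 10.0.1.7:443 every 15 s (busy but harmless)
#   10.0.0.9 touches five services two minutes apart (an admin host)
SAMPLE_FLOWS = (
    [(t * 20, "10.0.0.5", "10.0.1.7", 1 + t) for t in range(50)]
    + [(t * 15, "10.0.0.8", "10.0.1.7", 443) for t in range(70)]
    + [(t * 120, "10.0.0.9", "10.0.1.7", p) for t, p in enumerate([22, 80, 443, 8080, 25])]
)

if __name__ == "__main__":
    print("10-minute window:", detect_port_scans(SAMPLE_FLOWS))   # flags 10.0.0.5
    print("60-second window:", detect_port_scans(SAMPLE_FLOWS, window_s=60))   # flags nothing
```

The same scan is invisible with a sixty-second window, which is the usual reason a scan that a live sensor missed is found later in the recorded traffic.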


HOW IT WORKS

Solera Networks solutions are comprehensive, deep packet capture and stream-to-storage devices. In short, they record all traffic on a network and make it available for near-immediate playback. It is like a digital video recorder (DVR) or TiVo™ for a network, but instead of being limited to recording one or two channels it can record all 500 channels simultaneously. All channels are available for playback, or just a few (for example, only email between two target points, only VoIP sessions, or any combination of protocols).

From a Forensics/Analytics perspective, Solera Networks packet capture is like having an all-seeing surveillance camera watching all of the digital assets. Movement of any asset is recorded and tagged. Even if there is no predetermined policy-based enforcement, a complete trail of evidence is available for analysis of what happened after-the-fact.

Using Solera Networks devices, packet information can be filtered by VLAN, IP version (IPv4 or IPv6), MAC address, protocol or port (e.g. HTTP or SMTP), IP address, or IP network or subnet (for example 67.137.0.0/16, the prefix 192.168.0., or the single host 192.168.0.1). Data can be further narrowed by time range.
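The filters described here, and the time/protocol-filtered playback described earlier, operate on the same fields regardless of the tool that applies them. As an added example that is not Solera Networks code, the following reads the pcap format that an appliance's virtual file system exposes, decodes just the Ethernet/IPv4/TCP/UDP fields a filter needs, and selects SMTP traffic from one subnet inside a time range. The capture is constructed in the script (addresses and timestamps are made up); subnets are given in CIDR form, so the prefix 192.168.0. from the text becomes 192.168.0.0/24.

```python
"""Minimal pcap reader plus subnet/port/protocol/time filter. Added example,
not Solera Networks code. The capture is constructed in sample_capture();
only the header fields a filter reads are populated, checksums are zero."""
import ipaddress
import struct

# pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
T0 = 1_700_000_000.0           # constructed capture start time (epoch seconds)


def build_packet(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying a TCP (proto 6) or UDP (proto 17) header."""
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def write_pcap(records):
    """records: iterable of (timestamp, frame_bytes) -> bytes of a pcap file."""
    out = bytearray(PCAP_GLOBAL)
    for ts, frame in records:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Yield (timestamp, src, dst, proto, sport, dport) for each IPv4 frame.
    Handles both byte orders of the classic magic; nanosecond pcaps are not handled."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                   # ARP, IPv6 etc.: not decoded here
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
        l4 = frame[14 + ihl:]
        sport, dport = (struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4
                        else (None, None))
        yield (sec + usec / 1e6, src, dst, proto, sport, dport)


def filter_packets(packets, network=None, port=None, proto=None, start=None, end=None):
    """Keep packets where either endpoint is in `network`, either port equals `port`,
    the IP protocol equals `proto`, and the timestamp lies in [start, end]."""
    net = ipaddress.ip_network(network) if network else None
    for ts, src, dst, pr, sport, dport in packets:
        if net is not None and src not in net and dst not in net:
            continue
        if port is not None and port not in (sport, dport):
            continue
        if proto is not None and pr != proto:
            continue
        if (start is not None and ts < start) or (end is not None and ts > end):
            continue
        yield (ts, src, dst, pr, sport, dport)


def sample_capture():
    """Constructed minute of traffic: HTTPS, one SMTP exchange from 192.168.0.10,
    SMTP from an unrelated subnet, and a DNS query."""
    return write_pcap([
        (T0 + 0.0, build_packet("192.168.0.10", "93.184.216.34", 6, 51000, 443)),
        (T0 + 5.0, build_packet("192.168.0.10", "203.0.113.25", 6, 51001, 25, b"MAIL FROM:<a@corp.example>\r\n")),
        (T0 + 5.2, build_packet("203.0.113.25", "192.168.0.10", 6, 25, 51001)),
        (T0 + 30.0, build_packet("10.0.0.7", "203.0.113.25", 6, 40000, 25)),
        (T0 + 45.0, build_packet("192.168.0.11", "192.168.0.1", 17, 53000, 53)),
    ])


def smtp_from_subnet(pcap_bytes, subnet="192.168.0.0/24", start=None, end=None):
    """The playback question from the text: SMTP involving this subnet, in this time range."""
    return list(filter_packets(read_pcap(pcap_bytes), network=subnet, port=25, proto=6,
                               start=start, end=end))


if __name__ == "__main__":
    for rec in smtp_from_subnet(sample_capture()):
        print(rec)
```

On real captures the same selection is usually typed as a BPF expression (`tcp port 25 and net 192.168.0.0/24`) for tcpdump or Wireshark; the point of the script is to show which header bytes such a filter actually examines, and that the time range is applied to the per-record timestamp rather than to anything inside the packet.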

A sample implementation for forensics or analytics using Solera Networks' DS appliances would have the following architecture:

Solera Networks' capture device easily fits into any network as the foundation for any forensics or analytics system.

BENEFITS OF A GOOD DATA LEAKAGE PREVENTION STRATEGY

Data leakage prevention is more than just a precautionary exercise. It could mean the difference between maintaining a company's competitive advantage and going out of business; the difference between a productive work environment and employee lawsuits; the difference between certified government compliance and imposed fines or sanctions. The benefits of Solera's network surveillance solutions include the following:

ASSET PROTECTION

At any level, data leakage is costly. Not only can organizations lose customers and revenue with a leak, but reputations, brands, competitive advantages and years of good will can all be put at risk. One publicized incident can be devastating. In addition, leakage of sensitive, personal or financial information can easily violate government security policies or regulatory compliance, exposing an organization to sanctions, lawsuits or fines.

BETTER PROTECT EMPLOYEES

Organizations are responsible for creating and maintaining a safe environment for employees, including protection against objectionable material, harassment, and discrimination. Network surveillance helps organizations barricade against dangerous content while providing an evidence trail for objectionable or harmful sources. It also helps protect against unauthorized access to or distribution of personal or confidential employee information.

COMPLIANCE WITH GOVERNMENT STANDARDS

The list of government standards that mandate control of corporate data continues to expand, with no relaxing of requirements apparent in the foreseeable future. HIPAA, Sarbanes-Oxley, the Gramm-Leach-Bliley Act, the PCI Data Security Standard, California Senate Bill 1386 and other state data privacy laws, SEC regulations, U.S. federal employment standards, the EU Data Protection Directive, the UK Data Protection Act and Safe Harbor are all regulations with varying compliance requirements. Solera provides the foundation for discovery, audit and compliance enforcement for these and any other information-specific mandates.


CONCLUSION

In summary, Solera Networks' scalable packet capture and playback devices provide the best foundation possible for vigorous monitoring of data leakage. Deep packet capture on the industry's most powerful, scalable and secure platform deters data leakage through accountability and provides a platform for performing deep network analysis.

Contact

For more information on how you can rapidly implement an intrusion detection solution using Solera Networks products, please visit our website at www.soleraNetworks.com or call us at 801-623-5705.
