Incident Response
In any enterprise where the data on the network is mission critical, effective network security incident response is crucial to the organization's ability to avoid the potentially disastrous consequences of a misdiagnosed alert. An enterprise's network security infrastructure (security information management, intrusion detection, network behavior analysis, etc.) is doing a better and better job of alerting the security team to potentially malicious activity. The question is what action a member of the security team should take once an alert is generated. Security specialists must be able to quickly assess the alert, react, and put definitive context around it in order to decide how much response effort it warrants. The open question is how.
Much like any forensic investigation, whether on a network or in the physical world, you generally start with only a few pieces of information. A homicide detective might be told by dispatch that shots were fired at a particular location: from that you know the time and the general location, but not much else, and the investigation begins from there. Similarly, when a network alert fires you generally know a time frame and an IP address or port, and little more. Without an effective incident response tool the security team cannot definitively determine what happened beyond the few facts the alert itself supplies. Questions that must be answered before a definitive response to the alert can be made are:
- What other hosts have been involved in the incident?
- How long has the activity been going on? (The alert is generally not the first sign of the incident.)
- Is the activity that generated the alert still going on?
- What ingress and egress points (router interfaces) were used for the suspicious activity?
A vast amount of security information already exists throughout the enterprise in the form of IP-based network logs. One particularly valuable source is flow data (NetFlow, sFlow, J-Flow, IPFIX, etc.), which almost every enterprise router can export and which is essentially a free source of forensic evidence: each record captures the endpoints, ports, protocol, byte counts, start and end times and router interfaces of a conversation without requiring a full packet capture. To answer the questions above, the flow data must be searched together with the rest of the enterprise's IP-based network data. For a security incident response initiative to be effective an enterprise must:
- Retain all its network data for an extended period of time
- Have real-time access to that data
- Be able to perform rapid, deep search and analysis on that data
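The four questions above are exactly what a search over flow records is good at answering. The following script is an added illustration, not Packet Analytics' code or Net/FSE's query language: it assumes flow records have already been exported by a router and parsed into simple objects with the fields every NetFlow-style record carries (start, end, source, destination, destination port, ingress and egress ifIndex, octets). The flow records, addresses and alert are all constructed here so the example runs offline. Starting from only what an IDS alert supplies (a time and an IP address, here the alerted host 10.1.5.20 and the external indicator 203.0.113.45), it pivots through the flows to find every other host that talked to the indicator, how long before the alert the contact began, whether the conversation is still open, and which router interfaces the traffic crossed.

```python
"""Pivot around an IDS alert using NetFlow-style records.

Added example, not Net/FSE code. Assumes flows are already parsed into
Flow objects; the records below are constructed sample data, not real
traffic (RFC 5737 documentation addresses are used for external hosts).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int
    in_if: int    # ingress ifIndex on the exporting router
    out_if: int   # egress ifIndex on the exporting router
    octets: int


def f(start, end, src, dst, dport, in_if, out_if, octets):
    """Build a Flow from ISO-8601 timestamps (helper for the sample data)."""
    return Flow(datetime.fromisoformat(start), datetime.fromisoformat(end),
                src, dst, dport, in_if, out_if, octets)


# Constructed sample flows. The IDS alert fires at 2023-03-01T10:15 on
# 10.1.5.20 talking to 203.0.113.45:443; the flows show the real story.
FLOWS = [
    # Beacon from the alerted host to the indicator, started two days before the alert
    f("2023-02-27T02:00:00", "2023-02-27T02:00:04", "10.1.5.20", "203.0.113.45", 443, 3, 7, 1200),
    f("2023-02-28T02:00:00", "2023-02-28T02:00:03", "10.1.5.20", "203.0.113.45", 443, 3, 7, 1180),
    f("2023-03-01T10:00:00", "2023-03-01T10:00:05", "10.1.5.20", "203.0.113.45", 443, 3, 7, 1250),
    # A much larger transfer to the indicator that is still open at triage time
    f("2023-03-01T11:00:00", "2023-03-01T11:05:00", "10.1.5.20", "203.0.113.45", 443, 3, 7, 48000),
    # SMB from the alerted host to a second internal host (possible lateral movement)
    f("2023-02-28T03:10:00", "2023-02-28T03:12:00", "10.1.5.20", "10.1.7.11", 445, 3, 4, 9000),
    # The second host now talks to the same indicator, leaving through a different egress
    f("2023-03-01T09:30:00", "2023-03-01T09:30:02", "10.1.7.11", "203.0.113.45", 443, 4, 8, 1100),
    # Ordinary traffic that must not be pulled into the incident
    f("2023-03-01T10:14:00", "2023-03-01T10:14:01", "10.1.5.20", "10.1.0.5", 53, 3, 2, 300),
    f("2023-03-01T10:20:00", "2023-03-01T10:21:00", "10.1.9.3", "198.51.100.7", 80, 5, 7, 5000),
]


def involving(flows, ip):
    """All flows in which ip is either endpoint."""
    return [fl for fl in flows if ip in (fl.src, fl.dst)]


def between(flows, a, b):
    """All flows between hosts a and b, in either direction."""
    return [fl for fl in flows if {fl.src, fl.dst} == {a, b}]


def peers(flows, ip):
    """Every host that exchanged traffic with ip."""
    return {fl.dst if fl.src == ip else fl.src for fl in involving(flows, ip)}


def triage(flows, alert_ip, indicator_ip, alert_time, now, grace=timedelta(minutes=15)):
    """Answer the four incident-response questions for one alert.

    alert_time and now are ISO-8601 strings; grace is how recently a flow
    must have ended to count as 'still going on' (flow export lags the
    traffic, so a small grace window avoids false 'ended' verdicts).
    """
    alert_at, now_at = datetime.fromisoformat(alert_time), datetime.fromisoformat(now)
    pair = between(flows, alert_ip, indicator_ip)
    if not pair:
        # The alert is not corroborated by any flow; treat as a likely misdiagnosis
        return {"corroborated": False}
    first = min(fl.start for fl in pair)
    last = max(fl.end for fl in pair)
    return {
        "corroborated": True,
        # Q1: who else talked to the indicator (pivot on the external address)
        "other_hosts": sorted(peers(flows, indicator_ip) - {alert_ip}),
        # leads for lateral movement: everything the alerted host talked to
        "alert_host_peers": sorted(peers(flows, alert_ip)),
        # Q2: how long before the alert the contact began
        "first_seen": first.isoformat(),
        "hours_before_alert": (alert_at - first).total_seconds() / 3600,
        # Q3: is it still going on (last flow ended within the grace window)
        "last_seen": last.isoformat(),
        "still_active": now_at - last <= grace,
        # Q4: ingress/egress ifIndex pairs used by anyone reaching the indicator
        "paths": sorted({(fl.in_if, fl.out_if) for fl in involving(flows, indicator_ip)}),
        "ports": sorted({fl.dport for fl in pair}),
        "octets_to_indicator": sum(fl.octets for fl in pair if fl.dst == indicator_ip),
    }


if __name__ == "__main__":
    for k, v in triage(FLOWS, "10.1.5.20", "203.0.113.45",
                       "2023-03-01T10:15:00", "2023-03-01T11:10:00").items():
        print(f"{k}: {v}")
```

Run against the sample data, the pivot shows that the beaconing began some 56 hours before the IDS noticed it, that a second internal host (10.1.7.11) is talking to the same indicator through a different egress interface, and that a 48 KB transfer to the indicator was still open minutes before triage, which changes the response from "tune the signature" to "contain two hosts and pull packet data for the open session". The same pivot on a host with no flows to the indicator returns an uncorroborated result, which is the cheap way to catch the misdiagnosed alert the introduction warns about.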
With the tools currently in place in most enterprise networks, these three requirements are virtually impossible to meet. Net/FSE, the network forensic search engine from Packet Analytics, gives security analysts the ability to collect all of the enterprise's network event data; if an enterprise is already collecting that data, Net/FSE can index the existing data retrospectively to avoid duplicating it. Net/FSE gives the security incident response team access to network data in near real time (as real time as the devices sending data to Net/FSE allow). Most importantly, Net/FSE lets security analysts perform deep search and intuitive analysis across all of the network data to arrive at definitive answers. Its intuitive, easy-to-use, security-purposed web interface lets analysts get their hands on the underlying data rather than relying on alerts alone to judge the severity of a potential incident. Net/FSE is the search and analysis incident response tool for security analysts, built by security analysts.
Download Net/FSE today!