Forensics for everyone as a new approach to network security [Q&A]
Organizations are increasingly under pressure to respond to security incidents quickly in order to minimise damage and losses. Yet conventional security approaches don't always provide enough information, or make it accessible enough, for this to happen.
Is it time for businesses to take a more forensic approach to securing their networks? And won’t this involve time-consuming trawls through masses of raw packet data? We spoke to Uriel Cohen, head of marketing at network forensics specialist WireX Systems to find out.
BN: Network visibility is nothing new, so why has it become more relevant recently?
UC: The ability to truly understand what is going on in the network was and always remains critical to every organization with an IT team. And yet, 2014 has proved that no one is immune to cyber-attacks, from large finance firms who spend millions of dollars on security, to small retailers who mistakenly believe they are not a target. The paradigm of enterprise security today is shifting from prevention towards detection and forensics and security budgets are changing accordingly. It all comes down to better visibility as a first and crucial step to mitigate business loses from the inevitable security beaches.
BN: Why isn't the normal approach of collecting logs and other metadata sufficient any more?
UC: Network solutions record high-level event details to logs and discard the actual content. This is barely enough and sometimes even irrelevant when trying to understand network activities across the many applications running your business. It wasn't surprising when Verizon found that less than one percent of successful attacks were spotted by SIEM. For over a decade we were trying to achieve contextual awareness around incidents by aggregating and correlating endless logs and failed. Today we have the technology to keep it all -- the actual content of our entire network history.
BN: So how come most organizations today are still left behind with limited visibility into their network activity?
UC: To date, there have been no tools available to the enterprise that could bring true value. Adopters of forensics technologies report challenges in investigating network and security incidents without a team of dedicated experts working around the clock. Every week we are meeting more frustrated analysts, telling us that instead of devoting their time to conducting investigations, they are sorting through massive amounts of unrecognized sessions, gluing together the bits and bytes. Another important factor is the required storage. Existing solutions are based on full packet recording, meaning that you need 11TB to store a single day of 1Gbps network traffic. Obviously, this cannot scale considering today's growing infrastructures.
BN: How does WireX approach the problem?
UC: Think of it as a Google-like interface that enables even entry-level personnel to understand every action and piece of data that traversed the network. Instead of choosing between limited visibility with metadata only or an army of experts digging in mountains of packets, WireX approaches this with deeper, more powerful analysis capabilities. The WireX Platform automatically analyses all parts of the enterprise network to reduce to zero the time wasted on collecting relevant intelligence.
BN: What makes WireX special? Tell us a bit more about your analysis capabilities.
UC: Our core technology is WireX Layer-8 Contextual Analysis which provides real-time network analysis. WireX picks up where traditional DPI has failed, creating intelligence that is human-readable. The analysis engines understand the activities within each application and therefore reveal the precise actions performed and extract its content. This includes the data center, perimeter, organization's LAN and the cloud, with the ability to easily add new decoders also for homegrown applications. Moreover, by performing real-time extraction and compression of textual content, the WireX platform provides significantly longer history than traditional solutions that rely on full-packet capture.
BN: Does this do away with the need for specialist analysts?
UC: Once the network traffic is fully analyzed, stored and indexed, security and IT teams can finally perform their tasks effectively. Whenever an alert is triggered by any existing solution (such as next-generation firewall, IPS or SIEM), the solution will provide the complete network story related to the incident in question, including the actual content. The important part to understand here is that the intelligence delivered can be understood immediately, without any additional post-processing needed.
BN: What's the next step for the company?
US: WireX was founded in 2010 to empower defence forces and intelligence agencies with tools to combat cyber-terrorism. Today, we are expanding our reach to the enterprise market, tailoring WireX's field-proven technology to revolutionize security operations. We are currently preparing for launch in the US by the end of the year.