Given today’s increasingly commercial threat landscape, network defenses are almost inevitably breached. To support incident investigation, evidence gathering, impact assessment, and clean-up, Network Forensics Appliances deliver full-packet recording, in-depth analysis, event reconstruction, visualization and reporting.
In this EnterpriseNetworkingPlanet Network Forensics Appliance buyer's guide, we look at how Solera Networks DeepSee lets security teams quickly navigate massive volumes of network forensic data. By issuing ad hoc queries or pivoting directly from IPS and SIEM dashboards, DeepSee users can efficiently glean investigative details needed to resolve security incidents and identify their consequences.
Delivering actionable insight – fast
According to marketing director Alan Hall, Solera customers use DeepSee to tackle both day-to-day and advanced persistent threats. “Today, attackers know who we are and what we have. They use multi-vector attack methods like social media phishing linked to malware. They morph identities and use non-standard ports to evade detection,” he said.
“When attacks occur, network security teams need to know who did it, how they did it, and what systems were impacted,” said Hall. “Too often, the answer is: We don't know. DeepSee addresses this by arming customers with complete, clear, concise information about attacks. If you have the right data, you can minimize loss and fortify your network against further attack.”
DeepSee itself is a network forensics platform for visualizing and understanding suspicious activity. According to Hall, there are three keys to enabling effective forensic investigation. “First, you must collect it all; [traffic] sampling is not enough. Second, if you're going to create a haystack of data, you must provide an easy way to get to it. Third, you must efficiently analyze that data to detect attacks.”
Post-event incident analysis is the most common use of network forensics, but proactive situational awareness (tracking a threat as it unfolds) can deliver higher value. “For this use, capturing data at high rates and indexing to speed access are critical,” he said. “Some customers are capturing close to a petabyte; we can turn that data into actionable insight.”
Under the covers
Solera’s approach starts with dedicated DS appliances. All DS appliances run the Solera OS, optimized for high-speed network packet capture, storage and playback by using proprietary disk management and a patented technology that compresses data 10-fold while simultaneously indexing it for rapid retrieval.
- For smaller venues, the DS 1200 uses four copper or fiber Gb ports to capture up to 2 Gbps of passing traffic, saved on 3TB of internal storage.
- For mid to large organizations, the DS 3200 uses eight Gb ports to capture at peak rates up to 5 Gbps (3 Gbps sustained) on 12TB of redundant internal storage.
- For even larger networks, the DS 5200 uses two 10 Gb SFP ports and four 1 Gb ports to double peak capture rate while bumping internal storage to 16TB.
- Where further extensibility is required, Solera’s flagship DS H200 captures traffic at 10 Gbps, storing as much as 200TB on external DS storage units (20TB each).
In addition, Solera sells a DS Virtual Appliance that captures up to 1 Gbps of traffic when installed on any VMware ESX server with 2TB of storage. “We have customers with multiple offices each using a DS VM, along with one of our larger DS appliances in their data center,” said Hall. “Our DS C200 centralized management console can manage all of our appliances and perform forensic data searches across appliances.”
Pivoting into applications
All DS appliances include Solera’s entire set of DeepSee applications. “Our customers use best of breed security tools; DeepSee integrates with [those tools] to add very important historical and near-real-time look-back capability,” explained Hall.
Specifically, the DeepSee application dashboard can be launched from several popular IPS and SIEM products, including ArcSight ESM, FireEye, Palo Alto Networks, Q1 QRadar, Snorby, SonicWALL, Sourcefire and Splunk. In addition, a Firefox plug-in can drill into DeepSee from any IP address or port number shown on a third-party web page, such as an HTML-formatted server log or an RSA EnVision alert.
“All those tools use signature alerting or behavioral analysis to alert you to fishy traffic. We give you the ability to do deeper dive investigation [by] pivoting directly into DeepSee,” he explained. “Our applications allow you to make sense of packets captured by a DS appliance, letting you see what happened 5 minutes before or after an alert, etc.”