Wednesday, July 14, 2010

Network Forensics Vendors: Get in the Cloud!

I know some of us worry that the advent of the "cloud" will spell the end of Network Security Monitoring and related network-centric visibility and instrumentation measures. I have a proposal for any network forensics vendors reading this blog: get in the cloud!

For example, imagine you are a proxy-in-the-cloud (PITC) provider, like ScanSafe, now owned by Cisco. You provide a Web portal to your customers so they can see what bad sites employees were not allowed to visit. But what about all the subtle traffic that evaded your filters, block lists, heuristics, and other defensive mechanisms? What about the insider stealing intellectual property, indistinguishable from a "normal employee?" How does your abuse-centric Web portal address the sorts of threats that really matter?

To me, one answer is to deploy a network forensics solution like NetWitness or Solera in front of your PITC infrastructure. The PITC vendor must have a way to identify legitimate clients, or else you've created the world's greatest open Web proxy. Use the identity information to tag the traffic collected by the network forensics product.

When a customer needs to analyze an intrusion, or conduct an investigation, he can connect to the hosted network forensics platform.
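One way the identity tagging and per-customer retrieval described above could work, as an added example that is not from the original post or from any vendor's product. The record layouts, field names, function names and sample data are all constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed proxy login sessions: (customer, user, client_ip, start, end), epoch seconds.
SESSIONS = [
    ("acme", "alice", "203.0.113.10", 1000, 2000),
    ("acme", "bob", "203.0.113.10", 2000, 3000),  # same client IP, later login
    ("globex", "carol", "198.51.100.7", 1500, 2500),
]
# Constructed flow summaries from the capture tier: (ts, client_ip, dest_host, bytes_out).
FLOWS = [
    (1200, "203.0.113.10", "files.example.net", 48_000_000),
    (2100, "203.0.113.10", "news.example.org", 12_000),
    (1600, "198.51.100.7", "mail.example.com", 90_000),
    (3500, "203.0.113.10", "files.example.net", 5_000),  # after every session ended
]

def build_index(sessions):
    """Group sessions by client IP, sorted by start time (assumed non-overlapping per IP)."""
    index = defaultdict(list)
    for customer, user, ip, start, end in sessions:
        index[ip].append((start, end, customer, user))
    for rows in index.values():
        rows.sort()
    return index

def tag_flow(index, flow):
    """Return the flow as a dict tagged with the session owner, or None/None if no session covers it."""
    ts, ip, dest, nbytes = flow
    rows = index.get(ip, [])
    # Last session starting at or before ts; sessions are half-open [start, end).
    pos = bisect_right(rows, (ts, float("inf"))) - 1
    customer = user = None
    if pos >= 0 and ts < rows[pos][1]:
        customer, user = rows[pos][2], rows[pos][3]
    return {"ts": ts, "ip": ip, "dest": dest, "bytes": nbytes,
            "customer": customer, "user": user}

def customer_view(tagged, customer):
    """Only the flows attributed to one customer: what that tenant's analyst may query."""
    return [f for f in tagged if f["customer"] == customer]

def bytes_out_by_user(flows):
    """Total outbound bytes per tagged user, a starting point for spotting unusual transfers."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["user"]] += f["bytes"]
    return dict(totals)

if __name__ == "__main__":
    tagged = [tag_flow(build_index(SESSIONS), f) for f in FLOWS]
    print(bytes_out_by_user(customer_view(tagged, "acme")))
```

Flows that match no session, like the last constructed record, stay untagged rather than being attributed by guesswork, so they never appear in any customer's view and can be reviewed separately.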

I also like this approach because it helps address the consumerization of IT. You can create a policy (weak I know, but it's an option) that Company users must point any device that processes Company data to the PITC infrastructure for Web access. By doing so you can collect the network forensic data you need.

Of course, encryption is always an issue, but if really necessary I'm sure you can work with the PITC vendor on a MITM approach.

I'm sure I'll get a few comments from critics saying "NSM is dead," "network traffic is worthless," etc. It's just a sign you don't know how to use that sort of data effectively, and probably never will. After evangelizing for 10 years, I've given up trying to convince critics like that.

I also don't intend for this post to be a signal that I hate logs or host-based evidence. It's just another piece in the puzzle.

So, network forensics vendors, who will be the first to publish a press release saying you've partnered with a PITC provider?

10 comments:

pcapr said...

xtractr @ http://www.pcapr.net/xtractr is already one step ahead of you! :-)

Richard Bejtlich said...

I don't mean hosting traffic in the cloud, I mean collecting and analyzing traffic that I generate between my end point and cloud infrastructure. I also don't mean running Wireshark in Amazon E3.

Richard Bejtlich said...

I'm looking for more of this:

Terremark Leverages NetWitness NextGen™ Security Solution to Protect Enterprise Cloud Customers

pcapr said...

Understood, but unlike the pcapr site (a public repository on the cloud) itself, xtractr leaves your traffic on your premises, just the app is on the cloud. So no uploads, no privacy/infoleak issues. But yeah, I get what you are saying.

Anonymous said...

In part Xplico can do what you ask. HTTP is well managed and it can also be filtered by user (IP/target).

Richard Bejtlich said...

Anonymous, Xplico can not do what I am discussing. I am looking for a VENDOR to partner with ANOTHER VENDOR to provide a SERVICE in the CLOUD. I am not looking for a tool.

Paolo (Anonymous) said...

You are right, my speech was inconsistent with the post. Sorry.

VivekRajan said...

Just curious if these solutions run off a tap on backbone infrastructure links or distributed within the cloud.

Eddie Schwartz said...

Hi there,

Next time you are in the office we'll tell you more about what we have been doing in the cloud... lots going on there to talk about actually... :)

Eddie Schwartz
CSO
NetWitness

Benjamin Wright said...

Richard:

As the cloud comes to dominate computing, professional investigators, such as police officers or tax auditors, need reliable methods to record the activity in a dynamic, online venue, such as a Facebook Wall or an online chat room.

This blog article and video demonstrate a new method for capturing and authenticating legal evidence:

http://legal-beagle.typepad.com/wrights_legal_beagle/2011/04/credible.html

What do you think? --Ben