Computer forensics has long focused on the endpoint, such as the hard drive or cell phone, where the data is static. Forensics on the network, however, where information is transient and present for only a second or two, can be much more valuable.
By watching the network in the same way a casino security camera scans everything happening on the floor, Peter Schlampp, vice president of marketing and product management at Solera Networks, explained to me, security personnel can get a much better view of where and when breaches happen, as well as of any activity leading up to the breach. Schlampp said:
What network forensics is, is the ability to capture, store, and index 100 percent of the information that goes through the network. At a later time, you can replay it, reconstruct it, analyze it, so you can identify when something bad happens. For example, say you have an insider threat, someone selling commercial property to a third party. With network forensics, you can go back and reproduce the exact documents, e-mails, or VoIP calls just as they were when they went over the network.
While the concept of network forensics isn't new, the market for network forensic products is still small. To investigate why this is a vital area for improving network security, Gartner published a report, "Network Forensics Market." Some key findings from the report include:
The threat environment has changed, Schlampp said, and network forensics gives companies real-time visibility. It also gives businesses a chance to look at the big picture, such as the activity that preceded the breach and its root cause.
Most security efforts start small, Schlampp added, but grow as the enterprise recognizes their importance. Network forensics looks to be on the edge of being an important element in overall data security.