One of the most valuable big data applications is network security, and any big data consultant should be prepared to include security strategies, including network forensics, as part of his big data arsenal. The requirements of network forensics in support of network security and the requirements of big data are very similar. In fact, you might even think of network forensics as the “killer application” for big data. It certainly is one area where a big data consultant can readily demonstrate big data ROI.
What Is Network Forensics?
Network forensics is a relatively new science applied in network security and law enforcement. As with any type of forensics, the purpose of network forensics is to gather digital evidence in order to fight cybercrime. Network forensics monitors all network traffic using one of two approaches: “catch-it-as-you-can” systems mirror all network traffic to storage for later analysis, while “stop, look, listen” systems analyze part of each packet as it passes. Catch-it-as-you-can requires a tremendous amount of data storage; stop, look, listen systems require less storage but more processing power.
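As an added illustration, not code from the original article, the two capture models above run over constructed Ethernet/IPv4/TCP frames: the catch-it-as-you-can path keeps every byte, while the stop, look, listen path reads only the header fields and keeps one counter per flow, so the storage figures show the trade-off the text describes. The frame layout, addresses and sizes are constructed for the example.

```python
import struct
from collections import defaultdict

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def flow_key(frame):
    """'Stop, look, listen': read only the header fields, never the payload."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                      # not IPv4/TCP: outside this example
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return (src, dst, sport, dport)

def catch_it_as_you_can(frames):
    """Mirror every frame: storage grows with bytes on the wire."""
    return [bytes(f) for f in frames]

def stop_look_listen(frames):
    """One (packets, bytes) counter per flow: storage grows with flow count."""
    flows = defaultdict(lambda: [0, 0])
    for f in frames:
        key = flow_key(f)
        if key is not None:
            flows[key][0] += 1
            flows[key][1] += len(f)
    return {k: tuple(v) for k, v in flows.items()}

# Constructed traffic: a bulk HTTPS download plus a small SSH session.
FRAMES = [build_packet("10.0.0.5", "198.51.100.7", 40000, 443, b"A" * 1400)
          for _ in range(50)]
FRAMES += [build_packet("10.0.0.9", "10.0.0.1", 51000, 22, b"B" * 60)
           for _ in range(20)]

def storage_bytes(frames=FRAMES):
    """Bytes each model must keep; a flow record is 4+4+2+2 key bytes plus two u64."""
    full = sum(len(f) for f in catch_it_as_you_can(frames))
    return full, len(stop_look_listen(frames)) * 28
```

The full-mirror figure scales with every payload byte, whereas the flow summary stays at two records no matter how long the download runs.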
With all the high-profile enterprise breaches in the past few years, organizations in finance, retail, health care, insurance, manufacturing, and even government agencies understand that at some point a data breach is inevitable. As a result, IT security professionals are splitting their time between reinforcing the network barricades and looking for anomalous behavior that could indicate a breach. Network forensics is becoming an invaluable part of detection and remediation.
According to a new research study by Enterprise Management Associates (EMA):
- 53 percent of respondents understand that security analytics and network forensics augment their Security Information and Event Management (SIEM) systems.
- 46 percent see network forensics as the next logical step in security evolution.
- 90 percent say the introduction of incident forensics has reduced false positives and improved actionable alerts.
- 95 percent of those who have implemented analytics and forensics have seen expected or greater than expected value.
Network Forensics Looks Like Big Data
In many ways, network forensics is another form of big data. It requires gathering and analyzing large pools of data, and it uses customized algorithms for analytics. Network forensics also fits the three properties that define big data: volume, velocity, and variety. Both require massive amounts of storage, either on premises or in the cloud (volume). Both use analytics: many SIEM vendors deliver off-the-shelf security solutions with built-in analytics, while others offer custom algorithms for threat detection. Developing custom forensic algorithms for specific environments to provide real-time analytics parallels big data (velocity). And both network forensics and big data draw on many different types of data sets.
For example, validating a security key could require correlating different data sets such as user authentication, user security privileges, the asset, history, action requested, IP address information, and much more (variety).
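As an added example, not from the original article, the correlation just described run on constructed data: each authentication event is checked against a privilege set, an asset inventory, the user's access history and corporate IP ranges, and every mismatch becomes a finding. All users, assets, address ranges and events are invented for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed reference data standing in for the sources the text lists:
# privileges, asset inventory, access history and IP address information.
PRIVILEGES = {"alice": {"db-prod": {"read"}, "db-dev": {"read", "write"}},
              "bob": {"db-dev": {"read"}}}
ASSETS = {"db-prod": "regulated", "db-dev": "internal"}          # asset tier
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HISTORY = {"alice": [ip_network("10.0.1.0/24")],                 # nets seen before
           "bob": [ip_network("10.0.2.0/24")]}

# Constructed authentication events: user, asset, requested action, source IP, MFA.
AUTH_LOG = [
    {"ts": "2024-03-01T09:00:00Z", "user": "alice", "asset": "db-prod",
     "action": "read", "ip": "10.0.1.20", "mfa": True},
    {"ts": "2024-03-01T09:05:00Z", "user": "bob", "asset": "db-prod",
     "action": "write", "ip": "203.0.113.9", "mfa": False},
    {"ts": "2024-03-01T09:07:00Z", "user": "alice", "asset": "db-dev",
     "action": "write", "ip": "10.0.7.3", "mfa": True},
]

def evaluate(event):
    """Correlate one auth event against every data set; return the findings."""
    findings = []
    user, asset, action = event["user"], event["asset"], event["action"]
    if action not in PRIVILEGES.get(user, {}).get(asset, set()):
        findings.append("action not permitted by privilege set")
    if ASSETS.get(asset) == "regulated" and not event["mfa"]:
        findings.append("regulated asset accessed without MFA")
    ip = ip_address(event["ip"])
    if not any(ip in net for net in CORP_NETS):
        findings.append("source outside corporate address space")
    if not any(ip in net for net in HISTORY.get(user, [])):
        findings.append("source network not seen before for this user")
    return findings

def triage(events):
    """Return only the events that raised at least one finding."""
    return [(e["ts"], e["user"], evaluate(e)) for e in events if evaluate(e)]
```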
The network forensics process uses big data techniques. Both big data and the forensics methodology require the identification of data sources, data capture, data review, and data analysis. Both big data and forensics deal with structured and unstructured data sources, real-time data feeds, time-sensitive data, and metadata about the data. By extending network forensics with real-time big data analytics, you can go beyond capturing digital evidence and detection to automating network remedies, using sophisticated algorithms that instruct the network to take action when a threat is detected.
Consider, too, that big data repositories become part of network forensics detection. In order to address compliance issues, forensics has to be able to identify big data sources to determine if they are trustworthy. Data also has to be organized and compliance-sensitive data isolated as part of security for compliance. This can present the big data consultant with security issues. For example, if customer or patient data is required for analytics but that data is protected as part of compliance, you have to be sure the data is handled securely so sensitive information isn’t exposed. Network forensics tools can work in tandem with big data tools to enforce regulatory compliance.
Understanding the value of network forensics may prove to be the easiest way to sell big data solutions. There is a growing demand for analytics that provide early detection of targeted attacks and data breaches. The growing need to detect data breaches and identify security threats is going to continue to drive SIEM sales. The need for stronger network security is always a compelling sales pitch, and as a big data consultant, you are in an ideal position to demonstrate how big data complements network forensics. Once the client sees ROI from big data for security, you can demonstrate big data value in other areas.