Network Forensics: Security Attack Analysis

Customer Pain Point

6 You get the phone call that every network security professional dreads: "We’ve been hacked." Action must be swift and decisive. Do you have the data and the analysis tools that will enable you to reconstruct the chain of events? How is the attack unfolding, and what steps should you take next?

  WildPackets Solutions

Omnipliance™
OmniEngine™ Enterprise
OmniPeek™ Enterprise
OmniPeek™ Enterprise Connect

  Results

• Hours or even days of network traffic collected by a single system and stored in a common format.
• Ongoing data collection—so you’re always read for analysis and response.
• A single graphical interface provides access to terabytes of data.
• High-level analysis tools eliminate the need for brute-force analysis from disparate data sources.

The Challenge: Detecting and Characterizing Network Attacks

The NOC of a medium-sized online retailer suspected a network breach, and immediately contacted the Chief Security Officer. The CSO knew she must quickly to determine:

• What damage has been done?
• Who was the intruder?
• How did the intruder penetrate our security?
• Did the intruder leave other dangers behind? Worms? Trojan horse?
• Did we collect sufficient data to analyze and reproduce the attack?

In the past the CSO and her staff suspected that a breach had occurred, they found themselves having to collect diverse types of data, with different formats, from a multitude of sources such as firewall logs, router logs, Intrusion Detection Systems (IDS), server logs, hard drives and system dumps. This resulting hodge-podge of data could not be easily recompiled into a coherent picture. As a result, the security team had to make their best guess about network security, working from incomplete data.

The Solution: WildPackets OmniPeek Product Family

This time, using the WildPackets OmniPeek Product Family, the CSO and her team were able to capture, analyze and reconstruct the packet stream on demand. This examination of individual packet streams and their component packets allowed the CSO to quickly reconstruct the sequence of events that were occurring during the time of the suspected network breach.

The solution incorporated real-time data collection, using a combination of dedicated hardware appliances and software. The deployed solution took the following form.

• Omnipliance, a high-performance, line-rate capture appliance containing large amounts of disk storage to capture and store data over a long time period in the NOC
• OmniEngine Enterprise running on key nodes at the core of the network
• OmniPeek Enterprise for remote data monitoring and analysis
• OmniPeek Enterprise Connect for local monitoring and analysis at the source of data collection

Benefits: Centralized Data, Powerful Analysis Tools, and a Clear Picture of Network Activity

The OmniPeek security forensics solution makes data always available for reconstruction and analysis. All pertinent data is collected in a single location, rather than scattered across the network. Data is captured in a single data format and does not need to be transferred or translated in any way for analysis. Using the network forensics data mining tools, security teams can reconstruct the sequence of events that occur at the time of a breach. The OmniPeek forensics solution provides security teams with the complete picture they have been lacking until now.

Security professionals can now quickly determine the magnitude, source, consequences and corrective action to be taken in response to a network breach. Satisfying compliance requirements and keeping proprietary company information and client data secure.

For more details or to arrange a demo, please call (925) 937-3200 or write to sales@wildpackets.com.