Dan Baker Blog
A Powerful Tool for Fraud & Security Investigators: Real-Time Packet-to-Event Translation
While the primary use of real-time IP traffic analysis is security and service performance monitoring, another vital use is in deeper, after-the-fact investigations across a variety of assurance areas. This is the business of network forensics: enabling investigators to reconstruct and analyze network activity. Network forensics has been around for many years, but up to now it has been a slow and ponderous science, because looking at events (emails, Web searches, database searches) requires a great deal of upfront translation work performed by IP experts who tediously stitch packets together to form human-readable events.
Well, help is on the way from NetScout, which has recently rolled out a new analytics module for its nGenius product line, nGenius Forensic Intelligence. The breakthrough that Forensic Intelligence delivers is to automate IP translation work on the fly so that users can get very rapid access to events in an understandable way. This technology could be a boon to telecom investigators in fraud, security and service assurance.
The Forensic Intelligence platform supports both IPv4 and IPv6 traffic and can reconstruct and replay hundreds of IP-based services and applications, including Web services, email, social media, corporate applications, and voice and video sessions.
Here to tell us about this innovation is Steven Shalita, NetScout’s vice president of marketing. Now besides network forensics, I would be remiss if I didn’t mention NetScout’s larger mission, something Steve calls “Unified Service Delivery Management.”
In fact, after we conducted our interview, NetScout announced it was acquiring another telecom service assurance vendor, Accanto Systems, based in Europe – further evidence of NetScout’s confidence it can drive assurance unity and innovation.
In the circuit voice world, network events are largely pieced together by collecting and analyzing switch CDRs and SS7 event records. But now, as the immensely complex IP cloud steadily descends over and permeates the telecom service layer, what becomes the unifying principle for delivering network events in the IP realm?
Well, it’s the packets themselves. The packets may not see the telecom transport layer, but they are the ticket to seeing and understanding everything else, from applications and VoIP conversations to criminal activity and the user experience.
So the future belongs to firms like NetScout, which can devour and analyze terabytes of IP streams, then quickly convert the packets into useful assurance events, be it for security, fraud, revenue, churn, or margin analysis.
In our interview, Steve discusses network forensics and how the investigator uses the tool. He also explains how packet storage requirements are evolving and the longer range implications of unified service delivery.
Dan Baker: Steve, can you briefly explain why this new system is an improvement over traditional IP network forensic solutions?
Steve Shalita: Sure, Dan. Up to now, the enterprise style of forensic analysis was done the old-fashioned way, with traditional network or protocol analysis tools. Now while our nGenius InfiniStream appliance does a good job of looking at network streams and pulling out information, it’s rather complicated to use because you need a specialist in packet analysis.
So the new Forensic Intelligence module automates packets-to-event analysis so an investigator can reconstruct and visually replay events as if the user were doing those things. This is about two key things: simplifying the whole activity and speeding time to knowledge.
The product competes with the traditional network analysis vendors, including our own Sniffer technologies, as well as point vendors that are focused on network forensics – companies like Solera, NetWitness (recently bought by RSA), or Narus [recently bought by Boeing].
DB: How does the network forensic tool present the events?
SS: Key to the presentation are more than 100 adapters that automatically reconstruct email, Web, and many other applications. In the case of Outlook, Word or other commonly used business apps, we spawn a viewer that is linked into that particular application which allows you to see the Outlook or Word screens. If the user visited a website, we provide a link to the website.
Say you wanted to examine what John Smith did for the last hour. Well, the system sifts through all of the network traffic and brings back that filtered data to the investigator’s screen. Then, at the push of a button, you get a VCR-like view of all John Smith’s network-based sessions. And you can get down to the exact sequence and the exact times that events occur. For example, you would see at 5:30, Smith logged in, checked his company email; at 5:45, he did some instant messaging. And you would see he went off to a server and copied five confidential files. After that he went to his personal email and sent those files to someone and so on. If you see a similarity to the WikiLeaks scenario here, that would be a good real-world use case.
DB: What’s it look like from an investigator’s perspective?
SS: The diagram shows the product in action. The system automatically analyzes the targeted packet flow data and turns it into named events [shown in the green box of the diagram below].
The left-side green pane summarizes reconstructed sessions into events with high-level details such as type (email, web, etc.), time-stamp, etc. Once an event is clicked, the fully reconstructed session is shown on the right side, such that the whole email in its entirety or the complete webpage, including embedded videos and dynamic links within the webpage, is seen.
The captured packets for the visited websites are used to reconstruct complete webpages, including content, formatting and dynamic elements. You see it exactly as the person who visited the webpage saw it.
Point-and-click action on each event is shown in the fully reconstructed session on the right side. Like film frames, you can watch each frame or play them back sequentially as a continuous stream.
Now all the things I discussed are new capabilities. If you were trying to reconstruct this using raw packets, it would take you hours or even days. So what the product does is to automatically aggregate the packets into events that a security, fraud, or criminal investigator can easily understand.
You could be looking at a particular user – what they did on their screen. Or you could look at a particular application and see all the different users who interact with that application, or even look at a location to see what has happened.
DB: Does the system monitor client server applications too?
SS: Absolutely. It sees everything within the packets. The question really comes down to whether or not we have an application adapter already built to automatically reconstruct and replay the application back. Of course, if a customer needs to support a certain IP-based application, we can add custom adapters for their specific needs. And as new adapters become available for common applications, all clients get access to them.
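The packets-to-event translation described in the last few answers (per-application adapters, a per-user timeline like the John Smith example, and filtering the view by user or application) is sketched below as an added illustration. This is example code written for this page, not NetScout’s software; it works on constructed flow records rather than raw packets, and the port-to-application mapping and the idle-gap session rule are assumptions made for the example.

```python
from collections import namedtuple

# Per-application adapters: destination port -> human-readable event name.
# Stands in for the product's reconstruction adapters; this mapping is an example assumption.
ADAPTERS = {
    993: "company email (IMAPS)",
    5222: "instant messaging (XMPP)",
    445: "file copy from server (SMB)",
    443: "web / personal email (HTTPS)",
}

# One flow record: seconds since midnight, user, destination, port, bytes sent.
Flow = namedtuple("Flow", "ts user dst dport bytes_out")

# Constructed flow records for the example; not real captured traffic.
FLOWS = [
    Flow(19800, "jsmith", "mail.corp", 993, 2000),             # 05:30 email
    Flow(19830, "jsmith", "mail.corp", 993, 1500),
    Flow(20700, "jsmith", "im.corp", 5222, 800),               # 05:45 IM
    Flow(21000, "jsmith", "files.corp", 445, 5_000_000),       # 05:50 file copy
    Flow(21300, "jsmith", "webmail.example", 443, 5_200_000),  # 05:55 upload
    Flow(21300, "adoe", "mail.corp", 993, 900),
]

def flows_to_events(flows, user=None, dport=None, idle_gap=300):
    """Merge flows to the same (user, dst, dport) that are <= idle_gap seconds
    apart into one session, name it via ADAPTERS, and return the events in
    time order. user/dport narrow the view to one person or one application."""
    events, open_sessions = [], {}  # open_sessions: key -> its current event
    for f in sorted(flows, key=lambda f: f.ts):
        if (user and f.user != user) or (dport and f.dport != dport):
            continue
        key = (f.user, f.dst, f.dport)
        ev = open_sessions.get(key)
        if ev is None or f.ts - ev["end"] > idle_gap:
            ev = {"start": f.ts, "end": f.ts, "user": f.user, "dst": f.dst,
                  "name": ADAPTERS.get(f.dport, f"unknown app (tcp/{f.dport})"),
                  "bytes_out": 0}
            open_sessions[key] = ev
            events.append(ev)
        ev["end"] = f.ts
        ev["bytes_out"] += f.bytes_out
    return events

def hhmm(ts):
    return f"{ts // 3600:02d}:{ts % 3600 // 60:02d}"  # HH:MM for the timeline

if __name__ == "__main__":
    for e in flows_to_events(FLOWS, user="jsmith"):
        print(f'{hhmm(e["start"])}-{hhmm(e["end"])} {e["user"]}: {e["name"]} -> {e["dst"]} ({e["bytes_out"]} bytes)')
```

Run as a script, it prints the jsmith timeline: the two email flows collapse into one 05:30 session, and the large SMB read followed minutes later by an equally large HTTPS upload is exactly the sequence an investigator would flag for review.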
DB: How much time do you figure investigators will save here?
SS: Well, as we deploy the solution in real networks, we’ll have some real proof-points to show. But I think it’s reasonable to expect about 70 percent to 90 percent faster time to analysis, which would dramatically speed up fraud and security investigations.
DB: Sounds like the biggest limitation is probably storage.
SS: Yes, storage is the factor that gates how far back you can look for investigations. This is where our nGenius InfiniStream appliance really makes a difference. Not only do we capture all network traffic and store the packets to disk, the system generates alarms and detects anomalies that could identify an emerging incident.
Since the InfiniStream appliance is in the network traffic path, it captures every packet that flows across it, reliably and consistently. So, the key to strategic instrumentation like this is selecting where you put it. If I have 10,000 users sitting downstream from the data center, you can see everything they did. Also, we are passive and invisible, so a hacker or bad guy won’t know where they are monitoring, which means there’s no attempt to go around us: It is all there and recorded.
The only issue you have is the historical time horizon. If your traffic volume is high and your storage capacity is low, this will limit how much you will be able to see. As an example, if you can only store two days’ worth of data, then so be it. After two days, the data is gone.
Now an appliance with 96 terabytes in an enterprise environment is probably going to give you days to weeks in a high-performance environment. In a service-provider production/revenue network environment, it may be less, so you might only get hours to days. Many organizations are using these appliances to track performance related data, so the benefit here is you are using the appliance for multiple purposes, which means you can often justify a higher capacity storage device.
Plus you can adapt the appliance and the analysis module to more precisely track what you want. You can filter out certain kinds of traffic. In addition, for one application you can record all the packets and for others only pieces of the packet. All these techniques improve storage management, which also gives you more historical data to analyze.
And much like the law enforcement folks would do, you can always dedicate an appliance for targeted monitoring of a particular person or group of people.
DB: Is setting up what you want to look at ahead of time the best strategy?
SS: For years, actually, this is the way things in security were done. Typically an enterprise would buy multiple appliances, each with a limited capacity of, say, 16 to 20 terabytes.
We think that our approach changes the paradigm. With our 96 terabytes monitoring capacity, we’ve got a product that can sit in the network and be always on, always there.
Not only that, we have been deploying InfiniStream appliances to telecoms and enterprises for performance and application management for many years. And in the past year we also acquired cybersecurity expertise.
For the Forensic Intelligence product, we acquired a group called Fox Replay about seven months ago. Fox Replay originally built its packets-to-event translator capability for “lawful intercept” by law enforcement agencies. NetScout has taken that expertise and leveraged it toward the larger cybersecurity market.
DB: The product suite sounds very promising, Steve, especially if the fraud, security and operations departments can pool their money together to buy something in common. But where does NetScout make its money on the nGenius platform?
SS: Actually our monitoring instrumentation platform, the InfiniStream appliance, is really the heart of our solution overall. We deploy the appliance in distributed fashion across the customer’s network to capture network traffic and turn it into intelligence, whether it is the native packets or how we analyze the packets to generate the metadata, from all of the key monitoring points. The vast majority of a customer’s investment is all about instrumentation — this is the key to pervasive visibility.
Of course, the instrumentation is only as good as the ways you can exploit or make use of that big instrumentation investment. So that’s our aim: Enable an enterprise to do surveillance on its entire service delivery chain by investing in one instrumentation infrastructure. In that way, we take away the need to buy multiple cybersecurity or service assurance platforms/products. So the cost savings, lower footprint, and longer storage times add up, we think, to a great value.
In the end, we think we can enable investigators to gain rapid access to the intelligence they need to take action. And the other bonus is to help the enterprise or telco consolidate and simplify their operating environments.
Steven Shalita is vice president, marketing at NetScout Systems, and leads their global marketing activities. Steve returned to NetScout in July of 2008, having been director, product marketing at NetScout from 1997 through 1999. During his time away, he held marketing leadership positions at Alcatel-Lucent, Redback Networks, Hewlett-Packard and Cisco Systems.
Dan Baker is research director of Technology Research Institute (TRI) and has been a B/OSS market synthesizer since 1994. Today, he focuses most of his research in the telecom business assurance practice, where TRI has recently published a 635-page analysis report.