Taking a deep dive into network events
Over the years we have looked at several network forensic appliances and applications. All seem to do the job, and now there is one more that can be added to the list of applicable tools. The idea of taking a deeper look at network activity than might be provided by a SIEM or log correlator is very attractive. Tools designed particularly for network forensics have some important capabilities not shared by tools whose job is solely to alert on a policy violation picked up by one of the devices that feeds the tool.
First, we need to make an important distinction. As simple as this distinction is, it seems to cause a bit of trouble from time to time. So in the spirit of ensuring that we are using a common vocabulary, let's distinguish between a network forensic tool and an over-the-network forensic tool. The difference is very important.
A network forensic tool analyzes traffic in motion over the network. An over-the-network tool allows access to a computer forensic application that is looking at devices on the network. So, as an example, suppose that we have an agent sitting in a desktop computer. The agent is communicating with a computer forensic application on a server somewhere. The analyst sitting at the server can take a forensic snapshot of each of the computers with such an agent as if it was analyzing the target's hard disk locally.
A network forensic tool, on the other hand, is concerned about traffic that is passing on the network. Usually, the tool does its own monitoring, rather than depend on extracting log data from network devices, such as an IDS and firewall. The Solera OS 5 appliance provides just such a window into the network, and it does this without sitting in-line and acting as a choke point for network traffic.
Solera OS 5 is available as either a hardware appliance or a virtual appliance. Having started up in 2005, Solera Networks is not a new entry in the forensics market. The company started off offering a packet capture application and then evolved its network forensics analysis capabilities. The current release, which came out in June, according to the vendor, offers an additional 200 features.
Solera does not think of its product as a network forensics tool, however. Its position is that OS 5 does “security analytics.” I'm not sure that I fully understand the implications given that forensics has a specific meaning both in common parlance and in legal and law enforcement circles. A deeper look at the product does reveal that some of the functions – such as chain of custody – may not be as strong in this product as it perhaps should be. However, that is a weakness shared almost universally in the genre.
The tool is a solid contender in most areas, and has such expected capabilities as session reconstruction, inputs from third-party products, and the ability to output captures as pcap [packet capture] files. Drill-down, a critical function in this type of device, is intuitive and the reporting is very good. Like most similar products, OS 5 has geolocation and it does this neatly using Google Earth. Session reconstruction allows replay, so once the capture is complete, the captured session can be played back extracting the details of an attack, for example, from the reconstruction.One particularly neat feature is the API. Using the product's API one can access any function on the device. That allows integration of the OS 5 into the infrastructure of the enterprise and its other security tools. I liked the dashboard with its “mini-reports.”
There is no network stack, so there is no IP address for an attacker to detect, making the forensic tool pretty much impervious to outside interference.
Overall, we like this. However, it does show evidence of its newness. While we would not call it immature at this point, we can see lots of opportunities for growth over time. Generally, this is an excellent start and it is well worth consideration.
Product: OS 5
Price: Starts at $10,000
What it does: Network forensic tool.
What we liked: Clean user interface and good functionality.
What we didn't like: While this is an effective product, there are a few areas where it needs a bit of maturity. But don't let that stop you from checking it out.