Vista will force need for network forensics

It is an understandable yet curious characteristic of the information security space that the current 'big thing' relates not to the latest big threat, but to the newest threat.

The column inches dedicated to mobile malware bear little relation to the threat posed. All IT security personnel are aware of the reality of this situation, which is that the risk posed by internal threats has always outweighed the risk from external threats. Employee fraud, sloppy exposure of passwords and malicious damage from within the security perimeter cost businesses millions more every year than losses from viruses or spyware.

Most organisations have policies and processes in place to try and counter the internal threat, but two industry developments are making these threats — and the ability to investigate them — a timely and significant concern. First, it has become increasingly difficult for a company that has suffered a security breach to sweep the fact under the carpet. Not only have we witnessed numerous significant and public ID theft breaches, we also have legislation either in effect or being planned that will force companies to 'come clean' regarding their security failures, and to investigate the source of the failure.

Second, Microsoft will soon launch the Microsoft Vista platform, which will encrypt systems at the disk level by default. If successful investigation of a security breach relies on the data on a computer's drive being accessible to an investigator, then locking out that investigator by encrypting the data means all bets are off. While encryption has been a capability for years, most people doing bad things don't take the steps necessary to cover their tracks. Encryption by default means that without user credentials it will no longer be possible to investigate user behaviour at a disk level.

The result? Network forensics is rapidly becoming the next big thing in IT security.

Network forensics is the ability to investigate, at a network level, things taking place or that have taken place across an IT system. Network forensics software provides the tools to conduct this investigation in a correct, sound and thorough manner.

Network forensics overcomes the problem of disk-based encryption locking out the investigator by investigating at a network level. Material that is encrypted while sitting on the disk would be readable as text while passing over the network. Even if the user took the time to encrypt the document, evidence about where communications are coming from and going to, as well as information about the size of attachments and so on, could be enough to identify a sales manager sending confidential client information to a competitor, for example.

IT forensics is not a new invention. Some large organisations, particularly in the financial services sector, have had dedicated forensics departments for years, investigating activity such as employee fraud. Within the conventional law-enforcement community, the lack of expertise and resources for investigating computer crimes has meant private organisations have to take it upon themselves to investigate suspected cases of IT fraud or misuse, gathering the necessary evidence to take action against employees or hand over for prosecution.

While organisations should take all the proactive action they can to investigate employee fraud or security breaches, it is human nature to do only what we have to do, not what we ought to do. It has taken compliance requirements and Microsoft Vista to take network forensics from an 'ought to do' to a 'have to do'.

I'm not suggesting that every organisation will soon have its own forensics department and be running network forensics in-house. For many, there simply wouldn't be the daily requirement to warrant employing the people with the correct investigative skills to make use of the software. In most cases, services will be provided by companies that will use their software and expertise to conduct investigations on a client's network. However, persistent incidents such as security breaches, employee fraud and the exploitation of HR and security policies have led to the emergence of such services.

I anticipate that network forensics will be an area of significant investment and development for security vendors, and I wouldn't be surprised to see the few niche vendors in this area quickly acquired by larger players. The threat may be old but the reasons for dealing with it differently are new and that could be all it takes to make network forensics the 'next big thing'.