How Cloud-based Network Analytics Can Enhance Network Forensics
Having a strong background in network engineering, I can really appreciate how valuable “footprints” are in network analysis and forensics. Footprints are those little data tracks left over in the world of technology as communications are occurring. From the TCP/80 session being initiated across a firewall to a web server to the HTTP/200 GET request on a particular document, there are footprints all over.
Much of the challenge lies in the scavenger hunt for these tracks that are left in various systems. While network communications can leave numerous footprints across many systems, there is a common point – the network. That cloud that sits between host A and destination X consolidates invaluable information. Deploying your own solution to capture this network activity at all your network points can be a big task, and often an afterthought. Companies like Masergy offer hosted network analytics services that provide this intelligence.
Let’s discuss a scenario where this network analyst tool can be useful. You’re the IT guy at a company and were just informed that a disgruntled employee, we’ll call him Mad Moe, may have gained access to proprietary systems before he left the company. The only information that you’re given is the private IP that Moe was using, 192.168.104.68, and the timeframe human resources is concerned, being March 27 through April 3. Mad Moe also wiped the machine he was using to cover any tracks he left locally – as if you didn’t have enough to do.
What’s the next step? Well, you could start trolling around random system logs looking for IP 192.168.104.68, or you could plug it into a cloud-based service like Masergy’s Intelligent Network Analyst and get a head start:
We searched for traffic communicating with this IP across the cloud and can see a sky-level view of network activity. This gives us a list of systems to audit that Mad Moe touched. We can also drill down to particular timeframes of interest:
Changing our perspective a bit, we may not need to analyze all those far end addresses. If we enjoy the extra work, we can peek into the protocols that were used and then determine things of interest. Our top three are listed as HTTP, GP RDS (Remote Desktop) and SMB CIFS NetBIOS (Windows Networking). Now we also know which application logs to dig into if a server IP runs multiples:
Finally, with a click of a button we can download our communication perspective into a spreadsheet. This gives a detailed checklist that you can take to the other systems to get your answers faster and easier. This is good because it gives HR some initial tasks to give Mad Moe’s replacement, Angry Andy. What could possibly go wrong?
For more information about Masergy’s cloud-based Intelligent Network Analyst service, and how it can help your organization, visit Intelligent Network Analyst.