Twenty-Four Seven Security

Peter Schooff

Los Alamos and The Network Forensic Search Engine: A Talk With Packet Analytics


Listen to or download the 6:05 minute podcast below:


What follows is a transcript of my podcast with two people from Packet Analytics, Andy Alsop, President and CEO, and Ben Uphoff, the Vice President of Research, in which we discuss Packet Analytics' Network Forensic Search Engine, how the tool was developed at Los Alamos National Laboratory, what the Network Forensic Search Engine does, how it would have helped with an access breach like Societe Generale, and, finally, what they see for the future of security.

Packet Analytics recently announced the launch of a Network Forensics Search Engine. Give me a brief overview of both your company and what the announcement entails.

So essentially, what we’ve done is we have developed technology that has been licensed exclusively out of Los Alamos National Laboratory, and we have commercialized the software that was developed by Ben and are selling it as a product called 'Net/FSE', or the Network Forensics Search Engine.

It allows security analysts to do deep dives into network alerts using all that voluminous network data (IP-based data) that exists on the network, allowing them to dig down deep into those alerts and put context around those alerts far beyond any of the other solutions that exist in the marketplace today.

As you mentioned, it was through an agreement with Los Alamos National Laboratory. I find that fascinating, so tell me a little bit more about that.

Well, the technology was developed at Los Alamos based on the needs of the network engineering group there, specifically, the network security team. And what we were faced with was millions and millions of events being generated by the network every day that all had really interesting information in them, but we didn’t really have the technology to quickly search and efficiently store that data. So we set out to solve that problem by developing Net/FSE, and that technology allows the security analysts at Los Alamos to, in a single web interface, access all the network log data that’s important in their day-to-day operations to get down to the bottom of security incidents, intrusion detection system alerts, or just kind of, you know, user troubleshooting questions.

So now tell me a little bit more about how the search engine works and exactly what does it tell you.

The search engine is designed and optimized to quickly search through IP-based network information. One 'sweet spot' of the search engine is NetFlow data, and that was a real driver of the technology. At Los Alamos they were generating over a hundred million NetFlow events from routers alone off the network; that’s not even including firewall data and IDS data. We’re looking at potentially hundreds of millions of network events, and the search engine was designed to be optimized for that situation and to quickly put the data at the fingertips of security analysts and work as a tool for them to do their analysis and incident response.

How would a tool like this have stopped what happened to the bank in France, Societe Generale, where the rogue trader essentially traded away $7 billion?

Well, what I would say is that essentially it’s not going to stop an event from happening but what it allows the security analyst to do is to be able to recover much more quickly. Currently, what ends up happening is that there is no way to have visibility -- significant visibility into all of that network data as it exists today and many organizations aren’t even collecting it.

But if the bank were to have been collecting this type of data, what it would allow them to do is to look into the activity of that trader to put more context around his activity and what he was doing. So as soon as the alert or something triggered on his behavior that something had been going on, and they needed to do the forensic investigation beyond just what he was doing in his trading system, it would allow the analyst within the organization to determine maybe what his motivation was or what websites he was visiting, looking at his email traffic, looking at his network traffic, to be able to put context around all this trade activity.

And as you’re seeing in the, you know, in a lot of the news reports, that’s one of the -- one of the pieces they’re still digging down into is what was all the motivation behind this and all the trades that he did.

Now, what do you see for the future of both security and your company?

Well, what we’re seeing is there are trends in the industry and they’re already starting. There’s a -- if you consider the whole security -- the IT security piece as being a pie, a large segment, maybe 90 percent of the pie right now, if not more, is being focused on the -- what we call the “protection and detection” side, and that is securing perimeters and looking at what intrusions might be coming in and trying to block those intrusions.

We expect that companies have to and will continue to invest in those technologies. But there’s a piece that’s missing, and that’s the piece we’re bringing to the table as well, and that is the incident response side -- the ability to respond when something happens. Because you can just see that 2007 was really an awful year, and there were a lot of companies that found themselves with situations they weren’t expecting and didn’t have the opportunity to quickly recover and respond.

I mean TJX is probably the bellwether example of having to take months to figure out what happened. There really has to be an incident response plan that is proactively put in place. And that -- I see that as being a growing piece of the pie for IT security spending.


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
