How quickly could you solve a crime if you had at your fingertips a comprehensive index of all activities occurring at a crime scene before, during, and after the crime? Security professionals have spent considerable amounts of time determining the sequence and timing of events in order to determine how security incidents occurred (e.g., how did attackers obtain access?) and whether data was stolen.
A new technology is emerging that offers a broad picture of a security “crime scene.” This technology, defined by NSS Labs as continuous forensic analytics (CFA), provides an enterprise the ability to record and extract the traffic records for multiple areas within a network – and this gives incident responders a comprehensive forensic database from which they can conduct their queries.
Leveraging concepts long used in the network performance monitoring market, security companies have incorporated new technologies into existing packet capture and indexing systems to assist with alerting and investigation activities. Today’s CFA systems are utilized both within security operations teams and more broadly across organization infrastructures.
Although these packet forensic systems are not explicitly a security technology, their ability to quickly provide retrospective maps of both inbound and outbound traffic as well as information about malicious payloads provides security researchers with a powerful new tool. The CFA segment strongly complements the breach detection and advanced threat technologies markets.
More and more, organizations are seeking answers to the questions “What just happened?”, “When did it happen?”, and “How bad is it?”. CFA systems provide fast, accurate answers to these questions, which is why I believe they are set to become one of the fastest growing segments in the security market.