Even a solid security infrastructure can sometimes be compromised, at which point it takes a security forensics effort to get to the bottom of a break-in. But that forensics effort will be only as good as the data experts have available to mine. The more skilled the intruder is at covering his tracks, the less chance he will leave behind valuable clues and ultimately be caught.
Unless, of course, the intruder is being watched.
That's the idea behind NIKSUN Inc.'s NetDetector, a network surveillance appliance that can capture and record every bit that passes in and out of an enterprise network. The tool also comes with a Web-based graphical user interface intended to make it easy to mine the vast amounts of data collected to determine not only the source of a break-in, but the damage done.
"Wherever there is physical security, such as locks on a bank vault, there are other types of security to make sure there's no compromise of the physical security. Typically that's a security camera," says Parag Pruthi, NIKSUN's CEO and president. "That's our approach. You need a surveillance camera for the network."
Pruthi and other NIKSUN executives, notably Jayne Fitzgerald, VP business development and operations, are parlaying their experience in managing telephone company networks to their current three-year-old venture. Pruthi worked with several RBOCs and other telcos on network monitoring and related technologies, while Fitzgerald was previously VP of global operations for AT&T's Data Services unit.
NIKSUN differentiates itself on the ability to process huge streams of data, handling heavy packet streams across all four 100M bps Ethernet LAN connections. The device also supports T-1/E-1 wide-area links.
"We're pushing the limits of the technology here," Pruthi says. "Our expertise from the Bell system, being able to monitor a carrier environment, really has helped us get to the point we're at right now."
For the majority of users that don't want to record every bit, NetDetector includes filters that can be configured to watch for any sort of event, such as when the number of ports being scanned from the same IP address exceeds a certain threshold. That would help you detect a slow port scan.
The system likewise can detect patterns that indicate a denial of service attack, immediately alert administrators, and archive data for a specified period prior to the attack. Examining that data will help administrators quickly determine the source of the attack and shut it down, Pruthi says. Improvements to the GUI enable users to access all NetDetector capabilities from a single drop-down menu, instead of scrolling through multiple screens to drill into a problem.
NetDetector also comes with tools that allow users to reconstruct an attack, allowing them to determine the exact keystrokes an intruder used to break in and what was compromised. The same data can be used to prosecute intruders.
The product can archive up to 730G byte of data internally, or 1 terabyte using external storage. The previous limit was 144G byte.
NIKSUN, which is named after Pruthi's sons, Nikheel and Sunil, has about 150 employees now and expects to grow to 250 by the end of the year. The company is focusing on just a couple of vertical markets: government agencies and financial institutions.
Pricing for NetDetector ranges from less than $20,000 to about $70,000, depending on configuration, such as the amount of disk space required.