Network history: Why it's important and who's responsible for it

12.09.2012

In this context, the benefits of network recording are twofold: Not only does it reduce the time it takes for an engineer to investigate and respond to an alarm (ask any Tier 2 NetOps or SecOps engineer what would make his life better and he'll say "a perfectly accurate packet trace for every ticket in my queue"), but it also enables engineers to be more definitive in their actions.

Integration between your SIM/net management system and a pervasive network visibility/recording fabric is an effective way to improve the efficiency of engineers and enhance the value of your SIM/management investments. The added benefit (in the case of SIM) is the dramatic effect it can have on your containment strategy: it helps you not only to diagnose and find the root cause, but also to establish with absolute clarity exactly what was taken.

Both network operations and security groups need to use network history data. These groups generally have the right skills to operate network recording equipment and there have been successful deployments by both groups. But should network recording and flow collector tools be operated by the security team or by the network operations team? The cop-out answer is "it depends on the organization."

There is a clear trend here: Network history is becoming a core network service, and the best practice in most organizations is for it to be owned by the network operations group. Forward-looking network operations teams are keeping network history for their own purposes -- to respond to difficult issues and understand network traffic patterns -- and they are providing appropriate access to security teams and cooperating with them to deal with security incidents.