Bounce the Bad Guys From Your Network With a Forensics Investigative Solution

Until fairly recently, the practice of network forensics investigations was more or less a black art practiced by highly skilled individuals.

Its origins seem to trace back to multiple development efforts, including research projects funded by the U.S. government, university graduate students writing protocol analysis tools and efforts by telephony research organizations to discover and terminate phone system abuse. These efforts have produced a range of offerings that today’s information technology (IT) security professionals can use to forensically investigate network breaches, discover the root cause of a successful attack and terminate these unauthorized activities in hours or days rather than weeks or months.

Organizations within the financial, retail and manufacturing industries — as well as government agencies — have now largely accepted that a network breach is inevitable, with many beginning to assume that it has already happened. Perimeter defenses are quickly bypassed through the actions of their so-called “carbon elements”: users who are duped into divulging their access credentials. While IT professionals in these environments are concerned about maintaining adequate defenses, they spend an increasing amount of their time looking for anomalous behaviors and incorporating new packet capture technologies in order to speed up and clarify forensics research efforts.

What Are the Top Incident Forensics and Data Capture Solutions?

Enterprise Management Associates (EMA) was recently commissioned to perform an analysis of the top data capture and network forensics offerings to help define the strengths and weaknesses of each approach. In addition to analyzing several incident forensics offerings and vendors, the report provides some interesting insights:

53% of EMA research respondents understood that security analytics and network forensics tools augmented their Security Information and Event Management (SIEM) tools

46% understood that security analytics and forensics tools were a natural evolution of the traditional SIEM

95% of the organizations that implemented an analytics or forensics solution indicated that they received “expected or greater than expected value” from the solution

90% of the respondents said that the introduction of an incident forensics solution had reduced false positives and improved their actionable alerts

Given the numerous data capture and network forensics tools available in the marketplace, it is not always easy to know which one is the best solution. According to the report, many consumers are confused by the many security vendors and tools that profess to deliver “actionable intelligence” or “actionable insights” to operators and analysts to improve security response.

EMA Analyst Report: Comparison of the best Data Capture and Network Forensics solutions

The analyst report evaluates some of the best network forensics offerings across six common criteria, including:

User interface

Data visualization

Data capture and reconstruction

Solution integration

Data search capabilities and performance

Skills required to operate

The report concludes that IBM Security QRadar Incident Forensics scored the highest overall rating with a score of 3.92 out of 4.0. You can see all the results in the image below or download the full report for a deeper analysis and commentary on each solution.

What I believe makes the IBM Security QRadar solution unique is that it begins with a different development mentality. When users want to find something on the Internet, they use search engine technology. Why not do the same when searching inside networks?

QRadar Incident Forensics converts all that messy packet data back into recognizable things such as documents, Web pages and voice-over-IP. It does so automatically by using a right-click integration capability with QRadar SIEM, which tells users where to look in the first place.
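To make the "reconstruct, then search" idea concrete, here is a small illustration written for this article; it is not QRadar's code and says nothing about how that product is implemented. It reassembles out-of-order and retransmitted TCP segments into streams, parses HTTP responses back into the documents and Web pages they carried, and builds a keyword index over the recovered artifacts so an analyst can query them like a search engine. The packet records, addresses and file contents are all constructed by hand.

```python
"""Reconstruct application-layer artifacts from captured TCP segments and make
them keyword-searchable.  Illustrative example, not QRadar code; every packet
below is constructed for the demonstration."""
import re
from collections import defaultdict

# Constructed capture: (flow, tcp_seq, payload).  A flow is (src, sport, dst, dport).
# The response from 203.0.113.10 arrives out of order and one segment is
# retransmitted, as happens in real captures.
CAPTURE = [
    (("10.0.0.5", 51000, "203.0.113.10", 80), 100,
     b"GET /report.txt HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    (("203.0.113.10", 80, "10.0.0.5", 51000), 90, b"dential draft v2\n"),
    (("203.0.113.10", 80, "10.0.0.5", 51000), 1,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 41\r\n\r\n"),
    (("203.0.113.10", 80, "10.0.0.5", 51000), 66, b"Quarterly revenue: confi"),
    (("203.0.113.10", 80, "10.0.0.5", 51000), 66, b"Quarterly revenue: confi"),  # retransmit
    (("198.51.100.20", 80, "10.0.0.7", 52000), 5000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 45\r\n\r\n"
     b"<html><body>Welcome to intranet</body></html>"),
]


def reassemble(segments):
    """Order one flow's segments by sequence number and concatenate them,
    dropping bytes already seen (retransmits) and zero-filling any gap left
    by a segment the capture missed."""
    stream = bytearray()
    base = None
    for seq, payload in sorted(segments):
        if base is None:
            base = seq
        offset = seq - base
        if offset + len(payload) <= len(stream):
            continue                       # full duplicate, nothing new
        if offset > len(stream):
            stream.extend(b"\x00" * (offset - len(stream)))   # lost segment
        skip = len(stream) - offset if offset < len(stream) else 0
        stream.extend(payload[skip:])      # partial overlap: keep the new tail
    return bytes(stream)


def parse_http_response(stream):
    """Split an HTTP message into status line, headers and body; None if the
    stream has no complete header block."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    length = int(headers.get("content-length", len(rest)))
    return {"status": lines[0].decode("ascii", "replace"),
            "headers": headers, "body": rest[:length]}


def extract_artifacts(capture):
    """Turn raw segments into recognizable objects: one artifact per HTTP
    response, carrying its flow, content type and decoded text."""
    flows = defaultdict(list)
    for flow, seq, payload in capture:
        flows[flow].append((seq, payload))
    artifacts = []
    for flow, segments in flows.items():
        response = parse_http_response(reassemble(segments))
        if response and response["status"].startswith("HTTP/"):
            artifacts.append({"flow": flow,
                              "type": response["headers"].get("content-type", "unknown"),
                              "text": response["body"].decode("utf-8", "replace")})
    return artifacts


def build_index(artifacts):
    """Inverted index: lower-cased word -> set of artifact positions."""
    index = defaultdict(set)
    for pos, artifact in enumerate(artifacts):
        for token in re.findall(r"\w+", artifact["text"].lower()):
            index[token].add(pos)
    return index


def search(index, artifacts, query):
    """Return artifacts containing every word of the query (AND search)."""
    terms = query.lower().split()
    if not terms:
        return []
    hits = set.intersection(*(index.get(t, set()) for t in terms))
    return [artifacts[pos] for pos in sorted(hits)]


if __name__ == "__main__":
    found = extract_artifacts(CAPTURE)
    idx = build_index(found)
    for hit in search(idx, found, "confidential draft"):
        print(hit["flow"], hit["type"], repr(hit["text"]))
```

The reassembler is where most forensics value (and most subtlety) lives: sequence-number ordering, duplicate suppression and gap marking decide whether the recovered document is trustworthy, and a commercial tool must also handle TLS, compression, chunked transfer and far more protocols than plain HTTP.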

This new element scores high marks in the areas of user interface, data reconstruction and search speed, all while being among the easiest technologies to use. Paired with QRadar SIEM’s high-probability offense notifications, it is the equivalent of a one-two punch for knocking out cyber criminals who breach a network. Once they’re in, it’s a race against time to find them before they find critical data.

Without a doubt there is no silver bullet when it comes to security. But if your organization is looking for a better way to identify threats and reduce risks within your environments, you should strongly consider a security analytics and network forensics solution. I hope this article and analyst report will help guide your decision-making.