October 28, 2015 By Vijay Dheap 3 min read

IBM recently announced the latest addition to its QRadar line of products: incident forensics. This adds to the existing products in this stable, which includes security information and event management (SIEM), log management, anomaly detection and configuration and vulnerability management. Together, these products aid organizations in advanced threat protection, insider threat detection and incident response.

The Need for Incident Forensics

This new product is aimed at making incident forensics easier and more effective, providing actionable information about how a breach occurred to minimize the impact to the network and prevent similar breaches from occurring in the future.

According to a recent survey by the Ponemon Institute, 73 percent of respondents said their forensic analysis tool is difficult or very difficult to use, and only 44 percent report that they are receiving actionable intelligence from the alerts that they receive. The new QRadar incident response product aims to iron out those difficulties with forensics by making it search-driven. It also provides nonspecialists with the ability to trace the steps of an incident with ease by using human intuition and logical deduction, giving practitioners the ability to learn on the job. Because of the difficulties with using many existing products, forensics is often outsourced to specialists, which is more expensive in most cases.

Forensics tools work by providing visibility into a variety of different data flows, including logs, flow data, vulnerability data, threat feeds and configuration information. Recently, they have started to incorporate full packet capture, looking at everything that flows over the wire. However, many have limitations in that they capture and store huge amounts of data, which is a drain on costs, and they generally only let analysts peek into the first set of bytes for a short period.

Read the complete Network Forensic Investigations Market Study from Ponemon Institute

Another issue is the growing use of encryption. Encryption is set to achieve a compound growth rate of more than 17 percent through 2019, and no slowdown is likely. Not only does encryption add to the overall cost of a security solution, but it can mean that organizations don’t always get access to the metadata they previously had. In many cases, organizations deploy encryption by setting up an SSL proxy at the edge of the network. But this becomes a façade for all interactions, which means that all traffic is visible once it is decrypted. It is also often difficult to get the proxy right since its location may be difficult to pinpoint and it can act as a single point of failure.

Let QRadar Help

With the QRadar incident response capabilities, encryption and decryption are made more effective and secure. All ingress traffic is collected to a point within the network where the necessary information in terms of private keys, certificates and session keys are stored. All data remains encrypted until it needs to be decrypted on demand in the course of investigating a specific incident. This provides the necessary accountability that data has not been inappropriately accessed in decrypted form.

Even for egress traffic (traffic moving across organizational boundaries), if an organization has an endpoint management solution such as IBM Big Fix, it is possible to employ incident forensics to leverage session keys to provide visibility into encrypted traffic.

There are dangers that can arise when forensics is performed in an ad hoc manner because this can lead to its being overused or potentially compromising privacy. By performing decryption strictly on demand when the cause of an incident needs to be investigated, the whole process is totally traceable, providing the audit trail that is needed to prove that no excessive actions have been taken that could expose data.

QRadar Incident Forensics helps organizations retrace all the steps taken during an incident so that events can be reconstructed to see the entire chain, which aids in the ability to respond faster and more effectively. It also allows for the number of false positives to be reduced by focusing on specific data feeds. The solution can be used by security generalists who are not specifically forensics experts, making the product applicable to a wider range of organizations that want to perform forensics in-house at reduced cost and with increased effectiveness.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today