October 28, 2015 By Vijay Dheap 3 min read

IBM recently announced the latest addition to its QRadar line of products: incident forensics. It joins the existing products in the family: security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management. Together, these products support advanced threat protection, insider threat detection and incident response.

The Need for Incident Forensics

This new product is aimed at making incident forensics easier and more effective, providing actionable information about how a breach occurred so that the impact on the network can be minimized and similar breaches prevented in the future.

According to a recent survey by the Ponemon Institute, 73 percent of respondents said their forensic analysis tool is difficult or very difficult to use, and only 44 percent report that they receive actionable intelligence from the alerts they get. The new QRadar incident response product aims to iron out those difficulties by making forensics search-driven. It also lets nonspecialists trace the steps of an incident with ease, using intuition and logical deduction, so practitioners can learn on the job. Because many existing products are hard to use, forensics is often outsourced to specialists, which in most cases costs more.

Forensics tools work by providing visibility into a variety of data sources, including logs, flow data, vulnerability data, threat feeds and configuration information. Recently, they have started to incorporate full packet capture, recording everything that crosses the wire. Many, however, are limited: capturing and storing that much data is costly, and they generally retain only the first few bytes of each session, and only for a short period.


Another issue is the growing use of encryption. Encryption is set to achieve a compound growth rate of more than 17 percent through 2019, and no slowdown is likely. Not only does encryption add to the overall cost of a security solution, but it can also deprive organizations of metadata they previously had access to. In many cases, organizations handle encryption by setting up an SSL proxy at the edge of the network. But the proxy then fronts every interaction, which means that all traffic is visible in the clear once it has been decrypted there. It is also often difficult to get the proxy right, since its location may be hard to pinpoint and it can become a single point of failure.

Let QRadar Help

With the QRadar incident response capabilities, encryption and decryption are handled more effectively and securely. All ingress traffic is collected at a point within the network where the necessary material (private keys, certificates and session keys) is stored. All data remains encrypted until it has to be decrypted on demand in the course of investigating a specific incident. This provides the necessary accountability: it can be shown that data has not been inappropriately accessed in decrypted form.

Even for egress traffic (traffic that crosses organizational boundaries), an organization with an endpoint management solution such as IBM BigFix can use incident forensics to leverage session keys and gain visibility into encrypted traffic.

Performing forensics in an ad hoc manner carries risks: it can be overused, and it can compromise privacy. By decrypting strictly on demand, only when the cause of an incident has to be investigated, the whole process is fully traceable, providing the audit trail needed to prove that no excessive actions were taken that could expose data.
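The pattern the preceding paragraphs describe (captured traffic kept encrypted at rest, keys held separately, decryption only against a named incident, every decryption audited) is small enough to show in code. The following is an added example and not IBM's or QRadar's code; it uses HMAC-SHA256 in counter mode with an HMAC tag as a stand-in for AES-GCM so that it runs on the Python standard library alone, and the session id, incident id, analyst name and captured request are all constructed values.

```python
"""Added example: on-demand, audited decryption of a stored traffic capture.

Not QRadar code. The cipher is a stand-in (HMAC-SHA256 as a PRF in counter mode
plus an HMAC tag); a real system would use AES-GCM. All ids and payloads below
are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List


def _subkeys(session_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one session key."""
    enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError if the blob was altered."""
    enc_key, mac_key = _subkeys(session_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("capture integrity check failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class ForensicStore:
    """Captures stay sealed at rest, session keys live in a separate map, and
    decryption requires an incident reference and is always written to the audit log."""

    def __init__(self) -> None:
        self._captures: Dict[str, bytes] = {}
        self._session_keys: Dict[str, bytes] = {}
        self.audit_log: List[dict] = []

    def ingest(self, session_id: str, session_key: bytes, payload: bytes) -> None:
        """Seal the captured payload under its session key at ingest time."""
        self._session_keys[session_id] = session_key
        self._captures[session_id] = seal(session_key, payload)

    def stored_blob(self, session_id: str) -> bytes:
        return self._captures[session_id]

    def decrypt_for_incident(self, session_id: str, incident_id: str, analyst: str) -> bytes:
        """Decrypt one session on demand, recording who, for which incident, and when."""
        if not incident_id or not analyst:
            raise PermissionError("decryption requires an incident id and an analyst")
        blob = self._captures[session_id]
        plaintext = open_sealed(self._session_keys[session_id], blob)
        self.audit_log.append({
            "ts": time.time(),
            "analyst": analyst,
            "incident_id": incident_id,
            "session_id": session_id,
            "blob_sha256": hashlib.sha256(blob).hexdigest(),
            "bytes_revealed": len(plaintext),
        })
        return plaintext


def demo() -> dict:
    """Constructed scenario: one session, one refused and one audited access, one tamper check."""
    store = ForensicStore()
    key = os.urandom(32)
    payload = b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=alice"  # constructed
    store.ingest("sess-0001", key, payload)
    blob = store.stored_blob("sess-0001")
    refused = False
    try:
        store.decrypt_for_incident("sess-0001", "", "analyst.a")  # no incident named
    except PermissionError:
        refused = True
    revealed = store.decrypt_for_incident("sess-0001", "INC-0042", "analyst.a")
    tampered = bytearray(blob)
    tampered[20] ^= 0x01  # flip one ciphertext bit
    tamper_detected = False
    try:
        open_sealed(key, bytes(tampered))
    except ValueError:
        tamper_detected = True
    return {
        "plaintext_at_rest": b"alice" in blob,
        "refused_without_incident": refused,
        "round_trip_ok": revealed == payload,
        "audit_entries": len(store.audit_log),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The refused call leaves no audit entry because nothing was revealed; the successful call leaves exactly one, tied to the incident id and to a digest of the sealed blob, which is what lets an organization later prove which captures were opened and why.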

QRadar Incident Forensics helps organizations retrace all the steps taken during an incident so that events can be reconstructed and the entire chain seen, which helps them respond faster and more effectively. It also reduces false positives by focusing on specific data feeds. The solution can be used by security generalists who are not forensics experts, making it applicable to a wider range of organizations that want to perform forensics in-house at lower cost and with greater effectiveness.
