IBM recently announced the latest addition to its QRadar line of products: incident forensics. It joins the existing products in that line, which include security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management. Together, these products aid organizations in advanced threat protection, insider threat detection and incident response.

The Need for Incident Forensics

This new product is aimed at making incident forensics easier and more effective, providing actionable information about how a breach occurred to minimize the impact to the network and prevent similar breaches from occurring in the future.

According to a recent survey by the Ponemon Institute, 73 percent of respondents said their forensic analysis tool is difficult or very difficult to use, and only 44 percent report that they are receiving actionable intelligence from the alerts they receive. The new QRadar incident response product aims to iron out those difficulties with forensics by making it search-driven. It also gives nonspecialists the ability to trace the steps of an incident with ease, using human intuition and logical deduction, so practitioners can learn on the job. Because of the difficulties with using many existing products, forensics is often outsourced to specialists, which is more expensive in most cases.

Forensics tools work by providing visibility into a variety of data sources, including logs, flow data, vulnerability data, threat feeds and configuration information. Recently, they have started to incorporate full packet capture, looking at everything that flows over the wire. However, many have limitations: they capture and store huge amounts of data, which drives up costs, and they generally only let analysts peek into the first set of bytes for a short period.


Another issue is the growing use of encryption. Encryption is set to achieve a compound growth rate of more than 17 percent through 2019, and no slowdown is likely. Not only does encryption add to the overall cost of a security solution, it can also mean that organizations no longer get access to the metadata they previously had. In many cases, organizations deploy encryption by setting up an SSL proxy at the edge of the network. But the proxy then becomes a façade for all interactions, which means that all traffic is visible once it has been decrypted. It is also often difficult to get the proxy right, since its location may be difficult to pinpoint and it can act as a single point of failure.

Let QRadar Help

With the QRadar incident response capabilities, encryption and decryption are made more effective and secure. All ingress traffic is collected at a point within the network where the necessary information, in terms of private keys, certificates and session keys, is stored. All data remains encrypted until it needs to be decrypted on demand in the course of investigating a specific incident. This provides the necessary accountability: it can be shown that data has not been inappropriately accessed in decrypted form.

Even for egress traffic (traffic moving across organizational boundaries), if an organization has an endpoint management solution such as IBM BigFix, incident forensics can leverage session keys to provide visibility into encrypted traffic.

There are dangers when forensics is performed in an ad hoc manner, because this can lead to decryption being overused or to privacy being compromised. By performing decryption strictly on demand, when the cause of an incident needs to be investigated, the whole process is fully traceable, providing the audit trail needed to prove that no excessive actions were taken that could expose data.
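As an added illustration of the decrypt-on-demand model described above (example code, not IBM's and not how QRadar implements it), this Python sketch keeps captured payloads encrypted at rest with their session keys held separately, refuses any decryption that does not cite an incident, and appends every decryption to a hash-chained audit log that can later be verified. The HMAC counter-mode cipher, the `EvidenceVault` class and all identifiers are constructed for this example.

```python
import hmac, hashlib, json, os, time

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in cipher constructed for this example only
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class EvidenceVault:
    """Payloads stay encrypted at rest; each on-demand decryption cites an incident and is audit-chained."""
    def __init__(self, audit_key: bytes):
        self.blobs = {}           # capture_id -> (nonce, ciphertext)
        self.session_keys = {}    # capture_id -> session key, held separately from the blob
        self.audit = []           # chained records of every decryption
        self._audit_key = audit_key
        self._prev = "00" * 32    # MAC of the previous record (genesis value)

    def ingest(self, capture_id: str, session_key: bytes, payload: bytes) -> None:
        nonce = os.urandom(12)
        self.blobs[capture_id] = (nonce, xor(payload, keystream(session_key, nonce, len(payload))))
        self.session_keys[capture_id] = session_key

    def _mac(self, body: dict) -> str:
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._audit_key, canon, hashlib.sha256).hexdigest()

    def decrypt_for_incident(self, capture_id: str, incident_id: str, analyst: str) -> bytes:
        if not incident_id:
            raise PermissionError("decryption must reference an incident under investigation")
        nonce, ct = self.blobs[capture_id]
        rec = {"ts": time.time(), "capture": capture_id, "incident": incident_id,
               "analyst": analyst, "prev": self._prev}
        rec["mac"] = self._prev = self._mac(rec)   # chain this record to the previous one
        self.audit.append(rec)
        return xor(ct, keystream(self.session_keys[capture_id], nonce, len(ct)))

    def verify_audit(self) -> bool:
        # Recompute the chain: an edited, removed or reordered record breaks it
        prev = "00" * 32
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False
            prev = rec["mac"]
        return True
```

In a real deployment the audit key would live outside the reach of the analysts whose actions it records, so that the chain proves the absence of undocumented decryptions rather than merely listing the documented ones.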

QRadar Incident Forensics helps organizations retrace all the steps taken during an incident so that events can be reconstructed and the entire chain seen, which aids in responding faster and more effectively. It also allows the number of false positives to be reduced by focusing on specific data feeds. The solution can be used by security generalists who are not forensics experts, making the product applicable to a wider range of organizations that want to perform forensics in-house at reduced cost and with increased effectiveness.
