October 28, 2015 By Vijay Dheap 3 min read

IBM recently announced the latest addition to its QRadar line of products: incident forensics. This adds to the existing products in this stable, which include security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management. Together, these products aid organizations in advanced threat protection, insider threat detection and incident response.

The Need for Incident Forensics

This new product is aimed at making incident forensics easier and more effective, providing actionable information about how a breach occurred in order to minimize the impact on the network and prevent similar breaches from occurring in the future.

According to a recent survey by the Ponemon Institute, 73 percent of respondents said their forensic analysis tool is difficult or very difficult to use, and only 44 percent report receiving actionable intelligence from their alerts. The new QRadar incident response product aims to iron out those difficulties with forensics by making it search-driven. It also gives nonspecialists the ability to trace the steps of an incident with ease, using human intuition and logical deduction, so practitioners can learn on the job. Because many existing products are so difficult to use, forensics is often outsourced to specialists, which in most cases is more expensive.

Forensics tools work by providing visibility into a variety of data sources, including logs, flow data, vulnerability data, threat feeds and configuration information. Recently, they have started to incorporate full packet capture, looking at everything that flows over the wire. However, many are limited: they capture and store huge amounts of data, which drives up cost, and they generally let analysts look only at the first set of bytes, and only for a short period.

Read the complete Network Forensic Investigations Market Study from Ponemon Institute

Another issue is the growing use of encryption. Encryption is set to achieve a compound growth rate of more than 17 percent through 2019, and no slowdown is likely. Not only does encryption add to the overall cost of a security solution, but it can mean that organizations don’t always get access to the metadata they previously had. In many cases, organizations deploy encryption by setting up an SSL proxy at the edge of the network. But the proxy then terminates every interaction, which means that all traffic is visible in the clear once it is decrypted. It is also often difficult to get the proxy right, since its correct placement may be hard to pinpoint and it becomes a single point of failure.

Let QRadar Help

With the QRadar incident response capabilities, encryption and decryption are made more effective and secure. All ingress traffic is collected at a point within the network where the necessary information (private keys, certificates and session keys) is stored. All data remains encrypted until it needs to be decrypted on demand in the course of investigating a specific incident. This provides the necessary accountability: it can be shown that data has not been inappropriately accessed in decrypted form.

Even for egress traffic (traffic moving across organizational boundaries), if an organization has an endpoint management solution such as IBM BigFix, it is possible for incident forensics to use session keys to provide visibility into encrypted traffic.

There are dangers when forensics is performed in an ad hoc manner, because it can be overused or can compromise privacy. By performing decryption strictly on demand, when the cause of an incident needs to be investigated, the whole process is fully traceable, providing the audit trail that is needed to prove that no excessive actions have been taken that could expose data.
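The store-encrypted, decrypt-on-demand model described above, as an added illustration that is not QRadar code or any IBM implementation: captures are sealed at ingest, decryption is refused unless it is tied to a named incident and analyst, and every decryption is recorded before the plaintext is returned. The Vault type, the AES-GCM choice and the in-memory audit slice are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// AuditEntry records one on-demand decryption: who opened which capture, for which incident.
type AuditEntry struct{ Incident, Analyst, Capture string }

// Vault keeps captures sealed with AES-GCM; plaintext exists only in the result of Open.
type Vault struct {
	aead   cipher.AEAD
	sealed map[string][]byte // capture id -> nonce || ciphertext
	Audit  []AuditEntry      // append-only; a real deployment would ship this to a write-once store
}

func NewVault(key []byte) (*Vault, error) { // key must be 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, sealed: map[string][]byte{}}, err
}

// Store seals a capture at ingest, binding the capture id as associated data
// so a sealed blob cannot later be presented under a different id.
func (v *Vault) Store(id string, capture []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.sealed[id] = v.aead.Seal(nonce, nonce, capture, []byte(id))
	return nil
}

// Open refuses to decrypt without an incident id and records the access before decrypting,
// so every plaintext view of stored traffic is traceable to a named investigation.
func (v *Vault) Open(id, incident, analyst string) ([]byte, error) {
	blob, ok := v.sealed[id]
	if incident == "" || analyst == "" || !ok {
		return nil, errors.New("decryption needs a known capture, an incident id and an analyst")
	}
	v.Audit = append(v.Audit, AuditEntry{incident, analyst, id})
	ns := v.aead.NonceSize()
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}
```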

QRadar Incident Forensics helps organizations retrace all the steps taken during an incident so that events can be reconstructed and the entire chain seen, which helps teams respond faster and more effectively. It also allows the number of false positives to be reduced by focusing on specific data feeds. The solution can be used by security generalists who are not forensics experts, making the product applicable to a wider range of organizations that want to perform forensics in-house at reduced cost and with increased effectiveness.
