IBM recently announced the latest addition to its QRadar line of products: QRadar Incident Forensics. It joins the existing products in the family, which include security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management. Together, these products help organizations with advanced threat protection, insider threat detection and incident response.

The Need for Incident Forensics

The new product aims to make incident forensics easier and more effective by providing actionable information about how a breach occurred, so that its impact on the network can be minimized and similar breaches prevented in the future.

According to the Ponemon Institute's recent Network Forensic Investigations Market Study, 73 percent of respondents said their forensic analysis tool is difficult or very difficult to use, and only 44 percent reported receiving actionable intelligence from the alerts they get. QRadar Incident Forensics aims to iron out those difficulties by making forensics search-driven. It also lets nonspecialists trace the steps of an incident using ordinary intuition and logical deduction, so practitioners can learn on the job. Because many existing products are so hard to use, forensics is often outsourced to specialists, which in most cases is the more expensive option.

Forensics tools work by providing visibility into a variety of data sources, including logs, network flow data, vulnerability data, threat feeds and configuration information. More recently they have started to incorporate full packet capture, recording everything that flows over the wire. Many, however, have limitations: they capture and store huge amounts of data, which drives up cost, and they generally retain only the first few bytes of each packet, and only for a short period.


Another issue is the growing use of encryption. The use of encryption is forecast to grow at a compound annual rate of more than 17 percent through 2019, with no slowdown likely. Not only does encryption add to the overall cost of a security solution, but it can mean that organizations no longer get the metadata they previously had. In many cases, organizations handle this by setting up an SSL proxy at the edge of the network that terminates encrypted sessions. But the proxy then sits in front of every interaction, which means all traffic is visible in plaintext once it is decrypted there, for any purpose and not just investigation. It is also often difficult to get the proxy right, since the correct place to put it may be hard to pinpoint and it can become a single point of failure.

Let QRadar Help

With the QRadar Incident Forensics capabilities, the handling of encrypted traffic becomes more effective and more secure. Captured ingress traffic is collected at a point within the network where the information needed to decrypt it, namely private keys, certificates and session keys, is stored. All data remains encrypted until it needs to be decrypted on demand in the course of investigating a specific incident. This provides the accountability needed to show that data has not been inappropriately accessed in decrypted form.

Even for egress traffic (traffic moving across organizational boundaries), if an organization has an endpoint management solution such as IBM BigFix, incident forensics can use session keys collected from the endpoints to provide visibility into encrypted traffic.

There are dangers when forensics is performed in an ad hoc manner: decryption can be overused, and privacy can be compromised. By performing decryption strictly on demand, when the cause of an incident needs to be investigated, the whole process is traceable, providing the audit trail needed to prove that no excessive actions were taken that could expose data.
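To make the on-demand, accountable decryption described above concrete, here is an added example, not code from IBM or QRadar, of the two parts a practitioner would expect behind such a design: a store of captured TLS session keys and a gate that releases a key only against an incident identifier, writing every request to a tamper-evident log. It assumes (illustratively) that session keys arrive in the NSS key log format that TLS libraries write via SSLKEYLOGFILE, which is the format packet analyzers such as Wireshark consume to decrypt captured traffic; the key log contents, the incident identifier and the audit HMAC key are all constructed for the example.

```python
"""On-demand release of captured TLS session keys behind a tamper-evident audit log.

Added example (not IBM or QRadar code). Assumptions, all illustrative:
- session keys are collected in the NSS key log format that TLS libraries emit
  via SSLKEYLOGFILE ("CLIENT_RANDOM <client_random_hex> <master_secret_hex>"),
  the same format Wireshark/tshark consume to decrypt captured TLS;
- a key is handed out only against an incident identifier, and every request,
  successful or not, is appended to an HMAC-chained log so that deleting or
  editing an entry later is detectable.
"""
import hashlib
import hmac
import json
import time

# Constructed sample key log: repeated bytes, not real session secrets.
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by openssl\n"
    "CLIENT_RANDOM " + "0a" * 32 + " " + "1b" * 48 + "\n"
    "CLIENT_RANDOM " + "2c" * 32 + " " + "3d" * 48 + "\n"
)


def parse_keylog(text):
    """Return {(label, client_random_hex): secret_hex} from NSS key log text."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are legal in the format
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<label> <client_random> <secret>'")
        label, client_random, secret = parts
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        bytes.fromhex(client_random)  # raises ValueError on non-hex input
        bytes.fromhex(secret)
        keys[(label, client_random.lower())] = secret.lower()
    return keys


class KeyEscrow:
    """Holds captured session keys; releases one only with an incident ID and logs it."""

    GENESIS = "0" * 64  # chain anchor for the first audit entry

    def __init__(self, keys, audit_key, clock=time.time):
        self._keys = dict(keys)
        self._audit_key = audit_key  # held by the audit function, never by analysts
        self._clock = clock
        self.audit_log = []

    def release(self, client_random, incident_id, analyst, label="CLIENT_RANDOM"):
        if not incident_id:
            raise PermissionError("session key release requires an incident identifier")
        secret = self._keys.get((label, client_random.lower()))
        self._append({"ts": self._clock(), "incident": incident_id, "analyst": analyst,
                      "label": label, "client_random": client_random.lower(),
                      "outcome": "released" if secret else "not_found"})
        if secret is None:
            raise KeyError("no session key captured for that client random")
        return secret

    def _append(self, entry):
        # Each entry carries the previous entry's MAC, so the log forms a chain.
        entry["prev"] = self.audit_log[-1]["mac"] if self.audit_log else self.GENESIS
        body = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._audit_key, body, hashlib.sha256).hexdigest()
        self.audit_log.append(entry)


def verify_audit(log, audit_key):
    """Walk the chain; return (True, entries_checked) or (False, index_of_first_bad_entry)."""
    prev = KeyEscrow.GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return False, i  # an entry was removed, reordered or re-anchored
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(audit_key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i  # entry contents were edited after the fact
        prev = entry["mac"]
    return True, len(log)


if __name__ == "__main__":
    escrow = KeyEscrow(parse_keylog(SAMPLE_KEYLOG), audit_key=b"constructed-audit-key")
    print(escrow.release("0a" * 32, "INC-2014-0042", "analyst1")[:16], "...")
    try:
        escrow.release("0a" * 32, "", "analyst1")  # no incident: refused and not logged
    except PermissionError as e:
        print("refused:", e)
    print("audit chain intact:", verify_audit(escrow.audit_log, b"constructed-audit-key"))
```

Two caveats worth keeping in mind with this pattern. The chain only detects removal of an entry that has a successor, so the most recent MAC has to be anchored somewhere the escrow host cannot rewrite (a write-once store or an external log receiver) for truncation of the tail to be caught. And releasing a master secret decrypts the whole session, not one record; if the investigation needs finer scope, the escrow should derive and hand out the record-layer keys for the direction and time window in question rather than the secret itself.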

QRadar Incident Forensics helps organizations retrace the steps taken during an incident so that events can be reconstructed and the entire chain seen, which helps teams respond faster and more effectively. It also reduces false positives by letting analysts focus on specific data feeds. The solution can be used by security generalists who are not forensics experts, which makes it applicable to a wider range of organizations that want to perform forensics in-house at lower cost and with greater effectiveness.
