In a recent interview, IBM Security QRadar Incident Forensics Product Manager Vijay Dheap discussed the changing nature of security investigations and how software has evolved to be easier to use, resulting in a more efficient and proactive approach to cyber forensics.

Question: Incident forensics software has a reputation for being a product that you buy after you’ve had a breach or attack. Is that when most clients call, or are you seeing forward-thinking organizations build this capability into their overall security plan?

Answer: When we first introduced incident forensics to the market, we thought it would shine mainly in situations where there has been an exploit because these are the organizations that understand the cost of a true breach. But we’re also seeing interest from clients who want to use the capability in a more proactive fashion.

In addition, it can help with backlogs. For example, while our clients are skilled at offense investigations, an average day may still present a security team with up to 15 required investigations. Realistically, they may be able to resolve up to four, and the rest create a backlog. IBM QRadar Incident Forensics can help reduce that backlog as it becomes the vehicle to quickly conduct investigations using incremental packet capture network data.

But we’ve also noticed clients are gaining the ability to be proactive. As they perform investigations, they start to recognize gaps in their security posture and learn about new behaviors inside the organization. So not only is forensics a post-exploit solution, it’s becoming a diagnostic solution, as well. For example, teams start to see which new cloud-based services are being used, whether there are new mobile users and even whether people are accessing internal applications differently than anticipated. This insight helps them proactively enhance their correlation rule building blocks and improve operational best practices.

Question: The forensics area of security analytics seems to require highly specialized skills. Can the software address the skill shortage while it delivers these productivity gains?

Answer: Absolutely. So let’s step back and look at why these skills are rare and in demand. In the very recent past, forensics required the use of numerous tools, each specialized in a specific data set and specific type of analytics. Each of the tools had a learning curve, and then you needed the experience to understand which tool to use when, which required very deep data skills, technical skills and security knowledge. Finding skills in any one of those pillars is hard. Imagine finding a person who overlaps all three pillars. And if you wait until you are in a crisis situation and need help, you’re willing to pay whatever it takes, which further raises demand.

We’ve designed our solution to solve this in two ways. First, we deliver a single platform where you have all the tools at your disposal. Out of the box, you get a platform that provides the core set of tools an experienced forensics analyst would require. Second, the product has built-in intelligence to lower skill barriers by using industry best practices to highlight known patterns of malicious behaviors. This intelligence acts as “guideposts” in the data so that a newer security analyst can gain some of the efficiencies of a practiced forensics investigator.

We put our solution to the test in the recent DEFCON Network Forensics Puzzle Contest, where our team of security generalists (Team Blue) completed all rounds of the challenge and successfully solved the puzzle using IBM QRadar Incident Forensics.

Question: What are some of the limitations of previously available forensics solutions?

Answer: Some vendors offer forensics capabilities that are essentially rudimentary packet capture solutions. Packet capture and forensics are very different things. Packet capture solutions simply sit on the network and collect packet data, which becomes very expensive to store, especially if you have no way to analyze it.

Other solutions include tools to expose the network metadata, and some even do deep packet inspection to reveal the packet “payload.” But if you are only indexing metadata, you can only search on the same. This becomes very costly since in order to look into the content you have to chronologically inspect one file after another, after another. It can take days and weeks, and that’s not productive for any organization — it’s like linearly searching through log events. Older forensics tools required people to essentially go on a hunting expedition, and when you’re collecting packet data, even on a 1 Gbps link, you amass tens of terabytes of data.
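The distinction drawn in that answer, between indexing only metadata and indexing payload content, is easy to see in code. The following is an added illustration and is not IBM's or QRadar's code; the four "captured" packets are constructed for the example, and the three indexes (a metadata index, a token inverted index and a byte trigram index with candidate verification) are generic techniques chosen to show why a metadata-only index cannot answer a content question without falling back to a linear scan of every payload.

```python
"""Metadata-only indexing vs. content indexing over captured packets.

Added example, not product code. PACKETS is a constructed sample capture:
(flow_id, src, dst, dport, payload). Real captures would be parsed from pcap.
"""
from collections import defaultdict
import re

PACKETS = [
    ("f1", "10.0.0.5", "93.184.216.34", 80,
     b"GET /login HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("f2", "10.0.0.7", "203.0.113.9", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),        # TLS ClientHello fragment
    ("f3", "10.0.0.5", "198.51.100.22", 8080,
     b"POST /upload HTTP/1.1\r\nHost: dropbox-mirror.example\r\n"
     b"Content-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03"),  # PE header in body
    ("f4", "10.0.0.9", "203.0.113.9", 443, b"\x17\x03\x03\x00\x20\x8a\x11"),
]

# Tokens of 3+ printable characters; binary content (e.g. "MZ") never becomes a token.
TOKEN = re.compile(rb"[A-Za-z0-9_./-]{3,}")


def build_metadata_index(packets):
    """What a metadata-only tool exposes: endpoints and ports, never the payload."""
    idx = defaultdict(set)
    for fid, src, dst, dport, _ in packets:
        for key in (("src", src), ("dst", dst), ("dport", str(dport))):
            idx[key].add(fid)
    return idx


def search_metadata(idx, field, value):
    return sorted(idx.get((field, value), set()))


def build_content_index(packets):
    """Inverted index over payload tokens: content questions become a lookup."""
    idx = defaultdict(set)
    for fid, *_, payload in packets:
        for tok in set(TOKEN.findall(payload)):
            idx[tok.lower()].add(fid)
    return idx


def search_content(idx, term):
    return sorted(idx.get(term.lower().encode(), set()))


def linear_scan(packets, term):
    """The fallback when content was never indexed: re-read every payload."""
    needle = term.encode() if isinstance(term, str) else term
    return sorted(fid for fid, *_, payload in packets if needle in payload)


def build_ngram_index(packets, n=3):
    """Byte trigram index: catches binary signatures the token index misses."""
    idx = defaultdict(set)
    for fid, *_, payload in packets:
        for i in range(len(payload) - n + 1):
            idx[payload[i:i + n]].add(fid)
    return idx


def search_ngram(idx, packets, term, n=3):
    """Intersect trigram postings to get candidates, then verify each candidate
    with a real substring check so false positives from shared grams are dropped."""
    needle = term.encode() if isinstance(term, str) else term
    if len(needle) < n:
        return linear_scan(packets, needle)          # too short to filter on
    grams = [needle[i:i + n] for i in range(len(needle) - n + 1)]
    candidates = set.intersection(*(idx.get(g, set()) for g in grams))
    payload_by_id = {p[0]: p[-1] for p in packets}
    return sorted(fid for fid in candidates if needle in payload_by_id[fid])


if __name__ == "__main__":
    meta = build_metadata_index(PACKETS)
    content = build_content_index(PACKETS)
    grams = build_ngram_index(PACKETS)
    print("metadata  dst=203.0.113.9 ->", search_metadata(meta, "dst", "203.0.113.9"))
    print("metadata  host name       ->", search_metadata(meta, "dst", "dropbox-mirror.example"))
    print("content   host name       ->", search_content(content, "dropbox-mirror.example"))
    print("trigram   PE header       ->", search_ngram(grams, PACKETS, b"MZ\x90"))
```

The metadata index answers "which flows went to 203.0.113.9" instantly but has no entry at all for a hostname or a file signature seen only inside the payload; without a content index the only option is `linear_scan`, which is the days-and-weeks cost described above. The token index covers text protocols, and the trigram index with post-verification is the usual way to make arbitrary byte patterns searchable as well.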

Question: What are a few of the ways that IBM Security QRadar Incident Forensics helps improve analyst productivity?

Answer: First, we’ve provided out-of-the-box “right-click” integration with QRadar, which continues to improve. This provides access to a significant amount of security context for initiating a forensics investigation and improves the productivity of the security analyst. Second, we now have the option to deploy on a stand-alone basis, so organizations with an older-generation security information and event management (SIEM) product installed now have the choice to use this product to investigate alerts. And finally, many organizations have deployed it in a day. It’s very intuitive to use — if you can use an Internet search engine like Google, you will be able to use our incident forensics product.
