In a recent interview, IBM Security QRadar Incident Forensics Product Manager Vijay Dheap discussed the changing nature of security investigations and how software has evolved to be easier to use, resulting in a more efficient and proactive approach to security cyber forensics.
Question: Incident forensics software has a reputation for being a product that you buy after you’ve had a breach or attack. Is that when most clients call, or are you seeing forward-thinking organizations build this capability into their overall security plan?
Answer: When we first introduced incident forensics to the market, we thought it would shine mainly in situations where there has been an exploit because these are the organizations that understand the cost of a true breach. But we’re also seeing interest from clients who want to use the capability in a more proactive fashion.
In addition, it can help with backlogs. For example, while our clients are skilled at offense investigations, an average day may still present a security team with up to 15 required investigations. Realistically, they may be able to resolve up to four, and the rest create a backlog. IBM QRadar Incident Forensics can help reduce that backlog as it becomes the vehicle to quickly conduct investigations using incremental, packet capture network data.
But we’ve also noticed clients are gaining the ability to be proactive. As they perform investigations, they start to recognize gaps in their security posture and learn about new behaviors inside the organization. So not only is forensics a post-exploit solution, it’s becoming a diagnostic solution, as well. For example, teams start to see which new cloud-based services are being used, whether there are new mobile users and even whether people are accessing internal applications differently than anticipated. This insight helps them proactively enhance their correlation rule building blocks and improve operational best practices.
The forensics area of security analytics seems to require highly specialized skills. Can the software address the skill shortage while it delivers these productivity gains?
Absolutely. So let’s step back and look at why these skills are rare and in demand. In the very recent past, forensics required the use of numerous tools, each specialized in a specific data set and specific type of analytics. Each of the tools had a learning curve, and then you needed the experience to understand which tool to use when, which required very deep data skills, technical skills and security knowledge. Finding skills in any one of those pillars is hard. Imagine finding a person that overlapped across those three pillars? And if you wait until you are in a crisis situation and need help, you’re willing to pay whatever it takes, which further raises demand.
We’ve designed our solution to solve this in two ways. First, we deliver a single platform where you have all the tools at your disposal. Out of the box, you get a platform that provides the core set of tools an experienced forensics analyst would require. Second, the product has built-in intelligence to lower skill barriers by using industry best practices to highlight known patterns of malicious behaviors. This intelligence acts as “guideposts” in the data so that a newer security analyst can gain some of the efficiencies of a practiced forensics investigator.
We put our solution to the test in the recent DEFCON Network Forensics Puzzle Contest, where our team of security generalists (Team Blue) completed all rounds of the challenge and successfully solved the puzzle using IBM QRadar Incident Forensics.
What are some of the limitations of previously available forensics solutions?
Some vendors offer forensics capabilities that are essentially rudimentary packet capture solutions. Packet capture and forensics are very different things. Packet capture solutions simply sit on the network and collect packet data, which becomes very expensive to store, especially if you have no way to analyze it.
Other solutions include tools to expose the network metadata, and some even do deep packet inspection to reveal the packet “payload.” But if you are only indexing metadata, you can only search on the same. This becomes very costly since in order to look into the content you have to chronologically inspect one file after another, after another. It can take days and weeks, and that’s not productive for any organization — it’s like linearly searching through log events. Older forensics tools required people to essentially go on a hunting expedition, and when you’re collecting packet data, even on a 1 GB link, you amass tens of terabytes of data.
What are a few of the ways that IBM Security QRadar Incident Forensics helps improve analyst productivity?
First, we’ve provided out-of-the-box “right-click” integration with QRadar, which continues to improve. This provides access to a significant amount of security context for initiating a forensics investigation and improves the productivity of the security analyst. Second, we now have the option to deploy on a stand-alone basis, so organizations with an older-generation security information and event management (SIEM) product installed now have the choice to use this product to investigate alerts. And finally, many organizations have deployed it in a day. It’s very intuitive to use — if you can use an Internet search engine like Google, you will be able to use our incident forensics product.