August 20, 2014 By Jay Bretzmann 3 min read

Bounce the Bad Guys From Your Network With a Forensics Investigative Solution

Until fairly recently, the practice of network forensics investigations was more or less a black art practiced by highly skilled individuals.

Its origins seem to trace back to multiple development efforts, including research projects funded by the U.S. government, university graduate students writing protocol analysis tools and efforts by telephony research organizations to discover and terminate phone system abuse. These efforts have produced a range of offerings that today’s information technology (IT) security professionals can use to forensically investigate network breaches, discover the root cause of a successful attack and terminate these unauthorized activities in hours or days rather than weeks or months.

Organizations within the financial, retail and manufacturing industries — as well as government agencies — have now largely accepted that a network breach is inevitable, with many beginning to assume that it has already happened. Frustrated by the actions of their so-called “carbon elements,” perimeter defenses are quickly bypassed as users are duped into divulging their access credentials. While IT professionals in these environments are concerned about maintaining adequate defenses, they spend an increasing amount of their time looking for anomalous behaviors and incorporating new packet capture technologies in order to speed up and clarify forensics research efforts.

What Are the Top Incident Forensics and Data Capture Solutions?

Enterprise Management Associates (EMA) was recently commissioned to perform an analysis of the top data capture and network forensics offerings to help define the strengths and weaknesses of each approach. In addition to analyzing several incident forensics offerings and vendors, the report provides some interesting insights:

  • 53% of EMA research respondents understood that security analytics and network forensics tools augmented their Security Information and Event Management (SIEM) tools
  • 46% understood that security analytics and forensics tools were a natural evolution of the traditional SIEM
  • 95% of the organizations that implemented an analytics or forensics solution indicated that they received “expected or greater than expected value” from the solution
  • 90% of the respondents said that the introduction of an incident forensics solution had reduced false positives and improved their actionable alerts

Given the numerous data capture and network forensics tools available in the market place, it is not always easy to know which one is the best solution. According to the report, many consumers are confused with so many security vendors and tools that profess to deliver “actionable intelligence” or “actionable insights” to operators and analysts to improve security response.

EMA Analyst Report: Comparison of the best Data Capture and Network Forensics solutions

The analyst report evaluates some of the best network forensics offerings across six common criteria, including:

  • User interface
  • Data visualization
  • Data capture and reconstruction
  • Solution integration
  • Data search capabilities and performance
  • Skills required to operate

The report concludes that IBM Security QRadar Incident Forensics scored the highest overall rating with a score of 3.92 out of 4.0. You can see all the results in the image below or download the full report for a deeper analysis and commentary on each solution.

What I believe makes IBM Security QRadar solution unique is that it begins with a different development mentality. When users want to find something on the Internet, they use search engine technology. Why not do the same when searching inside networks?

QRadar Incident Forensics converts all that messy packet data back into recognizable things such as documents, Web pages and voice-over-IP. It does so automatically by using a right-click integration capability with QRadar SIEM, which tells users where to look in the first place.

This new element scores high marks in the area of user interface, data reconstruction and search speed, all while being among the easiest technology to use. Paired with QRadar SIEM’s high-probabilitiy offense notifications, it is the equivalent of a one-two punch for knocking out cyber criminals who breach a network. Once they’re in, it’s a race against time to find them before they find critical data.

Without a doubt there is no silver bullet when it comes to security. But if your organization is looking for a better way to identify threats and reduce risks within your environments, you should strongly consider a security analytics and network forensics solution. I hope this article and analyst report will help guide your decision-making.

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today