Bounce the Bad Guys From Your Network With a Forensics Investigative Solution

Until fairly recently, the practice of network forensics investigations was more or less a black art practiced by highly skilled individuals.

Its origins seem to trace back to multiple development efforts, including research projects funded by the U.S. government, university graduate students writing protocol analysis tools and efforts by telephony research organizations to discover and terminate phone system abuse. These efforts have produced a range of offerings that today’s information technology (IT) security professionals can use to forensically investigate network breaches, discover the root cause of a successful attack and terminate these unauthorized activities in hours or days rather than weeks or months.

Organizations within the financial, retail and manufacturing industries — as well as government agencies — have now largely accepted that a network breach is inevitable, with many beginning to assume that it has already happened. Their so-called “carbon elements” are a constant source of frustration: perimeter defenses are quickly bypassed as users are duped into divulging their access credentials. While IT professionals in these environments are concerned about maintaining adequate defenses, they spend an increasing amount of their time looking for anomalous behaviors and incorporating new packet capture technologies in order to speed up and clarify forensics research efforts.

What Are the Top Incident Forensics and Data Capture Solutions?

Enterprise Management Associates (EMA) was recently commissioned to perform an analysis of the top data capture and network forensics offerings to help define the strengths and weaknesses of each approach. In addition to analyzing several incident forensics offerings and vendors, the report provides some interesting insights:

  • 53% of EMA research respondents understood that security analytics and network forensics tools augmented their Security Information and Event Management (SIEM) tools
  • 46% understood that security analytics and forensics tools were a natural evolution of the traditional SIEM
  • 95% of the organizations that implemented an analytics or forensics solution indicated that they received “expected or greater than expected value” from the solution
  • 90% of the respondents said that the introduction of an incident forensics solution had reduced false positives and improved their actionable alerts

Given the numerous data capture and network forensics tools available in the marketplace, it is not always easy to know which one is the best solution. According to the report, many consumers are confused by the many security vendors and tools that profess to deliver “actionable intelligence” or “actionable insights” to operators and analysts to improve security response.

EMA Analyst Report: Comparison of the Best Data Capture and Network Forensics Solutions

The analyst report evaluates some of the best network forensics offerings across six common criteria, including:

  • User interface
  • Data visualization
  • Data capture and reconstruction
  • Solution integration
  • Data search capabilities and performance
  • Skills required to operate

The report concludes that IBM Security QRadar Incident Forensics scored the highest overall rating with a score of 3.92 out of 4.0. You can see all the results in the image below or download the full report for a deeper analysis and commentary on each solution.

What I believe makes the IBM Security QRadar solution unique is that it begins with a different development mentality. When users want to find something on the Internet, they use search engine technology. Why not do the same when searching inside networks?

QRadar Incident Forensics converts all that messy packet data back into recognizable things such as documents, Web pages and voice-over-IP. It does so automatically by using a right-click integration capability with QRadar SIEM, which tells users where to look in the first place.
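The two ideas above, turning raw packets back into recognizable artifacts and then searching those artifacts the way a search engine would, can be shown end to end on a small constructed capture. The following is an added illustration written for this article; it is not QRadar code and makes no claim about how QRadar implements reconstruction. It assumes a simplified view of one direction of a TCP stream (sequence number plus payload per segment, a constructed HTTP response as the sample traffic) and reassembles out-of-order and retransmitted segments, extracts the HTTP document, strips its markup, and builds an inverted index an analyst can query by keyword. Reassembly stops at the first gap rather than splicing across it, which is the conservative choice when the reconstructed content may become evidence.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment: sequence number of its first payload byte plus payload."""
    seq: int
    payload: bytes


def reassemble(segments):
    """Rebuild one direction of a TCP stream from captured segments.

    Segments are ordered by sequence number; bytes already delivered (retransmission
    overlap) are skipped; reassembly stops at the first hole in the capture rather
    than joining unrelated data, so a partial stream is never presented as complete.
    """
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            break  # hole in the capture: stop here
        chunk = seg.payload[expected - seg.seq:]  # drop overlap with bytes already seen
        stream += chunk
        expected += len(chunk)
    return bytes(stream)


def parse_http_response(stream):
    """Split a reassembled stream into (status line, header dict, body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header in reassembled stream")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return lines[0], headers, body


WORD_RE = re.compile(r"[a-z0-9]{3,}")


def tokenize(text):
    return WORD_RE.findall(text.lower())


class ArtifactIndex:
    """Minimal inverted index over reconstructed artifacts (the search-engine idea)."""

    def __init__(self):
        self.artifacts = {}
        self.postings = defaultdict(set)

    def add(self, artifact_id, content_type, text):
        self.artifacts[artifact_id] = (content_type, text)
        for token in set(tokenize(text)):
            self.postings[token].add(artifact_id)

    def search(self, query):
        """Return ids of artifacts that contain every term in the query."""
        terms = tokenize(query)
        if not terms:
            return []
        hits = set.intersection(*(self.postings.get(t, set()) for t in terms))
        return sorted(hits)


# --- Constructed sample capture (hypothetical traffic, not from any real network) ---
BODY = b"<html><body><h1>Payroll export</h1><p>Quarterly salary data</p></body></html>"
RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(BODY)
) + BODY


def sample_segments(base_seq=1000):
    """Three segments captured out of order, with one of them retransmitted."""
    s1 = Segment(base_seq, RESPONSE[:40])
    s2 = Segment(base_seq + 40, RESPONSE[40:90])
    s3 = Segment(base_seq + 90, RESPONSE[90:])
    return [s3, s2, s1, s2]


def strip_tags(html):
    return re.sub(r"<[^>]+>", " ", html)


def investigate(segments, query):
    """Reassemble -> reconstruct the document -> index -> search; returns matching ids."""
    _status, headers, body = parse_http_response(reassemble(segments))
    index = ArtifactIndex()
    index.add("flow-0001", headers.get("content-type", "unknown"),
              strip_tags(body.decode("utf-8", errors="replace")))
    return index.search(query)


if __name__ == "__main__":
    print(investigate(sample_segments(), "payroll salary"))
```

The artifact id `flow-0001` and the sample HTML are placeholders. In practice the interesting part is the failure handling: the duplicate segment contributes nothing, and if a segment were missing, `reassemble` would return only the bytes before the gap and `parse_http_response` would refuse to treat the fragment as a complete response.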

This new element scores high marks in the areas of user interface, data reconstruction and search speed, all while being among the easiest technologies to use. Paired with QRadar SIEM’s high-probability offense notifications, it is the equivalent of a one-two punch for knocking out cyber criminals who breach a network. Once they’re in, it’s a race against time to find them before they find critical data.

Without a doubt, there is no silver bullet when it comes to security. But if your organization is looking for a better way to identify threats and reduce risks within your environments, you should strongly consider a security analytics and network forensics solution. I hope this article and analyst report will help guide your decision-making.
