Tech Insight: Incident Response
IR tools speed up response time to a security breach and help minimize the damage
Ever gotten a call from a user who saw a strange black box pop up on his screen with text that seemed to write itself, only to then disappear?
That type of event is not as far out as it sounds. But what is unusual is for security professionals to have a solution in place that lets them quickly respond to incidents and see what's going on throughout the entire enterprise, so they can understand the scope of the security event.
Incident response (IR) for many IT shops traditionally has been accomplished by cobbling together tools from various sources with a script-based tool that automates the collection of data from the suspect system. An IR team member or help desk technician is sent to investigate a problem, with a USB thumb drive in hand that contains the collection of tools. The tools are then run, and the output analyzed to detect the source of the suspicious behavior. It's neither a quick nor an efficient process.
All manual incident response is slow response, says Kevin Mandia, president and CEO of Mandiant. A key driver for organizations dealing with incidents, especially those in the financial sector, Mandia says, is speed and minimizing exposure: The IR team must be able to quickly grab information about the incident, determine what’s happening, and respond appropriately to minimize collateral damage.
And as industry regulations and legislation now require disclosure of data breaches, it’s increasingly important to handle incidents and internal investigations as quickly as possible.
That's where enterprise IR tools come in. These are products designed to speed up response time so that organizations can quickly get a handle on a breach and minimize additional damage.
Guidance Software, thanks to its success as a forensic software company, has been the major player in the enterprise incident response (IR) market for several years. Its EnCase Enterprise product integrates IR and traditional forensic capabilities into one interface that's familiar to users of the company's standalone EnCase Forensic product. It gathers volatile data and helps IT move to a more focused, traditional forensic investigation if the incident calls for it.
Other vendors are joining the market now with new products or adding features to existing IR products. There are network event-focused tools arriving as well: Startup Packet Analytics, for instance, on Tuesday will emerge from stealth mode and roll out its new Net/FSE Network Forensic Search Engine software, which collects and organizes Cisco NetFlow and syslog log data into a searchable format, helping analysts to investigate breaches as soon as they occur. The founders are former security experts from Los Alamos National Laboratory, where they first developed the technology. (See Los Alamos Labs Vets Launch Forensics Company.)
With new products on the horizon, IT groups looking to streamline their current IR practices or to simply start an IR program for the first time should keep an eye on evolving products and new releases due out within the next month. Key features to consider in enterprise IR tools are the breadth of operating system support, what information can be collected, and whether it will complement current internal processes and tools.
Collecting volatile data such as open ports, running processes, and contents of memory is one key thing to consider when searching for an IR solution. If you conduct small internal investigations and computer forensics, most IR solutions can collect information in a way that can be easily analyzed by existing forensic products, or within the IR solution itself.
If your security or investigative team has multiple investigators working on a single case, collaboration and auditing capabilities need to be built in. Investigators can share notes, point each other to areas of interest, and don't need to huddle over one screen. And adding auditing prevents any issues that come about if an investigator forgets to take notes of each action he or she takes.
And for enterprise IR solutions to be most effective, agents should be installed on all hosts throughout the enterprise. Why? Because if you wait until after an incident to install the agent, you could inadvertently destroy volatile data. All of these enterprise IR solutions -- including AccessData Enterprise, which will be released on February 18 -- support Windows.
And enterprise IR tools do vary in how thoroughly they collect data. Remember that it's better to collect too much data than not enough, especially when dealing with volatile data like memory, network activity, and running processes.
And if you've already invested in traditional disk-based forensic tools, your enterprise IR solution should support your current tools' file and evidence container formats.
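The collection and auditing requirements above (grab volatile data first, record every action, and keep the output in a form other tools can verify) come down to a small amount of discipline in the collector itself. The following is an added example written for this article, not code from any vendor product it names: it runs a list of collectors in order of volatility, records a UTC timestamp and SHA-256 hash for each artifact, keeps going when one collector fails rather than losing the rest of the volatile state, and seals the manifest so a second investigator can later confirm nothing was altered. The `/proc`-based Linux collectors and the investigator name are assumptions for illustration; the test below uses constructed in-memory collectors instead.

```python
"""Volatile-data collection harness with a hashed audit manifest.

Added example (not from the article or any product it describes).
Collectors are injected so the same logic runs offline; the default
Linux collectors assume a mounted /proc filesystem.
"""
import hashlib
import json
import os
import socket
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(manifest: dict) -> str:
    """Hash of the manifest body (everything except the seal itself)."""
    body = {k: v for k, v in manifest.items() if k != "seal"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def run_collection(collectors, investigator, host, now=None):
    """Run each (name, callable) collector in the order given.

    Order the list most-volatile-first (network state before the process
    list, before anything on disk) so collecting one artifact does not
    disturb a more volatile one. Returns (manifest, artifacts): the
    manifest is a JSON-serialisable audit record; artifacts maps name to
    raw bytes. A failing collector is recorded and the run continues,
    because aborting would throw away the remaining volatile data.
    """
    clock = now or (lambda: datetime.now(timezone.utc).isoformat())
    manifest = {"host": host, "investigator": investigator,
                "started": clock(), "artifacts": []}
    artifacts = {}
    for name, collector in collectors:
        entry = {"name": name, "collected_at": clock()}
        try:
            data = collector()
            artifacts[name] = data
            entry.update(status="ok", size=len(data), sha256=sha256_hex(data))
        except Exception as exc:  # log the failure as part of the record
            entry.update(status="error", error=f"{type(exc).__name__}: {exc}")
        manifest["artifacts"].append(entry)
    manifest["finished"] = clock()
    manifest["seal"] = seal(manifest)
    return manifest, artifacts


def verify_collection(manifest: dict, artifacts: dict) -> list:
    """Re-hash every artifact and the manifest; return names that no longer match."""
    problems = []
    if seal(manifest) != manifest.get("seal"):
        problems.append("manifest_seal")
    for entry in manifest["artifacts"]:
        if entry["status"] != "ok":
            continue
        data = artifacts.get(entry["name"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


def linux_collectors():
    """Assumed example collectors that read /proc (Linux only), most volatile first."""
    def net_tcp():
        with open("/proc/net/tcp", "rb") as f:
            return f.read()

    def running_processes():
        rows = []
        for pid in sorted(p for p in os.listdir("/proc") if p.isdigit()):
            try:
                with open(f"/proc/{pid}/comm") as f:
                    rows.append(f"{pid}\t{f.read().strip()}")
            except OSError:  # process exited between listing and reading
                continue
        return "\n".join(rows).encode()

    return [("network_tcp", net_tcp), ("running_processes", running_processes)]


if __name__ == "__main__":
    # "analyst-01" is a placeholder investigator id, not a real account.
    manifest, artifacts = run_collection(linux_collectors(), "analyst-01",
                                         socket.gethostname())
    print(json.dumps(manifest, indent=2))
    print("verification problems:", verify_collection(manifest, artifacts))
```

The manifest, not the investigator's memory, becomes the record of what was taken and when, which is the point the auditing requirement above is making; an evidence container format expected by a disk-forensics tool would wrap the same bytes and hashes.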
Chet Hosmer, senior vice president and chief scientist for WetStone Technologies, says that is one of the key features of WetStone's LiveWire Investigator: quickly and accurately capturing volatile information, as well as performing acquisition in such a way that can be analyzed within its product, or plugged into other vendors' tools.
And IR products aren't just for security incidents -- many vendors are extending their products to handle focused, disk-based forensics, and e-discovery as well. Brian Karney, chief operating officer for AccessData, says internal investigations are a primary driver for companies researching, or that already have purchased, enterprise IR tools. AccessData will add e-discovery support in March to its AccessData Enterprise product.