Forensic: Bracing for the Unknown

It's the call no security professional ever wants to get, but inevitably does: we need to investigate something that happened. Maybe the target is an unusual incident that triggered a series of alerts caught by an astute analyst. Perhaps it is unusual activity by an employee or contractor that may be the precursor to an insider attack. Or, in the worst case, the organization gets a call from law enforcement, a bank, or a government agency that needs a detailed trail of the activity surrounding specific people or data.

Now the security professional must spring into action. There are a number of key questions to answer: How did it happen? What users or accounts were involved? Did it originate from inside or outside the network? Was any sensitive data taken? What other systems and data are exposed? Are my systems owned? More importantly, the right remediation activities need to take place to ensure that it doesn't happen again.

In this time of crisis, security professionals need data quickly in order to piece together what happened and why. While it's clear that any data that isn't captured can't be used to assist in a forensic investigation, what is often less clear is that most security forensic investigations require access to a broad range of security data. Logs and events from operating systems, network and security devices, applications, and databases can point an analyst in the general direction of what happened, but on their own they don't give the clarity necessary to fully support a forensic investigation. Instead, log and event data must be correlated with other information - configuration and asset changes, known vulnerabilities, performance metrics, and network flows - to provide a truly comprehensive understanding of exposure.

SecureVue: Comprehensive Support for Forensic Investigations

SecureVue from eIQnetworks facilitates forensic investigations by providing full data capture and forensically clean data, ensuring the right data is collected and stored so that full and complete investigations are possible:

  Stores pristine, unmodified data in a NIST FIPS 140-2 compliant, fully encrypted (AES-192 cipher) database to ensure a clean chain of custody for legal investigations

  Captures, stores, and provides end-to-end correlation and analysis of full-stream security data across the enterprise: OS, network device, application, and database logs; host and network device configurations and asset data; known vulnerabilities; performance metrics; and network flow data

  SecureVue's integrated QuickVue component presents all current and historical security data related to a specific asset on a single screen in seconds, providing analysts with a comprehensive view of its role in the incident

  3D visualization eliminates the "needle in the haystack" by showing the relationship between managed assets and all events, network flows, vulnerabilities, and configuration changes across the enterprise in one screen

With the fastest and most secure database in the industry, coupled with built-in support for hundreds of operating systems, network and security devices, applications, and databases, SecureVue from eIQnetworks provides the complete solution to address comprehensive security forensic investigations.



© 2010 eIQnetworks, Inc. All Rights Reserved