Network Forensic Analysis

The Challenge

Forensic analysis is the process of using event logs and vulnerability data to figure out what happened, when it happened, how it happened, and who was involved. Forensic analysis of log data can help a security professional identify unusual network activity or suspicious user behavior.

An incident response plan should include detailed forensic analysis to determine the root cause and the extent of the security incident, including:

  • The start and end time of the activity
  • The systems affected by the incident
  • The inbound and outbound activity of those systems
  • Known system vulnerabilities that may have been exploited
  • Ports and protocols used
  • Possible data exfiltration
  • Source and destination of activity
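As an added illustration (not code from this page or from EiQ), the following Python derives each of the facts listed above from a handful of constructed flow-log lines; the log format, the internal address range and the exfiltration byte threshold are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample flow-log lines (not real data). Assumed format:
# "<ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>"
SAMPLE_LOGS = """\
2024-03-01T02:14:07Z TCP 203.0.113.45:51000 -> 10.0.0.5:445 bytes=1200
2024-03-01T02:14:09Z TCP 203.0.113.45:51001 -> 10.0.0.5:445 bytes=900
2024-03-01T02:16:30Z TCP 10.0.0.5:49200 -> 10.0.0.9:445 bytes=3000
2024-03-01T02:20:11Z TCP 10.0.0.5:49301 -> 198.51.100.7:443 bytes=52000000
2024-03-01T02:21:45Z UDP 10.0.0.9:53011 -> 10.0.0.2:53 bytes=80
"""
INTERNAL_PREFIX = "10."        # assumption: 10.0.0.0/8 is the internal network
EXFIL_THRESHOLD = 10_000_000   # assumption: >10 MB to an external host gets flagged

def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, proto, src, _, dst, byt = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "proto": proto,
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port),
            "bytes": int(byt.split("=", 1)[1])}

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def summarize_incident(log_text, suspect_ip):
    """Derive the incident facts listed above for activity involving suspect_ip."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    touched = [e for e in events if suspect_ip in (e["src"], e["dst"])]
    # Follow lateral movement one hop: internal hosts the suspect reached are affected too.
    affected = {suspect_ip} | {e["dst"] for e in touched
                               if e["src"] == suspect_ip and is_internal(e["dst"])}
    related = [e for e in events if affected & {e["src"], e["dst"]}]
    if not related:
        return None
    inbound = [e for e in related if not is_internal(e["src"]) and is_internal(e["dst"])]
    outbound = [e for e in related if is_internal(e["src"]) and not is_internal(e["dst"])]
    exfil = [(e["src"], e["dst"], e["bytes"]) for e in outbound if e["bytes"] > EXFIL_THRESHOLD]
    return {
        "start": min(e["time"] for e in related),
        "end": max(e["time"] for e in related),
        "affected_systems": sorted(affected),
        "inbound_count": len(inbound),
        "outbound_count": len(outbound),
        "ports_protocols": sorted({(e["proto"], e["dport"]) for e in related}),
        "external_sources": sorted({e["src"] for e in inbound}),
        "external_destinations": sorted({e["dst"] for e in outbound}),
        "possible_exfiltration": exfil,
    }
```

Calling `summarize_incident(SAMPLE_LOGS, "10.0.0.5")` returns the activity window, the two affected hosts, the ports and protocols involved, and the single large outbound transfer flagged as possible exfiltration.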

Why Does Forensic Analysis Matter?

Many of today’s cyber attacks are designed to evade signature- and rule-based defenses, such as anti-virus and intrusion detection systems (IDS). Audit logs are often the only evidence of a successful data breach. Forensic analysis is critical to the detection and prevention of cyber attacks, and is also important in any dispute where evidence is stored digitally.

Key applications of forensic analysis include:

  • Analyzing the root cause of failed or compromised computer systems
  • Identifying who is responsible for policy violations or improper use of the network
  • Detecting advanced persistent threats (APTs) in progress
  • Determining how far malware has spread in order to quarantine and clean affected systems
  • Providing evidence in a legal case that involves the use or misuse of computer systems

How Does EiQ Help?

SOCVue Security Monitoring is a managed Log Management and SIEM service that provides incident detection, forensic analysis, and remediation guidance backed by a 24/7/365 security operations center. The service collects and indexes thousands of log events per day from your servers, network devices, and applications. EiQ SOCVue security analysts can perform forensic analysis on your behalf and deliver actionable guidance for understanding suspicious behavior or activity.

SOCVue Vulnerability Management is a managed service utilizing Qualys Cloud technology and delivered through the integrated SOCVue Portal. Including vulnerability data in forensic analysis adds context to understand whether the affected systems are at risk for specific exploits.

We needed to constantly monitor our network 24/7 and consolidate our security team’s investigative toolset. There were too many systems, and even with a log management server we still had to go to individual systems to investigate an alert if manually found. Now we can quickly investigate alerts or possible breaches to analyze our threat landscape with minimal security resources.
Jeremy Mio, Security and Research Manager, County of Cuyahoga