Every organization, no matter its size or line of business, should assume it has either been or will be breached. When it comes to responding to an incident, organizations need to realize that time is of the essence.
For this reason, forensics in computer security is a growing discipline. However, according to a survey by the SANS Institute, 59 percent of organizations lack the personnel and dedicated resources to efficiently discover and follow up on attacks. Many respondents also reported dissatisfaction with traditional security tools and techniques, since they often do not provide the necessary visibility over what is happening on networks. So, what can organizations do to respond quickly and effectively to inevitable data breaches?
Making Forensics in Computer Security More Effective
To respond to attacks effectively, organizations need modern tools that support the core forensic tasks: collecting and preserving evidence from across the network and analyzing it to establish exactly what happened. Every intrusion leaves traces of activity, and when strung together these pieces form a digital chain of evidence. Analytics tools sift through that evidence for indicators of compromise (file hashes, domains, IP addresses, process names) and, from those indicators, reconstruct the attacker's tactics, techniques, and procedures. The same tools show how far an attack spread and which systems were compromised. Every network segment and every connected endpoint should be monitored, using techniques such as full-packet capture and inspection, so that investigators have deep, granular visibility. Used well, this kind of tooling surfaces user and system behavior that deviates from the expected baseline.
Prioritizing Incident Response Efforts
Once analytics have determined which parts of the network were compromised, systems that show no sign of involvement can be set aside from the investigation. Prioritizing incident response is still challenging, but a smaller subset of systems on which to concentrate investigative effort makes it easier.
Forensics personnel should add context to the information collected: the type of event, which devices were affected, vulnerability data from prior assessments, and the criticality of the affected systems. This information should then be correlated with threat intelligence from internal and external sources that provides detailed, timely information about current threats to the industry.
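The two preceding sections describe matching evidence against indicators, measuring how far an attack spread, and then enriching the affected systems with asset criticality and vulnerability data to prioritize them. As an added illustration, not part of the original post and not RSA product code, the following Python script does exactly that over a handful of constructed events. The threat-intel feed, asset inventory, events, hostnames, hashes and scoring weights are all hypothetical and chosen only to show the mechanics.

```python
"""Triage example (added illustration): correlate constructed events with a
constructed threat-intel set, show which hosts each indicator touched, then
rank affected systems by asset criticality and vulnerability data."""
from collections import defaultdict

# Constructed threat-intel feed: hypothetical indicators, not real IOCs.
THREAT_INTEL = {
    "203.0.113.42": "C2 server (feed: internal)",
    "update-check.example.net": "malware staging domain (feed: external)",
    "a1b2c3d4e5f60718293a4b5c6d7e8f90": "dropper hash (feed: external)",
}

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewels),
# plus the number of unpatched critical findings from the last assessment.
ASSETS = {
    "web01":  {"criticality": 3, "critical_vulns": 1},
    "db01":   {"criticality": 5, "critical_vulns": 2},
    "hr-pc7": {"criticality": 2, "critical_vulns": 0},
    "kiosk":  {"criticality": 1, "critical_vulns": 3},
}

# Constructed normalized events (host, type, value), as a detection pipeline
# might emit them after parsing DNS, netflow and endpoint telemetry.
EVENTS = [
    {"host": "hr-pc7", "type": "dns", "value": "update-check.example.net"},
    {"host": "hr-pc7", "type": "file_hash", "value": "a1b2c3d4e5f60718293a4b5c6d7e8f90"},
    {"host": "hr-pc7", "type": "netflow", "value": "203.0.113.42"},
    {"host": "web01", "type": "netflow", "value": "198.51.100.7"},  # benign
    {"host": "db01", "type": "netflow", "value": "203.0.113.42"},
    {"host": "kiosk", "type": "dns", "value": "www.example.com"},    # benign
]


def match_indicators(events, intel):
    """Return {host: [(type, value, description), ...]} for events whose value
    appears in the intel set. Hosts with no match are absent from the result."""
    hits = defaultdict(list)
    for ev in events:
        desc = intel.get(ev["value"])
        if desc:
            hits[ev["host"]].append((ev["type"], ev["value"], desc))
    return dict(hits)


def indicator_spread(hits):
    """Invert the matches to {indicator_value: sorted hosts}: this shows how
    far each indicator has spread across the monitored estate."""
    spread = defaultdict(set)
    for host, matches in hits.items():
        for _, value, _ in matches:
            spread[value].add(host)
    return {v: sorted(h) for v, h in spread.items()}


def priority_score(host, matches, assets):
    """Illustrative weighting: distinct evidence types seen on the host times
    its asset criticality, plus one point per unpatched critical vuln."""
    asset = assets.get(host, {"criticality": 1, "critical_vulns": 0})
    distinct_types = len({m[0] for m in matches})
    return distinct_types * asset["criticality"] + asset["critical_vulns"]


def triage(events, intel, assets):
    """Return (score, host, matches) tuples, highest priority first."""
    hits = match_indicators(events, intel)
    return sorted(
        ((priority_score(h, m, assets), h, m) for h, m in hits.items()),
        reverse=True,
    )


if __name__ == "__main__":
    for score, host, matches in triage(EVENTS, THREAT_INTEL, ASSETS):
        print(f"{host:8s} score={score:2d}")
        for kind, value, desc in matches:
            print(f"    {kind:10s} {value}  <- {desc}")
    for value, hosts in indicator_spread(match_indicators(EVENTS, THREAT_INTEL)).items():
        print(f"spread: {value} seen on {', '.join(hosts)}")
```

With this input, hr-pc7 carries three matching indicators but db01 ranks first: a single C2 connection from a criticality-5 database host with two unpatched critical findings outranks a workstation with more evidence. That is the point of adding asset and vulnerability context before deciding where to send investigators, and the spread view shows the C2 address was contacted from both hosts, which is the pivot an analyst would follow next.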
Moving Toward Better Threat Detection
Because modern breaches are so damaging, organizations need to shift from relying only on prevention (trying to keep incidents from occurring) to also detecting the threats and vulnerabilities that have already affected the network. This lets the forensics team respond efficiently and limit the damage as much as possible. Organizations must take a proactive stance on threat detection: actively hunting for intruders through continuous monitoring with capable tools, and using analytics to gather actionable intelligence on how best to respond.
The right tools will provide the visibility over networks that many organizations currently lack. With an accurate picture available, they will be able to prioritize where to direct precious resources during their attack response. Through continuous monitoring and effective analysis of unusual events, organizations will be better able to hone their defense and response capabilities, making their efforts to detect and investigate future attacks more effective. Analytics and response tools will enable security personnel to spend less time on routine tasks that could be better automated, making the entire incident response process easier and more streamlined.
Category: RSA Fundamentals, Blog Post