Infosec incident investigation and forensics
It’s not just analytics
When investigating a security incident, the goal is to track all the steps of a malicious activity. We need to identify provable evidence to:
- stop the current activity
- do damage control
- prevent these and similar activities in the future.
It is pretty obvious that the first of these is a highly time-critical task. This is what makes infosec incident analysis different from other analytics.
The bad guys enter through the balcony
Analysing and searching logs is not that simple. Yes, best practices tell you to set up log collection from different appliances, hosts and services. Most often, only some logs are collected because specialist resources, storage, network bandwidth and budget do not grow on trees. Sometimes there is no collection at all.
Which ones should you collect? The business critical ones? Yes, but there’s a catch: the bad guys don’t bother with the closely monitored front door. They come through the balcony - i.e your secondary (and less hardened) systems, such as forums, customer support, web, email, etc. Chances are you don't have logs collected from these systems. The result is a slow pain of retrieving logs from live environments and feeding them into the analytics system.
Next, there’s data from third parties. Open source intelligence, CERT alerts, etc. This also needs to be transformed to a suitable format before incorporating it into the analysis. All that under the heaviest time pressure.
Tracking down blasts from the past
To prevent similar attacks happening in the future, you need to study the past in detail. Attacks continue over long time periods, weeks, months and sometimes even years (e.g. see Ponemon 2017 Cost of Data Breach study: it takes an average of 206 days for US companies to detect a data breach
). To get to the bottom of these, you need to analyse countless amounts of logs and go beyond urgent issues, studying reconnaissance, weaponization, delivery - a scope far wider than available in traditional log management workflows (see best practices from Lockheed Martin
or the Gartner Adaptive Security Architecture
). The problem is, stretching beyond the traditional log analysis time window is either expensive (commercial tools) or technically complex (free tools).
SpectX helps you combat time (now and as far back as you need)
SpectX gives you unprecedented precision and quality in results when investigating incidents. The key here is a lightning fast access to all your semi- and unstructured logs from different environments and the ability join them with data from third parties
for complex analytics. No matter where your log repositories are located or how large their volumes are, there’s no need for time-consuming preparation or data import (see the product architecture on why and how this works
). You can immediately dig to the bottom of the incident(s).
The investigation can concentrate on any time period as lengthy as you like and include data in unlimited amounts. Making occasional mistakes in the preparation phase no longer causes you to start everything over, you can fix all errors in a flick.
SpectX makes a difference in incident analysis. After all, its design is based on 50 years of combined experience in infosec.
Back to solutions