The New Forensics - And Your SIEM Solution Part 1

Monday, January 25, 2010 by Pam Casale

Fully capable SIEM solutions play many roles in enterprise security management. Rob Ayoub with Frost & Sullivan thinks there's a role for your SIEM solution during preliminary investigation.  

WELCOME ROB AYOUB - GUEST BLOGGER!

From the desk of Rob Ayoub: A recent conversation at an ISSA meeting went something like this:

“Rob, I don’t know what to do. I have a guy who might be stealing my customer lists and reselling them, but I don’t really know. Part of me wants to grab his computer and image the drive, but my guys aren’t really trained to do a real forensic investigation. Also, I’m afraid that if I imaged his machine, it would leak out and our employees would suspect that we were watching their every move.”

Wow! Talk about a situation with no easy solution. I think that many enterprises, especially mid-size ones, are struggling with similar issues these days.

Do you grab an employee’s computer one night and use a tool like EnCase to try to find the information? Maybe you just grab the computer and tell the employee they’re under investigation, raising alarm among all employees that they’re being monitored. How do you justify the time needed to perform an investigation? And what if you’re wrong and the employee is innocent?

One of my favorite books is Cliff Stoll’s classic, The Cuckoo’s Egg. That was an unquestionable example of an intrusion that required a full-blown investigation and intervention by the authorities. However, you don’t want to subject your organization to something like that unless it is absolutely necessary.

Digital forensics used to be solely the realm of the FBI and other government agencies. Even today, most forensics tools are built for post-incident investigation and cleanup, not for a quick first look. It’s a lengthy process:

- Traditional forensic tools require a full image of the hard drive before analysis can begin. The exploratory process that follows is complex, and finding the relevant information is analogous to finding a needle in a stack of needles.

- If a forensic investigation turns into a legal proceeding, the investigation itself comes into question: how the evidence was acquired, who handled it and when (the chain of custody), and whether the original was altered. This means that IT staff need to be trained in the proper handling of a forensic investigation before they touch a suspect machine.

- Many enterprises just want the flag raised, alerting them to possible problems. They don’t want to dive into employees’ personal machines.

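What “raising the flag” from log data looks like, as an added illustration that is not part of Rob’s post and not a feature of any particular SIEM product: a small correlation over constructed audit events (the log format, the file name customer_list, the 24-hour window and the user names are all assumptions made for the example). A user who reads the customer list and then moves a similar-sized file to removable media or an external mailbox within the window is flagged for preliminary review; nothing is imaged and no machine is seized.

```python
"""Toy SIEM-style correlation for a preliminary insider-exfiltration review.
Added example with constructed log lines; not from any real system or product.
Assumed event format: timestamp|source|user|action|detail
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). jdoe reads the customer list and
# writes it to USB minutes later; asmith reads it but mails an attachment more
# than a day later; bwong only handles a non-sensitive file.
SAMPLE_LOG = r"""
2010-01-20 09:02:11|fileserver|jdoe|read|\\fs01\sales\customer_list.xlsx
2010-01-20 09:05:40|endpoint|jdoe|usb_write|E:\customer_list.xlsx size=2310400
2010-01-20 10:15:03|fileserver|asmith|read|\\fs01\sales\customer_list.xlsx
2010-01-21 16:44:19|mailgw|asmith|send|to=ext@example.net attach_bytes=2300000
2010-01-20 11:00:00|fileserver|bwong|read|\\fs01\hr\handbook.pdf
2010-01-20 11:01:00|endpoint|bwong|usb_write|E:\handbook.pdf size=120000
"""

SENSITIVE_MARKERS = ("customer_list",)   # assumed name of the protected asset
WINDOW = timedelta(hours=24)             # assumed: read then egress within 24h
EGRESS_ACTIONS = {"usb_write", "send"}   # assumed action names for data leaving


def parse(log_text):
    """Parse pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, user, action, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source, "user": user, "action": action, "detail": detail,
        })
    return events


def correlate(events):
    """Return {user: [(read_event, egress_event), ...]} for every user who read
    a sensitive file and then performed an egress action within WINDOW."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    flags = {}
    for user, evs in by_user.items():
        reads = [e for e in evs if e["action"] == "read"
                 and any(m in e["detail"].lower() for m in SENSITIVE_MARKERS)]
        pairs = [(r, e) for r in reads for e in evs
                 if e["action"] in EGRESS_ACTIONS
                 and r["ts"] < e["ts"] <= r["ts"] + WINDOW]
        if pairs:
            flags[user] = pairs
    return flags


def review_note(flags):
    """Format the flag as a short note for the person deciding whether a
    fuller investigation (and any imaging) is justified."""
    lines = []
    for user, pairs in flags.items():
        for r, e in pairs:
            lines.append(f"{user}: read {r['detail']} at {r['ts']}, then "
                         f"{e['action']} ({e['source']}) at {e['ts']}: {e['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_note(correlate(parse(SAMPLE_LOG))))
```

Run on the sample, only jdoe is flagged: asmith’s outbound mail falls outside the window and bwong never touched the sensitive file. The output is a list of concrete events to ask about, not evidence for a courtroom; if the preliminary review confirms the suspicion, that is the point at which trained staff acquire an image under a proper chain of custody.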

Tomorrow, in Part 2 of The New Forensics, we’ll continue this discussion and include some practical advice on using a SIEM for the preliminary investigation of a potential insider attack or policy breach.
Listen or share Rob's podcast on the New Forensics that extracts more value from the Intellitactics SIEM solution.
