Incident response (IR) for many IT shops traditionally has been accomplished by cobbling together tools from various sources with a script-based tool that automates the collection of data from the suspect system. All manual incident response is slow response, says Kevin Mandia, president and CEO of Mandiant. A key driver for organizations dealing with incidents, especially those in the financial sector, Mandia says, is speed and minimizing exposure: The IR team must be able to quickly grab information about the incident, determine what’s happening, and respond appropriately to minimize collateral damage. And as industry regulations and legislation now require disclosure of data breaches, it’s increasingly important to handle incidents and internal investigations as quickly as possible.
Guidance Software, thanks to its success as a forensic software company, has been the major player in the enterprise incident response (IR) market for several years. Its Encase Enterprise product integrates IR and traditional forensic capabilities into one interface that’s familiar to users of the company’s standalone Encase Forensic product.
There are network event-focused tools arriving as well: Startup Packet Analytics, for instance, on Tuesday will emerge from stealth mode and roll out its new Net/FSE Network Forensic Search Engine software, which collects and organizes Cisco NetFlow and syslog log data into a searchable format, helping analysts to investigate breaches as soon as they occur.
Key features to consider in enterprise IR tools are the breadth of operating system support, what information can be collected, and whether it will complement current internal processes and tools. Collecting volatile data such as open ports, running processes, and contents of memory, is one key thing to consider when searching for an IR solution. If you conduct small internal investigations and computer forensics, most IR solutions can collect information in a way that can be easily analyzed by existing forensic products, or within the IR solution itself.
Chet Hosmer, senior vice president and chief scientist for WetStone Technologies, says that is one of the key features of WetStone’s LiveWire Investigator: quickly and accurately capturing volatile information, as well as performing acquisition in such a way that can be analyzed within its product, or plugged into other vendors’ tools.
Brian Karney, chief operating officer for AccessData, says internal investigations are a primary driver for companies researching, or that already have purchased, enterprise IR tools.
http://www.darkreading.com/document.asp?doc_id=143629&WT.svl=news2_1