When Google was among the companies victimized by the so-called "Aurora" attack, thought to originate from China (whether or not Chinese actors were actually involved), a number of security professionals began asking whether their focus should be primarily on preventive security or on incident response. The right answer probably lies somewhere in the middle, but the fact that a company as technically sophisticated as Google was compromised led some to speculate that certain attacks cannot be reliably prevented within an organization's own environment, and that incident response and computer forensic investigation therefore had to become a focus.
Incident response involves a large number of considerations, including who will be involved and how, whether a strict computer forensics approach will be followed so that the evidence collected can be used in court, whether outside expertise will be brought in, and which tools will support the response. This week we take a brief look at the last question: which tools enterprise security managers are employing in their security incident response plans.
Looking at the technology roadmap above, we see that more than half of enterprises, 60%, have some monitoring and forensics capability in place; however, that does not equal 60% penetration by vendor-supplied offerings. This category still features both homegrown and open source tool sets, which occupy the third and fourth slots among the most popular answers to how even large enterprises handle monitoring and forensics. Don't expect this to change soon, as only 6% of respondents currently have new monitoring and forensics solutions in their short-term plans.
The category leader is Guidance Software, maker of EnCase. Network monitoring tools, such as those from SolarWinds, and log aggregators such as Splunk also form part of the puzzle. Circling back to the Google incident, Mandiant, a smaller provider that was heavily involved in the investigation, showed up with a handful of mentions as an enterprise provider in the latest round of interviews.
- Biggest Pain Point: “Really knowing if [we’re] being hacked.”
- “We have to update architecture and back-end systems, and update fielded systems to harden and provide forensics ability.”
- “BackTrack also for forensics. Mainly we will call in a third party to help us if we have a big problem.”
- “I would like to see them [IBM] hire more former hackers to keep things honest.”