My regular readers know that I love forensics and I love innovation. Give me both in a single product and you have my attention. With its new CIRT (Cyber Intelligence and Response Technology), AccessData Group has knocked one out of the ballpark. The framework contains everything needed to perform digital forensic incident response (DFIR). This is a full lifecycle – from detecting to analyzing to remediating – and it's all in a single package.
If we stop and think about the forensic process, we see that there are some key aspects from a DFIR perspective. First, we want to know that an incident is occurring/has occurred. Second, we want to know the nature of the incident. Third, we want to perform detailed analysis, even if our environment is thousands or tens of thousands of computers. And finally, having found the root cause, we want to clean up the network and get on with business. And, we want to do all of that with minimal disruption to our users. CIRT provides all of that.
Beginning with detection, CIRT integrates with a SIEM. There is a lot happening on the network and the SIEM is the device most likely to see it all. We also get removable media monitoring and analyst-in-the-middle decryption of SSL data streams. Once we know that something is going on, we need to figure out what it is. That's where the network- and host-based packet capture and IOCs (indicators of compromise) come into the picture.
All of this is bolstered by ongoing threat and indicator of compromise (IOC) feeds that keep the detection piece current. Finally, CIRT remediates problems automatically and preserves anything that needs to be kept for further analysis. A user has detected the incident, analyzed it and remediated the damage – all with a single suite of tools operating in a single pane of glass.
Visualization is solid, which is critical when there is so much data. Like most similar systems, hosts on the network report back using data collected by agents. These can be persistent or volatile (dissolvable), and the persistent agents do the analysis locally, sending only results back to the central control point. This lessens network impact significantly.
An important aspect of CIRT is project management. The project is the paradigm that CIRT uses, and setting up a project is straightforward. There are places in the project definition forms to establish who is in each of many roles and project flows, including such functions as legal and outside consultants, as well as all of those other functions that one would expect.
Overall, I have not seen a more complete approach to managing security from the forensic perspective. Indeed, this is the first product I've seen that really addresses both security management and response to cyber incidents, especially in large environments, a milieu for which it is very well suited. If one really wants to integrate security management and digital forensic response in a single system that can help address compliance and the other issues that revolve around information security, this is not only your best choice; today it is your only choice.
At a glance

Product: CIRT (Cyber Intelligence and Response Technology)