Figuring out what happened

Analysis is a major piece of what we do today in information assurance. We are analyzing changes that we make to our security architecture constantly to ensure that they do what we intend and that they don't introduce new vulnerabilities. That is the proactive side of our analysis duties. However, there is, of necessity, a reactive side and that is the topic of this month's product reviews.

We cover analysis from two angles: the network and the device. On the network side, SC Lab Manager Mike Stephenson put several security information and event management (SIEM) tools through their paces. SIEMs are becoming a very interesting product type. In past years, we had to pick nits to separate the network forensic tools, network security analysis tools and log managers from each other. This year, we saw that the various tasks that the SIEM is expected to perform have converged into a single product. In this regard, the SIEM has taken the path of almost all system-level devices. We can include the SIEM, UTM and other gateway devices together when we think about product development strategy.

The ability for a single analytic device to take in almost all types of network and log information, organize it, correlate it and develop a picture that the analyst can use is becoming the core benefit of this type of device. So that set of capabilities is what we looked for this month as we tested SIEMs. I'll have more about that in the run-up to the reviews.

On the device side, this was our annual forensic tools review issue. And, in keeping with an emerging tradition, I turned over the tools to my digital forensics class at Norwich University for their capstone project. As usual, the students – all of whom graduated this spring – did a thorough job of putting the tools through their paces. They were led by Keith Gilbert, my lab assistant for three years. Keith graduated as well and he will certainly be missed in the forensics lab at the university. We'll hear from him again when the second edition of my digital investigation text, which he is co-authoring with me, comes out this winter.

Forensic tools, as Keith tells us in his opening column, can take a number of forms. In earlier years, we handled those product types separately but, like most security tools, forensic tools have begun to converge. However, the convergence is more complementary than overlapping. Forensic tools still keep their individual capabilities and should be considered part of a larger tool kit.

While some of the mainstream computer forensic tools have a few of the capabilities of the more specialized products, in most cases you will benefit from adding the specialized tools to your collection. The result of this month's reviews, I think, is a good set of recommendations for a complete suite of forensic tools, especially if we consider both product groups in this month's reviews.
