
Forensics: Reactive or Proactive?


In today's threat-intensive operating environment, network management must include end-to-end post-breach analysis capabilities, because breaches will happen and will have to be investigated. But those capabilities are not only for the postmortem; they serve ongoing and future network management as well. The classic definition of "forensics" centers on the reactive, post-event analysis of data and facts. In computer investigations, however, the same scientific approach applies not only retrospectively but also prospectively: evidence can be collected continuously, before any specific need for it is known.

Defining Digital Forensic Investigation

It is useful to trace the definition of network forensics to see how the field evolved from a purely reactive science to a proactive one. The seminal 2001 paper A Road Map for Digital Forensic Research sets the post-breach analysis used by law enforcement for prosecution alongside two other practices: the small, numerous real-time analyses performed for continuity of operations, and the real-time analyses business and industry perform for availability of service. In the latter two, prosecution is a secondary objective; IT "managers strive to anticipate and take action to thwart anomalous activity before their mission or service is interrupted." The paper set the stage for the decade that followed, during which the proactive approach gained acceptance and use.

The Digital Forensics Research Workshop defines network forensics as “the use of scientifically proven techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent or measured success of unauthorized activities meant to disrupt, corrupt, and/or compromise system components as well as providing information to assist in response to or recovery from these activities.”

Thus one goal of this analytical approach is to detect and thwart planned attempts to disrupt, corrupt, or compromise systems, and to anticipate future attempts. Proactive analytics are now being built into a number of state-of-the-art security processes that ultimately improve visibility and control. Two examples follow.

Business Context-Based Security

Business context, that is, the collected and unified information about users, their job roles, their accounts and entitlements, and their application activity, underpins one of the intelligence-based security techniques now being widely adopted. It is a proactive analytical approach focused on activity, access management, and access governance: by joining what an account did with what its owner is entitled to do, identity and access management (IAM) can flag unauthorized activity meant to disrupt, corrupt, or compromise system components while it is under way, rather than reconstructing it afterward.

Transaction Monitoring

Transaction monitoring is a proactive tool that identifies fraudulent online transactions in real time. Anomalous behavior is recorded and reported so that the organization can take appropriate measures, such as closing the weakness that allowed it. In this sense transaction monitoring is itself a proactive forensic approach: the evidence is captured as the transaction happens, which improves both network visibility and network security.
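
The following is an added example, not code from the original post or from RSA, showing what the two techniques above look like when implemented together as proactive forensics: each incoming transaction is checked against the account's business context (does the action fall within the entitlements of the user's role?) and against the account's own behavioural baseline (amount far outside its history, or a country it has never transacted from), and every flagged event is written as a self-contained evidence record at the moment it happens. The role catalog, account directory, log format, thresholds and all log lines are constructed for the example.

```python
"""Proactive forensic monitoring over a constructed online-transaction stream.

Two of the post's proactive techniques, implemented together:
  * business context: is this action inside the entitlements of the account's role?
  * transaction monitoring: is this transaction anomalous for this account
    (amount far outside its baseline, or a country it has never used)?
Anything flagged is written as a self-contained evidence record, so the record
exists before anyone knows they will need it.  All names and data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import json
import statistics

# Constructed business-context data (in practice: HR/IAM directory and entitlement catalog).
ROLE_ENTITLEMENTS = {
    "teller": {"view_balance", "deposit", "withdraw"},
    "analyst": {"view_balance", "export_report"},
}
ACCOUNTS = {"u1001": ("alice", "teller"), "u2002": ("bob", "analyst")}  # account -> (user, role)


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    action: str
    amount: float
    country: str
    src_ip: str


def parse_line(line: str) -> Txn:
    """Parse one constructed log line: '<iso-ts> <account> <action> <amount> <country> <src_ip>'."""
    ts, account, action, amount, country, src_ip = line.split()
    return Txn(datetime.fromisoformat(ts), account, action, float(amount), country, src_ip)


class Monitor:
    def __init__(self, min_history: int = 5, z_threshold: float = 3.0):
        self.min_history = min_history          # baseline needs this many clean amounts first
        self.z_threshold = z_threshold
        self.amounts = defaultdict(list)        # account -> amounts of accepted transactions
        self.countries = defaultdict(set)       # account -> countries seen on accepted transactions
        self.evidence = []                      # forensic records, collected as events happen

    def check(self, txn: Txn) -> list:
        """Return the list of reasons the transaction is suspicious (empty if none)."""
        reasons = []

        # Business context: does the account's role entitle it to this action at all?
        user, role = ACCOUNTS.get(txn.account, (None, None))
        if role is None:
            reasons.append("account not in directory")
        elif txn.action not in ROLE_ENTITLEMENTS[role]:
            reasons.append(f"action '{txn.action}' outside entitlements of role '{role}'")

        # Transaction monitoring: compare against the account's own baseline.
        hist = self.amounts[txn.account]
        if len(hist) >= self.min_history:
            mean, sd = statistics.fmean(hist), statistics.pstdev(hist)
            z = (txn.amount - mean) / max(sd, 1e-9)   # guard a perfectly flat baseline
            if z > self.z_threshold:
                reasons.append(f"amount {txn.amount:.2f} is {z:.1f} sd above baseline mean {mean:.2f}")
        if self.countries[txn.account] and txn.country not in self.countries[txn.account]:
            reasons.append(f"first transaction from country {txn.country}")

        if reasons:
            # Record everything an investigator would later ask for, now, not after the fact.
            self.evidence.append({
                "ts": txn.ts.isoformat(), "account": txn.account, "user": user, "role": role,
                "action": txn.action, "amount": txn.amount, "country": txn.country,
                "src_ip": txn.src_ip, "reasons": reasons,
                "baseline": {"n": len(hist), "mean": statistics.fmean(hist) if hist else None,
                             "countries": sorted(self.countries[txn.account])},
            })
        else:
            # Only clean transactions feed the baseline, so an attacker cannot drift it upward.
            hist.append(txn.amount)
            self.countries[txn.account].add(txn.country)
        return reasons


def run(lines):
    """Feed log lines through the monitor in order; return the evidence records produced."""
    mon = Monitor()
    for line in lines:
        mon.check(parse_line(line))
    return mon.evidence


# Constructed sample stream: five routine transactions, then two an investigator would want to see.
SAMPLE_LOG = [
    "2024-03-01T09:05:00 u1001 withdraw 100.00 US 203.0.113.4",
    "2024-03-01T09:20:00 u1001 withdraw 110.00 US 203.0.113.4",
    "2024-03-01T10:02:00 u1001 withdraw 95.00 US 203.0.113.4",
    "2024-03-01T11:15:00 u1001 withdraw 105.00 US 203.0.113.4",
    "2024-03-01T12:40:00 u1001 deposit 100.00 US 203.0.113.4",
    "2024-03-01T12:41:00 u1001 withdraw 4000.00 RO 198.51.100.7",   # baseline now has 5 amounts -> z-scored
    "2024-03-01T12:45:00 u2002 withdraw 50.00 US 192.0.2.9",        # analyst role has no 'withdraw' entitlement
]

if __name__ == "__main__":
    for record in run(SAMPLE_LOG):
        print(json.dumps(record, indent=2))
```

Two design points carry the post's argument. The evidence record is written at detection time and includes the baseline the decision was made against, so a later investigation does not have to reconstruct what "normal" looked like that day. And the baseline is updated only from transactions that passed every check; feeding flagged amounts back in would let an attacker slowly drift the mean until a large transfer looked ordinary.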

Proactive network forensics is essential to improving network visibility. As shrinking threat response times increasingly demand deterrent and proactive defenses, these methodologies can be expected to be applied more proactively still.

The post Forensics: Reactive or Proactive? appeared first on Speaking of Security - The RSA Blog and Podcast.

