Tuesday, January 28, 2014


One of the goals of a Security Operations Center (SOC) is often incident response at the speed of business. When an incident occurs, various different stakeholders will have tough questions requiring timely, accurate answers. Network forensics provides the means through which timely, accurate answers are uncovered in the enterprise data. The "Cyclone" workflow enables network forensics by allowing the human analyst to focus on incident response, rather than serving as a "Human API". Cyclone eliminates the need for the human analyst -- the most precious resource -- to force various technologies to fit operational needs and demands that they were not designed to fit. Cyclone consists of three components:
  • Capture
  • Inspect
  • Expose
Elaborating a bit more, these components of Cyclone ensure:
  • That the network traffic was captured
  • That the meta-data from the network traffic was inspected
  • That the meta-data is exposed for analysis, network forensics, and complex event processing
It is not surprising that in order to perform network forensics, an organization requires that the network traffic data was captured. The answers to the tough questions posed by stakeholders are found in the data, and if a record of the data does not exist, those questions cannot be answered.

Once the data has been captured, it must be inspected. The inspection process allows for extraction of valuable meta-data, assembly into sessions, enrichment, and indexing for high speed search. Large enterprises see an overwhelming volume of traffic that necessitates high speed search in order to properly perform network forensics. The data can only be exploited for network forensics if searches return results at high speed.

Once the meta-data has been inspected, that meta-data needs to be exposed for analysis, network forensics, and complex event processing. In other words, answering the important questions requires crafting specific, incisive queries that extract the precise data necessary to answer those questions. This can only occur when the meta-data is exposed and can be exploited analytically.

When an incident hits, organizations need to respond quickly. Cyclone ensures that the proper workflow components are in place ahead of time and ready for when an incident occurs. With Cyclone in place, organizations can focus on carrying out a timely, effective incident response, without wasting precious time serving as the "Human API".

No comments:

Post a Comment