SIA Solution – Forensics Investigations

Forensic investigations are a primary driver behind the need to keep more data for longer time periods. To battle the costs of storing more and more data, many organizations are turning to Security Data Lakes as the most economical means of storing this information. System Soft Technologies’ (SST) Security Intelligence and Analytics (SIA) Solution includes a full-featured, operationalized Security Data Lake and a rich user interface to enable comprehensive forensic investigations.

How Much Data Do I Need to Keep? For How Long Do I Need to Keep it?

Most commercial SIEM products have difficulty retaining data for more than 30 days, often less for larger organizations. And storing more data in a SIEM typically means more licensing costs. Yet data shows that over two-thirds of security incidents required over 30 days to discover. Looking at some recent well-known examples, the Home Depot breach took 5 months to discover, PF Chang’s 11 months, and Sony, the Office of Personnel Management (OPM), and Trump Hotels took about a year to discover.

Clearly, SIEMs alone are not enough for large organizations, and longer-term repositories are needed to retain more data. Here are some of the features of System Soft Technologies’ SIA Solution that support a forensic investigation:

Rich User Interface

Most Security Analysts, Incident Responders, and Forensics Investigators do not want to deal with complicated systems intended for developers or data scientists. Investigators need to be able to quickly find information related to a specific query and discover related information.

For this reason, System Soft Technologies includes both the Kibana interface and a structured reporting tool interface as part of the data forensics solution. In Kibana, investigations begin with a simple “full text” search that quickly surfaces all related records. Records can then be filtered by time range and other important criteria. Investigators can also see on a map where the information is tied geographically, provided the data has gone through the standard enrichment processes upon loading (see Pre-built Integrations below).

Finally, investigators can see the full details of any specific record with a complete breakdown of each field and its value. Just as important, investigators can use standard reporting tools such as Zeppelin or Tableau. Here, investigations start with pre-defined reports that surface relevant information. Investigators can then “drill down” and “drill across” to discover more details in other pre-defined reports that help pinpoint the root cause of the incident.

Data Ingestion of Common Sources

The variety of sources required for cybersecurity can be overwhelming. It may be easy to load all data into one common bucket for full text search, but to enable structured reporting tools and advanced analytics the data must be “understood” by the system. This means the data must be properly parsed, categorized, and classified.

That’s why the System Soft Technologies solution comes with several pre-built parsers for the most common IT sources:

  • Windows
  • BlueCoat
  • Cisco ASA
  • Syslog
  • WatchGuard Proxy
  • WatchGuard DHCP

Even more importantly, System Soft Technologies excels at creating new parsing routines for new sources, especially custom in-house sources that no one else has seen.

Big Data Operationalization

Here’s where System Soft Technologies’ years of experience implementing and managing Big Data solutions bring value to the ready-to-deploy solution. The challenge isn’t just getting an environment up and running, but sustaining that environment with a reasonable amount of system administration. For this, System Soft Technologies has integrated two key open technologies: Ambari and Kylo.

The Ambari interface makes it easy for administrators to see which services are up and running on which computers, and easily start and stop the services – even concurrently across the cluster when needed. This same interface is used to expand the cluster, add new services to the cluster, or move services to specific computers in the cluster.

The Kylo interface makes it easy to manage the loading of data sources. The application administrator can easily see the status of each source’s stream and loading queue. Sources can easily be started, stopped, or paused. Any loading errors are quickly surfaced.

Pre-built Integrations

The solution also has pre-built integrations with the OpenTAXI threat intelligence platform, geo-location services, and DNS systems.

The OpenTAXI integration enriches data as it is loaded with intelligence about any known bad sites, URLs, domains, or IP addresses.

Integration with geo-location services enables security analysts to visualize information related to specific incidents on a physical map of a region.

Integration with DNS information helps security analysts tie events to specific physical and virtual assets a company has in its environment.
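The two steps described above, parsing raw log lines into structured records (Data Ingestion of Common Sources) and enriching them at load time with threat intelligence, geo-location and DNS data (Pre-built Integrations), are illustrated by the following added example. It is not code from the SIA Solution or its parsers; it is a minimal Python stand-in that shows the shape of the pipeline. The log lines, the indicator set, the geo table and the reverse-DNS map are all constructed for the example, and the "internal address space" is assumed to be RFC 1918 (a real deployment would use the customer's own ranges and live lookups).

```python
import re
import ipaddress
from typing import Dict, List, Set

# Constructed sample syslog lines (hypothetical hosts and documentation addresses).
SAMPLE_LOGS = [
    '<166>Mar 10 14:02:11 fw01 %ASA-6-302013: Built outbound TCP connection 8841 '
    'for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.12/52344 (10.0.0.12/52344)',
    '<164>Mar 10 14:02:15 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    '<38>Mar 10 14:02:20 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2',
]

# Constructed stand-ins for the three enrichment sources: a threat-intel indicator
# set (what an OpenTAXI feed would supply), a geo-location table and reverse DNS.
THREAT_INTEL: Set[str] = {"198.51.100.7", "bad.example"}
GEO: Dict[str, str] = {"203.0.113.5": "Region A", "198.51.100.7": "Region B"}
REVERSE_DNS: Dict[str, str] = {"10.0.0.12": "app12.corp.example", "10.0.0.5": "jump05.corp.example"}

# Assumed internal address space (RFC 1918); a real deployment would configure its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ASA_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d+): (?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse step: turn one syslog line into a categorized, structured record."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Keep unparsed lines so full-text search still finds them.
        return {"source_type": "unparsed", "raw": line, "ips": []}
    pri = int(m.group("pri"))
    record = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "facility": pri // 8,        # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "source_type": "syslog",
        "message": m.group("msg"),
        "raw": line,
    }
    asa = ASA_RE.match(record["message"])
    if asa:
        # Cisco ASA messages carry their own severity and message id.
        record["source_type"] = "cisco_asa"
        record["severity"] = int(asa.group("sev"))
        record["message_id"] = asa.group("id")
        record["message"] = asa.group("body")
        record["action"] = "deny" if asa.group("body").startswith("Deny") else "allow"
    ips: List[str] = []
    for ip in IPV4_RE.findall(record["message"]):
        if ip not in ips:
            ips.append(ip)
    record["ips"] = ips
    return record


def enrich(record: dict, intel: Set[str], geo: Dict[str, str], rdns: Dict[str, str]) -> dict:
    """Load-time enrichment: indicator matches, geo for external IPs, asset names for internal IPs."""
    record["threat_matches"] = [ip for ip in record["ips"] if ip in intel]
    record["geo"] = {ip: geo[ip] for ip in record["ips"] if not is_internal(ip) and ip in geo}
    record["assets"] = [rdns[ip] for ip in record["ips"] if is_internal(ip) and ip in rdns]
    return record


def process(lines: List[str], intel=THREAT_INTEL, geo=GEO, rdns=REVERSE_DNS) -> List[dict]:
    return [enrich(parse_line(line), intel, geo, rdns) for line in lines]


def records_with_threat_hits(records: List[dict]) -> List[dict]:
    """What a search for 'any record touching a known-bad indicator' returns after enrichment."""
    return [r for r in records if r["threat_matches"]]


if __name__ == "__main__":
    for r in records_with_threat_hits(process(SAMPLE_LOGS)):
        print(r["timestamp"], r["host"], r["source_type"], r["threat_matches"], r["assets"])
```

Because the indicator, region and asset fields are attached when the record is written, an investigator can later filter on them directly (for example, every record from any source that touched a listed indicator in a given time range) without re-parsing or re-querying the enrichment services.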

Open Solution

All of System Soft Technologies’ solutions are built entirely from readily available open source technologies. This means that customers have complete access to all the code that makes up the solution, as well as visibility into all analytics provided with the solution. Customers are free to copy, augment, or re-use any analytics provided. System Soft Technologies also offers training for customers to extend the solution if requested.

Critical Thinking. Collaboration. Success.

Copyright ©2019 System Soft Technologies. All rights reserved.