eIQnetworks, Inc., a provider of unified situational awareness solutions, announced the launch of ForensicVue, a real-time forensic search engine that lets enterprise security analysts search every piece of security data collected from their network. ForensicVue is offered as a component of SecureVue, the vendor's situational awareness platform, and is intended to help organizations rapidly get to the root cause of incidents.
ForensicVue introduces greater automation to the process of identifying incidents, which typically has been handled manually by administrators who are often overwhelmed by the amount of data coming in from systems, John Linkous, chief security and compliance officer at eIQnetworks, tells 5 Minute Briefing. "One of the more difficult aspects of IT compliance management is that compliance is not about one particular type of data. The reality is that event-based information is only one small piece of what is required to address compliance. Organizations must have access to - and be able to report completely and accurately on - a broad range of security data, including detailed asset information and configuration data, known vulnerabilities, network traffic, system performance metrics, and file integrity monitoring."
ForensicVue lets analysts search large volumes of security data of every type the platform collects, including log events, vulnerabilities, configurations, performance, availability, NetFlow, file integrity, USB monitoring and system compliance data, and correlate it from a single console. It can also be run over data aggregated from third-party products such as McAfee ePO, Symantec Endpoint Protection (SEP) and SIEM tools.
The tool enables more rapid turnaround of information on critical incidents because security data is correlated together within a single query, Linkous explains. "For example, a large organization might see a large number of failed logons to a critical ERP application on a Monday morning - say, 500 failed logons across 200 different user IDs. How does the organization distinguish between legitimate activity - users who simply fat-fingered their password - and a real attack? Even the largest organizations lack the number of security personnel it would take to manually track down each and every one of these failed logons. A ForensicVue user can ask the question, 'How many of those failed logons occurred on a workstation that had an unauthorized Windows registry change, and is missing critical OS patches, and has been sending traffic onto the network using unauthorized protocols, such as peer-to-peer, all within the last 30 days?' This kind of query allows security analysts to quickly cut down those 500 failed logons to the two to three actual ones that represent a real threat, and act on them."
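The triage query Linkous describes above, written out as an added example (this is not ForensicVue or eIQnetworks code, and the product's own query language is not shown on this page). It loads four constructed data sets into an in-memory SQLite database and keeps only the failed logons from workstations that, within a look-back window, also show an unauthorized registry change, a missing critical patch and unauthorized-protocol traffic. The host names, user IDs, registry keys, patch ID and the "Monday morning" reference time are all assumed:

```python
"""Cross-source triage of failed logons: correlate logon failures with
registry changes, patch status and flow data from the same host.
Added example with constructed data; not vendor code."""
import sqlite3
from datetime import datetime, timedelta

# Reference "Monday morning" and look-back window; both assumed for the example.
NOW = datetime(2011, 3, 7, 9, 0)
WINDOW_DAYS = 30

# Constructed sample data. Hosts, user IDs, registry keys and the patch ID are
# hypothetical. Timestamps are ISO-8601 strings so SQLite can compare them.
FAILED_LOGONS = [  # (ts, user_id, host) -- eight failures this morning
    ("2011-03-07T08:12", "jsmith", "WS-01"),
    ("2011-03-07T08:15", "jsmith", "WS-01"),
    ("2011-03-07T08:20", "mchen", "WS-02"),
    ("2011-03-07T08:31", "svc_batch", "WS-03"),
    ("2011-03-07T08:33", "svc_batch", "WS-03"),
    ("2011-03-07T08:34", "admin", "WS-03"),
    ("2011-03-07T08:40", "rlopez", "WS-04"),
    ("2011-03-07T08:45", "tkhan", "WS-05"),
]
REGISTRY_CHANGES = [  # (ts, host, key, authorized)
    ("2011-03-01T22:10", "WS-03", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater", 0),
    ("2011-01-15T10:00", "WS-04", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\helper", 0),  # 51 days old
    ("2011-03-05T14:00", "WS-05", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\agent", 0),
    ("2011-03-06T09:00", "WS-01", r"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate", 1),  # approved change
]
PATCH_STATUS = [  # (host, patch_id, severity, installed)
    ("WS-01", "PATCH-A", "critical", 0),
    ("WS-02", "PATCH-A", "critical", 1),
    ("WS-03", "PATCH-A", "critical", 0),
    ("WS-04", "PATCH-A", "critical", 0),
    ("WS-05", "PATCH-A", "critical", 1),
]
NETFLOW = [  # (ts, host, protocol, authorized)
    ("2011-03-06T23:40", "WS-03", "bittorrent", 0),
    ("2011-02-10T12:00", "WS-04", "bittorrent", 0),
    ("2011-03-06T20:00", "WS-05", "gnutella", 0),
    ("2011-03-07T08:00", "WS-01", "https", 1),
]

SCHEMA = """
CREATE TABLE failed_logons    (ts TEXT, user_id TEXT, host TEXT);
CREATE TABLE registry_changes (ts TEXT, host TEXT, key TEXT, authorized INTEGER);
CREATE TABLE patch_status     (host TEXT, patch_id TEXT, severity TEXT, installed INTEGER);
CREATE TABLE netflow          (ts TEXT, host TEXT, protocol TEXT, authorized INTEGER);
"""

# One query, four data types: each EXISTS clause is an indicator on the same host.
TRIAGE_SQL = """
SELECT f.host, f.user_id, COUNT(*) AS failures
FROM failed_logons f
WHERE f.ts BETWEEN :day_start AND :now
  AND EXISTS (SELECT 1 FROM registry_changes r
              WHERE r.host = f.host AND r.authorized = 0 AND r.ts >= :cutoff)
  AND EXISTS (SELECT 1 FROM patch_status p
              WHERE p.host = f.host AND p.severity = 'critical' AND p.installed = 0)
  AND EXISTS (SELECT 1 FROM netflow n
              WHERE n.host = f.host AND n.authorized = 0 AND n.ts >= :cutoff)
GROUP BY f.host, f.user_id
ORDER BY f.host, f.user_id
"""


def build_db() -> sqlite3.Connection:
    """Load the constructed data sets into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO failed_logons VALUES (?,?,?)", FAILED_LOGONS)
    con.executemany("INSERT INTO registry_changes VALUES (?,?,?,?)", REGISTRY_CHANGES)
    con.executemany("INSERT INTO patch_status VALUES (?,?,?,?)", PATCH_STATUS)
    con.executemany("INSERT INTO netflow VALUES (?,?,?,?)", NETFLOW)
    return con


def _stamp(dt: datetime) -> str:
    return dt.isoformat(timespec="minutes")


def total_failed_logons(con: sqlite3.Connection, now: datetime = NOW) -> int:
    """Failed logons so far today: the raw pile an analyst would otherwise work through."""
    day_start = _stamp(now.replace(hour=0, minute=0))
    (n,) = con.execute(
        "SELECT COUNT(*) FROM failed_logons WHERE ts BETWEEN ? AND ?",
        (day_start, _stamp(now)),
    ).fetchone()
    return n


def suspicious_logons(con: sqlite3.Connection, now: datetime = NOW,
                      window_days: int = WINDOW_DAYS) -> list:
    """Today's failed logons whose host carries all three indicators inside the window.
    Returns (host, user_id, failures) rows."""
    params = {
        "day_start": _stamp(now.replace(hour=0, minute=0)),
        "now": _stamp(now),
        "cutoff": _stamp(now - timedelta(days=window_days)),
    }
    return con.execute(TRIAGE_SQL, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("failed logons this morning:", total_failed_logons(db))
    for host, user, n in suspicious_logons(db):
        print(f"investigate {user}@{host}: {n} failure(s), host has all three indicators")
```

Only WS-03 survives with the default 30-day window: WS-05 has the registry change and peer-to-peer traffic but is fully patched, WS-01 has only a missing patch, and WS-04's unauthorized registry change is 51 days old and so falls outside the window. Widening the window to 60 days brings WS-04 back, which is the practical caveat behind "within the last 30 days": the look-back period is part of the detection logic, not a cosmetic filter.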
ForensicVue also captures common queries in a library, so that a saved query can be applied to any data set, whether past, present or future. The tool can also run multiple investigations across every data type, including log events, asset and configuration, vulnerability, NetFlow, file integrity, removable media, system compliance and third-party application data.
The tool is also designed to assist in addressing multiple types of audits that may occur against the same data, Linkous adds. "Another issue with compliance audits is that auditing criteria will often differ between auditors," he explains. "For example, one assessor may require an organization to provide current and historical configurations of routers and firewalls in the PCI environment in order to show evidence of compliance with PCI DSS requirements. However, six months later, another assessor may come into the organization and also require the actual list of all ingress and egress traffic into and out of the PCI environment, including network ports, protocols, and sessions. ForensicVue provides the ability to deal with these variations in auditing criteria on the fly, by allowing users to quickly generate reports across any and all data needed to meet an auditor's requirements."