Incident Response Tools
Posted by John Sawyer on
December 1, 2006
Tags: Guidance Software, Incident-response tools, John Sawyer, Mandiant, Technology Pathways, civil investigations, court, criminal investigations, disclosure, legal, legislation, memory acquisition, memory-dump analysis, noncompliance, regulations, security breaches, Data Protection, Data Security, Linux, Privacy, Security Policies and Management, Security and Privacy
Incident-response tools are becoming increasingly important as new regulations and legislation require disclosure after a security breach. Without established procedures, companies can be penalized for noncompliance. Well-known software companies such as Guidance Software, Mandiant and Technology Pathways are developing products to assist with live incident response and memory acquisition. Independent researchers are publishing their findings on their websites and releasing open-source tools for incident response.
Live incident response and new memory-analysis techniques are recovering more information than was previously believed possible. For companies subject to rigorous legal inquiry, mature commercial tools offer an advantage over open-source tools: the newer open-source tools have not yet been through the same peer review and may be met with skepticism in a courtroom.
Regulations such as the Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley, PCI DSS and California SB 1386 are driving companies and government agencies to document their incident-response procedures following a security breach or other crime. How volatile data is handled is especially critical.
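As an added illustration of the volatile-data handling the paragraph calls critical (this script is not from the article or from any of the vendors it names), the POSIX shell script below collects live-system data in rough order of volatility, following the ordering in RFC 3227, and writes a SHA-256 manifest so the collection can be verified later. It records every command it ran, since the collector itself changes the state of the machine. The case-directory layout, file names and step list are assumptions; it uses whichever of ps, ss, ip, lsof and lsmod are installed and logs the rest as skipped. It does not image physical memory, because that step is platform-specific and is what the commercial acquisition products mentioned above are for.

```shell
#!/bin/sh
# Added example: live volatile-data collection with an integrity manifest.
# Not from the article or any vendor product; the directory layout, file
# names and step list are assumptions for illustration.
#
# Order roughly follows RFC 3227 (most volatile first). Everything the
# collector runs alters the system a little, so each command and its
# timestamp is written to collection.log as well.

# Hash helper: GNU coreutils sha256sum, falling back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

check_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1" >/dev/null
    else shasum -a 256 -c "$1" >/dev/null; fi
}

ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# run_step <label> <command...>: run one collection command into <label>.txt
# and log what ran (or that the tool is missing). Never aborts the collection.
run_step() {
    label="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$label.txt" 2>&1 ||
            printf '%s %s: exit status %s\n' "$(ts)" "$label" "$?" >> "$LOG"
        printf '%s %s: %s\n' "$(ts)" "$label" "$*" >> "$LOG"
    else
        printf '%s %s: skipped, %s not installed\n' "$(ts)" "$label" "$1" >> "$LOG"
    fi
}

# collect_volatile <case-dir>: gather volatile data, then write manifest.sha256.
collect_volatile() {
    OUTDIR="$1"; LOG="$OUTDIR/collection.log"
    mkdir -p "$OUTDIR"
    printf '%s collection started on %s by uid %s\n' \
        "$(ts)" "$(hostname 2>/dev/null || echo unknown)" "$(id -u)" > "$LOG"

    run_step date       date -u        # system clock, to compare with the collector's
    run_step uptime     uptime
    run_step processes  ps -ef
    run_step sockets    ss -tulpan     # listening/established sockets with owning process
    run_step neighbours ip neigh       # ARP/ND cache
    run_step routes     ip route
    run_step openfiles  lsof -n -P
    run_step modules    lsmod
    run_step logins     who
    run_step mounts     mount

    printf '%s computing manifest\n' "$(ts)" >> "$LOG"
    (
        cd "$OUTDIR" &&
        find . -type f ! -name manifest.sha256 -print | sort |
        while read -r f; do hash_file "$f"; done > manifest.sha256
    )
}

# verify_collection <case-dir>: exit 0 only if every collected file still
# matches manifest.sha256.
verify_collection() {
    ( cd "$1" && check_manifest manifest.sha256 )
}

# Usage (case path is an assumption):
#   collect_volatile /mnt/evidence/case-001 && verify_collection /mnt/evidence/case-001
```

Write the case directory to removable or network storage rather than the suspect host's own disk, and copy the tools themselves from known-good media where possible: a compromised system's ps or lsof may lie, which is part of why memory acquisition and offline analysis matter.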
Stepping in to help organizations tackle this problem are incident-response tools that ease compliance with these regulations. Researchers are also making tremendous progress in increasing the depth of analysis that can be applied during an investigation. With new memory-analysis techniques, incident-response teams can track down altered data and active threats far more effectively than before.
These incident-response systems provide a structured method for gathering and analyzing evidence. Companies can use them to preserve critical data and minimize downtime following an incident, possibly preventing disclosure of sensitive data and protecting their reputation.
But because these different tools handle different functions, it's important to know what type of system makes sense for your company. At a minimum, you'll need documented incident-response procedures, which should be established based on your organization's size and industry and the function of the at-risk systems.