How to Use Forensic Data to Improve Cybersecurity

March 14, 2019 Eric Dosal

What’s the first thing you think of when you hear the word “forensics?” Odds are, if you’re like most Americans, the first thing you thought about was a crime & mystery show like NCIS, CSI, or Law & Order. However, forensics plays a role in cybersecurity, too. Many network security experts use forensic data to improve cybersecurity.

What is forensic data? And, how can you use it to improve cybersecurity for your organization?

Defining Forensic Data for Cybersecurity

In defining what forensic data is and how it’s used, let’s compare it to how forensic analysis is used in crime dramas such as Law & Order. In forensics, detectives, medical examiners, and crime scene analysts attempt to identify and analyze evidence at a crime scene or on a body to establish the series of events. Each piece of evidence provides a data point that helps to clarify the sequence of events and, hopefully, reveal the culprit so they can be stopped from committing future crimes and be brought to justice.

Forensic data, for cybersecurity experts, is like the evidence that law enforcement analyzes when investigating a crime. Network security pros will analyze the forensic data they find to discover how a cyberattack was carried out, uncovering the sequence of events leading to a cybersecurity breach—such as:

  • The attack method used to breach the defenses,
  • What the attacker did once they acquired access to the network, and
  • Where the attack originated from.

This forensic data analysis can prove to be crucial for improving an organization’s network security against specific cyber threats.

How Does Forensic Data Analysis Help Improve Cybersecurity?

By studying past attacks, particularly ones that succeeded in breaching your security, it is possible to adapt your cybersecurity strategies to close the security gaps those attacks relied on.

For example, say that an attacker leveraged a vulnerability in a customer-facing application which allowed them to bypass your perimeter network security. Without forensic data analysis, you might not know that it was the customer-facing application which had the vulnerability. However, with forensic data analysis, you can establish the method of the attack and isolate that application as the cause of the breach. From there, you can disable the application until the vulnerability is fixed, contact the app developer to alert them to the vulnerability so they can patch it, or replace the app with a different one—eliminating the vulnerability and preventing future attacks that rely on the same methods.

Forensic data can also be used to identify the IP address (or addresses) behind a cyberattack. In this case, you can blacklist the offending IP address to keep that attacker from trying again—or share that information with authorities so they can find the person (or persons) behind the attack.

How Can You Capture Forensic Data to Improve Cybersecurity?

Naturally, to study forensic data and make cybersecurity improvements based on it, you need to capture that data in the first place. The easiest way to capture forensic data for study is to use a security information and event management (SIEM) solution. These tools collect information about various events on the network for later analysis—or, they can be integrated with other network security solutions to generate automated alerts and trigger countermeasures if they detect an attack in progress.

However, the challenge with using SIEM tools to capture forensic data for later analysis is the sheer amount of data that these tools may record. Without expert SIEM management, the tool can produce oceans of “noise,” or junk data that has no impact on your organization’s network security. Here, having an expert cybersecurity team help you manage your SIEM tools and data can be invaluable for getting the best results.

Think of it this way: The SIEM tool is like a studious lab tech—taking apart the entire crime scene to assemble the most objective catalog of the circumstances surrounding the crime. However, because they’re so dedicated to documenting everything, it would be difficult to sort out what’s important from what’s unnecessary. The cybersecurity team, in this instance, would be the seasoned detectives using their years of experience to identify the most important evidence for identifying the culprit and the modus operandi behind the crime.
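To make the lab-tech/detective division of labor concrete, here is an added example (not from the original post, and not any particular SIEM product's code) that takes a handful of constructed SIEM-style events, drops the routine "noise" sources, and reconstructs the three things the earlier section says forensic analysis should uncover: the entry method, what the attacker did afterwards, and where the attack came from. The log format, host names, and the `203.0.113.7` address are all made up for the example.

```python
import re

# Constructed SIEM-style events (sample data made up for this example, not real logs).
# Format: "<timestamp> <host> <source>: key=value ..."
SAMPLE_LOG = """\
2019-03-14T09:00:01 web01 health: event=heartbeat status=ok
2019-03-14T09:00:03 web01 webapp: event=request src=203.0.113.7 path=/api/export auth=none status=200
2019-03-14T09:00:04 db01 health: event=heartbeat status=ok
2019-03-14T09:00:07 db01 mysql: event=query src=web01 table=customers rows=48211
2019-03-14T09:00:08 web01 health: event=heartbeat status=ok
2019-03-14T09:00:12 fw01 firewall: event=outbound src=web01 dst=203.0.113.7 bytes=9800000
"""

NOISE_SOURCES = {"health"}  # routine sources that carry no security signal
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn raw lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, source, rest = m.groups()
        ev = {"ts": ts, "host": host, "source": source}
        ev.update(KV_RE.findall(rest))
        events.append(ev)
    return events

def reconstruct_incident(events):
    """Separate noise from signal and answer the three forensic questions:
    how the attacker got in, what they did afterwards, and where they came from."""
    signal = [e for e in events if e["source"] not in NOISE_SOURCES]
    # Entry point: a request the app served successfully with no authentication (the app flaw).
    entry = next((e for e in signal
                  if e.get("event") == "request" and e.get("auth") == "none"
                  and e.get("status") == "200"), None)
    if entry is None:
        return None  # nothing matching the pattern: no incident to reconstruct
    after = [e for e in signal if e["ts"] > entry["ts"]]  # ISO timestamps sort as strings
    return {
        "origin": entry["src"],
        "method": f"unauthenticated access to {entry['path']} on {entry['host']}",
        "actions": [f"{e['ts']} {e['host']} {e['source']} {e['event']}" for e in after],
        "noise_dropped": len(events) - len(signal),
    }

if __name__ == "__main__":
    for key, value in reconstruct_incident(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample data the reconstruction points at the unauthenticated export endpoint as the way in, the bulk database read and the large outbound transfer as the follow-on activity, and the single external address as the origin, while half the events are discarded as heartbeat noise.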

As the show Law & Order always said: “In the criminal justice system, the people are represented by two separate but equally important groups: The police, who investigate crime, and the district attorneys, who prosecute the offenders.” Well, to improve cybersecurity, you have two separate, but equally important, tasks: 1) to investigate the methods of past attacks, and 2) to use that data to make changes that keep future attacks from succeeding.

Curious about how you can better investigate network security incidents to improve cybersecurity throughout your organization? Reach out to the experts at Compuquip Cybersecurity to learn more!
