The 411 on Digital Forensics: Page 2
"Security Dashboards" and Threat Scoring
Yet another group of products -- also sometimes labeled as "forensic" -- deals with vulnerability threat analysis and/or risk assessment. "These are security dashboards," Pescatore said. "Are we 'OK' or 'not OK?' Are we meeting our security policies?"
Vendors moving into this territory include RealSecure, IBM Tivoli, Computer Associates, Internet Security Systems (ISS), and Symantec with its NetRecon product.
Industry conversion in the software tools market has further muddied the waters. OpenService and netForensics are a couple of vendors now straddling the line between data filtering and threat analysis/risk assessment.
"We do threat scoring already, too," said netForensics' Oliphant. "In the future, we're going to do more with risk assessment, letting companies understand the risks and prioritize more quickly."
In January, OpenService launched a product called Security Threat Manager Suite, which integrates its earlier SystemWatch and NerveCenter software.
OpenService's new suite also adds "new threat and forensic reporting, [as well as] new management and risk assessment Web interfaces," according to Hollows.
Guidance Software, too, has been extending its reach. The new "enterprise" version of Encase runs on distributed systems. "In the past, when companies conducted forensic investigations, someone from 'legal' usually needed to go directly to the location to see what had been comprised. This was expensive, given air travel costs and lost productivity time," according to director of Guidance Software Robert Shields.
Encase Enterprise Edition consists of three main components: a "safe" server for authentication and encryption, servlet software, and a GUI-based "examiner" client interface. "There are various permissions and roles -- so you can control who has access to what files," said Shields.
Guidance claims about 30 current customers for its enterprise product, most of them in the Fortune 50. Ernst & Young has also integrated the technology into its lineup.
Some of Guidance's enterprise customers are using the product to help protect against "hostile workplace" types of lawsuits -- to prove, perhaps, that an accuser willingly downloaded porn from the Internet, rather than receiving the porn involuntarily through e-mail.
Lack of Expertise and Training Limit Widespread Use
Some analysts, though, hardly see a huge market yet for investigatory forensics tools within the enterprise. For one thing, these types of products are almost impossible to use effectively without proper training. Instead, many companies interested in pursuing an incident still tend to work with consultants, often bringing in outside law enforcement agencies, too.
"(Investigatory) forensics products are becoming easier to use, with graphical displays. We do see some of the larger companies making investments in them. But most companies don't use these kinds of products enough to 'stay expert' with them. Also, 'non-expert' network managers are very unlikely be asked to use these tools. You need a lot of skills to be able to be able to preserve evidence," according to Pescatore.
Many, but not all, of the forensics experts at enterprises are former law enforcement officers, as opposed to computer security wizards or network administrators, according to Shields. "Some of the law enforcement people aren't that computer literate."
Training in investigative forensics is available through vendors and consultancies. Many observers, though, note a dearth of university-level programs. For people interested in expanding their skill sets, NTI is now holding a series of three-day forensics courses in Gresham, Oregon.
Grads get three credit hours, plus a professional certificate of completion from Oregon State University. Elsewhere, a company called CompuForensics is running courses through accredited colleges and universities in Pennsylvania, Ohio, Tennessee, and Texas.