SIEM Turbocharger

Victor Limongelli

Well, since no compressed air is involved, perhaps it is not technically a turbocharger, but EnCase® Cybersecurity now makes SIEM tools much more effective by automating the digital forensics capture and analysis activity required as part of incident response.

As Martin Kuppinger has observed, the “art of SIEM is to – at best – identify exactly the critical situations which need to be handled. Not more, not less.” The problem is that no organization can do that perfectly: no SIEM is ever tuned so precisely that only the “critical situations which need to be handled” are presented to the incident response team. Often there are too many “situations,” or the critical nature of a given “situation” only becomes apparent later, when the SIEM correlates additional related data points. Determining what happened, whether critical data was exfiltrated from the organization, and whether the attack spread to other computing assets is crucial. To do so, the data around the critical situation must be captured, either for immediate response or for later analysis. As NIST has noted in its Guide to Computer Security Log Management, “data regarding a particular event could be needed weeks or months after the event occurred.” What’s more, when one of these critical situations occurs, you may want to assess a broader set of machines, even an entire subnet, as part of the analysis.

EnCase® Cybersecurity now facilitates this data capture and analysis in three ways. First, if an analyst sees a highly critical situation identified in the organization’s SIEM tool, he or she can perform an EnCase collection directly from the SIEM. Second, when tuning its SIEM, an organization can establish rules so that forensic collection occurs automatically for critical events. Third, an assessment can be run automatically across a broad set of endpoints to determine the extent of the problem, for example by identifying which running binaries are not part of the organization’s approved builds.
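As an added illustration of the second and third workflows above, and not code from Guidance Software or EnCase, the Python below turns a few constructed SIEM alerts into forensic-collection jobs using hypothetical response rules, then runs a hash-based approved-build check across every host on the alerting subnet. The alert format, rule schema, action names, hash values and endpoint inventory are all assumptions made for this example.

```python
"""Added example, not code from Guidance Software or EnCase: turning SIEM alerts
into forensic-collection jobs and a subnet-wide "unapproved binary" assessment.
Every alert, rule, hash and inventory entry below is constructed for illustration;
the job schema and action names are assumptions, not a real product API."""

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (stands in for the hash of a binary on disk)."""
    return hashlib.sha256(data).hexdigest()


# Constructed SIEM alerts, one JSON object per line, as a SIEM forwarder might emit them.
SIEM_ALERTS = """\
{"id": "A-1001", "rule": "malware_beacon", "severity": 9, "host": "ws-017", "subnet": "10.20.5.0/24"}
{"id": "A-1002", "rule": "failed_logon_burst", "severity": 4, "host": "ws-042", "subnet": "10.20.5.0/24"}
{"id": "A-1003", "rule": "data_exfil_volume", "severity": 8, "host": "srv-db-02", "subnet": "10.20.9.0/24"}
"""

# Hypothetical response rules: which SIEM rules, at what severity, trigger which actions.
# "collect" = forensic collection on the alerting host; "assess_subnet" = check every
# host on the alert's subnet for running binaries outside the approved build.
RESPONSE_RULES = [
    {"siem_rule": "malware_beacon", "min_severity": 8, "actions": ["collect", "assess_subnet"]},
    {"siem_rule": "data_exfil_volume", "min_severity": 7, "actions": ["collect"]},
]

# Constructed approved build: hashes of the binaries the organisation's gold image ships.
APPROVED_BUILD = {
    sha256_hex(b"svchost.exe build 2023.1"),
    sha256_hex(b"outlook.exe build 2023.1"),
    sha256_hex(b"sqlservr.exe build 2023.1"),
}

# Constructed endpoint inventory: what each host reports as currently running.
ENDPOINT_INVENTORY = {
    "ws-017": {"subnet": "10.20.5.0/24", "running": [
        ("C:\\Windows\\System32\\svchost.exe", sha256_hex(b"svchost.exe build 2023.1")),
        ("C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", sha256_hex(b"unknown dropper")),
    ]},
    "ws-042": {"subnet": "10.20.5.0/24", "running": [
        ("C:\\Program Files\\Microsoft Office\\outlook.exe", sha256_hex(b"outlook.exe build 2023.1")),
        ("C:\\Users\\alice\\Downloads\\invoice.pdf.exe", sha256_hex(b"unknown dropper")),
    ]},
    "srv-db-02": {"subnet": "10.20.9.0/24", "running": [
        ("C:\\Program Files\\MSSQL\\sqlservr.exe", sha256_hex(b"sqlservr.exe build 2023.1")),
    ]},
}


def plan_response(alert_lines: str, rules=RESPONSE_RULES) -> list:
    """Map SIEM alerts to response jobs; alerts matching no rule produce nothing."""
    jobs = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        for rule in rules:
            if alert["rule"] != rule["siem_rule"] or alert["severity"] < rule["min_severity"]:
                continue
            for action in rule["actions"]:
                scope = alert["subnet"] if action == "assess_subnet" else alert["host"]
                jobs.append({"alert": alert["id"], "action": action, "scope": scope})
    return jobs


def unapproved_binaries(subnet: str, inventory=ENDPOINT_INVENTORY, approved=APPROVED_BUILD) -> dict:
    """For every host on `subnet`, list running binaries whose hash is not in the approved build.
    Hosts with nothing unapproved are omitted so the analyst sees only what needs attention."""
    findings = {}
    for host, info in inventory.items():
        if info["subnet"] != subnet:
            continue
        bad = [path for path, digest in info["running"] if digest not in approved]
        if bad:
            findings[host] = bad
    return findings


def run_playbook(alert_lines: str = SIEM_ALERTS) -> dict:
    """Execute the planned jobs: collections are recorded per host, assessments per subnet."""
    result = {"collections": [], "assessments": {}}
    for job in plan_response(alert_lines):
        if job["action"] == "collect":
            result["collections"].append(job["scope"])
        elif job["action"] == "assess_subnet":
            result["assessments"][job["scope"]] = unapproved_binaries(job["scope"])
    return result


if __name__ == "__main__":
    print(json.dumps(run_playbook(), indent=2))
```

Running it queues collections for ws-017 and srv-db-02, leaves the low-severity logon alert alone, and reports one unapproved binary on each of the two workstations on the beaconing host's subnet while the database server's subnet is never touched. In a real deployment the hash set would be built from the gold image rather than constructed strings, and the per-host findings would be what gets written back to the SIEM console, which keeps the analyst's view limited to the hosts that actually need follow-up.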

The user can view the analysis results right from the SIEM console. The following video demonstrates how it works:

The result is a turbocharged SIEM – more power, more effectiveness, and a better response to critical incidents when they occur.

Victor Limongelli is president and chief executive officer of Guidance Software.
