Just as I did with SIEM and DLP, I wanted to explore the process (practice, procedure, workflow) side of network forensics tooling. So, my question is the same: what processes/practices are absolutely essential for an effective use of a network forensics tool?
I can think of a few off the top of my head:
1. incident response process (and, yes, I cringe as I am writing this as it is so painfully obvious)
2. indicator analysis process, which essentially means investigating a clue reported by a third party, surfaced in logs, raised by NIPS alerts, etc.
3. process for defining and refining capture policies
4. process for defining and refining detection alerts (if the tool is used for monitoring)
5. data exploration process aimed at understanding what is going on or was going on, which may be driven by a threat hypothesis or other suspicions (see additional details on this here)
Other ideas!? Do you think #5 is the same as #2 perhaps?
P.S. BTW, check out this great piece called “The Security Processes You Must Get Right.”
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.