Just as I did with SIEM and DLP, I wanted to explore the process (practice, procedure, workflow) side of network forensics tooling. So, my question is the same: what processes/practices are absolutely essential for effective use of a network forensics tool?
I can think of a few off the top of my head:
1. incident response process (and, yes, I cringe as I am writing this, as it is so painfully obvious)
2. indicator analysis process, which essentially means investigating a clue reported by a 3rd party, logs, NIPS alerts, etc.
3. process for defining and refining capture policies
4. process for defining and refining detection alerts (if the tool is used for monitoring)
5. data exploration process aimed at understanding what is going on, or was going on, which may be based on a threat hypothesis or other suspicions (see additional details on this here)
Other ideas!? Do you think #5 is the same as #2 perhaps?
P.S. BTW, check out this great piece called “The Security Processes You Must Get Right.”
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.