Published: 17 Jul 2008 | INVESTIGATION MANAGEMENT
Investigations are a considerable challenge. Complexity, evidence management, tracking resources and even data correlation pose serious issues. Vantos V-Flex not only manages an investigation, but nearly completes it.
Setup was almost too easy. Vantos delivered a preconfigured appliance based on information we provided about our network. You can start centralizing the management of your investigations immediately through the intuitive Web interface. To fully realize the benefit of the product, however, you'll need to do some additional work.
This is where having Vantos onsite, at no extra cost, is extremely helpful. One of V-Flex's most useful features is that you can automatically query thousands of different systems across the organization for case-related data, as long as you set them up as a data source. Any system that supports a JDBC connection is able to feed into the V-Flex platform.
There are three types of accounts: administrator, investigation manager and investigator. An individual cannot hold more than one role, though an investigation manager can assign an investigator to more than one probe.
One of the most difficult issues in investigation management is that no two companies have the same policies and procedures. This is where Vantos really hit the jackpot. Using "playbooks," each company can create an investigation lifecycle that is unique for each type of investigation it handles: insider security breach, HR violation, physical intrusion, external hack, and more. This means your investigations will be consistent.
As you follow a particular playbook, each step is completed, each type of evidence is centrally stored, and each report will look the same, no matter who investigates.
When the investigation manager assigns a new case, the analyst is notified and a list is created based on the playbook defined for that type of investigation. The analyst follows each step, delegating or closing them until the investigation is complete. You can create blank investigations or customize playbooks.
V-Flex's effectiveness is defined by its combination of unique features. A walkthrough of a simple data loss investigation in our lab will illustrate.
The manager assigns the case, which is pushed to the investigator. The investigator logs in, opens the playbook and begins working. The relevant database sends its logs to a log management system that has been integrated with V-Flex, so the investigator retrieves information via a simple query. The suspect is identified through these logs and integration with LDAP. The suspect's badge access history, phone call logs and CCTV surveillance are retrieved via simple queries to each respective system. Within 45 minutes you know who they are, what data they took, where it went, on what brand of USB flash drive it was stored and, using V-Flex's correlation and analytics engine, whom they were working with.
V-Flex reporting is everything you would want it to be, with nine canned reports. We found the Evidence Integrity Report especially interesting. You choose a hash algorithm, such as SHA1, and the report lists each item in the evidence locker for that case alongside its hash. This is invaluable for audits or for establishing and verifying chain of custody. Unlimited custom reports can be created using XSLT through the Web interface.
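The Evidence Integrity Report described above is, at its core, a per-item hash manifest that a later audit can re-check. The following is an added example written for this review, not code from Vantos or from V-Flex; it assumes evidence items are available as in-memory byte strings (a real locker would stream files from disk) and uses a small constructed set of sample items. It builds a manifest with a selectable hash algorithm, as the report does, and then verifies a locker against that manifest, flagging items that were modified, went missing, or were added after the manifest was signed off.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EvidenceItem:
    """One item in a case's evidence locker (constructed for this example)."""
    item_id: str
    description: str
    content: bytes


# Constructed sample locker for case CASE-0001 (not real evidence).
SAMPLE_ITEMS: List[EvidenceItem] = [
    EvidenceItem("EV-001", "exported database audit log", b"abc"),
    EvidenceItem("EV-002", "badge reader export (CSV)", b"time,door,badge\n08:02,DC-1,4471\n"),
    EvidenceItem("EV-003", "USB device registry snapshot", b"VID_0951&PID_1666\n"),
]


def compute_digest(content: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of one item using a hashlib algorithm (sha1, sha256, ...)."""
    if algorithm not in hashlib.algorithms_guaranteed:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    # Feed the content in chunks; the same loop works for large file reads.
    view = memoryview(content)
    for start in range(0, len(view), 65536):
        h.update(view[start:start + 65536])
    return h.hexdigest()


def build_integrity_report(case_id: str, items: List[EvidenceItem],
                           algorithm: str = "sha1") -> dict:
    """Manifest of every locker item and its digest, like the V-Flex report."""
    return {
        "case_id": case_id,
        "algorithm": algorithm,
        "items": [
            {
                "item_id": item.item_id,
                "description": item.description,
                "digest": compute_digest(item.content, algorithm),
            }
            for item in items
        ],
    }


def verify_integrity(items: List[EvidenceItem], report: dict) -> Dict[str, str]:
    """Re-hash the current locker and compare against a stored manifest.

    Returns a status per item id: "ok", "modified", "missing" (listed in the
    manifest but no longer in the locker) or "unlisted" (present in the
    locker but absent from the manifest).
    """
    algorithm = report["algorithm"]
    expected = {entry["item_id"]: entry["digest"] for entry in report["items"]}
    current = {item.item_id: compute_digest(item.content, algorithm) for item in items}

    status: Dict[str, str] = {}
    for item_id, digest in expected.items():
        if item_id not in current:
            status[item_id] = "missing"
        elif current[item_id] != digest:
            status[item_id] = "modified"
        else:
            status[item_id] = "ok"
    for item_id in current:
        if item_id not in expected:
            status[item_id] = "unlisted"
    return status


def report_to_json(report: dict) -> str:
    """Serialise the manifest for storage alongside the case file."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    manifest = build_integrity_report("CASE-0001", SAMPLE_ITEMS, "sha1")
    print(report_to_json(manifest))
    # Simulate a later audit in which EV-001 has been altered.
    tampered = [EvidenceItem("EV-001", "exported database audit log", b"abd")] + SAMPLE_ITEMS[1:]
    print(verify_integrity(tampered, manifest))
```

Storing the manifest separately from the locker (or signing it) is what turns the hash list into a chain-of-custody control: a reviewer can re-run the verification at any point and see exactly which item changed. Choosing SHA-256 over SHA1 is a single argument change here, as it is in the product's report selector.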
V-Flex is an outstanding product for an underserved market. Your investigations will be consistent, thorough, centrally managed and less resource-intensive. Vantos has hit this one out of the park.
Testing methodology: Our lab included a mock-up of an enterprise organization. This included a central logging system, VoIP phones, CCTV and a Windows domain with various resources. Sample investigations were used to walk through playbooks and evaluate the product.