This post originally appeared on the GovEvents blog
The digitization of records and processes across government increases the need for sound digital investigation tools and processes. Whether it is looking into a data breach or gathering information for litigation, organizations are spending a lot of time combing through this data to get answers to pressing issues. An IDG survey found that a vast majority of organizations conduct digital investigations on a weekly basis. These investigations range from proving regulatory compliance to security incident response (including post-event analysis) to stopping high-risk employee behavior (acceptable use violations).
We sat down with Tod Ewasko, Director of Product Management at AccessData, to learn more about the role of digital investigations as a part of everyday IT efforts.
Q: Who "owns" forensics? IT? Legal? HR?
A: The answer is kind of all three. Many people lump forensics in with cybersecurity, but it's really a separate entity. Yes, forensics tools are used to investigate cyber incidents, but they are not preventative. That is what you have the "hunting" tools out there for - watching firewalls and logs for anomalous behavior or activity. Once that is stopped, then the forensics tools come in to make sense of it - to see how it happened and drive the plans to make sure it does not happen again. Forensic tools look beyond the event and gather all data relevant to the systems in question.
Q: Is forensics all reactive then?
A: No. You can investigate without there having been an "event." Organizations should be using forensic tools and techniques to determine where their valuable assets are. What are the attack vectors? How likely are people to use those attack vectors? The data pulled in an investigation can be analyzed to give you these answers.
Q: In doing these investigations, what is the biggest overlooked threat that leads to data loss and breaches?
A: Insider threat - no question. Whether it is malicious or accidental, so many incidents can be traced back to a person doing something they should not have been doing. Just as people still (amazingly) give their social security number out when their "bank" calls on the phone, people are still clicking links from unknown senders and downloading sensitive data onto their machines. Once you find these trails, you can put new controls in to mitigate these "user errors."
Q: Is there a difference between forensics in the commercial market and the government market?
A: It's really the level of criticality. If a corporation gets breached and goes down, people lose jobs, the stock market might take a hit. If something similar happens to a government entity, lives are at stake. Imagine the impact of DoD or intelligence systems getting breached.
Q: What are the key attributes people should look for in forensic tools?
A: First is speed. Time is critical in any investigation. You need to get to the root cause or make a connection in time to mitigate the issue. Tools should come with the ability to process big data and be able to scale to meet demand. This includes being able to account for the data sprawl of people accessing systems through mobile devices, then communicating with colleagues across text, email, and phone. In being able to get at and process all this data, tools can get pretty "heavy" with big imprints on machines. Organizations should look for solutions that leave a minimal imprint on the endpoints they are pulling data from.