In the event of a data security breach from an outside attack or internal threat, an organization’s incident response (IR) team has one primary objective: to limit all potential damage, and to do so quickly. Data breaches cause a corporation fiscal and reputational harm and can paralyze business operations.
With stakes this high, it’s crucial to handle a data security incident in a way that minimizes risk, reduces recovery time and minimizes costs. Unfortunately, 65% of corporations are attempting to do so with a shortage of skilled personnel, according to the 2016 SANS Incident Response Survey.
This human resource challenge makes it all the more important that corporate IR teams are leveraging technology as much as possible, to help them more efficiently monitor their networks and respond to digital investigation requests in order to minimize the impact on their business.
One of our clients is a multibillion-dollar international energy company with business interests in virtually every region on the globe. We recently spoke with the professional who helps lead their cybersecurity, incident response and digital forensics team to better understand the role of technology in aiding their incident response and digital investigation efforts.
(NOTE: The name of the customer has been withheld due to confidentiality requirements. This is often the case in light of the highly sensitive matters for which our digital forensics and e-Discovery software products are used. We are always happy to respect that confidentiality.)
In his role at the energy company, the customer is often asked to investigate the following types of incidents or reports of potential suspicious activity:
- Network irregularities – his team identifies and monitors suspicious activity on the company’s Citrix server network;
- Employee conduct – the team is occasionally asked to investigate potential employee misconduct, such as inappropriate internet content viewed on a company computer; and
- Malware – when there are indications of possible malware in the corporate IT environment, the internal corporate team launches rapid response investigations in order to isolate the problem and reduce recovery time.
“These use cases are commonplace in any large corporation, so it’s essential that corporate incident response teams have the proper tools at their fingertips to support their aggressive investigations,” he told us.
To support their IR processes with leading-edge technology, the company selected FTK, a court-cited digital investigations platform built for speed, stability and ease of use. It performs comprehensive processing and indexing up front, so filtering and searching is faster than with any other product. This means investigators can quickly “zero in” on the relevant evidence, dramatically increasing their speed of analysis. Furthermore, FTK can be set up for distributed processing, which shortens processing time, and has web review and analysis capabilities that give non-technical users an easy way to review and comment on the data.
The customer identified a number of important benefits that his team has realized as a result of deploying FTK for corporate incident response and digital forensics investigations, and agreed to let us share his insight with other companies that are considering adding a tool to their incident response workflow.
(1) Scale processing
“First, the ability to quickly scale the processing power of the software is crucial,” he said. “By adding processors at any given time, we can dramatically increase the speed and capability of FTK to handle larger investigations at a moment’s notice.”
(2) Access controls
The customer also noted the benefit of FTK’s access controls. These controls enable the system administrator to grant access to multiple users in various specialty areas as the circumstances of an investigation require. This maintains the integrity of system controls while providing the flexibility to grant access when a need arises unexpectedly.
(3) Timeline analysis
“FTK’s timeline feature is a tremendous aid to us as we investigate the sequence of events in a potential security incident,” he told us. “This enables us to quickly trace to the beginning of a breach and follow it step-by-step to the end.”
(4) Training
“Perhaps the most underrated benefit from using FTK is the training that we receive from AccessData,” he said. “The company is really committed to delivering valuable training that is customized to the needs of corporate incident response professionals, as well as providing that training at times and in formats that are convenient for corporate users. This is a substantial benefit because, in the end, a software tool is only as helpful as the customer’s ability to use it efficiently and effectively.”
“FTK is widely viewed as the premier digital forensics tool available to law enforcement professionals, but I would say to my colleagues in corporate IT, we can learn a lot about how to conduct our corporate incident response and digital forensics investigations by relying on the software tool that law enforcement agencies have used for many years,” he concluded. “FTK is a powerful platform that corporate digital forensics professionals should consider for their toolbox.”