Why we need digital security forensic analysis
Basic common sense tells us you can’t fix what you don’t know is broken. Knowing the “who”, “what”, “why”, “when” and “where” is paramount when you think about processes that are capable of generating information and, more importantly, are able to learn from and act upon the accumulated knowledge.
When mitigating the risk of information security breaches, enterprises often turn to several “flavors” of available tools that promise to maximize the efficiency and effectiveness of the basic process of turning data into information and, subsequently, into knowledge. Whether deployed for continuous real-time monitoring, rapid incident response, a security operations center (SOC), or for executives who need a view of business risk, these tools promise the flexibility to customize correlation searches, alerts, reports and dashboards so that you can know and reason over the “W”s.
Digital security forensic analysis has proven to be a valuable way to identify the source of a data breach, by providing a visual path that shows the links between individual users and specific actions. Such technologies provide insight into the programs, functions, or technology that someone or something used to perform the actions that resulted in the breach. Simply stated, it answers “who done it” and how it was done. While there is significant value in this information, the problem is that if you are asking these questions, the damage has already been done: you have been breached.
Data must be looked upon as a living organism: it grows and evolves, becomes more intelligent, moves, and rests. Therefore, it must be dealt with as such. So the question is how to tackle the risk of information security breaches by implementing measures that enable control of the data upstream, i.e. from the moment it is “born” until the end of its lifecycle, when it needs to be disposed of.
Whenever someone drafts an email message or prints a document, data that may well be of a sensitive nature is born. And, while data can live for a very long time, knowing the “who”, “where”, “when”, and “what” as soon as data is created or accessed is key. This critical real-time information tracking capability derives from putting in place an information security policy that allows you to identify, classify, protect and track data that is prone to being lost, leaked or breached.
When you have solid knowledge of the present and the past, you are then able to reintroduce into your security workflows and policies the appropriate mechanisms that will leave your enterprise better equipped and prepared not only to deal with a security breach, but to prevent one from putting you on the headlines of tomorrow’s newspaper.
The answer, then, seems to lie in combining digital security forensic analysis with real-time information tracking, so that you have a comprehensive way to tackle the risk of being breached.
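The two halves described above (a policy that classifies data when it is born and tracks every later event in real time, and a forensic trace that reconstructs who did what to it) can be sketched in a single small tracker. This is an added illustration, not code from the original post; the classification labels, the internal mail domain `corp.example`, the document id and the user names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
INTERNAL_DOMAIN = "corp.example"  # assumed organisation mail domain (constructed)

@dataclass
class Event:
    """One lifecycle event: the who / what / when / where the post asks for."""
    who: str
    what: str      # created | accessed | printed | emailed | disposed
    when: datetime
    where: str     # workstation, printer name, or e-mail recipient
    doc_id: str

class LifecycleTracker:
    """Tracks a document from creation to disposal and checks policy on every event."""

    def __init__(self) -> None:
        self.classification: dict[str, str] = {}   # set once, when the data is "born"
        self.events: dict[str, list[Event]] = {}
        self.alerts: list[tuple[str, str]] = []    # (doc_id, reason) raised in real time

    def record(self, event: Event, classification: str = "") -> bool:
        """Append an event and apply the policy immediately; returns True if allowed."""
        if event.what == "created":
            self.classification[event.doc_id] = classification
            self.events[event.doc_id] = []
        self.events[event.doc_id].append(event)
        level = self.classification[event.doc_id]
        allowed = True
        if level == "confidential":   # assumed policy: no printing, no e-mail outside the org
            external = event.what == "emailed" and not event.where.endswith("@" + INTERNAL_DOMAIN)
            allowed = not (external or event.what == "printed")
        if not allowed:
            self.alerts.append((event.doc_id, f"{event.who} {event.what} -> {event.where}"))
        return allowed

    def trace(self, doc_id: str) -> list[tuple[str, str, str]]:
        """Forensic view: the time-ordered path of (who, what, where) for one document."""
        return [(e.who, e.what, e.where)
                for e in sorted(self.events[doc_id], key=lambda e: e.when)]

def demo() -> LifecycleTracker:
    """Constructed sample lifecycle: created, accessed, then e-mailed outside the organisation."""
    t = LifecycleTracker()
    d = "doc-42"
    t.record(Event("alice", "created", datetime(2024, 1, 8, 9, 0), "wks-01", d), "confidential")
    t.record(Event("bob", "accessed", datetime(2024, 1, 8, 10, 30), "wks-07", d))
    t.record(Event("bob", "emailed", datetime(2024, 1, 8, 10, 45), "someone@mail.example", d))
    return t
```

The alert fires at the moment the e-mail event is recorded, while `trace()` still yields the full path from creation to the leak for the investigation afterwards.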
It is only after these key elements are addressed that data becomes truly protected, and the days of having to respond to incidents with forensic analysis alone will end.