Digital forensics tools take on big role in prosecuting cyber crimes

With breaches becoming common, spending must shift from detection, protection to response


I recently had a chance to chat with Guidance Software CEO Patrick Dennis at Enfuse, the company's annual cybersecurity conference held at Caesar's Palace in Las Vegas. Guidance is among the longest-established vendors in the cybersecurity sector. The Pasadena, California-based company got its start in 1997 by pioneering digital forensics software for law enforcement agencies seeking to extract evidence from computer hard drives, evidence that would stand up in court.

Today that core competency remains at the heart of products and services Guidance supplies to government, law enforcement and corporate customers in the United States, Europe, Africa and the Middle East. Here are a few provocative takeaways from our discussion:

Stop fearing the breach. Dennis issued this call to arms to open Enfuse 2017. His point was that the tendency to hyperfocus on perimeter defense is wrong-headed. Better to acknowledge that, in today's environment, network compromises are continuous. The de facto daily struggle, for most organizations, is mainly about mitigating a variety of insider, external and asymmetric threats, he says, not to mention improper use of technology by company employees. Legacy detection and prevention systems aren't stopping these threats consistently enough, he argues.

"Security executives fear this idea that there is going to be a big breach, and that fear produces unintended consequences," Dennis says. "You end up building higher walls and deeper prevention systems. But continuous compromise is the way businesses operate today. So you also need the ability to rapidly detect and respond to those things day in and day out."

Spending shift. A good benchmark is that companies spend 10 percent of their operating budget on IT and then 10 percent of the IT budget, in turn, gets spent on network security. Of the portion that gets spent on security, the skew traditionally has been toward detection and prevention systems. Dennis argues that many organizations would be better protected if they would shift some of that spending to breach response technologies.

Related video: How does your data breach response plan measure up?

Patrick Dennis, Guidance Software CEO

"The first question to ask is how mature is our prevention capability, and how mature is our response capability?" he says. "You should have some level of both, not one or the other. Then you can make some decisions about how to shift spending, and how you begin to build, frankly, a more robust operation."

Worsening landscape. With reliance on cloud computing services deepening and the Internet of Things on the verge of mushrooming, there are more opportunities than ever for network intruders with malicious intent to exploit. Meanwhile, the risk of getting caught, much less prosecuted, is comparatively minuscule.

"The Internet of Things by 2020 will be somewhere in the order of magnitude of 20 billion devices, and that's going to radically increase our attack surface area," Dennis says.

And the release of nation-state grade malware into the public domain is not going to work in our favor.

"If you rob a bank, you take a risk, and there is a consequence for making that attempt," he says. "But there aren't very many cyber criminals today that wind up in jail. The consequences aren't so high with cyber crime because we don't have policies and infrastructure built yet to prosecute these crimes."

Dennis says wider use of forensics tools capable of gathering courtroom-quality evidence while responding to breaches could have a halo effect, beyond hardening corporate networks.

"We believe that we need to gather evidence for cyber crimes in the same way that we've been gathering evidence to support the prosecution of physical crimes for almost 20 years now," he says. "That's the underpinning of the rule of law; chain of custody, high-quality evidence brought into a courtroom for someone to be proven guilty or innocent. We need to bring that same thinking and methodology to cyber crime."
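To make the chain-of-custody idea concrete, here is an added example (not Guidance Software's code or any product's format) of a minimal evidence record: the acquired bytes are hashed once, every custody action is logged in a hash-linked entry, and verification reports whether the evidence or the log itself changed after acquisition. The evidence bytes and handler names are constructed for the example.

```python
"""Added example: hash-linked chain-of-custody record for digital evidence.
Not code from Guidance Software; evidence bytes and handler names are made up."""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str          # e.g. "acquired", "transferred", "examined"
    handler: str         # person or system taking custody
    evidence_hash: str   # hash of the evidence bytes at the time of the action
    prev_hash: str       # entry_hash of the previous log entry ("" for the first)
    entry_hash: str = field(init=False)

    def __post_init__(self):
        # The entry's own hash covers its content and the previous entry's hash,
        # so editing or reordering any log entry breaks the chain.
        body = json.dumps([self.action, self.handler, self.evidence_hash, self.prev_hash])
        self.entry_hash = sha256_hex(body.encode())


class EvidenceRecord:
    def __init__(self, evidence: bytes, handler: str):
        self.acquisition_hash = sha256_hex(evidence)  # baseline taken at acquisition
        self.log = [CustodyEntry("acquired", handler, self.acquisition_hash, "")]

    def record(self, action: str, handler: str, evidence: bytes) -> CustodyEntry:
        entry = CustodyEntry(action, handler, sha256_hex(evidence), self.log[-1].entry_hash)
        self.log.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list[str]:
        """Return a list of problems; an empty list means evidence and log are intact."""
        problems = []
        if sha256_hex(evidence) != self.acquisition_hash:
            problems.append("evidence bytes differ from acquisition hash")
        prev = ""
        for i, e in enumerate(self.log):
            if e.prev_hash != prev:
                problems.append(f"log entry {i} does not link to previous entry")
            recomputed = CustodyEntry(e.action, e.handler, e.evidence_hash, e.prev_hash)
            if e.entry_hash != recomputed.entry_hash:
                problems.append(f"log entry {i} content was altered")
            if e.evidence_hash != self.acquisition_hash:
                problems.append(f"log entry {i} shows evidence changed while in custody")
            prev = e.entry_hash
        return problems
```

In practice the acquisition hash and each log entry would be written to storage the examiner cannot silently rewrite; the structure above is what lets a later reviewer check that nothing moved between acquisition and the courtroom.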

For a deeper dive, please listen to the accompanying podcast.

More stories related to data breach response:
Companies must have an incident response plan to counter cyber reality
With breaches nearly certain, companies shift cybersecurity spending
Why data breach response needs to improve