Digital forensics tools take on big role in prosecuting cyber crimes
With breaches becoming common, spending must shift from detection, protection to response
By Byron Acohido, ThirdCertainty
I recently had a chance to chat with Guidance Software CEO Patrick Dennis at Enfuse, the company’s annual cybersecurity conference held at Caesar’s Palace in Las Vegas. Guidance is among the longest-established vendors in the cybersecurity sector. The Pasadena, California-based company got its start in 1997 by pioneering digital forensics software for law enforcement agencies seeking to extract evidence from computer hard drives—evidence that would stand up in court.
Today that core competency remains at the heart of products and services Guidance supplies to government, law enforcement and corporate customers in the United States, Europe, Africa and the Middle East. Here are a few provocative takeaways from our discussion:
Stop fearing the breach. Dennis issued this call to arms to open Enfuse 2017. His point was that the tendency to hyperfocus on perimeter defense is wrong-headed. Better to acknowledge that, in today’s environment, network compromises are continuous. The de facto daily struggle, for most organizations, is mainly about mitigating a variety of insider, external and asymmetric threats, he says, not to mention improper use of technology by company employees. Legacy detection and prevention systems aren’t stopping these threats consistently enough, he argues.
“Security executives fear this idea that there is going to be a big breach, and that fear produces unintended consequences,” Dennis says. “You end up building higher walls and deeper prevention systems. But continuous compromise is the way businesses operate today. So you also need the ability to rapidly detect and respond to those things day in and day out.”
Spending shift. A good benchmark is that companies spend 10 percent of their operating budget on IT and then 10 percent of the IT budget, in turn, gets spent on network security. Of the portion that gets spent on security, the skew traditionally has been toward detection and prevention systems. Dennis argues that many organizations would be better protected if they would shift some of that spending to breach response technologies.
“The first question to ask is how mature is our prevention capability, and how mature is our response capability?” he says. “You should have some level of both, not one or the other. Then you can make some decisions about how to shift spending, and how you begin to build, frankly, a more robust operation.”
Worsening landscape. With reliance on cloud computing services deepening and the Internet of Things on the verge of mushrooming, malicious network intruders have more openings than ever to exploit. Meanwhile, the risk of getting caught, much less prosecuted, is comparatively minuscule.
“The Internet of Things by 2020 will be somewhere in the order of magnitude of 20 billion devices, and that’s going to radically increase our attack surface area,” Dennis says.
“And the release of nation-state grade malware into the public domain is not going to work in our favor.”
“If you rob a bank, you take a risk, and there is a consequence for making that attempt,” he says. “But there aren’t very many cyber criminals today that wind up in jail. The consequences aren’t so high with cyber crime because we don’t have policies and infrastructure built yet to prosecute these crimes.”
Dennis says wider use of forensics tools capable of gathering courtroom-quality evidence while responding to breaches could have a halo effect, beyond hardening corporate networks.
“We believe that we need to gather evidence for cyber crimes in the same way that we’ve been gathering evidence to support the prosecution of physical crimes for almost 20 years now,” he says. “That’s the underpinning of the rule of law; chain of custody, high-quality evidence brought into a courtroom for someone to be proven guilty or innocent. We need to bring that same thinking and methodology to cyber crime.”
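The chain-of-custody idea Dennis raises can be made concrete. The following is an added illustration, not code from the article or from Guidance Software: it hashes an acquired artefact, appends each hand-off to a custody log whose entries chain to one another by hash, and later checks that neither the artefact nor the log has been altered. The sample evidence bytes, handler names and log fields are all constructed for the example.

```python
"""Added example (not from the article or any vendor product): a minimal
tamper-evident chain-of-custody record for one piece of digital evidence.
Evidence bytes, handler names and field names are constructed placeholders."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stand-in for the bytes of an acquired disk image.
SAMPLE_EVIDENCE = b"constructed sample disk image bytes\x00\x01\x02"
GENESIS_HASH = "0" * 64  # marks the first entry, which has no predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def new_custody_log(evidence: bytes, acquired_by: str, description: str) -> list:
    """Start a custody log with the acquisition entry (sequence number 0)."""
    return [{
        "seq": 0,
        "action": "acquired",
        "handler": acquired_by,
        "description": description,
        "evidence_sha256": sha256_hex(evidence),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prev_entry_sha256": GENESIS_HASH,
    }]


def record_transfer(log: list, evidence: bytes, from_handler: str,
                    to_handler: str, purpose: str) -> list:
    """Append a hand-off entry that re-hashes the evidence and chains to the
    previous entry, so removing or editing an earlier entry is detectable."""
    prev = log[-1]
    log.append({
        "seq": prev["seq"] + 1,
        "action": "transferred",
        "handler": to_handler,
        "from": from_handler,
        "description": purpose,
        "evidence_sha256": sha256_hex(evidence),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prev_entry_sha256": _entry_hash(prev),
    })
    return log


def verify_custody(log: list, evidence: bytes) -> tuple:
    """Return (ok, reason). Checks sequence continuity, the hash chain between
    entries, and that every entry recorded the hash of the evidence as it is now."""
    expected = sha256_hex(evidence)
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"sequence gap at entry {i}"
        if entry["prev_entry_sha256"] != prev_hash:
            return False, f"log chain broken at entry {i}"
        if entry["evidence_sha256"] != expected:
            return False, f"evidence hash mismatch at entry {i}"
        prev_hash = _entry_hash(entry)
    return True, "custody chain intact"


if __name__ == "__main__":
    log = new_custody_log(SAMPLE_EVIDENCE, "examiner-A", "image of workstation disk")
    record_transfer(log, SAMPLE_EVIDENCE, "examiner-A", "examiner-B", "malware analysis")
    print(verify_custody(log, SAMPLE_EVIDENCE))
    print(verify_custody(log, SAMPLE_EVIDENCE + b"!"))  # altered evidence is caught
```

A hash chain like this only makes alteration detectable; it does not prove who made an entry or when. In practice each entry would also be signed by the handler or written to a witnessed, append-only store, and the acquisition hash would be recorded on the original media's custody form before any copy leaves the examiner's hands.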
For a deeper dive, please listen to the accompanying podcast.