Wednesday, April 26, 2006

Forensics Warnings from CIO Magazine

The April 2006 issue of CIO Magazine features an article called CSI for the Enterprise?. It addresses the rise of electronic data discovery (eDiscovery in some quarters) tools. For a management magazine, the article makes several useful points:

Beware the Forensics Label

Many salespeople attach the label "forensics" to their security and compliance analysis tools, and that can be very misleading. In law enforcement circles, "forensics" means a well-defined set of discovery and investigative processes that hold up in court for civil or criminal proceedings. An enterprise that relies on these tools' records or analysis in, for example, a wrongful termination suit, is probably in for an unpleasant surprise. "It may not hold up in court," says Schwalm, a former Secret Service agent. "Very few vendors have an idea of what the requirements [are for proof, from a legal perspective]. They're really providing just a paper trail. You should challenge what the vendor means by ‘forensics capability,'" he adds.

One gotcha of using EDD tools for legal purposes is proving the inviolability of the data. Tools that keep or aggregate event logs may not provide access control that lets the enterprise prove that the underlying data is unaltered and accurate.

This issue is particularly critical because most vendors pitch their EDD tools as a way of detecting internal threats. Yet an insider is in the best position to access and alter data to cover his tracks or deflect blame to someone else, making truly secure access control and data management policies a must to even consider relying on EDD tools in a legal case. To thwart insider manipulations, critical functions such as setting up new vendors or changing payment destinations should require multiple levels of approval. "One person shouldn't be minding the whole store," says 2Checkout's Denman.

A related concern is being able to go back to the original raw data, since most EDD tools alter the original data to put it into a searchable database and to make formats from different types of monitoring appliances consistent. Such regularization is necessary to analyze the records, but to be legally effective, there must be a defensible way to show that it didn't distort the original data, says Gartner's Litan.
(emphasis added)

Amen. Since we're talking about centralized logs, has anyone tried Splunk? This "Google for system logs" seems like a really neat idea.

To hear a vendor's take on the important of electronic data discovery tools, John Patzakis from Guidance Software wrote a good article called Why the eDiscovery Revolution is Important to InfoSec (.pdf, ISSA membership required). It's basically a cost-avoidance argument, like everything else should be with security. (There is no return on security investment.) John states:

In 2006, companies will spend $2 billion on eDiscovery services, and that figure is expected to climb to $3 billion in 2007... corporate information security can play a very key role in solving this critical problem by dramatically reducing costs and improving compliance... According to standard price lists from top eDiscovery providers, a company can expect to pay $11,000 to $15,000 for the processing of a single hard drive...

A key reason for these high costs involves the traditional role of outside counsels who represent the company and typically oversee and manage the eDiscovery process on a per-case basis. These law firms habitually rely on their own consultants to handle the eDiscovery needs of the case at hand, and both the law firm and their consultants typically approach the issue as a case-specific litigation support project. Thus, the focus is on addressing the immediate case, and not on solving the end client’s long-term problems by establishing a systematic methodology...

When a company transitions from outsourced eDiscovery to establishing a largely in-house process, the cost savings are dramatic. Many major organizations are now saving tens of millions of dollars in “hard” out-of-pocket costs annually when they turn to their internal resources and enterprise class computer investigation technology to collect, search and process computer data for eDiscovery.

In other words, buy Encase and do it yourself! Learn how to use Encase at the 2006 Computer and Enterprise Investigations Conference in Lake Las Vegas, NV. I am speaking there on Thursday, 4 May 2006 from 1400-1530 on Network Forensics.


Chris Walsh said...

And while you are learning forensics, make sure to get your private investigator's license!

for details.

This blog post and Rasch's article are great complements to each other.

Chris Koutras said...

I have tried Splunk. Works great on Pix, Linux, Solaris, Apache and Windows logs. The searches are really fast. They have just recently released the current Freebsd version. It was a few versions behind last week. I read one post on their forum about issues with Freebsd 6.0 but it should work fine on 5.x. The folks at Splunk are great and very interested in working / talking to the community. The free version will index 500mb per day.

Anonymous said...

Now that you tried Splunk, try LogLogic. It does everything what splunk does plus reports, anomaly detection, etc