03 December 2010

Remote Digital Forensics: OPSEC Continuous Monitoring...

What do Operational Risk Management, continuous monitoring and "Remote Digital Forensics" Intelligence have in common? The digital age is challenging the global enterprise, and the speed and depth of newfound transnational threats require bold outside-of-the-box thinking. Strategic decisions to prevent incidents of data leakage, theft of trade secrets or corporate espionage are on the minds of CEOs and the Office of the General Counsel.

An organization's ability to proactively deter, detect and defend its vital corporate assets requires a focused lens to view the vast digital complexities and simultaneously gain deeper insights. Effective risk management in Global 500 companies encompasses the collection, analysis and action on relevant information. Is the relevant information stored on a mobile laptop, a network-attached desktop or a mobile PDA? Could there be a copy of the document on the server in the form of an e-mail attachment? The objective seems obvious: think a few steps ahead in order to mitigate the quantity and size of potential loss events, where and when they will happen.

Achieving a “Game Changing” strategy that stays one step ahead of today’s digitally equipped adversary demands an adaptive process, tools and very smart people. Timely and accurate intelligence-led investigations have historically proven to save many organizations from catastrophic impact to their reputation. That is precisely why Digital Forensics Intelligence (DFI) has been gaining tremendous momentum with the Chief Risk Officer, Chief Security Officer, Chief Information Officer and the General Counsel. One example is the ability for an organization to add forensic intelligence to almost any investigation, to provide additional dimensions of insight and to ascertain whether an employee is a true insider threat or merely in non-compliance with your latest “Acceptable Use Policy.”

Corporate Digital Forensics Intelligence provides the corporate first responders with the potential evidence required by analysts, investigators and decision makers to make more informed decisions. The ability to more effectively determine a prudent course of action can mean the difference between detecting a simple Internet policy violation and the beginning of a prolonged investigation with a corporate espionage nexus. The legal process in your state or country, together with the preservation of evidence, chain of custody and even early case assessment, are now a converging area of concern for the office of the General Counsel and outside retained law firms.

“Achieving A Defensible Standard of Care” in your organization requires a digital risk governance framework that will withstand the tests of local law enforcement and judicial systems, inspector generals and global federal investigations. Remote and SPEKTOR Digital Forensics Triage has been gaining momentum with corporate enterprise, law enforcement and military investigators for years.

The reason is that certain kinds of investigations can't wait days, weeks or a month to gain insight and evidence on the digital data stored on a suspect's laptop, desktop or PDA. With legal corporate policy or search warrants in place, the fast Digital Forensics Triage process allows First Responders to quickly examine devices and determine which digital assets need to be seized and which do not raise any major "Red Flags". This keeps the corporate Digital Forensics Lab or RCFL from being overburdened with devices that hold no relevancy to a particular case, and therefore minimizes the mountain of unexamined digital evidence.

The use of both Digital Forensic Triage and Real-Time Network Forensics solutions directly addresses the compliance requirements in the US Government for "Continuous Monitoring."

How can organizations address advanced persistent cyber threats?

Addressing the advanced persistent cyber threat requires a multi-pronged effort by organizations. First, it requires a major change in strategic thinking to understand that this class of threat cannot always be kept outside of the defensive perimeter of an organization. Rather, this is a threat that, in all likelihood, has already achieved a foothold within the organization. This situation requires that organizations employ methods to constrain such threats in order to ensure the resiliency of organizational missions and business processes. Second, it requires the development and deployment of security controls that are intended to address the new tactics, techniques and procedures (TTPs) employed by adversaries (e.g., supply chain attacks, attacks by insiders, attacks targeting critical personnel). NIST Special Publication 800-53, Revision 3, includes many new security controls and enhancements (most not selected in any of the control baselines) that are specifically intended to address some of these TTPs. Finally, to enable cyber preparedness against the advanced persistent cyber threat, organizations must enhance risk management and information security governance in several areas.

These include, but are not limited to: (i) development of an organizational risk management and information security strategy; (ii) integration of information security requirements into the organization’s core missions and business processes, enterprise architecture, and system development life cycle processes; (iii) allocation of management, operational, and technical security controls to organizational information systems and environments of operation based on an enterprise security architecture; (iv) implementation of a robust continuous monitoring program to understand the ongoing security state of organizational information systems; and (v) development of a strategy and capability for the organization to operate while under attack, conducting critical missions and operations, if necessary, in a degraded or limited mode.

Operational Risk Management calls for a robust and smart Information Governance Framework whether you are a Global Enterprise or a National Government. As the international WikiLeaks aftermath unfolds it will finally unveil the facts about "How" this incident could have happened. What is certain today is that the answer does not lie with new technology or tools. Human Factors and social engineering will always have the upper hand.
