Building an enterprise forensics response service

(B-7)
Building an Enterprise Forensics
Response Service

Michael Legary
CIO, Seccuris Inc.

Building an Enterprise Forensic Response Service

What issues are enterprises facing that require
digital forensics?
• In-depth technical issues within the IT environment
• Complex attack/virus analysis
• Packet analysis
• Complex environment investigation coordination (VMWare)

• Separation of duties/transparency issues with IT staff
• Integrity and audit-ability issues from regulators and common due
diligence requirements

• System Audit Functionality verification
• Audit System Investigation/Recovery


digital forensics?
• Ensure systems are preserved for forensic investigation*
• Banking Standards
• Enterprise Regulations (PCI, DPA, SOX)
• NIST Standards
• US State Laws

• Legal issues such as eDiscovery
• Prepare, Preserve & Produce electronically stored information

• Privacy issues from legislation, regulation and clients
• DNA Forensics: Identification for good & evil


digital forensics?
• Records Management issues
• Historical Data Retrieval
• Data reconstruction

• Human Resources issues/employee investigations
• Inappropriate Use
• Harassment/Workplace Safety
• Loss management issues/evidence verification
• Theft/Fraud investigation support

• Sabotage


What is an Enterprise Forensics Response
Service?

• Handles investigation requests from many different parts of
the organization
• IT (Network / Applications)
• Internal Audit / Compliance
• Legal
• Privacy
• Records Management
• Human Resources / Employee Managers
• Loss Management / Physical Security


Service?

• Supports various investigation types and activities
• Civil Litigation
• Criminal Investigation
• Internal / Corporate / HR Investigations
• Incident Handling Support
• Data discovery, preservation, recovery, destruction
• Live analysis activities


Service?

• Based on the scope of the environment and EDF may:
• Handle activities complementary to IT, CSIRTs, external providers
• Support varied business units with internal / external issues
• Support internal / external Legal entities
• Support law enforcement / intelligence agencies

• Service goals often include:
• Enablement of transparency & due diligence requirements
• Facilitation & support for investigations from different int/ext entities
• Preserve and protect digital assets relevant to the business and
business owner requirements


Enterprise Forensics Response Service Overview


An Enterprise Forensics Response Service
Definition

• An Enterprise Forensics Service (EDF), enables business owners
to actively enforce corporate policy, maintain transparency of
complex processes while protecting and preserving digital assets
through the use of forensic methods.


What will we cover today?

• Identification of required forensic services
• Definition of service mechanisms and
components
• Considerations for implementation & service
management in the enterprise

Identification of requirements for an
Enterprise Digital Forensics Service


Identifying the business need for forensic
investigations

1. Identify business scenarios / incidents that
require digital evidence
2. Inventory potential sources and evidence types
3. Determine minimum evidence collection
requirements


investigations
How do I identify business scenarios that require forensic support?
• Conduct interviews and workshops with relevant business
owners and staff to determine requirements

• Business Units
• Constituents
• Communications Department
• Legal Department
• Privacy Officer
• Records Management
• Marketing Department
• Outsourced Relations
• Physical Security / Loss Management
• IT / Technology Departments


investigations
• Review common compliance risk area domains for known
scenarios (OCEG GRC Capability Model)

• Financial Assurance / Anti-Fraud
• Employment / Labor
• Anti-corruption
• Information Management
• International Dealings
• Etc.


investigations
• Review previous enterprise Threat Risk Assessments
• Security Threat & Countermeasure matrices relevant to
environment


investigations
How do I inventory potential evidence and types?
• Review identified and prioritized scenarios for transactions and
the supporting processes, applications, systems and
technologies

• Determine what data types are
involved with relevant scenarios


investigations
How do I determine minimum evidence collection requirements?
• Ask legal council
• Review relevant regulations and legislation
• Identify business owner requirements
• Review internal investigative processes
• Discuss capabilities / capacities of technical environment with IT


Define the requirements to create an EDF service

Do you have the following?
• Business needs identified and confirmed
• Basic requirements scoped by example incidents / scenarios
determined by business owners
• Types of evidence and collection requirements are outlined

Now you can define the lower level design
requirements of the EDF service…



1. Determine capability & capacity requirements
for an EDF service based on identified needs
• How are incidents / scenarios escalated to the EDF service?
• How will evidence be identified or scoped?
• What preservation and collection requirements exist?
• Is anything other than court admissible process an option?



2. Identify impacted enterprise domains and
determine control requirements for the secure
storage and handling of potential evidence
• What requirements do impacted business areas have
regarding information protection, disclosure and
management?
• What approvals are required before handling an incident in
a particular business unit?
(Legal notice, Union Acknowledgements…)



3. Inspect audit record creation, logging and
monitoring of applications, systems and
networks for in-scope environments
• Are applications, systems networks monitored in such a
manner that incidents / scenarios can be detected,
mitigated or prevented?
• Do enterprise security services such as a centralized SIM or
Incident Handling capacity already detect or respond to any
known incidents?



4. Specify the criteria for when an incident /
scenario should be escalated to a forensic
investigation
• Articulating Incident / Scenario differences
• Clearly identify governance structure & authority to act
• Determine communication and review processes for
escalated incidents / scenarios



5. Specify training & awareness requirements for
relevant staff
• Make business owners aware of their accountability
• Educate managers & custodians of their responsibility
• Train & certify incident handlers, forensic investigators



6. Document investigation response to scenarios /
incidents and the outcomes for the business
• Highlight the evidence management lifecycle mapping
accountable and responsible parties required actions
throughout the investigation
• Detail evidence that exists in each scenario and the required
identification, preservation, collection, storage actions by
role
• Discuss potential communication and presentation
outcomes and the associated decisions to be made



7. Ensure an appropriate legal review of
developed procedures is conducted
• Ensure requirements & liabilities are understood
• Validate accountable parties are aware and understand their
responsibilities
• Show due diligence



8. Determine governance changes and approvals
required to finalize design, implement,
maintain and improve
• Several scenarios may have never occurred in the past which
require new or unknown decisions or actions
• Document and prioritize governance issues
• Get buy-in from business owners, remove liability from
yourself and your team when possible


EDF and other security services alignment

• How does an EDF, as defined in this presentation, align to
common enterprise security services like SIM/SIEM and
Incident Handling/Response?



• The EDF Service should align and support the
strategic goals of the company & the IT/Security
Strategies

• Use Enterprise Architecture / Frameworks such as SABSA to
define and align the service to defined strategies
• Document the supporting linkages the service has to
corporate policy enablement and/or defined compliance
documentation

Defining Service Mechanisms and
Components for an


Digital Forensic Methodologies

• Where should I start when trying to define EDF service
components?

• Several models & best practices for digital investigations exist

• None are accepted consistently across the world

• FORZA Framework aligns with accepted business and IT
architectures; making it easy to justify & explain


Digital Forensics – FORZA Core Principles
• Reconnaissance
• Collect, recover, decode, discover, extract, analyze
and convert data kept on different media to
usable evidence

• Reliability
• Preservation of the Chain of custody during the investigation
• The Chain of custody, time, integrity and the relationships with the
evidence enable non-repudiation of the evidence

• Relevancy
• Even though evidence could be admissible, relevancy of the evidence
with the investigation affects the weight and usefulness of the
evidence


Digital Forensics – FORZA Core Roles


Digital Forensics – FORZA Framework


Digital Forensics – FORZA Matrix Example
Contextual Layer: Case Leader
Why What How Where Who When
Motivation Data Function Network People Time
Investigation Event Nature Requested Initial Investigation Initial Participants Investigation
Objectives Investigation Geography Timeline
•What is the nature of •Who reported the
•What is the purpose the reported event? •What needs to be •The geographical case? •When event is
of the investigation? performed in this location of the reported reported
•IT systems are:
investigation event •Who are the suspects
•What is the potential
Objects of crime? and victims? •Any other similar
incident?
•What preliminary event reported?
Subjects of crime?
•What are the needs of investigation should be •Who is the owner of
the requester? Tools for conducting performed the system? •When to call for
or planning a crime? action?
•What information •Who should be in the
•Symbol of computer
should be collected operation team for this
used to intimidate or
case?
deceive?
•IT system as major •What other resources
source/minor source of are required?
evidence?
•What functions have
been disrupted?


Digital Forensics – Using FORZA in your service

• The FORZA framework & role definitions provide an effective
starting point for defining the physical mechanisms and
required components of your EDF service
• Use the FORZA role matrices to validate governance, policies
and determine processes and workflows


Case Management & Investigation Workflows

• Key steps in any forensic investigation workflow
1. Evidence Collection
2. Evidence Preservation
3. Evidence Analysis
4. Evidence Presentation

• What steps need to be added to make a service?
• Request Handling / Approval Management
• Case Management / Prioritization
• Evidence Management over long durations / Destruction


Case Management & Investigation Workflows

• Key steps in an EDF Service investigation workflow
1. Engagement Planning
2. Evidence Identification
3. Evidence Preservation
4. Evidence Collection
5. Evidence Examination
6. Evidence Analysis
7. Evidence Presentation
8. Evidence Storage
9. Evidence Destruction


Key elements to define & consider
• Service Request Management
• Ensure there is a clear understanding of service throughput, bottlenecks
and dependencies' in order to manage expectations of multiple audiences

• Forensic Triage Processes
• Ensure prioritization polices are defined early on to prevent issues or
tension

• Ensure flexibility in the process
• Workflows should be able to handle new and unknown situations or
technologies in an approved and managed manner

• Complete a process optimization review
• Ensure to minimize costs while meeting contractual requirements

Considerations for
implementation & service management
of an


Forensic Laboratory Policies
Policies should ensure
alignment, achievement and
compliance with:
• Organizational Policies
• Regulations & Standards
• Industry Best Practices

Standards Directly applicable to
forensic laboratories:
• ILAC G19:2002
• ISO 17025:2005


Forensic Laboratory Processes
Processes should be:
• Specific to the enterprise
• Simple to read & use
• Regularly reviewed
• Approved by accountable
business (Impact) owners


How do I implement these concepts to build a
service?
• Identify the business need for forensic investigations
• Define the requirements to create an EDF service
• Ensure the EDF Service align with the strategy and goals of
the business and key related services
• Define key components of the service by using example
frameworks such as FORZA and Enterprise Architecture
Methodologies such as SABSA
• Ensure an appropriate legal review is conducted
• Confirm and maintain buy-in of business owners through
good governance
• Get a budget, reset expectations and get going…


How should I sell this service to the organization?

• Gain confirmation from key business owners justifying value of
service in supporting their requirements (Audit, HR, IT, Legal…)

• Show incidents / scenarios that can be detected and responded
to with an EDF capability; link to business value

• Show impact reductions that can be achieved when responding
to common incidents / scenarios

• Show linkages to compliance & regulatory requirements


Recommended / Referenced Resources
OCEG Capability Model “Red Book” 2.0
By: Open Compliance & Ethics Group
Pub. Date: 2009
URL: http://www.dfrws.org/2006/proceedings/4-Ieong.pdf

Enterprise Security Architecture: A Business-Driven Approach
By: John Sherwood, Andrew Clark, David Lynas
Publisher: CMP
Pub. Date: 2005
ISBN-13: 978-1578203185

FORZA – Digital forensics investigation framework that
incorporate legal issues
By: Ricci S.C. Ieong*
Publisher: Science Direct
Pub. Date: 2006

Building a Digital Forensic Laboratory:
Establishing and Managing a Successful Facility
By: Andrew Jones; Craig Valli
Publisher: Butterworth-Heinemann
Pub. Date: October 02, 2008
eISBN-13: 978-0-08-094953-6


This presentation contains reference
Questions? material and direct content from
multiple copyright holders.

References available on request /
within presentation slide notes.
Michael Legary,
CSA-SCM, CISSP, CISM, CISA, CGEIT, CRISC, Recommendations offered should
CSSLP, CRMP, CPP, GCIH, PCI-QSA, CEH, CCSA not be considered complete or
Chief Innovation Officer accurate for your specific
organizations requirements

mlegary@seccuris.com No warranty offered or implied ☺
204-255-4490
Recommended / Referenced Resources
OCEG Capability Model “Red Book” 2.0

Enterprise Security Architecture: A Business-Driven
Approach
ISBN-13: 978-1578203185

FORZA – Digital forensics investigation framework
that incorporate legal issues
Building a Digital Forensic Laboratory:
Establishing and Managing a Successful Facility
eISBN-13: 978-0-08-094953-6

Building an enterprise forensics response service

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Building an enterprise forensics response service

Similar a Building an enterprise forensics response service (20)

Más de Seccuris Inc.

Más de Seccuris Inc. (11)

Último

Último (20)

Building an enterprise forensics response service