Forensics: Plan for Success

A Q&A with:

  • Navid Jam, director of security consulting services at Mandiant.
  • Daimon Geopfert, national leader of security and privacy consulting at RSM.
  • Darin Bielby, managing director of disputes and investigations at Navigant.
  • Bill Hardin, vice president of forensics services at Charles River Associates.
  • Jason Smolanoff, managing director, global practice leader of cyber security and investigations at Kroll.
  • Austin Murphy, director of incident response for Crowdstrike.

Forensics firms play a vital role in any data loss incident, helping the breached organization determine exactly what went wrong, assess the scope of the damage, and, in conjunction with a Breach Coach®’s efforts, take steps to remediate the problem. We spoke with leading forensics experts about dos and don’ts for an optimal forensics process.


Using Big Data to Protect Against Cyber Risk

A Q&A with Lance Forbes of LemonFish Technologies
Of all Big Data’s capabilities, the means to proactively detect cyber breach events is especially intriguing. I spoke with Lance Forbes, chief scientist of LemonFish Technologies to find out more about how analytics can be used to find lost data across the internet.


Breach Forensics: Preparing for an Investigation

A Q&A with Steve Visser, Managing Director at Navigant Consulting
Many types of data security incidents can require a forensic investigation to uncover the depth of the breach and how it occurred, and this process is more efficient when an organization has anticipated what’s involved. I talked to Steve Visser—national leader of Navigant Consulting’s information security incident investigation and response practice—about what risk managers can do to prepare for a successful forensic investigation.

What proactive steps can a risk manager and IT personnel take to make a future forensics investigation go more smoothly and effectively?
There are four things I recommend:

  • Prepare a data map for the company. This is a high-level summary or list of all the data systems that exist within the organization and includes platforms, data format, system architecture, where data is stored (whether it’s insourced or outsourced), and a list of the relevant subject matter experts so you know who to go to when an incident occurs. We recommend clients look at this map on a quarterly basis and revise it accordingly.
  • Assess log retention and accessibility. These are records of access or data traffic for an organization or specific system. There are many different types of logs, and an investigator will need specific ones in the case of a security incident. Your organization is encouraged to be aware of what logs exist, where they are, how long they are retained for, and how to go about extracting them as evidence for an investigation.
  • Determine in advance any outside service providers or partners needed. These might include legal, forensics and notification services. Review contracts and negotiate terms in advance if possible, so that when an incident happens, you don’t lose time processing or vetting an agreement. In an ideal world we’d be contacted immediately so we can hit the ground running and give the organization a better chance of meeting any regulatory or legal deadlines imposed, such as notification. We welcome the chance to speak with organizations in advance to let them get to know us before an incident occurs, and we have a contract we can send for review before our services are needed.
  • Engage in response planning. Become familiar with the types of security incidents occurring these days and determine what you need to do internally as well as with service providers to effectively respond to such incidents. Many incidents fall into the categories of lost or stolen device; malware; or insider theft. There should be a plan for each of these key categories.

What are the typical steps involved in a data breach forensic investigation?
For all investigations, there’s information gathering and collection, forensic analysis and then data analysis in some situations to determine the impacted individuals and how to proceed with reporting and notification. Depending on the category of incident the specific steps will change to a certain degree.

In the case of malware, it’s a matter of finding the malware involved, often through a complex artifact analysis of the computer where it’s hiding. We’d then research the malware and determine its potential capabilities, and reverse-engineer and deposit it in a secure, self-contained “malware environment” so we can watch what it does next. Often, we also analyze logs to see if there are any indications of data exfiltration and, if needed, perform data mining to figure out what PHI or PII might have been involved.

With lost and stolen devices, which could be anything from a laptop to a phone to a backup drive, we first need to know if that device has been recovered. That’s the minority of cases, but if it was recovered, there is a need to determine if the device was accessed or utilized during the unaccounted-for time period. To accomplish that, we perform a data egress analysis on the device to evaluate whether anything was accessed or potentially removed. If it’s not recovered, then steps need to be taken to determine what data was on the device, often through evaluation of a backup or proxy. Then we proceed to data mining and analysis to find out what PHI or PII is involved.

When it comes to employees engaging in unauthorized activity, we can determine who has access to what information and analyze logs to see which records were accessed by specific employees and perform a rules-based analysis to evaluate whether each access instance was appropriate. We might also conduct a peer group comparative analysis among employees with similar responsibilities to find out if access patterns are consistent. Less commonly, there are cases when we get the list of individuals whose data was compromised first and we use that to trace back to the employees who viewed and/or extracted the information through log data analysis.

There’s no one-size-fits-all approach but in all cases the work has to be done as quickly as possible.
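The three log-review techniques Mr. Visser describes for insider cases (a rules-based check of each access, a peer-group comparison among employees with similar responsibilities, and tracing back from a list of compromised individuals) can be sketched over a record-access log. This is an added example with constructed log rows, not Navigant’s code or data; the department-match rule, the 2x-median threshold and all employee and record names are assumptions.

```python
import csv
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data); one row per record view.
SAMPLE_LOG = """\
employee,role,department,record_id,record_department
alice,nurse,cardiology,P100,cardiology
alice,nurse,cardiology,P101,cardiology
bob,nurse,cardiology,P100,cardiology
bob,nurse,cardiology,P102,cardiology
carol,nurse,cardiology,P100,cardiology
carol,nurse,cardiology,P200,oncology
carol,nurse,cardiology,P201,oncology
carol,nurse,cardiology,P202,oncology
carol,nurse,cardiology,P203,oncology
dave,billing,finance,P100,cardiology
"""
ROWS = list(csv.DictReader(SAMPLE_LOG.splitlines()))

def rule_violations(rows):
    """Constructed rule: a view is inappropriate if the viewer's department differs from the record's."""
    return [(r["employee"], r["record_id"]) for r in rows
            if r["department"] != r["record_department"]]

def peer_group_outliers(rows, factor=2.0):
    """Flag employees viewing more than factor x the median distinct records of same-role peers."""
    seen, role_of = defaultdict(set), {}
    for r in rows:
        seen[r["employee"]].add(r["record_id"])
        role_of[r["employee"]] = r["role"]
    peers = defaultdict(list)
    for emp, role in role_of.items():
        peers[role].append(emp)
    outliers = {}
    for emps in peers.values():          # a role with a single member has no peers to compare
        med = median(len(seen[e]) for e in emps)
        for e in emps:
            if len(emps) > 1 and len(seen[e]) > factor * med:
                outliers[e] = (len(seen[e]), med)
    return outliers

def employees_who_accessed(rows, compromised_ids):
    """Trace-back: given the records known to be compromised, list who viewed them."""
    hits = defaultdict(set)
    for r in rows:
        if r["record_id"] in compromised_ids:
            hits[r["employee"]].add(r["record_id"])
    return {e: sorted(ids) for e, ids in hits.items()}
```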

Once a breach has occurred, how might a client or their Breach Coach engage your firm? What obstacles most often impact the outcome of an investigation?
Navigant is on what’s called a panel with most cyber risk insurers so if an organization has cyber risk insurance, one of the first things they should do is notify the insurer and they will be connected with Navigant. We also know most of the data breach coach attorneys that handle incidents in the US, so they might also retain us on behalf of their client.

One of the biggest obstacles to an investigation is waiting too long to bring in appropriate service providers. The second obstacle would be not providing access to the right information, either by not connecting us with the right people internally or not having the right retention protocols to ensure sufficient data for the forensic analyses. It’s definitely an advantage to retain counsel first, granting your organization attorney-client privilege, and then have the counsel retain us. An attorney will be able to help determine whether it’s necessary to report the incident as a breach—in some situations we have been able to perform a forensic analysis and conclude low probability of risk of harm. We come to this from a technical perspective where the attorneys come from a regulatory and legal perspective, and together we can help determine the implications of an incident.

Mr. Visser’s contact information is as follows:

Steve Visser
Managing Director | Disputes & Investigations
Navigant Consulting, Inc.
1331 17th St. Suite 808
Denver, CO 80202
Office: (303) 383-7305 | Mobile: (303) 888-5822

In summary…
Mr. Visser did a nice job of outlining some of the key issues pertaining to a data breach incident that may also involve cyber liability insurance coverage. Network security event logs are especially critical to any claims investigation so the insurer can understand “who, what, when, where and how” for proper claims adjustment. For example, the insurance carrier might want to confirm that the breach event occurred and/or was discovered during the insurance policy term. It can get complicated if the insured business has not retained this evidence. Or, maybe the forensic investigator discovers that a third-party vendor caused the loss. In that event, the insurer has a possible subrogation target to recoup their payout (see Junto on Cyber Liability and Subrogation with Kenneth Levin, Esq, partner at Nelson, Levine, de Luca & Hamilton, LLC.)

Crisis Data Breach Response: Computer Forensic Services

A Q&A with Chris Novak, Managing Principal at Verizon Business
As part of an ongoing series of posts, I’m talking to experts in the field about the true costs associated with “crisis” data breach response services. Today we’re looking at computer forensics, and I spoke with Chris Novak, managing principal at Verizon Business.

When and how do clients engage with your services?
Generally, we get the call from the IT security department or a CSO, and that usually depends on how mature the organization’s security practice is. They almost always find us through word of mouth unless the company already engages our services through our rapid response retainer. What we typically hear on that call is, “I believe we’ve had an incident but I need help understanding what happened exactly.”

What happens after the call?
That depends on whether this is a client using our services for the first time or whether they have us on rapid response retainer. If you think of an emergency room as an analogy, an organization calling us for the first time is treated as quickly as we can as we triage the situation along with our other clients’. The rapid response retainer means we already have an agreement and a plan in place and a good understanding of where and how to mobilize our resources, so that gets handled more quickly. Either way, the goal is to mobilize investigators to necessary locations. After that, the first step is getting the forensic acquisition—a duplicate copy of the relevant or suspect systems so that we can analyze them. Then we follow the timeline back from there. For a mom and pop type of business, the whole process might only take a week, but for, say, a major financial institution, we may be contracted out for six months or more with a dozen investigators on the case in London, Hong Kong, Singapore, Los Angeles and New York.

What problems or hurdles do you typically encounter?
One of the biggest hurdles we face is something that we call the “unknown unknowns”—essentially, these are the things people don’t realize that they don’t know, which makes it difficult to account for them. Think of it this way: If you don’t know where your sensitive data is, then where do you start the investigation? If you don’t know who has access to the data, but suspect insider involvement, how do you narrow down the investigative field? If your environment is purely designed for function and doesn’t easily accommodate forensic data collection, then even if we have the greatest hunches in the world as to what happened, we will have little to no evidence that can help prove the case. All of these have the potential to be non-starters for an investigation or otherwise dramatically increase the cost. Another issue is that sometimes organizations share resources without realizing it—their website or ecommerce site might be hosted in a data center with 19 other customers—so when we go to investigate the facility we run into roadblocks getting permission to access it. That can slow down the process.

What are the approximate costs for forensic services for a data breach?
We always shy away from giving dollar amounts because they can vary wildly. You might see a credit card company with millions of records but a very low per-record cost or an industrial company that has lost three or four records with intellectual property that could be worth a billion dollars of revenue. So not every record is the same and it is very hard to quantify the cost. I would say that your larger and more complicated breach investigations can easily range into the millions of dollars, while your smaller situations may run in the USD $20-50,000 range. I answer it this way not to be difficult, but rather to avoid giving anyone the misperception that all breach investigations are similar and/or similar costs. The only other thing I can say is that if you are prepared for the data breach event, things will move more fluidly and it will ultimately cost less.

In conclusion…
Thanks, Chris, for these insights from the field. Computer forensics is an important part of the overall roadmap to recovery from a data breach incident. This service is vital to ascertaining the digital facts (who, what, when, where and how) following a post-data breach analysis. Defense lawyers representing the breached company need to understand compliance duties and negligence factors, and insurance companies need to ascertain damages for insurance coverage payouts—all of which rely on forensic evidence. As Chris discussed, the cost can have a wide range (e.g., small incidents might amount to $20k-$50k; while large events could potentially cost several million dollars) based on various factors. However, when compiling the NetDiligence® 2011 Cyber Liability & Data Breach Insurance Claims study, we found the average cost for an insurance claim to be approximately $200,000 for the forensic expense component alone.
