Building an enterprise forensics response service
What issues are enterprises facing that require digital forensics?

• In-depth technical issues within the IT environment
o Complex attack / virus analysis
o Packet analysis
o Complex environment investigation coordination (VMWare)

• Separation of duties / transparency issues with IT staff
o Integrity and audit-ability issues from regulators and common due diligence requirements

• System Audit Functionality verification
o Audit System Investigation / Recovery

• Ensure systems are preserved for forensic investigation*
o Banking Standards
o NIST Standards
o PCI
o US State Laws

• Legal issues such as eDiscovery
o Prepare, Preserve & Produce electronically stored information

• Privacy issues from legislation, regulation and clients
o “DNA Forensics” – Identification for good & evil

• Records Management issues
o Historical Data Retrieval
o Data reconstruction

• Human Resources issues / employee investigations
o Inappropriate Use
o Harassment / Workplace Safety
o Loss management issues / evidence verification
o Theft / Fraud investigation support
o Sabotage

What is an Enterprise Forensics Response Service?

• Enables business owners to actively enforce corporate policy and protect and preserve digital assets through the use of forensic methods.

• Handles investigation requests from many different parts of the organization
o IT (Network / Applications)
o Internal Audit / Compliance
o Legal
o Privacy
o Records Management
o Human Resources / Employee Managers
o Loss Management / Physical Security

• An Enterprise Architectural Perspective of an EDF Service (Overview)
o Conceptual linkages to the business & information security strategy
o Logical service definition, examples of peer services
o Physical mechanisms that the EDF service is comprised of
o Examples of components that the EDF service utilizes

What does the presentation cover?
• Identification & definition of required forensic services
• Review of common service mechanisms and components
• Considerations for implementing & service management in the enterprise

Published in: Technology
Transcript

  • 1. (B-7) Building an Enterprise Forensics Response Service
    Michael Legary, CIO, Seccuris Inc.
  • 2. Building an Enterprise Forensic Response Service
    What issues are enterprises facing that require digital forensics?
    • In-depth technical issues within the IT environment
      o Complex attack/virus analysis
      o Packet analysis
      o Complex environment investigation coordination (VMWare)
    • Separation of duties/transparency issues with IT staff
      o Integrity and audit-ability issues from regulators and common due diligence requirements
    • System Audit Functionality verification
      o Audit System Investigation/Recovery
  • 3. What issues are enterprises facing that require digital forensics?
    • Ensure systems are preserved for forensic investigation*
      o Banking Standards
      o Enterprise Regulations (PCI, DPA, SOX)
      o NIST Standards
      o US State Laws
    • Legal issues such as eDiscovery
      o Prepare, Preserve & Produce electronically stored information
    • Privacy issues from legislation, regulation and clients
      o DNA Forensics: Identification for good & evil
  • 4. What issues are enterprises facing that require digital forensics?
    • Records Management issues
      o Historical Data Retrieval
      o Data reconstruction
    • Human Resources issues/employee investigations
      o Inappropriate Use
      o Harassment/Workplace Safety
      o Loss management issues/evidence verification
      o Theft/Fraud investigation support
      o Sabotage
  • 5. What is an Enterprise Forensics Response Service?
    • Handles investigation requests from many different parts of the organization
      o IT (Network / Applications)
      o Internal Audit / Compliance
      o Legal
      o Privacy
      o Records Management
      o Human Resources / Employee Managers
      o Loss Management / Physical Security
  • 6. What is an Enterprise Forensics Response Service?
    • Supports various investigation types and activities
      o Civil Litigation
      o Criminal Investigation
      o Internal / Corporate / HR Investigations
      o Incident Handling Support
      o Data discovery, preservation, recovery, destruction
      o Live analysis activities
  • 7. What is an Enterprise Forensics Response Service?
    • Based on the scope of the environment, an EDF may:
      o Handle activities complementary to IT, CSIRTs, external providers
      o Support varied business units with internal / external issues
      o Support internal / external Legal entities
      o Support law enforcement / intelligence agencies
    • Service goals often include:
      o Enablement of transparency & due diligence requirements
      o Facilitation & support for investigations from different int/ext entities
      o Preserve and protect digital assets relevant to the business and business owner requirements
  • 8. Enterprise Forensics Response Service Overview
  • 9. An Enterprise Forensics Response Service Definition
    • An Enterprise Forensics Service (EDF) enables business owners to actively enforce corporate policy and maintain transparency of complex processes while protecting and preserving digital assets through the use of forensic methods.
  • 10. What will we cover today?
    • Identification of required forensic services
    • Definition of service mechanisms and components
    • Considerations for implementation & service management in the enterprise
  • 11. Identification of requirements for an Enterprise Digital Forensics Service
  • 12. Identifying the business need for forensic investigations
    1. Identify business scenarios / incidents that require digital evidence
    2. Inventory potential sources and evidence types
    3. Determine minimum evidence collection requirements
  • 13. Identifying the business need for forensic investigations
    How do I identify business scenarios that require forensic support?
    • Conduct interviews and workshops with relevant business owners and staff to determine requirements
      o Business Units
      o Constituents
      o Communications Department
      o Legal Department
      o Privacy Officer
      o Records Management
      o Marketing Department
      o Outsourced Relations
      o Physical Security / Loss Management
      o IT / Technology Departments
  • 14. Identifying the business need for forensic investigations
    How do I identify business scenarios that require forensic support?
    • Review common compliance risk area domains for known scenarios (OCEG GRC Capability Model)
      o Financial Assurance / Anti-Fraud
      o Employment / Labor
      o Anti-corruption
      o Information Management
      o International Dealings
      o Etc.
  • 15. Identifying the business need for forensic investigations
    How do I identify business scenarios that require forensic support?
    • Review previous enterprise Threat Risk Assessments
      o Security Threat & Countermeasure matrices relevant to environment
  • 16. Identifying the business need for forensic investigations
    How do I inventory potential evidence and types?
    • Review identified and prioritized scenarios for transactions and the supporting processes, applications, systems and technologies
    • Determine what data types are involved with relevant scenarios
  • 17. Identifying the business need for forensic investigations
    How do I determine minimum evidence collection requirements?
    • Ask legal counsel
    • Review relevant regulations and legislation
    • Identify business owner requirements
    • Review internal investigative processes
    • Discuss capabilities / capacities of technical environment with IT
  • 18. Define the requirements to create an EDF service
    Do you have the following?
    • Business needs identified and confirmed
    • Basic requirements scoped by example incidents / scenarios determined by business owners
    • Types of evidence and collection requirements are outlined
    Now you can define the lower level design requirements of the EDF service…
  • 19. Define the requirements to create an EDF service
    1. Determine capability & capacity requirements for an EDF service based on identified needs
      o How are incidents / scenarios escalated to the EDF service?
      o How will evidence be identified or scoped?
      o What preservation and collection requirements exist?
      o Is anything other than court admissible process an option?
  • 20. Define the requirements to create an EDF service
    2. Identify impacted enterprise domains and determine control requirements for the secure storage and handling of potential evidence
      o What requirements do impacted business areas have regarding information protection, disclosure and management?
      o What approvals are required before handling an incident in a particular business unit? (Legal notice, Union Acknowledgements…)
  • 21. Define the requirements to create an EDF service
    3. Inspect audit record creation, logging and monitoring of applications, systems and networks for in-scope environments
      o Are applications, systems, networks monitored in such a manner that incidents / scenarios can be detected, mitigated or prevented?
      o Do enterprise security services such as a centralized SIM or Incident Handling capacity already detect or respond to any known incidents?
  • 22. Define the requirements to create an EDF service
    4. Specify the criteria for when an incident / scenario should be escalated to a forensic investigation
      o Articulating Incident / Scenario differences
      o Clearly identify governance structure & authority to act
      o Determine communication and review processes for escalated incidents / scenarios
  • 23. Define the requirements to create an EDF service
    5. Specify training & awareness requirements for relevant staff
      o Make business owners aware of their accountability
      o Educate managers & custodians of their responsibility
      o Train & certify incident handlers, forensic investigators
  • 24. Define the requirements to create an EDF service
    6. Document investigation response to scenarios / incidents and the outcomes for the business
      o Highlight the evidence management lifecycle, mapping accountable and responsible parties' required actions throughout the investigation
      o Detail evidence that exists in each scenario and the required identification, preservation, collection, storage actions by role
      o Discuss potential communication and presentation outcomes and the associated decisions to be made
  • 25. Define the requirements to create an EDF service
    7. Ensure an appropriate legal review of developed procedures is conducted
      o Ensure requirements & liabilities are understood
      o Validate accountable parties are aware and understand their responsibilities
      o Show due diligence
  • 26. Define the requirements to create an EDF service
    8. Determine governance changes and approvals required to finalize design, implement, maintain and improve
      o Several scenarios may have never occurred in the past which require new or unknown decisions or actions
      o Document and prioritize governance issues
      o Get buy-in from business owners, remove liability from yourself and your team when possible
  • 27. EDF and other security services alignment
    • How does an EDF, as defined in this presentation, align to common enterprise security services like SIM/SIEM and Incident Handling/Response?
  • 28. EDF and other security services alignment
  • 29. EDF and other security services alignment
    • The EDF Service should align with and support the strategic goals of the company & the IT/Security Strategies
    • Use Enterprise Architecture / Frameworks such as SABSA to define and align the service to defined strategies
    • Document the supporting linkages the service has to corporate policy enablement and/or defined compliance documentation
  • 30. Defining Service Mechanisms and Components for an Enterprise Digital Forensics Service
  • 31. Digital Forensic Methodologies
    • Where should I start when trying to define EDF service components?
    • Several models & best practices for digital investigations exist
    • None are accepted consistently across the world
    • FORZA Framework aligns with accepted business and IT architectures, making it easy to justify & explain
  • 32. Digital Forensics – FORZA Core Principles
    • Reconnaissance
      o Collect, recover, decode, discover, extract, analyze and convert data kept on different media to usable evidence
    • Reliability
      o Preservation of the chain of custody during the investigation
      o The chain of custody, time, integrity and the relationships with the evidence enable non-repudiation of the evidence
    • Relevancy
      o Even though evidence could be admissible, the relevancy of the evidence to the investigation affects the weight and usefulness of the evidence
  • 33. Digital Forensics – FORZA Core Roles
  • 34. Digital Forensics – FORZA Framework
  • 35. Digital Forensics – FORZA Matrix Example
    Contextual Layer: Case Leader
    Why – Motivation – Investigation Objectives
      o What is the purpose of the investigation?
      o What is the potential incident?
      o What are the needs of the requester?
      o What information should be collected?
    What – Data – Event Nature
      o What is the nature of the reported event?
      o IT systems are: objects of crime? Subjects of crime? Tools for conducting or planning a crime? Symbol of computer used to intimidate or deceive? IT system as major source/minor source of evidence?
      o What functions have been disrupted?
    How – Function – Initial Investigation
      o What needs to be performed in this investigation?
      o What preliminary investigation should be performed?
    Where – Network – Investigation Geography
      o The geographical location of the reported event
      o Any other similar event reported?
    Who – People – Initial Participants
      o Who reported the case?
      o Who are the suspects and victims?
      o Who is the owner of the system?
      o Who should be in the operation team for this case?
      o What other resources are required?
    When – Time – Timeline
      o When is the event reported?
      o When to call for action?
  • 36. Digital Forensics – Using FORZA in your service
    • The FORZA framework & role definitions provide an effective starting point for defining the physical mechanisms and required components of your EDF service
    • Use the FORZA role matrices to validate governance, policies and determine processes and workflows
  • 37. Case Management & Investigation Workflows
    • Key steps in any forensic investigation workflow
      1. Evidence Collection
      2. Evidence Preservation
      3. Evidence Analysis
      4. Evidence Presentation
    • What steps need to be added to make a service?
      o Request Handling / Approval Management
      o Case Management / Prioritization
      o Evidence Management over long durations / Destruction
  • 38. Case Management & Investigation Workflows
    • Key steps in an EDF Service investigation workflow
      1. Engagement Planning
      2. Evidence Identification
      3. Evidence Preservation
      4. Evidence Collection
      5. Evidence Examination
      6. Evidence Analysis
      7. Evidence Presentation
      8. Evidence Storage
      9. Evidence Destruction
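Slide 32 states that chain of custody, time and integrity together give non-repudiation of the evidence, and slide 38 lists the lifecycle stages evidence moves through. The following is an added example, not code from the presentation or from Seccuris: a hash-chained custody ledger in Python that re-hashes the evidence item at every hand-off, refuses lifecycle stages that run backwards, and detects any after-the-fact edit to an earlier custody entry. The case id, custodian names, timestamps and the image bytes are constructed for the demonstration.

```python
import copy
import hashlib
import json

# Evidence lifecycle stages from slide 38 (after engagement planning), in order.
STAGES = ["identification", "preservation", "collection", "examination",
          "analysis", "presentation", "storage", "destruction"]
GENESIS = "0" * 64
# Constructed sample: a few bytes stand in for an acquired disk image.
DEMO_IMAGE = b"constructed sample image bytes for CASE-0001"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    body = {k: v for k, v in entry.items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CustodyLedger:
    """Append-only, hash-chained chain-of-custody log for one evidence item."""

    def __init__(self, case_id: str, item_id: str, image: bytes, custodian: str, ts: str):
        self.case_id, self.item_id = case_id, item_id
        self.acquisition_hash = sha256_hex(image)  # reference hash taken at collection
        self.entries = []
        self.record("collection", custodian, "acquired forensic image", image, ts)

    def record(self, stage: str, custodian: str, action: str, image: bytes, ts: str) -> dict:
        if self.entries:
            last_stage = self.entries[-1]["stage"]
            # A stage may repeat or advance; the lifecycle never runs backwards.
            if STAGES.index(stage) < STAGES.index(last_stage):
                raise ValueError(f"stage {stage!r} cannot follow {last_stage!r}")
        # Re-hash at every hand-off; drift from the acquisition hash is a custody break.
        if sha256_hex(image) != self.acquisition_hash:
            raise ValueError("evidence hash mismatch at hand-off")
        entry = {"seq": len(self.entries), "case": self.case_id, "item": self.item_id,
                 "stage": stage, "custodian": custodian, "action": action,
                 "timestamp": ts, "evidence_hash": self.acquisition_hash,
                 "prev": self.entries[-1]["digest"] if self.entries else GENESIS}
        entry["digest"] = entry_digest(entry)   # links this entry to the previous one
        self.entries.append(entry)
        return entry


def verify(entries: list, image: bytes) -> tuple:
    """Recompute the whole chain; returns (ok, reason) a reviewer can act on."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            return False, f"entry {i}: chain link broken"
        if entry_digest(e) != e["digest"]:
            return False, f"entry {i}: entry altered after the fact"
        prev = e["digest"]
    if not entries or sha256_hex(image) != entries[0]["evidence_hash"]:
        return False, "image no longer matches the acquisition hash"
    return True, "chain of custody intact"


def build_demo_ledger() -> CustodyLedger:
    led = CustodyLedger("CASE-0001", "HDD-01", DEMO_IMAGE, "collector.a", "2024-01-10T09:00Z")
    led.record("examination", "examiner.b", "received sealed image", DEMO_IMAGE, "2024-01-10T11:30Z")
    led.record("analysis", "examiner.b", "timeline analysis complete", DEMO_IMAGE, "2024-01-12T16:00Z")
    led.record("storage", "evidence.clerk", "checked into evidence locker", DEMO_IMAGE, "2024-01-13T08:15Z")
    return led


def tampered_result() -> tuple:
    # An after-the-fact edit to an earlier entry invalidates its digest and the chain.
    entries = copy.deepcopy(build_demo_ledger().entries)
    entries[1]["custodian"] = "someone.else"
    return verify(entries, DEMO_IMAGE)
```

In a real service the ledger entries would be written to append-only storage and the digests countersigned by the custodian, which the example leaves out.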
  • 39. Key elements to define & consider
    • Service Request Management
      o Ensure there is a clear understanding of service throughput, bottlenecks and dependencies in order to manage expectations of multiple audiences
    • Forensic Triage Processes
      o Ensure prioritization policies are defined early on to prevent issues or tension
    • Ensure flexibility in the process
      o Workflows should be able to handle new and unknown situations or technologies in an approved and managed manner
    • Complete a process optimization review
      o Ensure costs are minimized while meeting contractual requirements
  • 40. Considerations for implementation & service management of an Enterprise Digital Forensics Service
  • 41. Forensic Laboratory Policies
    Policies should ensure alignment, achievement and compliance with:
    • Organizational Policies
    • Regulations & Standards
    • Industry Best Practices
    Standards directly applicable to forensic laboratories:
    • ILAC G19:2002
    • ISO 17025:2005
  • 42. Forensic Laboratory Processes
    Processes should be:
    • Specific to the enterprise
    • Simple to read & use
    • Regularly reviewed
    • Approved by accountable business (Impact) owners
  • 43. Review & Conclusions
  • 44. How do I implement these concepts to build a service?
    • Identify the business need for forensic investigations
    • Define the requirements to create an EDF service
    • Ensure the EDF Service aligns with the strategy and goals of the business and key related services
    • Define key components of the service by using example frameworks such as FORZA and Enterprise Architecture Methodologies such as SABSA
    • Ensure an appropriate legal review is conducted
    • Confirm and maintain buy-in of business owners through good governance
    • Get a budget, reset expectations and get going…
  • 45. How should I sell this service to the organization?
    • Gain confirmation from key business owners justifying the value of the service in supporting their requirements (Audit, HR, IT, Legal…)
    • Show incidents / scenarios that can be detected and responded to with an EDF capability; link to business value
    • Show impact reductions that can be achieved when responding to common incidents / scenarios
    • Show linkages to compliance & regulatory requirements
  • 46. Recommended / Referenced Resources
    • OCEG Capability Model “Red Book” 2.0. By: Open Compliance & Ethics Group. Pub. Date: 2009. URL: http://www.dfrws.org/2006/proceedings/4-Ieong.pdf
    • Enterprise Security Architecture: A Business-Driven Approach. By: John Sherwood, Andrew Clark, David Lynas. Publisher: CMP. Pub. Date: 2005. ISBN-13: 978-1578203185
    • FORZA – Digital forensics investigation framework that incorporate legal issues. By: Ricci S.C. Ieong. Publisher: Science Direct. Pub. Date: 2006. URL: http://www.dfrws.org/2006/proceedings/4-Ieong.pdf
    • Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility. By: Andrew Jones; Craig Valli. Publisher: Butterworth-Heinemann. Pub. Date: October 02, 2008. eISBN-13: 978-0-08-094953-6
  • 47. Questions?
    Michael Legary, CSA-SCM, CISSP, CISM, CISA, CGEIT, CRISC, CSSLP, CRMP, CPP, GCIH, PCI-QSA, CEH, CCSA
    Chief Innovation Officer
    mlegary@seccuris.com
    204-255-4490
    This presentation contains reference material and direct content from multiple copyright holders. References available on request / within presentation slide notes. Recommendations offered should not be considered complete or accurate for your specific organization's requirements. No warranty offered or implied ☺