Endpoint Police: The Forensic Investigator

Today, according to the Enterprise Strategy Group, as much as 50 per cent of corporate data is created, stored and transmitted on mobile endpoint devices. While datacentre security remains important, endpoint data protection and security is the new frontier.

In this, the second of a four-part series of articles, Andy Hardy, EMEA managing director for Code42, explores some modern day techniques IT security specialists can use to gather forensic data at the endpoint after a data breach.

So the worst has happened: a data breach has befallen the organisation. Where to start, what to do and how to reduce collateral damage? These are the questions on the mind of every member of the company board.

They will want all the answers quickly so they can take action and have the information they need to prepare statements to affected parties, company stakeholders and - if warranted - the media. Cue the ‘Forensic Investigator’, also known as the IT security specialist.

Donning the paper suit

The Forensic Investigator’s job is made up of many different responsibilities, but the first port of call is an assessment of the situation. The investigator must establish how the breach happened: whether it was internal, for example an employee losing a laptop or installing something they should not have, or external, such as a hacker or malware.

Because recent high-profile external hacks have attracted significant media coverage, many now jump to the conclusion that the threat lies beyond the borders of the organisation. In fact, according to research firm Forrester, around 70 per cent of data breaches stem from internal factors, whether malicious or accidental.

With this in mind, the specialist must investigate all avenues quickly and accurately. Time is of the essence: once the enterprise perimeter has been breached, data can leave the organisation rapidly, and if that data is sensitive the consequences can be devastating.

Examining the scene of the crime

To be effective, the investigator should use a variety of tools to identify and seal a breach. The first of these is an Intrusion Detection System (IDS). Many of these systems do a good job of flagging a compromised device. However, most IDSs fall short in identifying the specific files or folders affected: they typically record only the alert and the host or connection that raised it, and rarely go into detail about what data has been lost or stolen.

A lack of visibility such as this means more work (and headaches) for the Forensic Investigator, who would otherwise have to trawl through a mass of periodic backups (presuming the machine was backed up in the first place) to work out what information was lost. Even then, there is no guarantee that the precise information will ever be found. Fortunately, if the organisation has taken the precaution of implementing a comprehensive endpoint backup solution, the task of identifying the leaked information becomes a lot easier.

The best of these products will allow quick identification of the data on compromised devices. They let the investigator see the previous version history of a specific file or folder, along with the modification records for each version. Crucially, these are not just log entries: the backup holds the file contents themselves, in the format they were saved in, so the exact bytes that existed before and after the compromise can be retrieved. Our product, Code42 CrashPlan, for example, provides near-continuous rolling backups so investigators can see exactly what information was on the device and how it changed, giving them a trail of breadcrumbs back to the guilty party, whether that be an employee, hacker or piece of malware. One caveat worth keeping in mind: the backup shows what was present on the endpoint and what changed there, not by itself what left it, so the version history is most useful when correlated with the device’s own logs and network records.
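The two paragraphs above describe the same investigative step: walking an endpoint's backup version history to find which files appeared, changed or disappeared around the time of the compromise, and pulling back the exact versions that existed before and after it. The script below is an added example of that step and is not code from Code42 or CrashPlan. It assumes the backup product can export, per device, a series of snapshots of the form path -> (last-modified time, content hash); the three hourly snapshots of a laptop and the 09:40 IDS alert are constructed for the example.

```python
"""Walk an endpoint's backup version history to find what changed during a breach.

Added example, not Code42/CrashPlan code. Assumes the backup product can export
per-device snapshots of the form path -> (mtime, content hash); the sample
history below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[datetime, str]]      # path -> (mtime, sha256 hex digest)
History = List[Tuple[datetime, Snapshot]]        # (snapshot time, snapshot), oldest first


@dataclass(frozen=True)
class Change:
    kind: str                 # "added", "modified" or "deleted"
    path: str
    when: datetime            # mtime for added/modified; snapshot time for deleted
    observed: datetime        # time of the snapshot that first showed the change
    old_hash: Optional[str]
    new_hash: Optional[str]


def diff_snapshots(before: Snapshot, after: Snapshot, observed: datetime) -> List[Change]:
    """Compare two consecutive snapshots and return every difference between them."""
    changes: List[Change] = []
    for path, (mtime, digest) in after.items():
        if path not in before:
            changes.append(Change("added", path, mtime, observed, None, digest))
        elif before[path][1] != digest:
            changes.append(Change("modified", path, mtime, observed, before[path][1], digest))
    for path, (_, digest) in before.items():
        if path not in after:
            # A deletion has no mtime of its own: all we know is which snapshot first missed it.
            changes.append(Change("deleted", path, observed, observed, digest, None))
    return changes


def timeline(history: History) -> List[Change]:
    """Accumulate changes across the whole history, ordered by when they happened."""
    changes: List[Change] = []
    for (_, before), (observed, after) in zip(history, history[1:]):
        changes.extend(diff_snapshots(before, after, observed))
    return sorted(changes, key=lambda c: (c.when, c.path))


def changes_in_window(history: History, start: datetime, end: datetime) -> List[Change]:
    """Changes whose time falls inside the compromise window (e.g. IDS alert to containment).

    Caveat: mtimes are set on the compromised host and can be back-dated by an
    attacker, so also check `observed`, which comes from the backup server's clock.
    """
    return [c for c in timeline(history) if start <= c.when <= end]


def recoverable_versions(history: History, path: str) -> List[Tuple[datetime, str]]:
    """Every distinct version of `path` the backup still holds, oldest first.

    These are the exact pre- and post-compromise contents an investigator can pull back.
    """
    versions: List[Tuple[datetime, str]] = []
    for _, snap in history:
        if path in snap and (not versions or versions[-1][1] != snap[path][1]):
            versions.append(snap[path])
    return versions


def ts(hour: int, minute: int) -> datetime:
    return datetime(2016, 3, 1, hour, minute, tzinfo=timezone.utc)


DOCS = "C:/Users/alice/Documents/"
TEMP = "C:/Users/alice/AppData/Local/Temp/"

# Constructed sample: three hourly snapshots of one laptop; the IDS alerted at 09:40.
HISTORY: History = [
    (ts(9, 0), {DOCS + "customers.xlsx": (ts(8, 15), "a1"),
                DOCS + "roadmap.docx": (ts(8, 20), "b2")}),
    (ts(10, 0), {DOCS + "customers.xlsx": (ts(9, 41), "a9"),     # edited right after the alert
                 DOCS + "roadmap.docx": (ts(8, 20), "b2"),
                 TEMP + "update.exe": (ts(9, 38), "c3")}),       # unknown binary appears
    (ts(11, 0), {DOCS + "roadmap.docx": (ts(8, 20), "b2"),        # customers.xlsx now gone
                 TEMP + "update.exe": (ts(9, 38), "c3"),
                 TEMP + "out.zip": (ts(10, 52), "d4")}),          # staging archive appears
]

if __name__ == "__main__":
    for c in changes_in_window(HISTORY, ts(9, 30), ts(10, 30)):
        print(f"{c.when:%H:%M} {c.kind:9} {c.path}  {c.old_hash} -> {c.new_hash}")
    print(recoverable_versions(HISTORY, DOCS + "customers.xlsx"))
```

Run against the sample, the window from 09:30 to 10:30 surfaces the new binary and the edited spreadsheet, while the later staging archive and the deletion of the spreadsheet show up only in the full timeline; the deletion is dated to the 11:00 snapshot because nothing on the backup side can say exactly when it happened. The two hashes returned for customers.xlsx are the versions the investigator would pull back to see what the file contained before and after the edit.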

Calling for back-up

Ultimately, even the best perimeter protection will only buy an organisation a certain amount of time against a data breach, and it does very little to protect against insider threats. The enterprise’s best weapon in the fight against cyber crime, whether internal or external, is visibility. A combination of an advanced endpoint backup solution and a comprehensive security programme gives security specialists the ability to monitor the flow of information through the endpoints of an organisation.

This approach provides the company board with the information it needs to take appropriate actions, whilst simultaneously acting as a deterrent for those that would happily sell off corporate information.

Forensic Investigators need their digital magnifying glass. They need the right tools so they can report to the CISO (a.k.a. the Lead Detective) who can assess a breach’s potential for damage. This not only allows the CISO to lead mitigation efforts, but also helps implement safeguards or bring guilty parties to justice.

Image source: Shutterstock/wavebreakmedia