In a world where enterprises are embracing the fact that breaches are not a matter of ‘if, but when,’ it is becoming increasingly important to develop internal and external resources to investigate and oversee the impact of attacks after they have happened.
Digital forensics is a relatively recent skills concentration—one that does not necessarily require the same talents, expertise or background as other cybersecurity positions. And while more enterprises are recognizing that they need such talent on the back-end, as it were, there are still holdouts that are entirely focused on detection and prevention, to their detriment.
“I think this is actually a misconception [that] organizations do not necessarily need to build out digital forensics teams in-house,” says Sean Mason, director of incident response for Cisco Security Services, adding that Cisco is building out its own forensic capability via its incident response services team. A key problem, Mason says, is “there is not enough talent to go around and, generally speaking, most organizations don’t have enough demand to require a full-time team on staff.”
Munish Walther-Puri, chief research officer at dark web monitoring company Terbium Labs, points out that digital forensics requires a combination of “investigation, intelligence, and innovation.”
Digital forensics teams are a complement to any IT team “because they figure out the who, when, where and why a bad actor came into the system,” says Avani Desai, president of audit and accounting firm Schellman & Co. “They help paint a picture of the incident and provide guidance on how to mitigate the risk of that happening again.” The forensics teams also take past data and processes and build upon them to make sure they have the tools to handle issues that are getting significantly tougher to solve, Desai adds.
Darien Kindlund, vice president of technology for Insight Engines, a provider of natural language search technology, points out that digital forensics is “an important pillar in any security operations team, in order to assess and understand tools, tactics, and procedures (TTPs) used by attackers to compromise a firm. That way, the firm can stop future breaches using these same TTPs by new attackers. A firm’s ability to understand how these attacks work is directly tied to how effective their digital forensics team is.”