It’s elementary

With malware becoming more and more sophisticated, experts are advising enterprises to assume their defences will fail

By Tom Paye, published April 27, 2014

With malware becoming more and more sophisticated, experts are advising enterprises to assume their defences will fail. But they can still take action by employing digital forensics teams to pick up the pieces after an attack has occurred.

A recent survey by the Economist Intelligence Unit, commissioned by Arbor Networks, asked 360 senior executives about their incident response preparedness. Fewer than a fifth (only 17%) said that they feel fully prepared to deal with a security breach. And while the survey was conducted globally, Arbor said that results specific to the Middle East would be broadly similar.

It would seem, then, that organisations are not as well prepared for security breaches as they would like to be. This is bad news, according to security experts. With the number of threats growing fast, and those threats becoming more sophisticated, many now treat the question as one of when, not if, attackers will get in.

“The days of achieving full security have gone, and today, with the evolution of advanced persistent threat (APT) attacks in size and sophistication, whatever organisations invest in security, there will still be a probability they will get attacked. That’s why companies need to start thinking about post-attack scenarios,” says Ghareeb Saad, senior security researcher at Kaspersky Lab’s global research and analysis team.

And vendors aren’t the only ones advising enterprises to assume that attacks are going to happen. Indeed, there seems to be an industry-wide consensus that budgets should, at least in part, be shifting to include incident-response capabilities as well as outright defence capabilities. Avivah Litan, vice president and distinguished analyst at Gartner, echoes Saad’s sentiments.

“Enterprises must assume that breach prevention steps will fail and that some attackers will manage to penetrate security and defences. It then becomes critical that enterprises detect the breach as quickly as possible to mitigate the extent of damage,” she says.

As organisations begin to wake up to the need for post-attack preparedness, the idea of digital forensics has gained ground. Officially, the term ‘digital forensics’ refers to the recovery and investigation of material found in digital devices. However, it is increasingly being used to refer to the means by which organisations discover how attackers have breached their systems.

Most organisations in the Middle East do not employ digital forensics teams — indeed many make do without a dedicated overall security team. But this has not stopped vendors from encouraging end-users to shift some of their budgets away from perimeter defences such as firewalls, and instead pour a little money into attack response capabilities. The advantage, they say, is that, if you know which files have been compromised, and indeed how they were compromised, then you are able to mount effective damage control.

“[Companies] need digital forensics teams able to detect malicious behaviour, do incident handling and internal corporate investigations or intrusion investigations in case of breach, and to provide valid digital evidence that can be used in court or with law enforcement. Also, digital forensics enables companies to build a complete understanding of the nature of the breaches or attacks they are facing, which will help them improve their defence and security strategies,” says Saad.

Meanwhile, Paul Wright, manager of AccessData’s professional services and investigation team, says that the advantages of having a digital forensics team extend to having legal clout in extreme scenarios.

“There are many circumstances where an unassuming dispute or information security incident may become more serious. If the evidence for these has not been collected to begin with, it will be too late to do so later in the process. Therefore, it is essential from the outset to consider the importance of digital evidence and to be ready to collect it for a wide array of events,” he says.
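The point Wright makes, that evidence has to be collected and fixed at the moment of the incident or it is lost, comes down in practice to recording a cryptographic hash, size and acquisition time for each artefact as it is collected, and re-checking that hash before the artefact is ever relied on. The following is an added example written for this article, not code from AccessData or any product it mentions. The log lines, the case ID and the collector name are constructed for illustration, and the manifest format is an assumption of this example rather than any standard.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence: three web-server access-log lines written to a
# temporary file so the example runs offline. These are not real records.
SAMPLE_LOG = (
    '10.0.0.5 - - [27/Apr/2014:09:12:01 +0400] "GET /login HTTP/1.1" 200 512\n'
    '10.0.0.5 - - [27/Apr/2014:09:12:07 +0400] "POST /login HTTP/1.1" 302 0\n'
    '10.0.0.5 - - [27/Apr/2014:09:12:09 +0400] "GET /admin/export HTTP/1.1" 200 98234\n'
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path, collector, case_id):
    """Record a chain-of-custody entry for one file at the moment it is collected.

    The hash binds the content; the UTC timestamp and collector name record
    who fixed the evidence and when, which is what a later dispute will ask.
    """
    return {
        "case_id": case_id,
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
    }


def verify(entry):
    """True only if the file still exists and matches the hash taken at acquisition."""
    return os.path.exists(entry["path"]) and sha256_file(entry["path"]) == entry["sha256"]


def write_manifest(entries, manifest_path):
    """Persist the manifest as JSON and return its own SHA-256.

    Hashing the manifest (and storing that hash elsewhere, e.g. in the case
    notes) means that editing the record itself is also detectable.
    """
    with open(manifest_path, "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)


def demo():
    """Acquire the constructed log, verify it, alter it, verify again."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "access.log")
    with open(log_path, "w") as f:
        f.write(SAMPLE_LOG)

    # Hypothetical collector and case identifiers, chosen for the example.
    entry = acquire(log_path, collector="analyst-1", case_id="IR-0001")
    manifest_hash = write_manifest([entry], os.path.join(workdir, "manifest.json"))

    intact_before = verify(entry)  # True: nothing has changed since acquisition

    # Simulate what happens when nobody fixes the evidence: the live log keeps
    # changing (rotation, an attacker's clean-up, an admin's edit).
    with open(log_path, "a") as f:
        f.write("# appended after collection\n")
    intact_after = verify(entry)  # False: the recorded hash no longer matches

    return intact_before, intact_after, len(manifest_hash)


if __name__ == "__main__":
    print(demo())  # (True, False, 64)
```

The useful property is the order of operations: the hash is taken before anything else touches the file, so any later change, including an innocent one, is visible as a mismatch rather than silently becoming part of the record. In a real acquisition the manifest hash would be written somewhere the evidence store cannot alter, such as the case notes or a signed ticket.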

Unfortunately, despite the industry’s best intentions, only a small proportion of Middle Eastern businesses are aware of the benefits that a digital forensics team might bring them. And Saad says that, of the businesses that are aware, most cannot afford the expense and effort of hiring and training a digital forensics team.

Building a team
To be fair to most Middle Eastern businesses, hiring a dedicated digital forensics team from scratch is a daunting task. According to industry experts, good teams should be able to provide detailed information about any breach, and build a complete scenario of how the attack was carried out. They should be able to find out which vulnerabilities were exploited, what information was stolen and, perhaps most importantly, come up with a plan for how to completely recover from the attack. By anyone’s definition, it’s a full-time job.

It’s also painstaking work, requiring a great deal of experience. The incident response team should have an in-depth working knowledge of the security landscape, and know the organisation’s infrastructure inside-out. And while recently launched tools for network monitoring and intrusion detection now make it much easier for forensics teams to work out where breaches take place, it still takes a competent team to get the best out of these solutions.
