As organizations around the world and across all industries wage the never-ending fight against cybercrime, digital forensics and incident response (DFIR) is one of the most potent weapons in their arsenal. With the average cost of a data breach running into the millions of dollars, according to a range of leading surveys, DFIR is an effective solution for helping your organization determine how, when and where a breach happened, how best to respond to it and – most importantly – how to save money.
To learn more about when organizations should consider a DFIR solution, how organizations can best use it, and what the process is like, we talked with Mark Whitehead, Global Vice President, Trustwave SpiderLabs Consulting.
What is Digital Forensics and Incident Response (DFIR)?
To begin, it helps to gain a fundamental understanding of how DFIR is generally defined, and what people mean when they say that they’re employing it.
“DFIR is really a capability that enables organizations to respond when they detect a breach – and to perform a kind of triage function,” Mark said. “It helps you figure out what type of event it is, and then helps you identify and remove threats.”
It helps to think of your DFIR team as smokejumpers – firefighters who jump into a raging fire and use their specialized training to mount an initial response, while helping build a strategy for a larger, continued response. Also of critical importance in these crisis situations is that DFIR can be used to help craft an effective internal messaging strategy as you communicate with stakeholders about the occurrence of a breach. Just as smokejumpers help create calm at the scene of real-life incidents, DFIR can help security teams take control of a breach situation and create a sense of confidence – especially among internal stakeholders, which might include the company board.
Using DFIR Proactively
What’s surprising to many organizations is that a DFIR team can be equally useful when engaged in a proactive way. In Mark’s experience, one of the best times for companies to bring in a team is before an incident has even happened.
“One of the most beneficial things that an experienced DFIR professional can do, especially those from Trustwave SpiderLabs, is go in and prep the battlefield for an organization,” Mark said. “Especially if you’re a new CISO, for example, you will want to understand what your battlespace looks like. You need to understand what kind of detection mechanisms you have and what you really need to piece the full picture together – when the time comes that your organization is breached, how to prioritize your recovery and eradication of the threat.”
For many organizations, the best proactive action starts with a readiness assessment: spending a small amount of money upfront to assess and improve your deterrence can save huge amounts of money on the back end. If certain scenarios like ransomware, data leakage or insider threat are keeping your stakeholders up at night, a readiness assessment will proactively identify whether the organization is prepared for these scenarios.
Third Party vs. Internal
Another potentially surprising way to benefit from DFIR is to use it in addition to your existing internal incident response (IR) capabilities. A third-party DFIR service can, and should, mesh relatively seamlessly into organizations with even the most well-established internal IR capabilities.
“One of the misnomers is that, while some organizations have IR staff and some don’t, every company can benefit from it,” Mark said. “Choosing to have a third-party aspect vs. internal isn’t a binary choice.”
In fact, many organizations – even those with large and well-funded IR teams – keep multiple DFIR vendors on retainer. Since it’s impossible to predict how big a breach or an attack might be, it’s incredibly important for companies to have a kind of surge capability. A push-button third-party DFIR solution is ideal for that.
“Sometimes it’s nice just to have an expert a phone call away, even if you just need to bounce an incident off them,” Mark added. “And that’s one scenario where I’ve seen a lot of organizations not realizing the full value of their DFIR team.”
When You Might Typically Engage DFIR Teams
There’s great variety in how organizations engage their third-party DFIR vendor, ranging from working with an existing vendor either after a breach or on a proactive basis, to the “emergency” call where you might be seeking a new vendor to help handle an incident in progress. The results and the process flow going forward will vary widely based on how much proactive work you had already done. Organizations that have worked with DFIR teams to run tabletop exercises, conduct readiness assessments and ensure that they are properly collecting their logs will obtain much better results.
How to Maximize the Benefit of DFIR
Almost all organizations have a 100% need for DFIR – no other security solution will grant the surge capability you’re going to need in a time of crisis, according to Mark.
“In terms of being able to respond in a timely manner, DFIR is it. But I also like to pair it up with other services, like proactive threat hunting, which is actually like the identification piece of the DFIR process. With those two services teamed up, you’ll have an incredibly experienced team of threat hunters looking into your environment – helping you find the known unknowns.”
The other service that complements DFIR perfectly is testing. Whether you’re running a red team exercise or just an intense web application assessment, testing very often helps identify active breaches. So, whether you’re running your DFIR internally, externally or in a blended approach, ensuring you have testing capabilities can really pay off.
The Hassle-Free Guide to Dominating Your Next Security Incident
Not every company has a fully grown incident readiness and response (IR) process and program in place. This handbook lays the groundwork for why mature IR is so important and then delivers a step-by-step guide for prepping for and addressing a wide range of security and data-loss incidents.