[1]Why you need a digital forensics team (and the skills to look for)
  by Karen Epper Hoffman:

    In a world where enterprises are embracing the fact that breaches
    are not a matter of 'if, but when,' it is becoming increasingly
    important to develop internal and external resources to investigate
    and oversee the impact of attacks after they have happened.

  Yes. This is where my opinion diverges.

    Digital forensics is a relatively recent skills concentration

  It's not. I took a digital forensics class with SANS about 10 years
  ago. And when I hired someone for that role in Canada about 9 years ago
  I had many qualified candidates with experience to choose from.

    one that does not necessarily require the same talents, expertise or
    background as other cybersecurity positions.

  Also wrong. While forensics requires its own skill set, thinking it is
  divorced from the rest of security is absurd. Context is important, and
  not understanding security will make analysis ineffectual.

    And while more enterprises are recognizing that they need such
    talent on the back-end, as it were, there are still holdouts that
    are entirely focused on detection and prevention, to their
    detriment.

  Wrong. Just wrong. That's like not getting checkups or taking
  medication and then, when illness happens, spending time and money to
  track down who in your family tree made you prone to the heart disease
  you need major surgery to fix.

    "I think this is actually a misconception [that] organizations do
    not necessarily need to build out digital forensics teams in-house,"
    says Sean Mason, director of incident response for Cisco Security
    Services, adding that Cisco is building out its own forensic
    capability via its incident response services team. A key problem,
    Mason says, is "there is not enough talent to go around and,
    generally speaking, most organizations don't have enough demand to
    require a full-time team on staff."

  Some companies and organizations absolutely should have this capability
  in-house - large financial, energy, and government organizations leap
  to mind - but the bulk of companies either don't need the capability, as
  it would take resources away from higher-ROI functions, or could make no
  use of the data. Also, digital forensics is almost begging to be done
  as-a-Service. (Full disclosure: IBM employs me, offers this function as
  a service, and I consult with companies about this. My views on this
  are mine and not my employer's. Cisco is an IBM partner, btw.)

  As I said, most companies aren't mature enough to make use of the
  information even if they have it. If your security posture is already
  weak, what countermeasures can you hope to employ with such data?

    Munish Walther-Puri, chief research officer at [2]dark web
    monitoring company Terbium Labs, points out that digital forensics
    requires a combination of "investigation, intelligence, and
    innovation."

    Digital forensics teams are a complement to any IT team "because
    they figure out the who, when, when, where and why a bad actor came
    into the system," says Avani Desai, president of audit and accounting
    firm Schellman & Co. "They help paint a picture of the incident and
    provide guidance on how to mitigate the risk of that happening
    again." The forensics teams also take past data and processes and
    build upon them to make sure they have the tools to handle issues
    that are getting significantly tougher to solve, Desai adds.

  Let's say you figure out the "who, when, when (sic), where and why a
  bad actor came into the system". The where bit might be actionable, but
  the rest? As an understaffed and underfunded IT or Security team, how
  will the knowledge that Russian organized crime attacked your company
  on a Tuesday a year ago change anything for you?

    Darien Kindlund, vice president of technology for Insight Engines, a
    provider of natural language search technology, points out that
    digital forensics is "an important pillar in any security operations
    team, in order to assess and understand tools, tactics, and
    procedures (TTPs) used by attackers to compromise a firm. That way,
    the firm can stop future breaches using these same TTPs by new
    attackers. A firm's ability to understand how these attacks work is
    directly tied to how effective their digital forensics team is."

  Again, in some contexts digital forensics can be useful, even valuable.
  But 99% of organizations and companies are better off hiring it out
  as-a-Service.

  Time is not addressed here: digital forensics takes time. Time is not a
  security practitioner's friend. By the time an in-house team provides
  actionable intelligence, it is probably too late. A service provider
  might be faster, as they leverage what they see across multiple clients,
  but it still takes time.

  My digital forensics criticisms also apply, to a lesser extent, to threat
  intelligence. What use are Indicators of Compromise (IOCs) if you're
  unable to act on them?

  There is still too much focus on attribution. Better security hygiene
  returns more value.

  Here is a good guide: if you can't make use of threat intelligence then
  digital forensics is nothing but show.

  Also, I disagree with the article's implied definition of digital
  forensics. It is more than just outsider attack attribution. It is very
  valuable for dealing with malicious insiders, again after the fact. If
  your organization is litigious, such a team is invaluable.

  Regardless, forensics plays a valuable role. As an internal team, a
  managed service, or an organizational goal, digital forensics can
  enrich a security team's intelligence.
  Also on: [3]Twitter

  My original entry is here: [4]Does Your Org Need A Digital Forensics
  Team? Probably Not (CSO Online disagrees). It posted Sat, 12 Jan 2019
  07:39:06 +0000.
  Filed under: business

References

  1. https://www.csoonline.com/article/3332020/investigations-forensics/why-you-need-a-digital-forensics-team-and-the-skills-to-look-for.html#tk.rss_all
  2. https://www.csoonline.com/article/3249765/data-breach/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html
  3. https://twitter.com/prjorgensen/status/1084010070780846082
  4. https://www.prjorgensen.com/?p=2501