Securing the Digital World

Forensics Meets Continuous Security Monitoring to Achieve Optimal Visibility

Dec 08, 2016 | by RSA

Digital forensics is estimated to be a $3.2 billion industry by 2020, according to research from RnR Market Research summarized by WhaTech. The industry has grown due to the virtually ubiquitous use of IT systems in personal, corporate, and governmental settings. The IT department must be able to "see" from the network command center out to the furthest attached device; that visibility is essential to maintaining the safety and security of a company, its employees, its customers, and its mission-critical data. Post-event analytics play an instrumental role in achieving that visibility.

Forensics and Incident Response: A Secure Pair

A National Institute of Standards and Technology (NIST) guide to using forensic techniques in incident response brings to the fore the importance of applying science to the identification, collection, examination, and analysis of data while still preserving the data. Containing incidents and damage is as essential as the post-analysis goals of attributing the incident and mitigating its effects. Accordingly, all the tasks that make up this analysis are also part of, and beneficial to, incident response.

Thus, integrating forensic techniques within the incident response process improves overall security both during and after the event. Importantly, the data collected during incident response can and should be used to improve the system: it shows which types of incidents are occurring and lets security personnel make more informed decisions about implementing stronger and/or different security measures. This helps optimize visibility going forward.

Continuous Security Monitoring and Forensics

Information security continuous monitoring, also known as continuous security monitoring (CSM), is defined by NIST as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." NIST notes that CSM "helps to maintain visibility into the security of the assets," among other key benefits.

CSM can be seen as a front-end view of security design and operations, for which the complementary back end is post-event analytics. While the two are not precisely mirror images of each other, CSM reflects the manner in which forensics will be performed, because forensics works from what the monitoring and recording system was designed to capture. Forensics, in turn, imprints its image on proactive security monitoring, since the design of what to monitor and how to monitor it must account for what evidence needs to be collected to adequately inform the company, law enforcement, and/or triers of fact.

Because forensic analysis is an integral part of incident response, it can be holistically integrated within a company's incident response procedures. In turn, those can become part of an intelligent CSM system with optimal visibility of vulnerabilities and threats, resulting in overall security cognizance. While this integration of symbiotic approaches may not lead to omniscience, it certainly will promote visibility, which is the next closest thing to omniscience in the context of information security, design, and operations.

Regulatory Drivers

Aside from the cost and efficiency benefits that forensic analysis provides in achieving visibility and enhanced security, these key security tools also help meet regulatory demands. Industries in all sectors have increasingly implemented cybersecurity regulatory requirements. For example, the US Securities and Exchange Commission (SEC) requires that reports from management disclose significant cyber events that affect financial customers and listed securities data. Without both forensic analysis and visibility, management is unable to make a fully informed disclosure as required by the SEC.

In conclusion, forensic analysis not only strengthens security but also helps companies meet regulatory requirements.