
It's elementary [ITP.net (United Arab Emirates)]
[April 27, 2014]


With malware becoming more and more sophisticated, experts are advising enterprises to assume their defences will fail. But they can still take action by employing digital forensics teams to pick up the pieces after an attack has occurred.

A recent survey by the Economist Intelligence Unit, commissioned by Arbor Networks, asked 360 senior executives about their incident response preparedness. Less than a fifth — only 17% — said that they feel fully prepared to deal with a security breach. And while the survey was done on a global level, Arbor said that results specific to the Middle East would be broadly similar.

It would seem, then, that organisations are not quite as well prepared for security breaches as they would like to be. This is bad news, according to security experts — with the exponentially growing number of threats out there (and the increasing sophistication of those threats), many view the threat landscape as a case of when, not if, attackers will get in.

"The days of achieving full security have gone, and today, with the evolution of advanced persistent threat (APT) attacks in size and sophistication, whatever organisations invest in security, there will still be a probability they will get attacked. That's why companies need to start thinking about post-attack scenarios," says Ghareeb Saad, senior security researcher at Kaspersky Lab's global research and analysis team.

And vendors aren't the only ones advising enterprises to assume that attacks are going to happen. Indeed, there seems to be an industry-wide consensus that budgets should, at least in part, be shifting to include incident-response capabilities as well as outright defence capabilities. Avivah Litan, vice president and distinguished analyst at Gartner, echoes Saad's sentiments.

"Enterprises must assume that breach prevention steps will fail and that some attackers will manage to penetrate security and defences. It then becomes critical that enterprises detect the breach as quickly as possible to mitigate the extent of damage," she says.

As organisations begin to wake up to the need for post-attack preparedness, the idea of digital forensics has gained ground. Officially, the term 'digital forensics' refers to the recovery and investigation of material found in digital devices. However, it is increasingly being used to refer to the means by which organisations discover how attackers have breached their systems.

Most organisations in the Middle East do not employ digital forensics teams — indeed many make do without a dedicated overall security team. But this has not stopped vendors from encouraging end-users to shift some of their budgets away from perimeter defences such as firewalls, and instead pour a little money into attack response capabilities. The advantage, they say, is that, if you know which files have been compromised, and indeed how they were compromised, then you are able to mount effective damage control.

"[Companies] need digital forensics teams able to detect malicious behaviour, do incident handling and internal corporate investigations or intrusion investigations in case of breach, and to provide valid digital evidence that can be used in court or with law enforcement. Also, digital forensics enables companies to build a complete understanding of the nature of the breaches or attacks they are facing, which will help them improve their defence and security strategies," says Saad.

Meanwhile, Paul Wright, manager of AccessData's professional services and investigation team, says that the advantages of having a digital forensics team extend to having legal clout in extreme scenarios.

"There are many circumstances where an unassuming dispute or information security incident may become more serious. If the evidence for these has not been collected to begin with, it will be too late to do so later in the process. Therefore, it is essential from the outset to consider the importance of digital evidence and to be ready to collect it for a wide array of events," he says.

Unfortunately, despite the industry's best intentions, only a small proportion of Middle Eastern businesses are aware of the benefits that a digital forensics team might bring them. And Saad says that, of the businesses that are aware, most cannot afford the expense and effort of hiring and training a digital forensics team.

Building a team

To be fair to most Middle Eastern businesses, hiring a dedicated digital forensics team from scratch is a daunting task. According to industry experts, good teams should be able to provide detailed information about any breach, and build a complete scenario of how the attack was carried out. They should be able to find out which vulnerabilities were exploited, what information was stolen and, perhaps most importantly, come up with a plan for how to completely recover from the attack. By anyone's definition, it's a full-time job.

It's also painstaking work, requiring a great deal of experience. The incident response team should have an in-depth working knowledge of the security landscape, and know the organisation's infrastructure inside out. And while recently launched tools for network monitoring and intrusion detection now make it much easier for forensics teams to work out where breaches take place, it still takes a competent team to get the best out of these solutions.

The tools available broadly fall into three categories — network forensics tools, system forensics tools and software and file analysis tools. Network forensics tools are used to monitor, capture, analyse and extract information from network traffic. System forensics tools, meanwhile, are used to create and analyse hard drive images and memory dumps, or to extract information from the live system. And software and file analysis tools analyse and study the behaviour of different file formats such as executable, PDF and .doc files.

"They look for traces of the breach — typically left behind in memory dumps that are analysed. By analysing the traces, they can determine what resources were compromised and what the potential damage is," says Litan.

Again, though, the cost of purchasing these tools, as well as hiring a good team to use them, has deterred many enterprises from setting up their own incident response and digital forensics teams. As one anonymous, Dubai-based end-user says, "A lot of us just put up a firewall, buy an anti-virus licence, and hope for the best." AccessData's Wright, however, believes that there is simply no argument for not investing in a digital forensics team — "And I'm happy to sit down with anyone and explain why," he says. That said, he argues that a dedicated team should only be created under a number of provisos.

"They need to undergo a forensic readiness assessment, which will highlight their shortcomings with regard to establishing such a team," he says.

"By highlighting any gaps, management and investigators will be able to achieve its forensic objectives in a cost-effective and efficient manner, whilst maintaining procedural correctness. The assessment will also ensure that technology is used in a systematic and well-thought-out manner, this being the only way to deal efficiently and effectively with the ever-increasing amount of data and matters associated with that data."

The argument for outsourcing

Unfortunately, many organisations still cannot stomach the costs involved in creating their own digital forensics teams. But this does not mean that the Middle East is giving up entirely on the concept. To more cost-effectively deal with their incident response needs, enterprises are now beginning to outsource digital forensics teams — a positive development, according to Gartner's Litan, who says, "It's best to hire a team that specialises in digital forensics and memory analysis. It's difficult to do this internally unless the enterprise has resident expertise."

Saad points to the outsourcing idea as a solid answer to the lack of incident response teams in the Middle East. He says that, if the organisation cannot afford to operate its own in-house forensics team, it should, at the very least, divert some budget away to outsourcing an incident response unit. Indeed, he says that Kaspersky now provides forensics and malware analysis services to customers as it senses demand for incident response capabilities.

Early adopters of digital forensics technologies include banks, financial institutions and government departments. But there has been a marked increase in the number of organisations investing in digital forensics over the past 12 months, according to Mahmoud Samy, area head for the Middle East, Pakistan and Afghanistan at Arbor Networks.

"According to the Economist Intelligence Unit survey sponsored by Arbor, around 70% of the firms spoken to — and 80% of the large firms — have made arrangements with specialist organisations as part of their incident response plan. Having an arrangement with third-party experts is twice as likely at firms that have suffered an incident in the past 12 months than at firms that have not," he says.

But the million-dollar question is: Can organisations get by without paying much heed to the industry's warnings on digital forensics? Do enterprises really need to invest in the technology and resources? Samy's answer is frank: "It is similar to the question of whether you need a home security alarm. Maybe not, until your house gets broken into," he says.

"The justification is both offensive and defensive. Having forensics capabilities helps the organisation understand the threats and alter their defences, especially if they are targets for frequent attack. Having these capabilities helps improve defensive posture over time."

(c) 2014 ITP Business Publishing Ltd. All Rights Reserved. Provided by Syndigate.info, an Albawaba.com company