Preface: This is the second installment of a 3-part blog series called “Stories from the Front Lines”. Each installment features a different security industry persona-archetype, inspired by D3’s real projects and interactions with customers. Each illustrates a common problem and discusses an effective solution with the appropriate software tools.
Ankit is the Director of Digital Forensics for a Fortune 100 Oil and Gas company. He’s smart, hardworking, and excellent at his job, having risen up through the ranks as an investigator, to eventually lead the department. Despite his tenacity and technical proficiency, today Ankit finds himself in a bit of a bind: the Legal team, his main internal customer, is waiting on the results of a large E-Discovery case. And the case could not have a higher profile, with visibility right up to the board of directors.
The task assigned to Ankit and his team is vast: investigators are expected to sift through several terabytes of data, coming from almost a thousand custodians, and 2500 (!!) individual data sources. Eight members of the forensics team will be working on this full time for a matter of weeks. His team relies on spreadsheets to stay organized and assign investigative activity amongst the team, including tracking of retrieval, processing, and delivery tasks for each data source. The spreadsheets work well for smaller cases, but this is the largest case they’ve ever worked on, and with so many people collaborating on the same spreadsheet, things are getting… “messy”.
Under intense pressure from the C-suite to produce an assessment of their exposure, the legal team is breathing down Ankit’s neck. Ankit is spending far too much of his time answering their questions:
“What will their investigation produce?” “How far along is it?” “When can they expect to see results?”
Furthermore, with the spotlight shining directly onto his team and a bottleneck of smaller cases piling up in the meantime, upper management is now asking for detailed metrics on his team’s productivity, which will take him ages to compile by sifting through a mountain of spreadsheets. Overwhelmed, and lacking a systemic backbone to help him manage these competing requests, Ankit turns to Google to search for Digital Forensics Case Management systems. Surely he is not the only one having these problems!
Mainstream forensics tools have done an excellent job of enabling core forensics tasks, such as data collection, searching, and processing. Their focus has been on empowering investigators to reach a broad spectrum of devices and file systems, and to index, search, and decrypt them. Establishing a powerful toolset has rightly been a priority of this budding organizational function, but as forensics teams around the world grow larger, it has often left them wanting additional capability: a standardized and effective process, coordination, collaboration, approvals, reviews, and stakeholder transparency.
The need for systemic structure and automation begins, appropriately, at the beginning: the effective management of case requests, or “intake”. Forensics investigation requests may originate from any number of important organizational stakeholders, including Cyber Security, Corporate Security, Legal, HR, or many other departments within an organization.
Sometimes, as in Ankit’s situation above, incoming E-Discovery requests will require sign-off or approval from a gatekeeper, such as the Privacy department, before an investigation can be initiated. Here, an intake request portal with enforced review and approval can ensure that everything that lands on an investigator’s desk has had the appropriate oversight, has fulfilled the requisite criteria for compliance with relevant legislation, and has the organizational ‘green light’ to proceed into investigation. Plenty of real-world examples have demonstrated that email lacks sufficient structure to serve as an effective intake mechanism once a team grows beyond two or three investigators. A purpose-built solution is needed to get the task done successfully.
Forensics cases may also stem from an escalation, an integral part of the remediation and post-incident investigation of a critical cyber incident. Here, a single platform for collaboration shared by incident responders and forensics investigators alike will empower collaboration, and encourage the completion of critical NIST-advocated “Post Incident Activity”, including the attribution of root cause and the enablement of corrective action, lessons learned, and crucial identification of gaps in a cyber security program. Cohesiveness is key. (I know of only one system tailored for both incident response and forensics teams).
Moving on past the genesis of a case, the need for digital forensics case management extends well into the “investigation phase”. From DLP to E-Discovery, each type of forensics case has unique elements that need to be tracked and recorded, while shared across all case types is a need for structured yet streamlined task management: itemization, summarization, accountability, deadlines, and reminders. Again, the size of a forensics team plays a determining role in the need for management structures and mechanisms for delegation and collaboration.
While spreadsheets and emails can sustain a team in the short term, they lack the scalability of an enterprise solution. While mainstream forensics toolkits advertise the inclusion of “Case Management” functionality, it is far from their core competency, and the market has often described their capabilities as “lackluster” at best and “materially deficient” at worst. There are case management options available whose structure effectively mirrors that of core forensics toolsets, but that provide far greater capacity to drive coordinated productivity and produce effective SLA-oriented business process. D3’s own solution fits snugly into the IT fabric of an organization, streamlining the case management process via key integrations with forensics tools, HRIS, and asset management systems.
Evidence management is oftentimes a core element of the forensics case, and the manner in which that evidence is handled and linked to an investigation plays a determining role in its admissibility in court. Any comprehensive forensics case management system must feature an evidence handling piece, tracking chain of custody for physical evidence and recording the MD5 hash of digital evidence in an unalterable fashion.
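As an added example (not D3’s code or any product’s implementation), the evidence-hashing and chain-of-custody record described above in Python: each evidence item is fingerprinted at acquisition, and every custody event is appended to a hash-chained log, so a later edit or removal of a custody entry, or a change to the evidence bytes themselves, is detectable on verification. The evidence bytes, handler names and timestamps are constructed, and the example records SHA-256 alongside the MD5 the text mentions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first custody entry


def hash_evidence(data: bytes) -> dict:
    """Fingerprint an evidence image; MD5 is what the text calls for, SHA-256 is added alongside."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def append_custody_entry(log: list, evidence_id: str, action: str, handler: str,
                         digests: dict, timestamp: str) -> dict:
    """Record a custody event; entry_hash covers the event and the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"evidence_id": evidence_id, "action": action, "handler": handler,
             "timestamp": timestamp, "md5": digests["md5"], "sha256": digests["sha256"],
             "prev_hash": prev}
    # Canonical JSON (sorted keys) so the same entry always serializes identically.
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_custody_log(log: list) -> bool:
    """Recompute every entry hash and chain link; False if any entry was altered or dropped."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False  # a link is missing or out of order
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
            return False  # the entry's own contents were changed after recording
        prev = entry["entry_hash"]
    return True


def evidence_unchanged(data: bytes, entry: dict) -> bool:
    """Re-hash the evidence and compare against the digests recorded in a custody entry."""
    current = hash_evidence(data)
    return current["md5"] == entry["md5"] and current["sha256"] == entry["sha256"]


if __name__ == "__main__":
    image = b"constructed sample evidence image"  # constructed, stands in for a disk image
    custody = []
    acquired = append_custody_entry(custody, "EV-0001", "acquired", "investigator-a",
                                    hash_evidence(image), "2024-01-01T09:00:00Z")
    append_custody_entry(custody, "EV-0001", "transferred", "legal-reviewer",
                         hash_evidence(image), "2024-01-02T10:30:00Z")
    print("log intact:", verify_custody_log(custody), "evidence intact:", evidence_unchanged(image, acquired))
```

Export the verified log alongside the evidence; a reviewer can rerun the same verification against the stored entries without trusting the system that produced them.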
Most importantly, digital forensics departments are characterized by their interconnectedness within an organization. And it is in service to these stakeholders that forensics teams need to leverage an MIS case management framework. MIS provides analytics, benchmarks, and metrics that help to establish measured productivity, identify (and legitimize) resource bottlenecks, and establish a critical level of transparency, both laterally and up to an organization’s senior management. Like any department serving internal customers, demonstrable and measurable productivity goes a long way towards securing additional funding and resources. And establishing ROI for the function helps to ease the misguided perception of the department as an organizational cost-center, rather than an essential and irreplaceable organizational resource.
Ankit’s problems described above are multifaceted, but they are symptomatic of many overstretched and under-funded forensics departments, whose demands have grown faster than the systems that help manage their workload. But there are solutions that can help.
D3 Security’s Case Management Software for digital forensics, eDiscovery and IT investigations provides a configurable workflow solution for managing case requests and investigative assignments, case work and collaboration, as well as physical evidence tracking.