CIOs should be sure they don’t approach ELECTRONIC DATA DISCOVERY solely as an IT issue. “Let your general counsel manage this,” advises Matt Curtin, founder of the forensic computing consultancy Interhack. An attorney can best decide what records would be needed for legal proceedings. And he can set guidelines on cleansing transaction histories: “The longer you keep the data, the more you have to be subpoenaed,” Curtin says, “so you’ll be hit for more [discovery] requests.” That increases the chances that the other party will find your own errors and mistakes, he notes.
Focus on Investigation
While the “forensics” label may be misleading, ELECTRONIC DATA DISCOVERY tools can help the enterprise investigate possible security and compliance breaches to identify where a true forensics investigation should take place or to understand a previous breach as part of an effort to strengthen enterprise defenses.
Curtin advises that enterprises consider ELECTRONIC DATA DISCOVERY tools that provide search and query capabilities that in-house analysts can use to uncover clues about potential problems, not just canned detection rules. Having lots of monitoring systems isn’t that useful if you don’t know where to focus your attentions. ELECTRONIC DATA DISCOVERY tools can help identify the problematic areas, “so you don’t bother with the rest of the data,” he says. But systems that offer only canned analyses don’t let computer forensics experts do the kind of digging they need to do, forcing them to go through logs and databases manually. “Most companies today run the rules that come out of the box,” notes John Summers, global director of managed security at the Unisys consultancy, but for ELECTRONIC DATA DISCOVERY tools to be effective, “rules need to be specific to your business and processes.” Good ELECTRONIC DATA DISCOVERY analysis tools let you both customize the rules and conduct your own queries and searches, Curtin and Summers say.
It’s also key to remember that current real-time analysis tools focus on a specific type of monitoring, such as credit card fraud detection or intrusion detection, rather than provide broad, enterprise wide risk analysis.
Monitor at Multiple Levels
Vendors are increasingly focused on ELECTRONIC DATA DISCOVERY as a way to get CIOs’ compliance money, says Unisys’s Summers. Early ELECTRONIC DATA DISCOVERY tools just added reporting to the real-time event- monitoring capabilities offered by security event management (SEM) tools and appliances, he notes, but since summer 2005, vendors have been adding more “pragmatic” compliance-oriented services to the tools now relabeled as ELECTRONIC DATA DISCOVERY. For example, tools that used to focus on firewall and intrusion detection logs are now examining database logs to monitor access to specific data, both to help assess compliance with data access policies and to identify data access patterns that may indicate fraud. By noticing a firewall breach that occurs 30 seconds before unusual database access, for instance, such tools can alert administrators of a possible identity theft. That might lead to an immediate shutdown of access to that database as well as a deeper look into past activities to see if the identity theft has been ongoing. Similarly, ELECTRONIC DATA DISCOVERY tools are also now examining server logs for both compliance and security analysis, he says.
If you liked my post, feel free to subscribe to my rss feeds