Are You Forensic Ready?
In the landscape of everyday operations, the concept of forensic readiness may often linger unnoticed in the background. When a crisis strikes, be it a major system outage or a security breach, the importance of being forensic ready as part of your overall digital resiliency strategy suddenly becomes evident. That’s the moment you realize a thorough investigation is necessary: its findings enable an effective response and proportionate mitigating actions. During a crisis, it’s usually not hard to motivate people to start investigating. The challenge is mostly having the data to work with. So at that moment, the question is: are you forensic ready?
During a crisis, different departments and teams within a company point at each other, while regulators, the general public and your leadership put a lot of pressure on the people responsible.
They want answers:
- When was the incident first detected?
- How was it detected?
- What is the cause?
- What is the scope and scale of the outage or breach?
- What data has been leaked?
- What is the current status of the affected systems or data?
- What are the legal or regulatory implications of the incident?
- Why couldn’t it be prevented?
- Who caused the incident?
Companies face an expanding threat landscape and know they need a more robust plan to cope with a crisis. Regular exercises, table-tops and reviews help improve those plans. The issue is that most of these exercises are too high-level to hold up in reality; incident response is, in the end, about the details. It’s a challenge to run a realistic test that includes the technical side without disrupting operations. A lack of forensic readiness at the data level will not become visible — until it's not an exercise anymore.
Outsourcing Ensures My Peace of Mind
You might argue that you have it outsourced: an external company waits for a crisis and jumps in when an incident happens, ready to scale up your workforce and knowledge to resolve the problem. This is a fair approach when you lack internal capacity; however, if you expect everything to be covered you might be wrong. Instead of fast resolution, the external party will need significant time to get up to speed and will ask you even more questions before they can start resolving the issue — eating into the short window when response time matters.
- Do you have forensic data?
- Can you provide access to it?
- How long is the retention period?
- Where was your sensitive data stored?
- What are your valuable assets?
Many companies cannot provide the experts with the answers and the data they need. Or the data is spread across a dozen systems with only the default retention period, which is almost always not enough for a thorough forensic investigation. It can take days to hand even that limited data set to the external experts, and their ‘lessons learned’ report after the crisis will point to the lack of forensic data as the reason the investigation was problematic.
Make it a Priority!
Hopefully by now you are convinced that it’s better to be ready. But what is forensic readiness at the data level, and where do you start? For at least a hundred years journalists have used the Five W's and H in their research, and they apply equally well to digital forensics. You need to be able to answer these questions:
- Who?
- What?
- When?
- Where?
- Why?
- How?
A good quick exercise is to list the most horrific scenarios your company could end up in, in terms of risk. You can judge for yourself whether this is limited to cyber security, also covers IT operations or even risks to the company in general (yes, risk is not only about IT). Then check whether you can answer the previous questions within the scope of each of these situations, identify the gaps and prioritize them. Ask yourself whether you have insight into activity in the crown-jewel applications your business depends on, for example ERP or CRM systems; those might become vital in an investigation.
When you have that baseline in place and the gaps covered, it’s all about making sure that incident readiness stays a priority. With every new tool, technology or process you need to consider what the impact could be in a crisis and whether you are ready for it. It’s like real life, where we are obliged to think about fire safety and accessibility for emergency services when we build a house: there is no way to do that once the disaster happens, you have to do it before. Include forensic readiness in your change management process and in your acceptance criteria for changes and new solutions.
Why Data Is Key
When you incorporate this into your way of working you will also think differently about which data to store and how long to retain it. Cyber security professionals often focus on threat detection when selecting their data sources and store data that suits an immediate use case. Your retention strategy must shift to appropriately take into account your secondary-priority ‘forensic readiness’ use cases. It’s not only about having the data to feed the detection logic for the MITRE techniques you want to cover; it’s also about thinking ahead to what you might want to know and investigate in case of an outage or security breach.
Maybe you don’t have detections in place on your crown-jewel application logs, for reasons such as a lack of knowledge of the data, not being able to make the detections efficient enough without an overload of false positives, or a decision to focus first on a different layer or part of your infrastructure. That can be a conscious choice, but it’s paramount to at least make sure the data is stored in an accessible manner in case of an issue. Even if you don’t understand the data, make sure it is available so external experts will have something to work with.
Overarching Security and Observability
We often say that resilience is key, which also means we need to break silos and think about the overall risk posture, not only within your Cyber Security practice but also in Observability, IT Ops, DevOps or whatever you call it in your company. This should also be taken into consideration when getting forensic ready. When your systems go down or complaints come in about a slow customer portal it might be impossible to say what the cause is, and you need to face the crisis in a multi-disciplinary way, outside the traditional silos of IT departments.
Isn’t That Expensive?
Of course, nothing comes for free, but there is a lot you can do to limit the cost and stay in control. Deciding to store a certain data source for a certain amount of time doesn’t mean you need to keep all the log data. You can leverage the tools within Splunk to filter out unnecessary logging: not only to limit the number of events but also to limit the size of each event by stripping out the parts that are not valuable.
Essentially, three key questions should be considered to significantly reduce the cost of data storage.
- Can I filter out unnecessary data before it reaches any storage solution, considering that some of the data might not provide any value?
- Do I possess noisy log data that is used infrequently? You can use alternate storage options for data that you only keep for (long-term) forensic needs.
- What to do with my highest-priority data once it begins to age? After a period of time it could be fine to use other options, such as the data retention options within Splunk, or to store it on external storage outside the Splunk ecosystem.
Keep in mind that you want that data to be available in a crisis, when most systems are down, so be wary of too many dependencies and of the time it takes for the teams that need it to gain access. The bottom line is that forensic data storage doesn’t need to be expensive as long as you have a proper design and distinguish between data you need every day and data you need when it all breaks loose.
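As an added illustration of the three questions above (this is example configuration written for this post, not configuration from the original article or from Splunk documentation), the following props.conf, transforms.conf and indexes.conf stanzas show one way to drop valueless events before indexing, strip a bulky field from the events you do keep, and roll aged buckets of a crown-jewel audit log to cheap archive storage instead of deleting them. The source path, index name, regexes and archive directory are assumptions chosen for the example; the setting names themselves are standard Splunk index-time settings.

```ini
# props.conf (example; the source path is an assumption)
# Apply a null-queue filter and a field-stripping SEDCMD to a hypothetical CRM audit log.
[source::/var/log/crm/audit.log]
TRANSFORMS-drop_noise = crm_drop_healthchecks
# Strip a large, low-value debug payload from every event so the retained
# events are smaller. Regex and field name are assumptions for the example.
SEDCMD-strip_debug = s/\s+debug_payload=\S+//g

# transforms.conf (example)
# Route load-balancer health checks to nullQueue: they are never useful in an
# investigation, so they should not reach any storage tier at all.
[crm_drop_healthchecks]
REGEX = GET /healthz HTTP
DEST_KEY = queue
FORMAT = nullQueue

# indexes.conf (example; index name and archive path are assumptions)
# Keep the audit log searchable for one year, then move frozen buckets to an
# archive directory rather than deleting them. Note that only the raw data
# journal is kept on archive; the bucket must be rebuilt (thawed) before it is
# searchable again, so plan for that delay in a crisis.
[crm_audit]
homePath   = $SPLUNK_DB/crm_audit/db
coldPath   = $SPLUNK_DB/crm_audit/colddb
thawedPath = $SPLUNK_DB/crm_audit/thaweddb
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /mnt/forensic-archive/crm_audit
```

The two halves map onto the distinction the post draws: the null-queue filter and SEDCMD decide what never needs to be paid for, while frozenTimePeriodInSecs and coldToFrozenDir decide when everyday searchable data becomes "data you need when it all breaks loose". Whatever archive location you choose, test that the response team can actually reach it and thaw a bucket while production systems are unavailable, since that is the dependency the paragraph above warns about.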
Forensic Ready?
If you can confidently say ‘Yes’ to this question you can sleep a lot better. As a nice bonus it also helps you satisfy the many regulations and frameworks out there. Even in a crisis you can be ‘in control’ and limit the damage to the company, both in direct financial impact and in reputation. One thing is for sure: when you aren't ready, you will regret it when everything goes south!
Please read the following to learn more about Splunk’s capabilities around storing forensic data in a cost-effective way: