Do You Know Where Your Evidence Is?
A closer look at digital forensics within incident response
In part two of our series on the Enemy Perspective, we’ll focus on an important element of incident response: digital forensics investigations.
The digital forensics and incident response (DFIR) world continues to evolve on a yearly basis. Investigators need to keep track of changes to the various operating systems and newly discovered attack vectors, uncover new locations of evidence and, on occasion, face an ethical quandary such as the one surrounding the undocumented “Activities” API for Microsoft Outlook O365 (also known as the Secret Office 365 Forensics tool).
But we are not here to talk about artifact locations, tools or other investigation standards that change. This post is meant to highlight an often-overlooked part of digital forensics and incident response investigations. Some organizations are lucky enough to have internal forensic investigators or incident response teams on staff. Even in these organizations, there are going to be times when an external third party is needed for an investigation. That raises two questions:
1. What happens to your company’s data/evidence after collection by third parties?
2. Who retains ownership of that data or evidence during an investigation?
In reality, there are only a couple of answers to these questions. Let’s tackle them one at a time.
Who retains ownership of the data/evidence during an investigation?
Some overly aggressive firms have language in their MSAs, SoWs and retainers that transfers ownership “of any and all collected evidence” to the external firm. The firm does not want your intellectual property, customer lists or health information. What they want to own is the metadata and the indicators of compromise (IOCs) for the attack. However, that comes with a caveat: they can do what they want with the data they own. Imagine being a one-of-a-kind organization in a specific area of the world, country or state. When the firm releases a blog post referring to a new attack campaign that targeted a specific industry vertical in a specific location, a simple web search can be used to identify the company that suffered the incident or possible breach. It is extremely important to get this ironed out in contracts before an active incident, when time is of the essence.
We love to take clients through our high-level investigative procedures for responses to every sort of incident, because we’re proud of what we do. But we also urge our clients, both potential and active, not to forget the simple stuff, and that’s data storage and ownership. You must know before, during and after any incident and investigation where your evidence and data are going, where they’ll be stored and who owns them once it’s settled. Because that sounds so simple, it is very easily forgotten, and the hassle that follows when it’s forgotten makes it paramount to your enterprise’s security practice.