Is there more demand for forensic technology to be hosted on endpoints, as more breaches occur at the employee’s end?
Stuart Okin, VP EMEA at Cipher, told IT Security Guru that it commonly sees Guidance Software’s Encase solution deployed on every endpoint, as most businesses only wait until something bad occurs to do something about it.
“What we are seeing is a trend in this direction in the US which allows a remote analyst to track how the infection or breach occurred, what led up to it and how it spread or laterally moved. Combining this with deep packet inspection, it then allows analysts to look for the insider threat,” he said.
Okin said that the main issue is the amount of logs and “noise” to be managed, as the data feeds in to the Security Operations Centre and SIEM.
This week’s Verizon Data Breach Investigations Report revealed that 23 per cent of recipients open phishing messages and 11 per cent of recipients click on attachments, yet when there is a major breach the forensics team look at the network. So is it a surprise that there is more demand for forensic technology to sit on the endpoint?
So is this completely unbelievable, or the start of a solution to avoid the issue of employees being the cause of data breaches? Ryan Rubin, managing director of Protiviti said that what would be prohibitive would be the cost element, but from his own experience, he found it would not scale and when there is a breach and there is an investigation at most organisations, Protiviti is called in to forensically analyse those endpoints and there are technologies allowing you to do this.
“As an industry we are doing very focused searches and once you look at the full drive and on the endpoint, you search for particular bits of information and if that triggers an alert, then a more detailed investigation gets done,” he said.
“The big challenge with recording everything, all of the traffic, is that activity is noisy and what I have seen is anti-virus vendors extending their solution set to keep up in the space, and that can include fine signature monitoring and application whitelisting, but we are not there yet with the full forensic capability.”
The challenge is not only managing the solution and its potential for huge amounts of data, but also the cost of adding more solutions to the endpoint. Quentyn Taylor, director of information security for EMEA at Canon, told IT Security Guru that he would find it hard to justify pushing this out to thousands of clients, as if you were continually having employee issues it may be worth doing, but maybe solve the issues in a different way rather than just prepping everyone for laptop forensics.
He also acknowledged that there may be a privacy issue, as if you are working in a regulated environment a regulator could be convinced into endpoint forensics being a recommended piece of technology, then it may take off.
“We’ve looked into this, and we said ‘how many cases do we process in a year’ and ‘could we really justify this to work councils and unions’ and ‘could I justify this to operations as they will have to maintain that package’,” he said. “Unless you are doing so many cases all of the time that it is worth doing this, but we are not.
“It is a technology that it interesting but I think about the ROI and if I cannot justify it to myself, I cannot do so to the board.”
So maybe that is the challenge for security managers, trying to convince the board that this case of a technology assurance is worth investing in if a breach were to happen? Maybe it is a way off yet, but Rubin said that one move is towards virtualised desktops where everyone has a thin client and logs into a remote desktop, so it becomes easier to capture what is taking place in those environments.
Speaking to CISO and Give01Day founder Amar Singh, he said that he is aware of endpoint forensic technologies being used in incident response scenarios, as well as in audit situations to demonstrate compliance and save costs in licensing.
However he was keen to stress that this all comes down to visibility, as that is one of the key tenants of managing cyber security to determine what is happening. He said it is not about trying to catch an employee out, but to make sure they don’t compromise the integrity of the company.
“Without visibility of endpoints you are blind in one eye as you only have partial visibility,” he said. “Endpoint visibility is the state of the endpoint changing and it gives you sight into what is happening.”
He explained that he sees more and more products offering visibility into the state of the machine, and he disagreed that it is not needed, as businesses need to encourage the benefits of detection and gaining visibility and protect against attacks.
“What will save you from fines will be detection in a certain period of time, and the only way to do that is visibility,” he said. “This is not an anti-virus model, this is admitting that machines could be compromised. If something has done something on your machine, you want to know what it did.”
Singh said that monitoring brings up connotations of being watched, but endpoint visibility can aid the state of compromise. Perhaps the state of forensic technology has moved fast after the “year of the breach” in 2014 and with big acquisitions in the managed service space, but on the endpoint – maybe this is a trend to watch as if it solves an issue and better aids an investigation, it is not worth dismissing.