Security Pros Need Forensics Skills
Why Expertise is Growing in Importance
Digital forensics is a branch of computer science that focuses on developing evidence pertaining to digital files for use in civil or criminal court proceedings. Experts investigate networks, systems and data storage devices.
"Forensics today constitutes 8 percent to 10 percent of my security group's role," says Greg Thompson, security manager at Canada's Scotiabank and (ISC)2 advisory board member.
Thompson's security group investigates external and internal fraud, extortion and security breaches. Security practitioners often investigate these events by applying digital forensics to access logs, analyze data and monitor systems.
Digital forensics is growing in importance as companies work to comply with federal and state regulations that affect many industries, including banking and healthcare, and that require organizations to quantify how much customer information was exposed during a breach. These investigations frequently call for digital forensics, for example to analyze the impact of malware.
Expertise in digital forensics is a core competency for today's security professionals, says Marcus Ranum, chief security officer at Tenable Network Security Inc. "How else can they know what happened, what was the damage to networks and systems and analyze the horizontal spread of the attack?"
An understanding of digital forensics is crucial to career growth for network security engineers, incident response experts, system administrators, patch management experts and professionals dealing with host-based security, says Rob Lee, director and IT forensics expert at Mandiant, a Washington-based information security software and services firm. He is also a certified forensics instructor at the SANS Institute. When a security incident occurs, these professionals "should know what they are looking for and what their actions should be," Lee says.
A good starting point for security and network professionals is to become familiar with how to analyze laptops, workstations and network traffic to trace and detect unusual activities at the end-user level.
A security professional's use of digital forensics will depend largely on whether their focus is on monitoring the actions of insiders, providing litigation support, or providing damage containment and incident response, Ranum says. "It's important to be able to decide early on whether security folks need to get into details involving evidence handling, which can get complicated, or primarily be concerned with supporting an incident response."
Digital forensics has growing legal implications. In the event of an incident, security professionals need to ensure that they do not harm the integrity of the data. "It is crucial for them to know what they cannot do in such cases, to prevent further damage," says Robert Brammer, chief technology officer at Northrop Grumman. "If a legal chain of custody is not maintained, getting a successful prosecution or civil litigation will be difficult."
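The integrity and chain-of-custody point above is usually enforced in practice by hashing evidence at acquisition and re-checking that hash at every handoff. The following is an added illustration, not code from the article or any of the firms quoted in it; the item ids, handler names and the stand-in disk image are constructed.

```python
# Added example: a minimal chain-of-custody log for a forensic image (not code
# from the article). Each handoff re-hashes the evidence and is flagged when the
# hash no longer matches the value recorded at acquisition, so alteration is
# caught at the first handoff rather than in court. Sample data is constructed.
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _event(action: str, handler: str, note: str, digest: str) -> dict:
    return {"action": action, "handler": handler, "note": note, "sha256": digest,
            "time": datetime.now(timezone.utc).isoformat()}

def record_acquisition(evidence: bytes, item_id: str, handler: str, note: str) -> dict:
    """Open a custody log; the acquisition hash is what every later handoff is checked against."""
    return {"item_id": item_id,
            "events": [_event("acquired", handler, note, sha256_hex(evidence))]}

def record_handoff(log: dict, evidence: bytes, handler: str, note: str) -> bool:
    """Append a handoff event; returns False and marks the event when the evidence
    no longer matches the acquisition hash."""
    expected = log["events"][0]["sha256"]
    actual = sha256_hex(evidence)
    event = _event("handoff", handler, note, actual)
    event["intact"] = actual == expected
    log["events"].append(event)
    return event["intact"]

def custody_intact(log: dict) -> bool:
    """True only if every recorded hash equals the acquisition hash."""
    expected = log["events"][0]["sha256"]
    return all(e["sha256"] == expected for e in log["events"])

# Constructed stand-in for a disk image; a real workflow hashes the image file.
DISK_IMAGE = b"MBR\x55\xaa" + b"\x00" * 64 + b"user-docs"

if __name__ == "__main__":
    log = record_acquisition(DISK_IMAGE, "HDD-001", "analyst-a", "imaged with write blocker")
    print(record_handoff(log, DISK_IMAGE, "analyst-b", "received for malware triage"))  # True
    print(record_handoff(log, DISK_IMAGE + b"x", "analyst-c", "received for review"))   # False
    print(custody_intact(log))  # False
```

The log itself should be stored separately from the evidence and signed or write-protected; the hash check only proves that the bytes are unchanged, not who changed them.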
Thompson believes the best way to learn about digital forensics is to obtain training at schools or certification bodies, including the International Association of Computer Investigative Specialists, the SANS Institute and the International Information Systems Forensics Association. "The main skill is developing a creative mind-set to think like an attacker in responding to the situation," he says. He advises security professionals to take online courses, seek help from professionals with law enforcement backgrounds and learn on the job. In particular, he encourages developing expertise in forensic investigations of mobile devices, firewalls and malware.
Lee suggests security professionals involved in network security and incident response volunteer to take on additional responsibilities in forensics. "Get pushy about learning new skills and growing in your career," he says.
Security professionals, however, need to fully understand that their involvement in forensics is much more than "what they see on CSI or other police dramas on TV," Thompson adds.