Ultimately, it boils down to the organisation’s ability to create, and effectively use, an intelligent set of rules that filter the evidence digital forensics correlates, looking for pre-determined behaviour or system configuration changes it is not expecting.
For example, the use of a privileged identity can be a key indicator of suspicious activity, especially in applications that would not normally require admin rights to run. Take a web browser, for instance: if it were to ask for admin rights, any early warning system should flag that something untoward may be about to occur.
From this proactive position, the organisation should then reactively qualify the request to determine its legitimacy. It could be something benign, such as installing a trusted ActiveX control, or it could be sinister, such as a drive-by download that is trying to gain admin rights to take control of the system.
A further complication for organisations is making timely use of the information generated by the disparate security systems in use across the enterprise. If you don’t have the ability to process and make sense of all of that information, then ultimately it’s just more data taking up room.
Instead, the data needs to be fed into a single repository capable of processing this very large constant flow of high bandwidth information and alerting those responsible when something erroneous occurs.
For an organisation to be able to identify the one little nugget that might suggest something bad has happened, or is about to happen, it needs good rules. Otherwise it risks the clues being missed and the alert not sounding or, if the rules are too sensitive, the alert being hidden amongst all the generated ‘noise’.
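As an added illustration of the two points above (the browser asking for admin rights, and rules that must catch the nugget without drowning it in noise), here is a small rule engine over constructed endpoint events. This is example code written for this page, not a product or a tool the article describes; the event format, the process and account lists, and the rule names are all assumptions.

```python
"""Rule-based triage of endpoint events (added example; hypothetical agent format)."""
from dataclasses import dataclass

# Processes the organisation expects to ask for admin rights (assumed, drawn from
# a software inventory in practice). Anything else requesting elevation is suspect.
EXPECTED_TO_ELEVATE = {"msiexec.exe", "setup.exe", "mmc.exe"}

# Interactive, internet-facing programs that should never run under an admin identity.
INTERNET_FACING = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"}

# Accounts that carry admin rights (constructed names).
PRIVILEGED_ACCOUNTS = {"alice-adm", "svc-deploy"}

# Constructed sample events in the shape a hypothetical endpoint agent might emit.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "ws01", "user": "alice",
     "process": "msiexec.exe", "action": "elevation_request"},
    {"ts": "2024-05-01T09:02:14", "host": "ws01", "user": "alice",
     "process": "chrome.exe", "action": "elevation_request"},
    {"ts": "2024-05-01T09:02:15", "host": "ws01", "user": "alice",
     "process": "chrome.exe", "action": "elevation_request"},   # repeat of the previous
    {"ts": "2024-05-01T09:05:40", "host": "ws02", "user": "alice-adm",
     "process": "firefox.exe", "action": "process_start"},
    {"ts": "2024-05-01T09:06:00", "host": "ws02", "user": "bob",
     "process": "firefox.exe", "action": "process_start"},
]


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    host: str
    user: str
    process: str


def rule_unexpected_elevation(ev):
    """Flag an elevation request from any process not on the expected list.
    A browser asking for admin rights is the high-severity case from the text."""
    if ev["action"] != "elevation_request":
        return None
    proc = ev["process"].lower()
    if proc in EXPECTED_TO_ELEVATE:
        return None
    severity = "high" if proc in INTERNET_FACING else "medium"
    return Alert(severity, "unexpected_elevation", ev["host"], ev["user"], proc)


def rule_privileged_identity_interactive(ev):
    """Flag a privileged identity launching an internet-facing program."""
    proc = ev["process"].lower()
    if (ev["action"] == "process_start"
            and ev["user"] in PRIVILEGED_ACCOUNTS
            and proc in INTERNET_FACING):
        return Alert("high", "privileged_identity_interactive",
                     ev["host"], ev["user"], proc)
    return None


RULES = [rule_unexpected_elevation, rule_privileged_identity_interactive]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def evaluate(events, rules=RULES, min_severity="medium"):
    """Run every rule over every event from the central repository.
    Two noise controls: a severity floor, and suppression of an alert that is
    identical (same rule, host, user, process) to one already raised."""
    seen = set()
    alerts = []
    for ev in events:
        for rule in rules:
            alert = rule(ev)
            if alert is None:
                continue
            if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[min_severity]:
                continue
            if alert in seen:
                continue
            seen.add(alert)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

On the sample events the engine raises exactly two alerts: the browser's elevation request (once, the repeat is collapsed) and the admin account launching a browser; the legitimate installer elevation and the ordinary user's browser launch produce nothing. Raising `min_severity` to `"high"` is the knob the text describes: it quiets medium-severity findings at the cost of possibly hiding a genuine clue.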
As you can see, this balancing act is exceptionally complex. Organisations need to build, or deploy, intelligent tools capable of dealing with the volume of information. It’s about understanding what to look for and using powerful tools to accurately identify something truly malicious that requires intervention.
If this expertise lies in house then that’s fantastic. Alternatively, solutions are available that offer and deliver the necessary intelligence.
While some might argue that prevention is better than cure, even the best antidote will need an initial injection of venom to stimulate the production of antibodies.
Digital forensics will become increasingly important as part of a security program. Can you afford to let the clues slip through your virtual fingers?