Drilling for Indicators

If you have used EnCase to drill into a device image, then you know what it means to be Geek-Master of the Universe. The ability to view raw disk, scan clusters, and browse sectors makes visible the data residue that might have lingered long after the delete key was pushed. This experience makes one pause before putting anything on a machine that would be best kept secret (a major hint to politicians).

Since EnCase hit our radar screens twenty years ago, it has been at the forefront of helping investigators collect evidence to solve computer crimes. To match the fast pace of cyber security, however, the EnCase team has had to shrink the gap between observation and response. That is, the time a human needs to observe, decide, and respond to an attack is too much for modern threats.

I had the opportunity to discuss this evolution last week with Anthony Di Bello from Guidance Software. As we shared sushi in the shadows of AT&T’s former headquarters at 185 Broadway, our conversation targeted the cyber forensic process shift from time units of weeks-months to minutes-seconds. “We’ve been serving cyber investigators for decades,” Anthony said, “and we’ve seen a massive shift in the pace of their work.”

Anthony was referring, of course, to the once-held conception of the expert cyber investigator having sufficient leisure time to casually ponder the circumstances of an attack. This image of forensic specialist as clever cyber sleuth, thoughtfully examining EnCase output, while glancing pensively out the window, puffing on a pipe and . . . OK, OK – I think you get the general gist of this: Investigators used to have time to think.

Today, they don’t. Instead, attacks occur at a rate that requires automation to close the gap between detection and response. I asked Anthony how this is done, and his answer made sense: “When you are in the response business, and you have to support the pace and frequency of cyber-related investigations,” he explained, “you need to be surgical in your processing of evidence and automate the discovery of interesting data relationships. Sifting through reams of data takes too long.”

The deep understanding of endpoint data honed through their forensic heritage, coupled with the advantages of automation, is what has led the Guidance team into the endpoint security business. With their focus on detection and response, it made sense to me that the efficiency gains achieved in supporting investigators could carry over to effective endpoint solutions. The secret sauce, of course, is automation.

My prediction, based on Anthony’s guidance (ahem), is that detection, response, and prevention will eventually converge to a lump of automated cyber analysis and intelligence. It will do this using the best available methods, and Guidance Software has the immense advantage of having been serving our industry for two decades. Not many companies can say that.

If you are already addicted to EnCase (join the club), then you’ve already heard the pitch from the Guidance team on how their technology extends to endpoints. If you’re not currently using EnCase, then you should consider giving Anthony a call and asking for advice on how current best practices in fast detection and response can be used to improve the cyber protection of your endpoints.

Let me know how it goes.