Security professionals face a variety of challenges every day. One particularly vexing issue is a lack of cybersecurity talent.
The cybersecurity talent shortage and the so-called Great Resignation can lead to gaps in security, an increase in insider threats and overworked employees, not to mention external threats like hacking and ransomware.
These gaps are particularly evident in Digital Forensics and Incident Response (DFIR), where, according to Exterro Forensics Evangelist Justin Tolman, the talent pool is short by some 600,000 people in the U.S. alone.
Digital forensics can help alleviate these challenges with solutions that collect evidence properly, automate workflows, function in Zero Trust environments and detect and mitigate insider threats. In a recent episode of Enterprise Security Weekly, Tolman described it as taking the mundane out of the daily workflow of those practitioners who are in such short supply, freeing them up to do more analytical work and receive more on-the-job training.
“The future of DFIR is automation,” he said. “We will always need DFIR professionals, but at a time where we have a shortage of skilled people, you want them to be able to focus on things like analysis.” In that respect, he added, “automation eliminates the mundane.”
Tolman and Enterprise Security Weekly host Adrian Sanabria also discussed the must-have elements of digital forensics, including defensibility, scalability, and accuracy. In a recent blog post, Exterro analyst Tim Rollins described those elements this way:
Data defensibility is one of the most critical elements of a forensic investigation. It represents the handoff from the organization’s IT investigators to the legal teams who will be using this digital evidence in court. To have value in the legal context, data from an investigation must be defensible – teams must be able to prove the data they started with during an investigation is the exact same data they ended with – otherwise it will never be admissible under the law. Investigators must therefore demonstrate a clear chain of custody, showing that the data presented has not been altered in transit, whether by human error or reviewer bias or malicious interference. Forensic toolsets should factor this in by including checks throughout the process - even down to low level imaging of an endpoint - to demonstrate that nothing has been changed. This avoids the potential of challenge to your evidence.
Scalability is another key attribute. Without high-capacity tools, there’s no way to manually manage the threat vectors at sufficient scale to cover all endpoints in a mid-sized or large organization. To be effective, the toolset must scale to allow analysis of all potentially affected endpoints with a single click.
Accuracy: All these features count for little unless organizations have confidence in the results of their forensic investigations. There is no room for doubt about the accuracy of the data; IT pros need to be sure they are looking at the right information when time is at a premium. So, when seeking a digital forensics tool, choose one that has demonstrated minimal false positives over a substantial period.