The notification chain when a breach is suspected
IT Best Practices Alert
By Linda Musthaler and Brian Musthaler, Network World, 07/02/2009
Many IT departments are investing significant time and money in log management or security incident and event management tools. It might be to meet a regulation or mandate -- Payment Card Industry standards, for instance -- or to better understand what is happening in the computing environment. Such tools enable administrators to take a lot of disparate bits of event information, correlate them and present them in a way that makes anomalies easy to spot.
What happens when the person monitoring the log management or SIEM dashboard sees something a little out of the ordinary? He drills down for details, of course. But what happens (or should happen) when those details begin to suggest something ominous, such as a data breach or corporate fraud? At this point, a lot of care needs to be taken in how the log data is handled and who must be notified of the situation. How the data is handled could affect whether or not it can later be used as evidence in a criminal or civil case. Who is notified of the suspected breach and how they contribute to the investigation is another delicate matter.
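The two steps above, drilling down on a dashboard anomaly and then handling the underlying log data carefully once it starts to look like evidence, can be illustrated with a small script. This is an added example, not code from the article or from any SIEM vendor; the log format, the field names, the "five failures then a success within five minutes" rule and the host and IP values are all constructed for illustration. It correlates authentication events per source address, and when a rule fires it snapshots the raw lines involved and records a SHA-256 digest so that anyone later in the notification chain can confirm the data has not changed since it was pulled.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). One source address makes
# five failed logins across two hosts and then succeeds; a second address shows
# the ordinary single typo-then-success pattern that should not be flagged.
SAMPLE_LOGS = [
    "2009-07-02T09:00:01 host=web01 user=jsmith result=FAIL src=10.0.0.7",
    "2009-07-02T09:00:12 host=web01 user=jsmith result=FAIL src=10.0.0.7",
    "2009-07-02T09:00:30 host=web01 user=admin result=FAIL src=10.0.0.7",
    "2009-07-02T09:00:45 host=db01 user=admin result=FAIL src=10.0.0.7",
    "2009-07-02T09:01:02 host=db01 user=admin result=FAIL src=10.0.0.7",
    "2009-07-02T09:01:20 host=db01 user=admin result=OK src=10.0.0.7",
    "2009-07-02T09:02:00 host=web01 user=mlee result=FAIL src=10.0.0.9",
    "2009-07-02T09:02:10 host=web01 user=mlee result=OK src=10.0.0.9",
]


def parse_line(line):
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Correlate disparate auth events by source address.

    Flags a source that accumulates `threshold` or more failures inside
    `window` and then logs a success; the rule is a hypothetical one chosen
    for the example. Returns one finding per such sequence.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        recent_fails = []
        for e in evs:
            if e["result"] == "FAIL":
                recent_fails.append(e["ts"])
                # keep only failures still inside the sliding window
                recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
            elif e["result"] == "OK" and len(recent_fails) >= threshold:
                findings.append({
                    "src": src,
                    "user": e["user"],
                    "host": e["host"],
                    "failures": len(recent_fails),
                    "success_at": e["ts"].isoformat(),
                })
                recent_fails = []
    return findings


def preserve_evidence(lines, finding):
    """Snapshot the raw lines behind a finding and hash them before escalation.

    The digest lets the legal department, outside counsel or an examiner
    verify later that the lines handed to them are the ones pulled at the time.
    """
    relevant = [l for l in lines if parse_line(l)["src"] == finding["src"]]
    blob = "\n".join(relevant).encode("utf-8")
    return {
        "finding": finding,
        "line_count": len(relevant),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "lines": relevant,
    }


def verify_evidence(record):
    """Recompute the digest over the stored lines; False means the set changed."""
    blob = "\n".join(record["lines"]).encode("utf-8")
    return hashlib.sha256(blob).hexdigest() == record["sha256"]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        record = preserve_evidence(SAMPLE_LOGS, finding)
        print("finding:", finding)
        print("preserved", record["line_count"], "lines, sha256 =", record["sha256"])
        print("verifies:", verify_evidence(record))
```

The digest is computed over the exact raw lines, not over the parsed fields, because it is the original records that would be produced as evidence; re-running `verify_evidence` on the record after it has been copied or forwarded is the cheap check that nothing was dropped or edited along the way.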
A few weeks ago, we provided best practice tips on preserving log data for a forensic investigation (see "Using computer log data to support a forensic investigation" here). In this article, we'll discuss the notification chain and how other experts support the investigation and its fallout.
Not every blip on a log management or SIEM dashboard means that a serious problem has occurred; more often than not, the incident is benign. However, if the drill-down data suggests that a serious breach might have occurred and a forensic investigation is called for, the company should follow protocol for who must be involved and when they need to be engaged.
According to Eric Knight, senior knowledge engineer with LogRhythm, "When an investigation becomes a forensic investigation, an organization has determined that something happened either accidentally or illicitly, and the organization's chain of command will ultimately revolve around the person or group that has the power of attorney for the organization. Many times this will be the legal department, but in many smaller organizations, this can be the company president." This group or person will make the decision on how to proceed -- directing what is to be researched, who will be contacted and when to further the investigation.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.