The notification chain when a breach is suspected


Many IT departments are investing significant time and money on log management or security incident and event management tools. It might be to meet a regulation or mandate -- Payment Card Industry standards, for instance -- or to better understand what is happening in the computing environment. Such tools enable the administrators to take a lot of disparate bits of event information, correlate them and present them in a way in which it's easy to spot anomalies.

What happens when the person monitoring the log management or SIEM dashboard sees something a little out of the ordinary? He drills down for details, of course. But what happens (or should happen) when those details begin to suggest something ominous, such as a data breach or corporate fraud? At this point, a lot of care needs to be taken in how the log data is handled and who must be notified of the situation. How the data is handled could impact whether or not it can later be used as evidence in a criminal or civil charge. Who is notified of the suspected breach and how they contribute to the investigation is another delicate matter.

A few weeks ago, we provided best practice tips on preserving log data for a forensic investigation (see "Using computer log data to support a forensic investigation" here). In this article, we'll discuss the notification chain and how other experts support the investigation and its fallout.

Not every blip on a log management or SIEM dashboard means that a serious problem has occurred; more often than not, the incident is benign. However, if the drill-down data suggests that a serious breach might have occurred and a forensic investigation is called for, the company should follow protocol for who must be involved and when they need to be engaged.

According to Eric Knight, senior knowledge engineer with LogRhythm, "When an investigation becomes a forensic investigation, an organization has determined that something happened either accidentally or illicitly, and the organization's chain of command will ultimately revolve around the person or group that has the power of attorney for the organization. Many times this will be the legal department, but in many smaller organizations, this can be the company president." This group or person decides how to proceed -- directing what is to be researched, and who will be contacted and when, in order to further the investigation.

If the initial data indicates that the incident could be linked to an internal worker such as an employee or contractor, the human resources department must be engaged. The investigation of an internal employee is a delicate matter. According to Knight, "During any investigation, once a face and name is recognizable in an organization, the tone of the investigation must change from one of being an internal review and to one of dealing with the realities of the legal issues that surround the potential termination of an employee. For example, HR needs to know that there are no racial, sexual or age discrimination, or harassment type of concerns."

If the company suspects that sensitive data might have been accessed -- especially if it's data protected by legislation or mandate, such as cardholder data or Social Security numbers -- it's time to consult with an external computer forensic expert. This person or group will assist in the methodical process of information gathering and evidence collection. This process ensures that the evidence has been collected accurately and that there is a clear chain of custody from the scene of the crime to the investigator -- and ultimately to the court.
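The two practical points above -- that log data must be handled so it remains admissible, and that the chain of custody from the scene to the investigator must be clear -- come down to recording who held the evidence, when, and proving it was not altered along the way. The script below is an added example written for this article, not code from the author or from LogRhythm: it hashes a preserved log file at acquisition, appends a custody entry at each hand-off (SIEM analyst, legal, forensic examiner, law enforcement, all hypothetical handler names), and flags any hand-off where the hash no longer matches the acquisition hash. The log lines and file name are constructed for illustration.

```python
"""Chain-of-custody ledger for preserved log files.

Added example (not from the article): each time the evidence changes hands,
the handler re-hashes the file and appends an entry; any entry whose hash does
not match the acquisition hash breaks the chain. Handler names, file name and
log contents are all constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(path, ledger, handler, action, note=""):
    """Append one custody entry: who handled the evidence, what they did, and
    the SHA-256 observed at that moment. The ledger is a plain list of dicts
    that can be written out with json.dumps for the case file."""
    entry = {
        "seq": len(ledger) + 1,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "note": note,
    }
    ledger.append(entry)
    return entry


def verify_chain(ledger):
    """Return (ok, problems). The chain holds only if every entry reports the
    same hash as the acquisition entry and the sequence numbers are unbroken."""
    if not ledger:
        return False, ["empty ledger"]
    problems = []
    baseline = ledger[0]["sha256"]
    for i, entry in enumerate(ledger, start=1):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap or reorder")
        if entry["sha256"] != baseline:
            problems.append(
                f"entry {i} ({entry['handler']}, {entry['action']}): hash mismatch")
    return not problems, problems


def demo():
    """Walk a constructed log file through acquisition, two hand-offs and an
    unrecorded edit; returns the ledger and the verification results."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "auth.log")
    # Constructed sample log lines standing in for the preserved SIEM export.
    with open(evidence, "w") as fh:
        fh.write("Mar 02 03:14:07 host sshd[412]: Failed password for admin from 203.0.113.9\n")
        fh.write("Mar 02 03:14:09 host sshd[412]: Accepted password for admin from 203.0.113.9\n")
    ledger = []
    record_custody(evidence, ledger, "siem-analyst", "acquired", "export from SIEM to write-once share")
    record_custody(evidence, ledger, "legal-counsel", "received", "case opened")
    record_custody(evidence, ledger, "forensic-examiner", "received", "imaged for analysis")
    ok_before, _ = verify_chain(ledger)
    # Simulate an edit to the evidence that nobody recorded, then the next hand-off.
    with open(evidence, "a") as fh:
        fh.write("Mar 02 03:15:00 host sshd[412]: Disconnected from 203.0.113.9\n")
    record_custody(evidence, ledger, "law-enforcement", "received", "handed to investigator")
    ok_after, problems = verify_chain(ledger)
    return ledger, ok_before, ok_after, problems


if __name__ == "__main__":
    ledger, ok_before, ok_after, problems = demo()
    print(json.dumps(ledger, indent=2))
    print("chain intact before edit:", ok_before)
    print("chain intact after edit:", ok_after, problems)
```

The ledger is deliberately append-only and carries the hash in every entry rather than only at acquisition, so a later reviewer can see exactly which hand-off introduced a change; in practice the ledger itself should live on write-once storage or be signed, since an attacker who can edit the evidence can usually edit a plain JSON file beside it.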

The forensic examiner can advise when it's time to call in law enforcement, such as the police or the FBI, for both criminal and insurance purposes. Even if the victim company doesn't have a crime to report, it might still want to claim a loss for tax purposes or damages on its business insurance. In the case of an insurance claim, the business must first open a case with law enforcement. The insurance carrier should be notified only after the nature of the damages has been determined.

"There's a lot of concern about being able to prove an incident," Knight says. An organization with lax internal controls and little documentation of the processes and controls in place is going to have a hard time proving that it lost information the business depends on, such as intellectual property like trade secrets. As such, the onus to prove damage will fall upon the business.

The forensic investigation can help demonstrate that a business process was interfered with, causing business interruption. According to Knight, "It all gets back to how you secure things. You are demonstrating that you secure business processes more than just securing computers. When you secure a process you can demonstrate that a process was interfered with. As such, you can prove damages and you can demonstrate the risk assessment associated with it."

Firing employees. Prosecuting crimes. Claiming business interruption on financial statements. These activities seem a far cry from that blip on the SIEM dashboard, but even the mightiest mountain started out as a molehill at some point.

Copyright © 2009 IDG Communications, Inc.
