According to Simon Perry, VP of Security for CA, the launch of the Microsoft Vista platform will bring systems that are encrypted at the disk level by default. If a successful investigation of a security breach relies on the data on a computer’s drive being accessible to an investigator, then locking out that investigator by encrypting the data means all bets are off. While encryption has been a capability for years, most people doing bad things don’t take the steps necessary to cover their tracks. Encryption by default means that, without the user’s credentials, it will no longer be possible to investigate user behaviour at the disk level.
The result? Network forensics is rapidly becoming the next big thing in IT security.
And we have already seen a great deal of traction with vendors like Paraben and Guidance Software. The greatest threat these days (and this has been discussed for some time now) is the insider threat. We see issues time and again, like the problem of USB devices and iPods in the workplace. Now, as the technology improves, we see the ability to tie products such as EnCase together with intrusion detection systems like ISS SiteProtector, which will allow security staff to automate some of their responses. As well, we have the growing use of centralized logging. This is a practice that most (if not all) enterprises should really be leveraging: not just as a tick box on an audit, but for forensic investigation and troubleshooting. A couple of vendors that I like are Network Intelligence and ArcSight. None of this is new. Rather, this is something that is gaining greater acceptance in the marketplace.
Some large organisations, particularly in the financial services sector, have had dedicated forensics departments for years, investigating activity such as employee fraud. Within the conventional law-enforcement community, the lack of expertise and resources for investigating computer crimes has meant private organisations have to take it upon themselves to investigate suspected cases of IT fraud or misuse, gathering the necessary evidence to take action against employees or hand over for prosecution.
For the rest of Perry’s article, read on.