CIOs should be sure they don’t approach EDD solely as an IT issue. "Let your general counsel manage this," advises Matt Curtin, founder of the forensic computing consultancy Interhack. An attorney can best decide what records would be needed for legal proceedings. And he can set guidelines on cleansing transaction histories: "The longer you keep the data, the more you have to be subpoenaed," Curtin says, "so you’ll be hit for more [discovery] requests." That increases the chances that the other party will find your own errors and mistakes, he notes.

Focus on Investigation

While the "forensics" label may be misleading, EDD tools can help the enterprise investigate possible security and compliance breaches to identify where a true forensics investigation should take place or to understand a previous breach as part of an effort to strengthen enterprise defenses.

Curtin advises that enterprises consider EDD tools that provide search and query capabilities that in-house analysts can use to uncover clues about potential problems, not just canned detection rules. Having lots of monitoring systems isn’t that useful if you don’t know where to focus your attentions. EDD tools can help identify the problematic areas, "so you don’t bother with the rest of the data," he says. But systems that offer only canned analyses don’t let forensics experts do the kind of digging they need to do, forcing them to go through logs and databases manually. "Most companies today run the rules that come out of the box," notes John Summers, global director of managed security at the Unisys consultancy, but for EDD tools to be effective, "rules need to be specific to your business and processes." Good EDD analysis tools let you both customize the rules and conduct your own queries and searches, Curtin and Summers say.

It’s also key to remember that current real-time analysis tools focus on a specific type of monitoring, such as credit card fraud detection or intrusion detection, rather than provide broad, enterprisewide risk analysis.

Monitor at Multiple Levels

Vendors are increasingly focused on EDD as a way to get CIOs’ compliance money, says Unisys’s Summers. Early EDD tools just added reporting to the real-time event- monitoring capabilities offered by security event management (SEM) tools and appliances, he notes, but since summer 2005, vendors have been adding more "pragmatic" compliance-oriented services to the tools now relabeled as EDD. For example, tools that used to focus on firewall and intrusion detection logs are now examining database logs to monitor access to specific data, both to help assess compliance with data access policies and to identify data access patterns that may indicate fraud. By noticing a firewall breach that occurs 30 seconds before unusual database access, for instance, such tools can alert administrators of a possible identity theft. That might lead to an immediate shutdown of access to that database as well as a deeper look into past activities to see if the identity theft has been ongoing. Similarly, EDD tools are also now examining server logs for both compliance and security analysis, he says.