Cut Costs and Save Time with the Latest in Digital Forensics

According to the 2015 Global Cost of Cyber Crime study, the cost of dealing with cyber-attacks can rise significantly if not resolved quickly. So, as the speed of business gets faster in a digitally transformed world, it’s essential that an organization evolve in the way it responds to cyber incidents, whether they infiltrate from the outside or arise from within.

No company today can afford to be left behind: That’s why the latest in digital forensics and incident response tools, technologies and processes can help save time and money in collecting, identifying and preserving digital evidence in the case of an attack. 

Keep in mind, attacks have not substantially increased over the past decade. However, they have become more public and prominent, thanks to the customer and client data that these data breaches release and the social media that quickly amplifies and spreads such news, says Ed Goings, Principal and National Partner in Charge of Forensic Technology Services at KPMG.

“Previously, when companies had these breaches you either never knew it or didn’t recognized it, because it wasn’t made public,” he says. Now, as more information is quickly and widely publicized, there is added regulatory authority and more law enforcement focus on these types of attacks. “In addition, organized crime organizations have figured out it’s a lot easier to steal money by hacking and downloading personally-identifiable credit card information than walking in and robbing a bank,” he says. 

Reputational Issues Are at Stake

With their reputations at stake, companies know that what they can discover within the first 48 hours of a cyber breach is essential. Some of today’s well-known breaches were 6-8 months in the making before discovery, says Goings. “It’s critical to triage the incident,” he says. “Computer systems hold evidence before they are written over — you risk log retention running out and not being able to look back and identity who, what, where, why and how.”

Doing this quickly however, has long been easier said than done. For example, a security operations alert requiring a review of a server  entails a root cause analysis that includes memory collection and analysis; hard disk collection; file execution analysis; timeline creation; remediation recommendations and documentation of findings.

And it isn’t just outside infiltration that’s an issue when it comes to cyber-threats, either. Securing the perimeter tightly doesn’t reduce the risk of insider threats that can have equally significant consequences on a company’s reputation and data safety. For example, workers can click on a rogue link, or accidentally open malware that circumvents carefully laid-down security. Disgruntled employees can decide to do damage to corporate networks, or steal intellectual property such as master client lists. Rapid response to these internal threats, says Goings, is essential — but there are many tasks to deal with, including hard disk collection; removable storage device analysis; jump list analysis; Internet history review; and file deletion activity. 

Basically, it’s all about stopping the bleeding immediately to minimize the damage, says Goings. “The first question asked is usually, ‘What is the extent and how do I stop it?’ You don’t want to end up in a months-long investigation that costs millions, where you have to recreate evidence,” he explains.

Automated digital forensics can save time and reduce costs

So how do companies do more and do better in terms of addressing cyber-threats, but at a lower cost and a faster pace? The answer is to move beyond a traditional and manual consulting approach, and toward one that is digital and automated, says Goings.

“If there is an incident where a client knows malware got launched on one PC but they don’t know anything beyond that, traditionally a consultant would need to respond by going directly to that physical machine and creating evidentiary copies — and then taking it back to the lab and analyzing the data and pulling artifacts together in a time frame just for that one PC,” he says.

That, however, can take anywhere from 2-5 days before critical findings get back to the client — during which time PR problems can quickly take hold. In addition, costs can spiral, with an average of 20 hours at several hundred dollars per hour to do that type of work. Those costs, which tend to be unpredictable and inconsistent, can also grow further, depending on what is found in old encrypted file systems and whether there are more investigative leads to follow — perhaps malware touched several other PCs, for example, which leads one investigation to grow larger.

By automating these functions with the latest in digital forensics tools, rather than an analyst doing the work manually, the time and, therefore, cost to the organization — including consulting costs — is reduced. “You no longer have to send somebody out to the site and nothing is installed on the PC, so it does not leave residual traces,” says Goings.

In just a couple of hours at a fixed cost, digital forensics tools can automatically process the data on the back end, using advanced forensic data analytics techniques. The data is then uploaded and a tailored report is delivered, which an in-house analyst can review. “Within a matter of hours, the organization can have the answers they need,” says Going.

Demand is accelerating for a cost-efficient, yet effective and accurate, solution to cyber-attack response. With the latest digital forensics services, what was inconsistent and unpredictable becomes consistent, normalized and standardized. Companies no longer need to spend precious resources for a highly experienced analyst to do the work. Instead, digital tools can provide a repository of the knowledge and artifact of cyber-response, with a set of tested and reliable processes.                  

To learn more about KPMG Digital Responder and Cyber Response services, visit KPMG’s website for additional insights.