By Michael Tanji
If you are of a certain age you remember what it was like to work on your own car. Today, about the only thing people do to their cars is put gas in them. Unless you drive like you are in a demolition derby, fixing a problem with your car is a pretty rare occurrence. The flip side of that coin? A lot of people have no idea what to do if their car does not start or if it starts to shake or smoke. They cannot troubleshoot problems, much less fix them. All they know is a light on the dash came on and then the car would not work, so they called someone else who fixed it.
There is a parallel between knowledge about automobiles and knowledge about cybersecurity. Because you may not know what to do if something bad happens to your systems, you need your own cybersecurity help line — a firm you can call for help when you get attacked. In cybersecurity circles, what you are looking for is a DFIR company. DFIR stands for “digital forensics and incident response,” and those are the skills you need to clean up the mess you are in and get back to work.
Digital forensics (DF) is exactly what it sounds like: looking at digital evidence to determine how something (a policy violation, a data breach, etc.) happened. Maybe it was a hack from an external actor, or maybe it was one of your own people carrying out some kind of fraud. Regardless, someone has to go through the system logs, hard drives, and other data associated with the event in question to gather evidence and piece together what, when, and how it happened.
If digital forensics is the “crime scene investigation” team, incident response (IR) is the “paramedics.” When you have been breached and you need someone to help you get the bad guys out and get back to a known good state, you need an IR team. They stop the bleeding, get things stabilized, and initiate a course of treatment that will get your systems — if not exactly “cured” — at least not dying.
Why Engage a DFIR Company Now?
Unless yours is a company of sufficient size, and/or in a high-risk line of business, DFIR skills are probably not something you want to maintain in-house. The software required can be expensive, the certifications are expensive to earn and maintain, and if you do not routinely use the skills, they atrophy.
DFIR companies do not hurt for work. They are constantly busy, and the number of prospective customers they have to turn away because of a lack of capacity can be substantial. One of the best ways to ensure that you will have the expertise you need, when you need it, is to establish a relationship with a service provider now. A little time and effort to build rapport and trust now — along with a reasonable retainer — will pay dividends when you-know-what hits the fan.
The best laid plans can go sideways on a moment’s notice. When that happens, you want to be able to pick up the phone and have people with the expertise you need show up. Identifying those people and establishing a relationship with them, so that they will not only take your call but respond in a timely fashion, is an important part of reinforcing your security posture. Companies without such relationships are forced to wait at the end of the line when something goes wrong, or are simply left out in the cold, which is not where you want to be.
The author, Michael Tanji, is the Global Marketing Officer and Chief of Staff at the Global Cyber Alliance. You can follow him on Twitter or connect with him on LinkedIn.