#17 on our list of “Top 20” SOC Capability Areas is the broad category of Digital Forensics. This is a domain of hardcore computer systems engineering; demanding deep knowledge of system internals, kernel architectures, assembly and machine languages, security models, weakness and vulnerability patterns, attack patterns, etc.
More serious compromises will often require some level of digital forensics. Depending on the severity of the circumstances, this typically involves a range of specialized forensic analysis capabilities, used by experienced (often certified) forensic Analysts, following strict “eDiscovery” processes for evidence gathering, analysis, and handling.
With the scope of responsibility for many Security Operations teams now growing to include any mobile device on their network, transient “container” systems running in off-premise “clouds” (= someone else’s datacenters), and even ICS/SCADA and IoT systems and devices, the challenge of Digital Forensics is growing exponentially.
The range of capabilities in this area is quite broad; including network forensics, computer forensics, mobile device forensics, database forensics, forensic data analysis, malware analysis (reverse engineering), tradecraft analysis, etc. Note that many of these forensics capabilities will rely upon the Instrumentation/Sensor capabilities and Security Controls already deployed across the organization.
Because of the demand here for Analysts with very specialized experience, and the range of forensic analysis capabilities involved, most small-to-medium size Security Operations teams choose to outsource this activity to companies that specialize in it. Something we strongly recommend.
Organizations that opt to perform some level of forensic analysis internally should plan to dedicate significant resources in both technology and the certified personnel to use it; and should plan to incrementally evolve their in-house team and capabilities over time.
This article barely scratches the surface of the need for Digital Forensics Analysis capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Digital Forensics Analysis capabilities to support your own Security Operations efforts.