July 23, 2019

Why are organisations conducting forensic-state compromise assessments?

Effective management of cyber risk is sometimes not enough. Organisations are demanding a higher degree of certainty that the integrity of their business systems is not compromised. To achieve this, security leaders are relying on forensic-state surveys of their operating environment.

The Benefits of using Forensic-State Compromise Assessments

1. Incident Verification

Many organisations that have implemented SIEMs should by now appreciate that such technologies in themselves introduce several new problems, the greatest being the thousands of security alerts produced that need to be investigated. With many alerts being false positives, it is difficult to identify the truly important and actionable events, which results in ineffective use of valuable resources. Security teams need a process that allows their analysts to quickly verify events (SIEM alerts) and determine which are actually actionable and which can be ignored or filtered out. By leveraging forensic-state compromise assessments, security analysts can quickly run surveys of the target hosts to validate the SIEM alert, essentially eliminating the hours analysts would otherwise burn investigating a false positive alarm.

2. Cyber Assurance

A critical capability of an Information Security Program is to maintain a secure business environment. Information security leaders can achieve this and provide a high degree of assurance to their business through forensic-state compromise assessments. Cyber Assurance is achieved when the integrity of information technology systems can be validated. Blocking unknown or malicious traffic and relying on passive or reactive monitoring tools reduces risk but does not provide a high degree of assurance that business systems are not already compromised. Forensic-state compromise assessments, on the other hand, can deliver cyber assurance because they set out to answer the question, "Are we currently hacked?"

3. Post Incident Auditing

Following incident detection, containment and clean-up, two important questions still remain: were we able to detect the full scope of the breach, and did we therefore completely contain and clean up the threat? One of the greatest challenges for security teams is to verify the integrity of all operating systems within the business environment following detection of system compromise on a single endpoint or a group of endpoints. By running periodic or post-incident forensic-state surveys of all operating systems in the environment, the integrity of the IT infrastructure can be verified.

4. Mergers and Acquisitions

With mergers and acquisitions, two previously isolated organisations begin to integrate their information systems and infrastructure. This is achieved without the same level of attention to risk because there is naturally a higher level of assumed 'trust' established between the two organisations. However, this trust must be verified if the organisations are risk-averse and want to understand what risk they are taking on prior to interconnecting with the other organisation. It is extremely important to certify that the assets, network, and environment being acquired are free of breaches, malware, high-severity vulnerabilities, and cyber risk. This cyber due diligence can help M&A firms avoid downtime, data theft, and breach damage. During or directly following mergers and acquisitions, the firms involved can use forensic-state compromise assessments to validate the integrity and current security state of both organisations before establishing a higher degree of mutual trust.

5. Measure of Security Program Effectiveness

Security breaches are inevitable. Despite the advanced protective and detective controls used by many organisations to defend against cyber threats, organisations still continue to fall victim to advanced threats and human errors. Many security teams conduct penetration testing to look for security gaps in order to validate and improve their security posture. However, penetration testing is not designed to detect existing malware, breaches, and advanced attacks, so the opportunity to learn from how these occurred is not attained. By running periodic forensic-state compromise assessments, an organisation can validate the effectiveness of its existing security program by detecting systems that have actually been compromised.
