Your organization needs to be ready for a digital investigation to start at any moment. Maybe it’s a partner contacting you because they’ve noticed suspicious traffic coming from one of your servers, or your HR team has received a complaint about an employee. Maybe an investigation ticket has just been opened as the result of an internal whistleblower. Perhaps a watchdog complaint has been filed.
Regardless of the issue, time is of the essence. This is especially true when intentional wrongdoing is underway – it’s amazing how many computers are “lost” or “stolen” right around internal investigation time.
The longer it takes an organization to investigate a given incident, as evidence is overwritten and destroyed or damage escalates, the greater the risk and repercussions to the organization. In response to this, digital regulations not only outline the trigger events for a digital investigation, but also specify that the investigation must be initiated soon after the trigger. Consider Sarbanes-Oxley Section 301(4) or PCI DSS section A.1.4: SOX specifically states that an investigation must be carried out “promptly,” and PCI DSS requires that it be carried out in a “timely” manner.
Particularly in the case of an incident investigation, measured cost savings can be realized for an organization that can facilitate a rapid investigation in response to a suspected breach.
Ponemon’s 2011 Cost of Cyber Crime study found that a prompt response can minimize the cost of cyber attacks, which often result in data breaches or a disruption of operations. According to the report:
“Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18-day period. This represents a 67 percent increase from last year’s estimated average cost of $247,744, which was compiled for a 14-day period. Results show that malicious insider attacks can take more than 45 days on average to contain.”
The investigation stage of incident response is critical to ensure the entire scope of a suspected breach is realized in order to confidently contain the threat. In order to cut costs and minimize risk, that initial investigation needs to be fast and comprehensive. Additionally, in the case of suspected insider involvement, investigators often don’t want to tip the subject off that an investigation is underway. Investigations must be clandestine as well.
EnCase Enterprise enables fast, remote, covert corporate investigations. With EnCase, a tiny, passive software agent can be placed on each system, either in advance or during the first stage of an investigation. Investigators can then access the agent and analyze the system over the network. This subtle exploration provides both speed and privacy. Time is saved because investigators don't need to be dispatched to a physical location. By enabling this over-the-network analysis, EnCase provides prompt and covert investigatory capability.
A percentage of accusations will always be completely baseless; some accusations will be vague, and in the case of a suspected breach, the initial information available will be limited. EnCase excels at helping investigators during the early, ambiguous phase of their cases.
The “First Look” option within EnCase enables IT investigators to preview a suspected system to see if there is any substance to an accusation or validity to a security alert, without revealing any visible indication that an investigation is underway. If, or when, an investigator determines that a deeper investigation is merited, the same infrastructure enables an analysis of the system software, memory, and data. The investigator, guided by internal policies, might choose to take additional actions depending on what is uncovered.
As the number of investigations increases, along with the number of industry and government regulations, swift, comprehensive, and accurate triage will help investigators to more wisely allocate expertise and personnel for maximum impact. This intelligent use of resources is your “force multiplier.” It makes it possible for centralized resources (both investigators and auditors) to perform more investigations, more quickly, without the expense and delay of travel. Local “hands-on” work can be restricted or avoided altogether, without compromising the quality of the investigation or the authenticity of the evidence.
So while the number and complexity of investigations may be on the rise, thankfully there is technology available that will not only enable investigators to keep up, but excel at doing so. If you are interested to learn more about what to consider when implementing an investigative framework for compliance, check out our recent webinar on the topic here.
Find this interesting? Follow me on Twitter @CyberResponder