Does Your Org Need A Digital Forensics Team? Probably Not (CSO Online disagrees)

Why you need a digital forensics team (and the skills to look for) by Karen Epper Hoffman:

In a world where enterprises are embracing the fact that breaches are not a matter of ‘if, but when,’ it is becoming increasingly important to develop internal and external resources to investigate and oversee the impact of attacks after they have happened.

Yes. This is where my opinion diverges.

Digital forensics is a relatively recent skills concentration

It’s not. I took a digital forensics class with SANS about 10 years ago. And when I hired someone for that role in Canada about 9 years ago I had many qualified candidates with experience to choose from.

one that does not necessarily require the same talents, expertise or background as other cybersecurity positions.

Also wrong. While forensics requires its own skill set, thinking it is divorced from the rest of security is absurd. Context is important, and not understanding security will make analysis ineffectual.

And while more enterprises are recognizing that they need such talent on the back-end, as it were, there are still holdouts that are entirely focused on detection and prevention, to their detriment.

Wrong. Just wrong. That’s like not getting checkups or taking medication and then, when illness happens, spending time and money to track down who in your family tree made you prone to the heart disease you need major surgery to fix.

“I think this is actually a misconception [that] organizations do not necessarily need to build out digital forensics teams in-house,” says Sean Mason, director of incident response for Cisco Security Services, adding that Cisco is building out its own forensic capability via its incident response services team. A key problem, Mason says, is “there is not enough talent to go around and, generally speaking, most organizations don’t have enough demand to require a full-time team on staff.”

Some companies and organizations absolutely should have this capability in house — large financial, energy, and government organizations leap to mind — but the bulk of companies either don’t need the capability as it would take resources away from higher ROI functions or could make no use of the data. Also, digital forensics is almost begging to be done as-a-Service. (Full disclosure: IBM employs me, offers this function as a service, and I consult with companies about this. My views on this are mine and not my employer’s. Cisco is an IBM partner btw.)

As I said, most companies aren’t mature enough to make use of the information even if they have it. If your security posture is already weak, what countermeasures can you hope to employ with such data?

Munish Walther-Puri, chief research officer at dark web monitoring company Terbium Labs, points out that digital forensics requires a combination of “investigation, intelligence, and innovation.”

Digital forensics teams are a complement to any IT team “because they figure out the who, when, when, where and why a bad actor came into the system,” says Avani Desai, president of audit and accounting firm Schellman & Co. “They help paint a picture of the incident and provide guidance on how to mitigate the risk of that happening again.” The forensics teams also take past data and processes and build upon them to make sure they have the tools to handle issues that are getting significantly tougher to solve, Desai adds.

Let’s say you figure out the “who, when, when (sic), where and why a bad actor came into the system”. The where bit might be actionable, but the rest? As an understaffed and underfunded IT or Security team, how will the knowledge that Russian organized crime attacked your company on a Tuesday a year ago change anything for you?

Darien Kindlund, vice president of technology for Insight Engines, a provider of natural language search technology, points out that digital forensics is “an important pillar in any security operations team, in order to assess and understand tools, tactics, and procedures (TTPs) used by attackers to compromise a firm. That way, the firm can stop future breaches using these same TTPs by new attackers. A firm’s ability to understand how these attacks work is directly tied to how effective their digital forensics team is.”

Again, in some contexts digital forensics can be useful, even valuable. But 99% of organizations and companies are better off hiring it out as-a-Service.

Time is not addressed here: digital forensics takes time. Time is not a security practitioner’s friend. By the time an in-house team provides actionable intelligence, it is probably too late. A service provider might be faster as they leverage what they see across multiple clients, but it still requires time.

My digital forensics criticisms also apply to a lesser extent to threat intelligence. What use are Indicators of Compromise (IOCs) if you’re unable to act on them?

There is still too much focus on attribution. Better security hygiene returns more value.

Here is a good guide: if you can’t make use of threat intelligence, then digital forensics is nothing but show.

Also, I disagree with the article’s implied definition of digital forensics. It is more than just outsider attack attribution. It is very valuable for dealing with malicious insiders, again after the fact. If your organization is litigious, such a team is invaluable.

Regardless, forensics plays a valuable role. As an internal team, a managed service, or an organizational goal, digital forensics can enrich a security team’s intelligence.