Archive for the ‘e-discovery’ Category

The spanner in Federal Cloud Computing

Friday, December 16th, 2011

Vivek Kundra’s legacy was to set in motion a deep change in the IT landscape for the Federal Government. The last few years saw many sceptics express doubts about the government moving to the cloud, but the rudder did turn, and it is now obvious how deep the Fed is in this turn, addressing the challenges of procurement (e.g. Apps.gov), security and simplified accreditation (FedRAMP). However, a recent Presidential Memorandum on Managing Government Records, released on November 28, 2011, sets a pretty significant hurdle for agencies that use public cloud providers to jump over, let alone comply with for internal systems. Specifically, it requires agencies to address “managing electronic records, including email and social media, deploying cloud based services or storage solutions…supporting agency compliance with applicable legal requirements related to the preservation of information relevant to litigation”.

Untangling that: preservation of records for litigation is pretty complex and is discussed in many publications. It rests on the test of authenticity, which determines whether the data carries sufficient evidential weight to be admissible (see The Foundations of Digital Evidence and BS 10008). As US Chief Magistrate Judge Paul W. Grimm (author of the Lorraine v. Markel opinion) suggests in his recent eDiscovery interview, “rules that deal with whether it’s admissible or not must be addressed…If people weren’t aware of what they had to do to get this stuff into evidence during the discovery phase…they were potentially spending huge amounts of money only to be left wanting a trial because they couldn’t get it into evidence”.

Think about a simple case of a cloud provider who does somehow agree to provide data to support your e-Discovery requests but cannot prove the data’s authenticity. It brings to mind all those sunk costs invested to discover, retain and preserve the data, with no forethought towards actually having to use it in court.

Author: Nadeem Bukhari

The cost of cybercrime

Monday, November 7th, 2011

I know the Ponemon Institute has a sponsor for each of their studies, but the recently released Second Annual Cost of Cyber Crime Study does contain some really valid findings that CSOs should take into account.

Their study highlights just how many companies are immature in the detective and reactive controls following a breach. I would suggest that for data theft and fraud breaches, most of the deployed controls are so ineffective that often the occurrence of a breach is detected through a source outside of the organisation. A great example of this is the TJX breach, where the incident was reported by TJX officials around a month after an extensive fraud had occurred.

There are many reasons for this, including but not limited to zero-day hacks or ineffective intrusion detection systems. However, as Ponemon points out in their findings, “companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM”… Yes, the sponsor of this study is a SIEM provider. More importantly though, it does point to the fact that audit log information is a key source of information for detection capabilities. However, as recognised year after year by another study, the Deloitte Global Financial Services Security Survey, “Audit trails/ logging issues” is within the top 5 internal/external audit findings. That is, organisations are still wrestling with the collection, analysis and protection of audit log data. CSOs need to place greater emphasis on using some of their rapidly reducing IT budgets on log collection, analysis and protection tools. Because, as Ponemon points out, “Cyber attacks can get costly if not resolved quickly…the average time to resolve a cyber attack by a participating organisation was 18 days at an approximate average cost of $415k with malicious insider attacks taking more than 45 days”… I know of more than a few log management solutions that cost less than that.
 
OK, now let’s assume that you have a solution to detect and fix a breach but now want to prosecute, or even have to defend a prosecution. Most companies are missing a critical capability, and that will cause a significant pain point in litigation scenarios. Specifically, most organisations have not deployed the capabilities needed to make their electronic data digital-evidence ready. I will write more on this in an upcoming post; however, if you cannot prove the electronically stored data’s authenticity, it will not be usable as evidence. A great source for identifying the controls you need to consider is BS 10008 – Evidential weight and legal admissibility of electronically stored information.

In addition to the digital evidence point, it is now a known fact that the hacker of today is not out to be noticed. In fact, they have always preferred to stay undetected until they want to get noticed. To do this they delete or modify data that may show their activity. Most hacking 101 books/papers have sections on how to conduct a stealth attack and how to remain undetected by deleting or modifying log data. It’s obvious that if the log data has been modified, the time to detect and respond to an attack will be substantially increased.

A professor at one of the first lectures that I had in Information Security asked the question: “What is the most dangerous thing a hacker can do?” After going through a list of responses by the class, he suggested: “It is to stay hidden and seep corruption into the organisation’s digital data so that it even gets into the backups and yields an unrecoverable digital data environment…. This type of effect can put a company out of business”. Now, years on, I recognise that this is not the worst a hacker can do, i.e. they can cause an outage of a power grid, mayhem at a nuclear plant etc. However, with respect to normal business it does make me wonder how many organisations were subjected to this type of attack when the UK’s Ministry of Defence published the warning “Foreign hackers ‘putting UK firms out of business’”.

Author: Nadeem Bukhari

Keeping metadata in an immutable way

Friday, January 16th, 2009

I found an interesting article that explains that a new ruling in the US is forcing companies to preserve their metadata in an immutable way. (NOTE: metadata describes how, when and by whom a particular set of data was collected, and how the data is formatted. It is essential for understanding information stored in data warehouses and has become increasingly important in, for example, XML-based Web applications.)

In the court case referred to in the article (Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec.), a U.S. District Court ruled that metadata associated with e-mails and electronic files must be preserved, maintained and produced in the course of legal discovery.

The Aguilar decision emphasizes the importance of metadata preservation in the course of e-discovery. Metadata can be used for authentication, search and analysis, while also offering evidential value, such as when a file was created or accessed. This ruling shows that organizations must now be ready to present metadata if requested, and it should be kept and preserved in a way that leaves its legal admissibility unquestioned. In other words, organizations must be able to unquestionably prove that metadata is trustworthy and was preserved in an immutable way.

One solution would be to retain more information in WORM format, as this can help preserve the data and metadata. However, using Kinamik Secure Audit Vault is a more efficient and cheaper alternative than WORM disks for preserving data with integrity (i.e. so that it cannot be altered). By using Kinamik’s solution, organizations can use any normal disk to achieve immutability of their data in software.

Once again, this is further proof of the need for anti-tampering solutions.
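The cybercrime post above (intruders deleting or modifying log data) and this one (metadata that must be provably unaltered) turn on the same requirement: being able to show that a stored record has not been changed since it was written. The following Python block is an added illustration of one well-known way to meet it, a hash-chained, keyed audit log; it is not Kinamik’s product or code. Each entry carries an HMAC over its sequence number, the previous entry’s tag and the record itself, and a verifier that holds the key plus an out-of-band copy of the latest tag can distinguish a modified entry, a deleted entry and a truncated log. The key and the sample records are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice it is held by an independent verifier,
# not by the logging host, so whoever alters the log cannot re-tag it.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev tag of the first entry


def entry_tag(key: bytes, seq: int, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over seq, previous tag and the canonical JSON of the record."""
    msg = json.dumps({"seq": seq, "prev": prev_tag, "record": record},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(log: list, record: dict, key: bytes = VERIFIER_KEY) -> dict:
    """Append a record, chaining it to the tag of the previous entry."""
    seq = len(log)
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"seq": seq, "prev": prev_tag, "record": record,
             "tag": entry_tag(key, seq, prev_tag, record)}
    log.append(entry)
    return entry


def verify(log: list, head_tag: str, key: bytes = VERIFIER_KEY) -> str:
    """Return 'ok' or a string naming the first problem found.

    head_tag is the tag of the last entry as checkpointed out of band;
    without it, silently dropping the tail of the log would go unnoticed.
    """
    prev_tag = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev_tag:
            return f"chain break at entry {i}"  # entry removed or reordered
        expected = entry_tag(key, i, prev_tag, e["record"])
        if not hmac.compare_digest(e["tag"], expected):
            return f"modified entry {i}"  # record edited after the fact
        prev_tag = e["tag"]
    if prev_tag != head_tag:
        return "truncated: head does not match checkpoint"
    return "ok"


if __name__ == "__main__":
    log = []
    for rec in ({"user": "alice", "action": "login"},
                {"user": "alice", "action": "read", "file": "payroll.xlsx"}):
        append(log, rec)
    print(verify(log, log[-1]["tag"]))
```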

BS 10008 – Another proof that integrity is the next big thing

Friday, January 16th, 2009

The British Standards Institution (or BSI) has recently published BS 10008, a new standard that focuses on the evidential weight of electronic information. It establishes a set of requirements organizations should follow in their data management procedures for ensuring… yes, you got it: the integrity of information.

The new standard’s name is quite self-explanatory: “Evidential weight and legal admissibility of electronic information. Specification”. As the BSI website states, “legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case”. BS 10008 therefore aims to ensure that any piece of electronic information used in a Court of Law has the maximum evidential weight.

There are many interesting aspects here. First, it shows the need to clearly establish guidelines and a common framework for how to deal with electronic data and digital evidence. And second (but no less important), it outlines how data integrity is a key aspect of information management.

We just bought a copy of the standard. We’ll read it and publish some thoughts… Stay tuned.

Top 10 e-discovery trends for 2009

Friday, January 9th, 2009

Pretty much everybody agrees that 2009 will be key to how the current economic crisis develops. It will certainly change many aspects of our personal and professional lives. And when trying to identify how the e-discovery market will evolve, the folks at Clearwell Systems have produced a list of ten predictions for this year. They respond mainly to greater financial and legal stress, calling for more collaboration, control and proactive readiness in the matter.

So here’s the list, via MarketWatch. Enjoy:

1. Government Investigations Increase: the economic tensions and increase in high-profile scandals will lead to a natural rise in government investigations, compliance audits and data requests.

2. Corporations Take More Control Over e-Discovery: e-discovery processes go “in-house” to gain more control and reduce costs. Organizations will then see that a proper proactive approach brings cost-reduction opportunities when an e-discovery process takes place.

3. Industry Push For Collaboration: improving collaboration efforts will reduce costs and conflicts.

4. Federal Rules of Evidence (FRE) 502 Helps Automated Reviews: the use of automated analytical tools will be on the rise, reducing costs and lowering the time and money associated with inadvertent disclosure of privileged information.

5. “Showing Your Work” Becomes Mandatory: technology must be transparent and auditable, with organizations needing not only to show but also to prove transparency and good practice.

6. Solving Colloquial E-Discovery Is Top of Mind: new technologies such as voicemail, instant messaging, web 2.0 and others must be included in the e-discovery process. Trustworthy auditing becomes the key aspect here.

7. Global Economic Downturn Drives Global E-Discovery: e-discovery will go international and therefore become more complex. E-discovery technologies will need to address privacy and data protection issues, in line with international compliance requirements.

8. Information Stores Will be Mapped: in line with prediction #1, there will be an increasing need for organizations to clearly map their electronically stored information. This means the capacity to retain, archive, search and produce whatever information is required.

9. Integration Happens Across the EDRM Framework: integration will be the key for e-discovery technologies this year.

10. Information Management Shows Positive ROI: proper information management is no longer related solely to good practices, but will also have a clear cost-saving effect. Being unprepared and having unmanaged data stores will bring enormous costs if an e-discovery process comes into play. The key here is having a proper forensic readiness approach.

Google and the costs of searching and producing evidence

Friday, December 12th, 2008

I came across a very interesting post today. It seems that when Google was requested to present evidence for a case early this year, they alleged that due to the complexity of their e-mail structure they could present it, but that it would be very difficult and expensive to search and find exactly what was needed. I guess it makes sense, since they are so technologically behind the curve… :)

Leaving any hint of sarcasm aside, this puts into focus a simple (and enormous) truth: the high cost of any e-discovery process, specifically when organizations are requested to search through their data to produce evidence. If Google claims the process is difficult and too costly, any other company should really stop for a second and think about how to tackle this issue.

The first solution that may come to mind would be to improve search capabilities for finding exactly what is needed. This solution, though, may produce what is called a “false negative” if a relevant file is not found, or a “false positive” if something that is not relevant to the case is found; recent findings suggest that 70% of the total documents reviewed in an e-discovery process are false positive findings. This shows that the correct approach is not just having a good search tool, but (as the columnist mentions) also that organizations should “take available technological measures to preserve documentation for legal proceedings”. Having “the ability to preserve new documents as they are created” is key to this.

This brings me to what we do at Kinamik… which is exactly that! We build a centralized, independent and Secure Audit Vault that serves as a safe for all sensitive data (such as audit trails), making it tamper-proof in the process for future-proof preservation. And of course, search capabilities are also available in that audit vault. Well… maybe I should give Google a ring?