CrowdStrike's Henry also says there's no one way that law enforcement conducts investigations.
The FBI no longer seems to have the reputation for grabbing servers as evidence or otherwise disrupting networks, as was the case a decade or so ago. However, law enforcement may place specialized devices on a corporate network to see if suspects that grabbed data return to try for more, Kraus says.
Don Gray, chief security strategist at Solutionary, adds that some national-security-oriented investigative forces will still show up without advance notice and grab entire storage drives on national security grounds. Solutionary, as a managed security services provider, accounts for that possibility in its network design for customers with sensitive information, he suggested, without offering more detail.
At companies that have been breached, the house attorney is often the one appointed to first receive the forensics report before it's handed to law enforcement or anyone else at the company, Gray notes. Sometimes the forensics report is requested in "draft form," and attorneys draw up the written report. "They only want the house lawyer to see it," says Gray. This is a way to try and keep control over the breach from a legal vantage point, especially if the case ends up in court. That may limit how much the IT department initially knows. Law enforcement typically commences its interactions with upper management, not the IT department directly.
Solutionary last year was hired by a bank to conduct a forensics examination after the FBI showed up with evidence of a major breach that turned out to have been caused by SQL Injection attacks on the bank's website and had been going on for months. One difficulty, says Kraus, is the bank's logging system was weak and only stored log data for 2 ½ months. Solutionary believes incident response capabilities remain tepid at best in companies today.
This raises the all-important question of how well companies defend their networks and whether their logging capabilities are sufficient to give them a clue about anything after a breach.
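The bank case above turns on two things a defender can check directly: whether web-server logs show injection attempts at all, and whether the retention window even reaches back to when the attacks began. The following Python is an added illustration, not code from the article or from Solutionary; the log lines are constructed, the detection patterns are deliberately narrow, and the function names (`scan`, `summarize`, `retention_covers`) are my own.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2014:10:12:01 +0000] "GET /account?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [03/Jan/2014:10:13:44 +0000] "GET /account?id=42'%20OR%20'1'='1 HTTP/1.1" 200 8192
10.0.0.9 - - [04/Jan/2014:02:01:10 +0000] "GET /account?id=42%20UNION%20SELECT%20card,cvv%20FROM%20cards-- HTTP/1.1" 200 65536
10.0.0.7 - - [05/Jan/2014:08:30:00 +0000] "GET /search?q=o'neil HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators that rarely occur in legitimate query strings. A lone quote is
# not enough on its own (o'neil is a valid search term); we look for a quote
# followed by boolean logic, a UNION ... SELECT, or a comment/statement break.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"--\s*$|--\s|;\s*(drop|delete|update)\b", re.I),
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime) and decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": unquote_plus(m.group("path"))}


def is_sqli_candidate(path):
    """True if the URL-decoded path matches any injection indicator."""
    return any(p.search(path) for p in SQLI_PATTERNS)


def scan(log_text):
    """Return suspicious requests, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sqli_candidate(rec["path"]):
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


def retention_covers(first_seen, discovered, retention_days):
    """True if logs retained for retention_days at discovery reach first_seen."""
    oldest_retained = discovered - timedelta(days=retention_days)
    return first_seen >= oldest_retained


def summarize(log_text, discovered_iso, retention_days):
    """Dwell time and whether the retention window would have kept the evidence."""
    hits = scan(log_text)
    discovered = datetime.fromisoformat(discovered_iso)
    if not hits:
        return {"hits": 0, "first_seen": None, "dwell_days": None, "retention_covers": None}
    first = hits[0]["ts"]
    return {
        "hits": len(hits),
        "first_seen": first.isoformat(),
        "dwell_days": (discovered - first).days,
        "retention_covers": retention_covers(first, discovered, retention_days),
    }


if __name__ == "__main__":
    # Constructed discovery date, with 75 days standing in for roughly 2.5 months.
    print(summarize(SAMPLE_LOG, "2014-06-30T00:00:00+00:00", 75))
```

With a discovery date months after the first injection attempt, the summary reports that a 75-day retention window does not reach the first hit, which is exactly the gap the article describes; the same run with a one-year window reports the evidence as retained. The patterns are intentionally conservative to avoid flagging ordinary apostrophes in search terms; a production detector would tune them against the site's own traffic.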
Target, whose CIO Beth Jacob "resigned" in the wake of the data breach, recently acknowledged the security team at the retailing giant missed clues about the breach, even after spending well over a million dollars on threat-detection software from FireEye and Symantec endpoint protection software. The Target breach has stirred up the debate over whether to blame the security software, the security staff, or both.
In spite of all the FBI and Secret Service visits, there's still the perception that the cyber-criminals — sometimes in faraway places like Eastern Europe — are not being brought to justice. After all, it is easy enough for cyber-criminals to reach across the world to break into a network, but nabbing them in a foreign country and bringing them to trial remains a tough proposition.