1 / 58

FishNet Security

FishNet Security. E-Discovery Benjamin Stephan CISSP CISA EnCE PA-QSA QSA PFI Benjamin.Stephan@FishNetSecurity.com. FishNet Security Overview.

ivrit
Download Presentation

FishNet Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FishNet Security E-Discovery Benjamin Stephan CISSP CISA EnCE PA-QSA QSA PFI Benjamin.Stephan@FishNetSecurity.com

  2. FishNet Security Overview Committed to security excellence, FishNet Security is the #1 provider of information security solutions that combine technology, services, support, and training. FishNet Security solutions have enabled over 3,000 clients to better manage risk, meet compliance requirements, and reduce costs while maximizing security effectiveness and operational efficiency. • Over 12 years of experience delivering enterprise solutions and comprehensive service offerings • Established relationships with “best-of-breed” information security partners and vendors • A full-suite of information security services provided • Respected national presence - Focused local support

  3. About FishNet Security Office Locations Atlanta, GA Boston, MA Charlotte, NC Chicago, IL Columbus, OH Dallas, TX Denver, CO Detroit, MI Ft. Wayne, IN Houston, TX Indianapolis, IN Kansas City, MO Newport Beach, CA New York City, NY Omaha, NE Phoenix, AZ San Francisco, CA Seattle, WA St. Louis, MO St. Paul, MN Tallahassee, FL Tampa, FL Washington, D.C. West Palm Beach, FL Cambridge, UK

  4. Overview • Introduction • Computer Forensics vs. e-Discovery • Federal Rules of Civil Procedures • E-Discovery Reference Model • Early Case Assessment • Products & Services • Sample Cases • Disclaimer: • Speakers opinions are just that – opinions • Not offering legal advice, just discussing principals

  5. Introduction • Technology Age • Rapid Communication • E-mail • Cell Phones • Instant Messaging • Digital Information • Electronic Media • Documents, Spreadsheets, PowerPoint, Databases • CD, DVD, Blu-Ray • Data Capacity • 90’s – Megabytes • 00’s – Gigabytes • 10’s – Petabytes • 20’s – Zettabytes

  6. Documents Per Gigabyte *Discovery Services | Fact Sheet; Lexis Nexis

  7. Introduction • Data that used to be stored on paper or physical media is now stored on digital media. • Emails* *Email Statistics Report, 2010; The Radicati Group, Inc.

  8. Computer Forensics vs. e-Discovery

  9. Computer Forensics vs. e-Discovery • Computer Forensics: The acquisition, preservation and analysis of digital information that meets the requirements of evidence for court presentation. • e-Discovery: refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.

  10. Computer Forensics vs. e-Discovery • Forensics vs. e-Discovery: E-discovery is the process of analyzing data that is accessible without the need for additional tools or applications. Whereas, Computer Forensics is the process of analyzing data that can only be accessed with proper training and tools.

  11. Federal Rules of Civil Procedures(FRCP)

  12. Federal Rules of Civil Procedures • Key Date: December 1, 2006 • The FRCP is amended to more accurately address digital information. • Amended Rules: 16, 26, 33, 34, 37, 35 • Electronically Stored Information (ESI; Rule 26.a): • ESI is all information stored on electronic media. • Examples: • Email • Voicemail • CD • DVD • Hard Drive • Thumb Drive • Computer in your car • Fragmented files • PS3 / WII / Xbox 360 • Mobile Devices

  13. ESI – Lifeblood of all Companies Intellectual Property BusinessIntelligence Company Data Business Unit Data Epicenter of Risk Customer Data Human Resources Financial Sales

  14. Requesting party must submit: Information on people Information on the ESI Only information requested is allowed (26.s). Meet and confer “gottchas” (26.f): Must occur 120 days from request Most attorneys want 30 days to review Most attorneys wait 30 days to provide Litigation Holds “Clawback” (26.b) Inadvertent disclosure of ESI Privileged information FRCP Rule 26

  15. Identify sources of ESI Sample information Validation of sources Exclusion of sources Reasons for exclusion: Not relevant Excessive burden Both parties should agree on ESI Court makes final decision Determine who is responsible for payment FRCP Rule 26

  16. Establish protocols of production Requesting party can set format “Safe Harbor” Minimize the potential of loss data Data deleted as part of everyday processes is acceptable Must have defined data retention policies FRCP Rule 34 & 37

  17. E-Discovery Reference Model(EDRM)

  18. E-Discovery Reference Model • EDRM is a project of multiple organizations to establish set protocols, guidelines, recommendations, and procedures to assist individuals involved with a discovery request.

  19. E-Discovery Reference Model • Information Management: The process of maintaining structure and organization around ESI. • Some organizations implement products to allow for pre-capture of potentially critical ESI. • Such as collection of all email both ingress and egress. The email is then indexed and archived. When a request for discovery is initiated then the emails can be processed easily. • Pre-collection of critical data allows for ESI to be archived and indexed prior to a discovery request. • Pros: • Data is pre-indexed • Minimal interruption • Cons: • Substantial storage space requirements • Can be expensive • Some solutions provide online hosting which would require additional bandwidth

  20. E-Discovery Reference Model • Identification: The process by which ESI is categorized and marked for potential necessity in a discovery request. • ESI profiling • Custodians are correlated with ESI based on the level of access to data. • A primary matrix is kept to easily correlate the potential ESI sources based on the discovery request. • Data classification • Data is classified according to sensitivity and access controls. • By creating a data classification structure ESI is more easily segmented and controlled.

  21. Develop a data classification plan. Develop a data retention policy. Assure data is appropriately marked. What’s My Data? Where’s My Data? • ESI may be stored in many places: • File servers • Laptops • Blackberries • Thumbdrives

  22. Custodian to information matrix Also know as an ACL matrix Custodian to system matrix How many systems does your Administrator access? Data access history Physical Access controls Access and Audit logs Who Has The Data?

  23. Data Classification • Mapping of sensitive data classification • Determination of risk of data compromise • Citation of evidence of exfiltration • Interpretation of exfiltration potential • Assist in determination of notification potential • Identification of sensitive data storage • PCI • HIPAA • PII • SOX • Financial records

  24. Sensitive Data Flow

  25. E-Discovery Reference Model • Preservation • Data must be preserves in its native format. • Alterations to the data can lead to spoliation, contamination, and potential sanctions • Collection • Data must be collected by trained professionals • Failure to collect the data in the correct manner can lead to dismissal of the evidence • “The most expensive piece of evidence is the one you can’t use.”

  26. Preservation & Collection • Collect & Secure any data in a forensically sound way • Targeted collection vs. forensic image • Tools used to carry out the collection exercise • Encase • FTK • Write blocker • Time for initial culling? • De-Nist • Hash sets • System files • Filter in/out • Analyze the data • Produce culled data set for the processing phase

  27. Evidence Collection • Both computer forensics and e-discovery require professional expertise in collecting the data. • Computer Forensic Collection & Investigation • Imaging • PCs/laptops, USB devices & mobile phones • Investigations • Corporate theft/leakage • HR issues • Data deletion & concealment • Breach analysis • Incident response • Experienced practitioners • Expert witness for civil and criminal matter

  28. Evidence Collection “Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic”. http://en.wikipedia.org • Evidence Handling & Chain of Custody • Chain of Custody • Secure storage • Evidential integrity and continuity

  29. E-Discovery Reference Model • Processing • E-Discovery processing uses sophisticated mapping, indexing, and heuristical software to create a relationship structure from all the ESI collected. • Often keywords, document types, conversational topics, and other criterion are used to filter the ESI into a smaller dataset. • Filter can happen on multiple levels to help reduce the amount of data to be reviewed.

  30. E-Discovery Reference Model • Taking the collected data from different sources • Digital • Hard copy • Audio • Entering the data into one controllable database • Whittle down the size of the data by: • Keywords • Date ranges • Custodians • De duplication • File types • Produce a responsive data subset to go to review phase.

  31. E-Discovery Reference Model • Review • Document review is often a critical portion of the litigation process. The efficiency of the review can be maximized by decrease the review set to allow more time for accurate analysis. • Tools • The efficiency of ESI review can also be improved by leveraging advance tools. • Query tools can leverage multiple methodology to review the ESI such as: • Conversational de-duplication • Content pivoting • Boolean logic • dtSearch

  32. E-Discovery Reference Model • Review • Following a reduction of data via the processing phase the review phase prepares the data for a legal review. • Many utilities allow for reviews to view, tag, mark up any documents, emails, attachments or any data found to be relevant.

  33. E-Discovery Reference Model • Review • One key step in the review process is redaction. • Redaction: The process of reviewing multiple documents and extracting key pieces of data from the original content. • In litigation cases the redaction process is applied to remove client attorney privileged information from ESI prior to provision of evidence to opposing counsel. • Redacted information must be logged and explained such that if any discrepancies arise then the reason for the redaction can be supported.

  34. E-Discovery Reference Model • Analysis • Throughout the e-discovery process ESI is analyzed using multiple criterion. • While analysis falls after review in the EDRM the analysis actually occurs throughout the discovery. Analysis help to: • Minimize the ESI data set • Determine relativity of data • Identify potential ESI sources • Create ESI sets for manual review

  35. E-Discovery Reference Model • Production: The process of organizing ESI into a format that can be delivered to legal counsel. • After the ESI has been reviewed by legal counsel and is ready for delivery to opposing counsel, the ESI must be “produced”. • Production of ESI in a litigation case can be a crucial step. The FRCP mandates that the means of production be fully delineated by both parties. • Failure to produce ESI according to the agreed upon means can lead to fines and sanctions. • ESI must be produced in its “native format”. • Rule 34(b) allows that the requesting party may specify the format for production.

  36. Production • Finding the responsive and reviewed data set then converting into a production set ready for disclosure. • Options to consider when doing a batch print: • Endorse (i.e. bates number), • Annotations & Coding • Document redaction • Watermark • Export • Convert documents to PDF, TIFF or both

  37. E-Discovery Reference Model • Presentation: The results of the discovery process must be presented in such a format that all parties involved are able to understand the results. • ESI is often presented in “image” format. The image format allows for easy view of the ESI and corresponding data. • Images are often in TIFF or PDF format • Expert witnesses can be critical to the presentation of the ESI. The expert witness interprets, explains, and details the results of the discovery process.

  38. Early Case Assessment

  39. Early Case Assessment • Strategic Scoping • “Meet and Confer”: Leverage the meet and confer meetings to establish an exact means of scoping. Ensure discovery requests address specific custodians, data flows, data classifications, and technical architecture. • Targeted Collection • Live collection • Logical Evidence File (LEF) • Keyword Triage • Keyword crawlers • GREP • 7phrase

  40. Early Case Assessment • ESI Profiling • Custodian to ESI Matrix • Legal Hold • Ambiguous • Too comprehensive • Overly Burdensome • Pre-process Data Culling • Keyword filtering • Boolean expressions • Data Pivoting • Visualizing data statistics • Graphical analysis of trending and anomalies

  41. ROI of Early Case Assessment scope BEFORE 1st Instance of Incident Discovery Collection / Review Presentation Time/cost Uncompromised endpoints Scope of compromise Resources • Early identification of scope • Rapid collection and review • Fewer required resources • Rapid presentation scope AFTER Cllctn. / Rvw. 1st Instanceof Incident Presentation Time/cost

  42. Products and Services

  43. Flexible • Custom workflow • Multiple parties or multi-stage review • Tracking, e.g. timelines or chain of custody • Secure • Role based • Folder-level • Document –level • Field-level • Scalable • Millions of documents • Hundreds of concurrent users • Multiple delivery options

  44. Foreign Language Support • Fully Unicode compliant. • Language identification • Relativity Analytics • Cluster similar documents • Relativity Pivot • Data analysis functionality • Hosted • Via Legal Gateway

  45. e-Discovery Services • Enterprise e-Discovery • Native file review • Online tiff conversion for redaction • Local file review • Concept Searching • Review and search documents based on “concepts” or subject matter terms. • dtSearches • Relativity Pivot • Graphical analysis of search statistics and metadata • Online review • Provide access to opposing counsel

  46. Relativity Pivot

  47. Mobile Review • New e-Discovery services support virtually any mobile device • Secured review • Power of e-Discovery anywhere • Redaction at your fingertips… literally

  48. Nexidia • Audio eDiscovery • Nexidia • Speed of search • Reduces cost of review • Accuracy

  49. EnCase e-Discovery • In house e-Discovery • Collection • Pre-collection Analytics • Preservation • Early Case Assessment & Review • Legal Hold Automation • Web based • Validation • Email delivery • User Friendly • User defined tagging • Email & conversational searches

  50. EnCase e-Discovery

More Related