As a cybersecurity professional, I see the increasing frequency and scale of data breaches, ransomware attacks, and identity theft as disturbing. This has motivated me to accelerate processes that leverage lessons learned from cyber incidents to advance data protection, problem detection, and rapid recovery. My immediate focus is to apply digital forensics and incident response (DFIR) to software as a service (SaaS) as more organizations migrate business critical applications to SaaS. Protecting data in SaaS environments poses unique challenges, which a growing number of organizations are learning the hard way.
In recent years, Verizon’s Data Breach Investigations Reports have observed an increasing percentage of incidents involving external cloud assets. In addition to data breaches, more organizations are experiencing major business interruptions due to SaaS data loss, corruption, and inaccessibility.
It’s for these reasons that I joined Own last month as Vice President of Cybersecurity Strategy & Product Development. My mission in joining Own is to provide organizations with proactive cyber risk mitigation, reinforcing resiliency against inadvertent data mishandling and malicious cyber attacks, including data breaches, ransomware, and insider threats. This blog introduces features of Own Recover that support Proactive Digital Forensics and Streamlined Incident Response for SaaS Data Exposure.
Applying DFIR to SaaS platforms requires innovative solutions that support forensic-quality preservation, deleted data recovery, and forensic analysis. Own addresses this need by exploiting routine backup processes to provide proactive preservation and analysis of data in a growing number of SaaS platforms. By proactive, we mean performing these activities before an incident or exposure occurs (“left of boom”) to enable automated forensic recovery and analysis, and to accelerate incident detection and response. When all else fails and data is lost or targeted by ransomware, Own customers can rapidly recover their SaaS data from backups, either fully or surgically down to a specific record or field.
Forensic preservation and recovery of SaaS data
Traditional approaches to forensic preservation and data recovery are largely reactive. Own founder Ariel Berkman’s early experiences involved salvaging data from various physical digital media using forensic methods. Waiting until after a problem occurs generally results in high recovery cost and some data loss. The foundation of Own Recover is proactive forensic-quality preservation of mission-critical data stored in Salesforce, ServiceNow, and Microsoft Dynamics 365. These and other SaaS providers operate under a shared responsibility model, and typically provide customers with little to no ability to preserve or recover deleted data.
Own Recover resolves this issue by creating frequent forensic-quality copies, automatically and on-demand. The preserved data is stored in secured cloud-based environments that remain accessible even when SaaS provider systems are not.
Another advantage of proactive preservation is that analysis can be performed on a separate secure platform, eliminating the risks of touching live systems and impacting business operations. This approach follows forensic best practices of performing analysis on a working copy of data rather than the original. Furthermore, data preserved with Own is accessible after a ransomware attack or when a SaaS provider system is inaccessible, supporting continuity of operations.
Treating Own as a forensic-quality preservation platform also creates additional opportunities to address legal and regulatory requirements, enabling organizations to be audit ready at all times. For example, Own uses cloud infrastructure dedicated to different geographical regions, which can satisfy data residency laws in countries that require a copy of cloud data to be stored within their borders. There is also a capability called Blockchain Verify to compute a cryptographic signature for the forensic-quality copy and to store the signature in a public blockchain to support independent integrity verification.
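The integrity-verification idea behind an anchored fingerprint can be illustrated in a few lines. The following is an added example, not Own's code and not a description of how Blockchain Verify is implemented: it assumes the "cryptographic signature" can be modelled as a SHA-256 digest over a canonicalized copy, and it stands in a plain dictionary (`ANCHORS`) for the external ledger. The sample records are constructed. The point a practitioner should take from it is that the copy must be canonicalized (sorted keys, order-independent record set) before hashing, otherwise a mere re-export in a different order would look like tampering.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample of a forensic-quality copy: one SaaS object keyed by record id.
SNAPSHOT: Dict[str, Dict[str, str]] = {
    "001": {"Subject": "Login failure", "Status": "Open",
            "LastModifiedDate": "2024-02-28T09:00:00Z"},
    "002": {"Subject": "Invoice mismatch", "Status": "Open",
            "LastModifiedDate": "2024-02-28T10:00:00Z"},
}

# Stand-in for the external, append-only anchor store (assumption: in the
# product this would be a public blockchain; here it is just a dict).
ANCHORS: Dict[str, str] = {}


def canonical_record(record_id: str, record: Dict[str, str]) -> bytes:
    # Canonical JSON: sorted keys and fixed separators, so the same logical
    # record always serialises to the same bytes regardless of export order.
    return json.dumps([record_id, record], sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def fingerprint_snapshot(snapshot: Dict[str, Dict[str, str]]) -> str:
    # Hash every record individually, sort the leaf hashes so the result does
    # not depend on iteration order, then hash the sorted list into one digest.
    leaf_hashes = sorted(
        hashlib.sha256(canonical_record(rid, rec)).hexdigest()
        for rid, rec in snapshot.items()
    )
    return hashlib.sha256("\n".join(leaf_hashes).encode("utf-8")).hexdigest()


def anchor_snapshot(label: str, snapshot: Dict[str, Dict[str, str]]) -> str:
    # Record the digest under a label (e.g. backup date) at preservation time.
    digest = fingerprint_snapshot(snapshot)
    ANCHORS[label] = digest
    return digest


def verify_snapshot(label: str, snapshot: Dict[str, Dict[str, str]]) -> bool:
    # Recompute the digest of the copy being examined and compare it with the
    # anchored value; a missing anchor counts as a failed verification.
    expected = ANCHORS.get(label)
    if expected is None:
        return False
    return hmac.compare_digest(expected, fingerprint_snapshot(snapshot))


if __name__ == "__main__":
    anchor_snapshot("2024-03-01", SNAPSHOT)
    print("unchanged copy verifies:", verify_snapshot("2024-03-01", SNAPSHOT))
    tampered = {**SNAPSHOT, "001": {**SNAPSHOT["001"], "Status": "Closed"}}
    print("altered copy verifies:", verify_snapshot("2024-03-01", tampered))
```

Because the record hashes are sorted before the final digest, a copy exported in a different record order still verifies, while changing a single field value, adding a record, or removing one produces a different digest and fails verification.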
Proactively preserving all the available contents and context of a SaaS database enables forensic data recovery. Own Recover provides tools to find, examine, and recover lost data from past copies.
Proactive forensic analysis of SaaS data
Beyond providing companies with the ability to quickly recover lost data, these forensic-quality copies of SaaS data can be analyzed proactively to reduce incident detection time (IDT) and to accelerate forensic analysis. Own Smart Alerts perform daily comparative analysis of backups to detect deletion and alteration of valuable data, alerting customers of a problem that might otherwise go undetected.
The Own comparative analysis capabilities will look familiar to anyone experienced in database forensics, including the Visual Graph, which supports a top-down analysis of what data was deleted or altered/corrupted, and when. This comparative analysis is invaluable when questions about database integrity arise due to accidental damage or intentional tampering.
The Compare features in Own Recover can also display the specific records that were deleted or altered/corrupted, along with the user identifier that last modified a record.
“For forensic [purposes], I have used both the Find and Compare tools to see the past state of records. Find will show the location of each backup in a date range that holds the record, and will show the date and time a record was modified. At that point I would use the Compare tool to see what was different between the backup earlier in the day on which the record was changed and the backup from the next day. This will allow me to see the LastModifiedBy and LastModifiedDate values, plus any data that was changed. It’s not entirely foolproof and not nearly as robust of a method as having Salesforce Shield/Own Secure, as multiple people can modify a record in a given day, but it can help for objects on which we don’t have robust field history activated. Even on objects with field history, it supplements the activity data nicely. Recently I had a case where a staff member merged two cases together and lost data in the merge process. For instance, I was able to find when the record was merged and look at the data as it existed on the merged case using the process outlined above.”
-Jay Schnedl, University of Florida
The ability to dig into historical layers of SaaS data permits kinds of forensic analysis, such as digital stratigraphy, that until now were only possible with physical storage media.
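The comparative analysis described above (Smart Alerts and Compare), the Find-then-Compare workflow in the testimonial, and the layered "stratigraphy" view all rest on the same operation: diffing successive forensic copies of a SaaS object. The following is an added example, not Own's code and not a description of how Own Recover implements these features. It assumes Salesforce-style audit fields (`LastModifiedById`, `LastModifiedDate`) on each record, a constructed series of three daily backups of a Case object, and an illustrative alert rule (`deletion_alert`) that fires when the deleted share of records exceeds a threshold; the function names are assumptions.

```python
from typing import Dict, List, Tuple

# Audit fields are reported alongside a change, not diffed as business data.
AUDIT_FIELDS = {"LastModifiedById", "LastModifiedDate"}

# Constructed sample: three daily backups of a Case object, keyed by record id.
_CASE_002 = {"Subject": "Invoice mismatch", "Status": "Open",
             "LastModifiedById": "005-userB", "LastModifiedDate": "2024-02-28T10:00:00Z"}
_CASE_001_CLOSED = {"Subject": "Login failure", "Status": "Closed",
                    "LastModifiedById": "005-userA", "LastModifiedDate": "2024-03-01T15:30:00Z"}

BACKUPS: Dict[str, Dict[str, Dict[str, str]]] = {
    "2024-03-01": {
        "001": {"Subject": "Login failure", "Status": "Open",
                "LastModifiedById": "005-userA", "LastModifiedDate": "2024-02-28T09:00:00Z"},
        "002": dict(_CASE_002),
        "003": {"Subject": "Duplicate ticket", "Status": "Open",
                "LastModifiedById": "005-userB", "LastModifiedDate": "2024-02-28T11:00:00Z"},
    },
    "2024-03-02": {
        "001": dict(_CASE_001_CLOSED),   # status changed during 2024-03-01
        "002": dict(_CASE_002),
        # "003" is absent: deleted (or merged away) during 2024-03-01
    },
    "2024-03-03": {
        "001": dict(_CASE_001_CLOSED),
        "002": dict(_CASE_002),
        "004": {"Subject": "Password reset", "Status": "Open",
                "LastModifiedById": "005-userC", "LastModifiedDate": "2024-03-02T08:15:00Z"},
    },
}


def compare_backups(older: Dict[str, Dict[str, str]],
                    newer: Dict[str, Dict[str, str]]) -> Dict:
    # Compare two copies: which records vanished, which appeared, and which
    # changed. For altered records, list the changed fields with before/after
    # values plus the audit fields from the newer copy (who and when).
    deleted = sorted(set(older) - set(newer))
    added = sorted(set(newer) - set(older))
    altered = []
    for rid in sorted(set(older) & set(newer)):
        before, after = older[rid], newer[rid]
        changed = {
            f: (before.get(f), after.get(f))
            for f in sorted(set(before) | set(after))
            if f not in AUDIT_FIELDS and before.get(f) != after.get(f)
        }
        if changed:
            altered.append({"id": rid, "fields": changed,
                            "last_modified_by": after.get("LastModifiedById"),
                            "last_modified_date": after.get("LastModifiedDate")})
    return {"deleted": deleted, "added": added, "altered": altered}


def find_record(backups: Dict[str, Dict[str, Dict[str, str]]], record_id: str,
                start: str, end: str) -> List[Tuple[str, str]]:
    # "Find": every backup in [start, end] that still holds the record, with
    # the record's LastModifiedDate in that copy. ISO dates sort as strings.
    return [(day, backups[day][record_id]["LastModifiedDate"])
            for day in sorted(backups)
            if start <= day <= end and record_id in backups[day]]


def change_points(backups: Dict[str, Dict[str, Dict[str, str]]],
                  record_id: str) -> List[Tuple[str, str]]:
    # Stratigraphy view: walk consecutive layers and report the pairs of
    # backups between which the record changed, appeared or disappeared.
    days = sorted(backups)
    return [(prev, cur) for prev, cur in zip(days, days[1:])
            if backups[prev].get(record_id) != backups[cur].get(record_id)]


def deletion_alert(diff: Dict, older_count: int, max_fraction: float) -> bool:
    # Illustrative alert rule (assumption): raise when the share of records
    # deleted between two copies exceeds max_fraction of the older copy.
    if older_count == 0:
        return False
    return len(diff["deleted"]) / older_count > max_fraction


if __name__ == "__main__":
    diff = compare_backups(BACKUPS["2024-03-01"], BACKUPS["2024-03-02"])
    print("deleted:", diff["deleted"], "altered:", diff["altered"])
    print("alert:", deletion_alert(diff, len(BACKUPS["2024-03-01"]), 0.10))
    print("find 003:", find_record(BACKUPS, "003", "2024-03-01", "2024-03-03"))
    print("layers where 001 changed:", change_points(BACKUPS, "001"))
```

Running the sample reproduces the workflow in the testimonial: `find_record` shows the last backup that still holds record 003, `compare_backups` on that backup and the next one lists the deletion along with the change to record 001 and who made it, and `change_points` narrows each record's history to the layers between which something happened. The caveat from the testimonial applies to this code too: a daily copy records only the last modifier of the day, so several edits between two copies collapse into one visible change.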
Streamlined incident response
Organizations that proactively collect digital evidence and employ forensic analysis in anticipation of cyber incidents put themselves in a better position to detect, investigate and neutralize attacks. The sooner an incident is detected, such as data deletion or ransomware, and the faster data can be analyzed and restored to its original operational state, the lower the risks. Therefore, it is essential to minimize the Incident Detection Time (IDT), Analysis Duration (AD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO).
Own Recover combines forensic-quality preservation and analysis of SaaS data with rapid restoration capabilities to enable streamlined incident response. Providing these capabilities advances our conviction that no organization operating in the cloud should lose data, and certainly no organization should have to pay ransom to get their data back.
Stay tuned for a more detailed description of what constitutes a forensic-quality copy of SaaS data, and proactive cyber risk management of SaaS data. To learn more about Own Recover, check out our website or request a demo below.