LITIGATION SUPPORT TIP OF THE NIGHT

Security Orchestration, Automation and Response (SOAR) refers to the use of automated workflows to facilitate responses to security incidents. While security automation may take place without human intervention, security orchestration is necessary for people to collaborate on a response, and integrate the use of different tools to provide a proper response.

A SOAR tool should collect data on security incidents so it can be used to address current breaches, and plan for future improvements in security. Data on incidents should be analyzed in real time, and help enforce compliance with security measures. Remediation measures can be implemented quickly by computers.

SOAR systems should allow a security response to be extended and scaled appropriately. A good SOAR system will be HA/DR - highly available or in continuous operation and provide disaster recovery - continuing vital services after an incident.

In contrast to a SIEM (Security Information and Event Management) system, SOAR systems should allow for varying responses to different types of incidents.

Companies like Swimlane provide an application programming interface (API) for responses to security threats.

Digital Forensics and Incident Response (DFIR) is a term for the application of digital forensic techniques to cyber security. It is the collection and preservation of digital evidence to either defend against a cyberattack, or conduct an investigation into one.

DFIR focuses first on containment of a threat. Then the elimination of the malware, unauthorized access, or other causes of the threat can be addressed. The incident can then be assessed, and preventive measures suggested and implemented. EnCase Endpoint Investigator is a tool commonly used for DFIR projects.

Common DFIR techniques on Windows systems include:

1. Review of the Application Compatibility Cache - to check what programs where run on a Windows operating system. The cache is designed to allow software written for earlier versions of Windows to run in the current version.

2. Extracting text from binary files - a search can be run for email addresses; IP addresses; and other information with regular expressions.

3. Event log parsing - event logs are stored in the same format on Windows. During DFIR their various data elements should be processed simultaneously.

4. Review of Prefetch files - the files stored at C:\Windows\Prefetch can be analyzed to show which programs have been run on a Windows computer.

5. Review of Shadow Volumes - deleted and wiped files can be recovered from these periodic back-ups.

6. Shellbag artifacts - these indicate when a folder was accessed.

7. Recycle Bin artifacts - contain information on the time a file was deleted and its original location.

8. Jumplist - hold information on which files have been opened by which applications.

9. Windows timeline - Windows 10 has a timeline showing which files and applications have been opened for the past 30 days.

10. NFTS file system - include records of when a system has been booted and changes have been made to individual files.

11. Windows registry - its files can be processed automatically.

12. LNK - shortcut .lnk files show when files have been opened.

This week Relativity announced that it is now HIPAA compliant. The Department of Health and Human Services is responsible for enforcing the standards of the Healthcare Insurance Portability and Accountability Act. On its web site, HHS provides guidance how the providers of cloud computing services can make sure that protected health information (PHI) it hosts is secure.

The HHS confirms that PHI can be stored in a cloud service but requires that a HIPAA compliant contract be entered into. A service level agreement is needed to address back-up data policies; data retention; and system availability. A cloud service provider that hosts PHI without an executed 'business associate agreement' is in violation of the HIPAA rules.

Even if a cloud service provider hosts encrypted PHI for which it does not have a decryption key, it is still responsible for complying with HIPAA regulations.

A CSP will not be considered as a conduit, like the post office, for the purposes of HIPAA compliance.

The HHS does not certify cloud service providers.

The HIPAA Security Rule with respect to security incidents does not require that reports include specific detail or be made with a particular frequency.

Healthcare providers can use mobile devices to access PHI stored in the cloud.

Upon the termination of a business associate agreement, PHI must be returned or destroyed. If this is not possible security protections must be extended.

PHI can be stored on servers outside of the United States.

HIPAA does not require CSPs to allow customers to audit their security practices.

HIPAA privacy and security rules do not apply to de-identified data.