A bi-monthly educational newsletter from the messaging experts


September 2006


Email Forensics: CSI for Your Enterprise

The IT administrator's job has always been difficult - lack of funding, shortage of personnel, the inability to easily quantify IT's return on investment (ROI), and the constant ring of the help desk phone, to name just a few challenges. Compliance regulations (including SOX, HIPAA, SEC 17a-4 and FERPA), ever-greater information mobility (Blackberries, text messaging, etc.) and the increasingly litigious society in which we live add to the complexity of today's business environment.

Now more than ever, IT administrators must be able to see exactly what is happening on their network in order to identify current threats, anticipate future network growth, and reconstruct events for internal investigation or external audit purposes. This growing need for visibility into network activity has led to explosive growth in the market for advanced reporting and forensics tools.

Reporting tools – which typically provide insight into IT systems’ activity, performance, and other network information – have been popular for years, especially among IT administrators eager to show their executive bosses the benefits reaped by IT expenditures. However, new, more advanced reporting tools offer deeper insight into past events – especially those involving email, by far the most common medium used for the dissemination of threats and confidential information. These advanced reporting tools, commonly lumped under the category of "email forensics", enable IT administrators to satisfy increasingly stringent compliance, policy and legal demands.

Like the forensics experts on the TV drama "CSI," corporate IT departments must be able to piece together events in order to understand exactly what happened in a particular incident. A good email forensics tool will allow the administrator to return to any point in the preceding 10 years and pinpoint anything that happened (or did not happen) anywhere on the email network. Was there a network outage? If so, where did it originate, what caused it, and what was the impact on offices, systems, users, and data? What users distributed what information, when, and how? What did they do with this information? What traffic entered the email network, when and from where (email address, IP address, etc.)? Where did the information go, and what attachments and other content were included? Were email messages about a particular topic sent or received during a particular timeframe?

All of these questions – and many more – can be answered accurately with an advanced email forensics tool. And when integrated with a high performance archiving solution, the forensics tool can even extract individual messages, an important piece of functionality when an enterprise is faced with a lawsuit (and inevitable document subpoena), internal investigation, or audit.

Email Forensics in Action

What sorts of enterprise scenarios might give rise to the need for an advanced email forensics tool? A few hypothetical examples and pertinent questions illustrate why customer need is pushing this market’s rapid growth:

  • A disgruntled employee leaves a company
    • Did the employee access data they should not have?
    • Did the employee take proprietary information with them?
    • Did the employee send out any inappropriate messages and/or leave behind malware that could bring down the network? (Incidentally, if you think this sounds implausible, read on - the UBS PaineWebber case described below may surprise you.)
  • The company network is attacked and brought down (e.g. by distributed denial-of-service attack), necessitating an immediate investigation
    • What type of attack hit the company?
    • Who launched the attack?
    • Can authorities track down the perpetrator(s) by IP address, MAC address or other identifying information?
    • How was the attack able to succeed?
    • How do we remove the vulnerability to ensure it cannot happen again?
  • A company employee (or board member) is suspected of having leaked sensitive company data
    • Where could a leak have occurred?
    • Did a leak occur?
    • What information may have been compromised?
    • What employee(s) may have been involved?

Think it couldn’t happen to your enterprise? Odds are good it could happen to most mid- to large-size enterprises. If you work at UBS PaineWebber or Bank of America, it has already happened to you. These two cases underscore the very real potential for network malfeasance.

In July 2006, Roger Duronio, a disgruntled systems administrator at UBS PaineWebber, was found guilty of computer sabotage and securities fraud. Duronio, angry that his annual bonus would be lower than he had expected, brought down UBS PaineWebber's national trading network in 2004 using malicious code he had built. While the defense argued that UBS PaineWebber's network security was flawed - specifically that UBS's logs were unable to track which individual user had launched the attack - the forensics investigator on the case said UBS's security was ironclad. In fact, UBS's lawyers were able to trace the attack to Duronio, who had a high level of knowledge of the network he had been responsible for protecting during the three years he worked for UBS.[1]

Former employees can also cause great damage. In 2005, a group of former employees of Bank of America and several other banks were arrested for their involvement in a scheme in which account numbers and balances from 670,000 accounts were stolen and resold to law firms and debt collection agencies.[2]

An email forensics tool may not prevent all of these situations, and is unlikely to change user behavior. What the tool will do is provide visibility into exactly what is happening on the corporate network while acting as insurance in the event past incidents must be reconstructed or investigated, whether for compliance purposes, as part of a lawsuit, or as a result of an internal investigation.

Invest now to save later

As with any IT decision, cost is an important consideration. However, much like an insurance policy, spending a little money now could save you a lot in the longer run – maybe even in the short term. A decision to deploy a system costing upwards of $200,000 will seem extremely cost-effective compared to the cost of hiring legal and forensics "specialists" to reconstruct events after the fact.

Take the case of WestLB, an investment-banking firm sued by one of their former executives for sexual harassment. The plaintiff’s lawyers requested that WestLB produce a wide range of messages from the mailboxes of nearly 20 employees, a practice that is extremely common in today’s litigation. Because WestLB had not deployed sufficient forensics and archiving technology in-house beforehand, they were forced to utilize outside help to defend the lawsuit. The search, handled by an outside e-discovery firm WestLB hired, yielded nearly 650,000 email messages and evidence from 75,000 more electronic documents. The cost for unearthing this data: $480,000. Why was this search so expensive? Fully 86% of the data was stored on magnetic backup tapes that are difficult to search and have no reporting capability, something a $25,000 reporting/forensics tool and archiving solution would easily have addressed.

To make matters worse, WestLB did not have complete and accurate system logs, forcing their legal team to review each individual document manually. This resulted in hours of additional work and expense and the inadvertent release of thousands of pages of private material to the plaintiff's lawyers.[3]

E-discovery firms typically charge stratospheric hourly rates because they must complete their searches under extreme time crunches and, to be blunt, because they can. After all, if you have one week to extract and produce hundreds of thousands of pieces of evidence from literally millions of emails and documents, are you really in a position to haggle on price?

Hence the need for a powerful email reporting and forensics solution. Waiting for an audit or a lawsuit to determine a prudent course of action for recovering relevant data is like waiting for a fire to level your home before purchasing a homeowner's insurance policy. Wouldn't you rather spend a little now to know you are covered? And if you are an IT director, CEO or board member, don't you have an obligation to insure your enterprise against potentially huge audit or litigation costs?

Email Forensics Best Practices

In most cases, setting up an effective email forensics solution is relatively straightforward. First, make sure your logging is set up correctly and working properly; without all of the necessary log data, accurate reporting and forensics are impossible. Ask your IT department (or yourself if you are the IT department) the following questions to make sure your company is covered:

  • Are the server logs capturing all the necessary data – including all email traffic tagged by date, time, sender, recipient, as well as message content?
  • Are all mail servers, directories and security devices on the network (and any other device from which your reporting tool may be pulling data, like routers, firewalls, etc.) included in the logged data?
  • If another server or appliance is added, will its data also be added to the logs?

The more thorough your logs, the better the data you will have to work with later. In addition, it is impossible to go back and recapture data that was missed the first time around, so it is important to make sure all relevant data is being logged at the outset.

Next, take a look at the email reporting and analysis solution your company has deployed, or if your company has yet to deploy such a solution, consider the available solutions on the market. A true, enterprise-class solution should provide a real-time view into each of the following:

  • Spam, viruses, worms, hacker attacks and other threats hitting or traversing the network. The solution should also support multiple alerts so the IT administrator can be apprised of a threat quickly, whether or not they are standing in front of the management console at that moment.
  • Email traffic, performance, and capacity utilization of every piece of equipment within the email network; the solution should also be able to generate reports about email usage trends over time, allowing for timely network planning and avoiding instances of insufficient capacity, which often lead to network downtime.
  • Past incidents, ideally being able to reconstruct events as far back as 10 years. The solution should allow administrators to drill down to the individual user level, and to identify each and every message that was sent to, from and within the entire email network. This search functionality should be highly granular, and able to identify messages based on a variety of characteristics, such as sender, recipient, subject, date, time, size, protocol, attachment, etc.
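The logging checks above and the granular search described in the last bullet, as an added example that is not from the newsletter or from any Mirapoint product: a small Python parser over a constructed, simplified log format, a search by sender, recipient, subject, date range, size and attachment, and a coverage check that flags hosts that should be logging but are not. The log layout, host names and addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines, "timestamp host action key=value ..." (not any vendor's real format)
SAMPLE_LOG = """\
2006-09-01T08:15:02 mx1 deliver from=alice@example.com to=bob@example.com subject="Q3 forecast" size=18432 attach=forecast.xls
2006-09-01T09:40:11 mx1 deliver from=carol@partner.example to=alice@example.com subject="Re: contract" size=2048 attach=-
2006-09-02T17:05:47 mx2 reject from=spam@bad.example to=bob@example.com subject="cheap meds" size=512 attach=-
2006-09-03T12:00:00 mx1 deliver from=bob@example.com to=dave@outside.example subject="customer list" size=92160 attach=accounts.csv
"""
# Every mail host that is supposed to feed the log store (assumed inventory)
EXPECTED_HOSTS = {"mx1", "mx2", "mx3"}
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" size=(?P<size>\d+) attach=(?P<attach>\S+)$')

def parse_log(text):
    """Parse lines into dicts; lines that do not match are returned separately, not silently dropped."""
    records, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["size"] = int(rec["size"])
        rec["attach"] = None if rec["attach"] == "-" else rec["attach"]
        records.append(rec)
    return records, unparsed

def search(records, sender=None, rcpt=None, subject=None, start=None,
           end=None, min_size=None, has_attachment=None):
    """Granular search: every criterion given must hold. sender/rcpt match by substring
    (full address or domain); start is inclusive and end exclusive, both ISO date strings."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    def ok(r):
        return ((sender is None or sender in r["sender"])
                and (rcpt is None or rcpt in r["rcpt"])
                and (subject is None or subject.lower() in r["subject"].lower())
                and (lo is None or r["ts"] >= lo) and (hi is None or r["ts"] < hi)
                and (min_size is None or r["size"] >= min_size)
                and (has_attachment is None or (r["attach"] is not None) == has_attachment))
    return [r for r in records if ok(r)]

def missing_hosts(records, expected=EXPECTED_HOSTS):
    """Coverage check: expected hosts with no records in this window, i.e. data not being captured."""
    return sorted(expected - {r["host"] for r in records})
```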

Although there are many solutions on the market, many of which may meet your needs, pricing for reporting and forensics tools can vary from just a few thousand dollars to well over $100,000. Pricing is typically based on the number and type of systems from which the tool will pull data. It is imperative that whatever reporting tool you choose have some level of integration with the product(s) from which it will pull data and on which it will produce reports and conduct forensics analyses. Without solid integration, you run the risk of the product not working properly and – even worse – the inability of vendors to provide ample technical support when you need it. Depending on the size and nature of your business, in most cases you should be able to find a reporting tool to meet your needs for far less than $100,000 and in some cases for $10,000 or less.

The last step is to make sure your forensics tool has the right "output", typically various reports and graphs. All reporting tools will have some "canned" or prefabricated reports; the more of these the better (at least 30 is a good start), as they are quick and easy to produce.

However, almost any business will want and need some level of customization, so be sure your tool can also produce customized reports based on the parameters that are important to your size, industry and other characteristics. Many of the lower-priced options provide only a handful of canned reports; you may want to spend a little extra money to get exactly what you need.



[1] Sharon Gaudin, "UBS Trial Aftermath: Even Great Security Can't Protect You From The Insider," InformationWeek, July 21, 2006
[2] Steven Marlin, "Former Bank Employees Are Charged In Data Heist," InformationWeek, May 23, 2005
[3] Kim S. Nash and Deborah Gage, "When Email is Evidence," Baseline, August 2006
