Deloitte Insights: The Future of Cyber Security
Insights Video Podcast
The Internet changes on a daily basis; therefore, those charged with the protection of data must stand ready to adapt to the latest cyber threats.
In this special edition of Insights broadcast from Washington, DC, moderator Sean O’Grady discusses the future of Cyber Security with Greg Pellegrino, a Principal in the U.S. Federal Government Services Leader in Deloitte Financial Advisory Services LLP, and Bill Kobel, a Principal in Security and Privacy Services for Deloitte & Touche LLP.
Greg Pellegrino, Public Sector Industry Leader, Deloitte Touche Tohmatsu
Bill Kobel, a Principal and Leader of U.S. Security & Privacy for Information and Technology Risk Management Solutions, Deloitte & Touche LLP
Sean O’Grady, Host, Deloitte Insights: Hello and welcome to Insights. Today’s topic is the future of cyber security and how it will factor into your business-making decisions. We have two guests joining us in the studio today in Washington, D.C. to discuss the issue, and they are Greg Pellegrino, a Principal and Global Industry Leader for the Public Sector and responsible for Deloitte’s Computer Forensic Services to the U.S. Government. And we also have Bill Kobel, a Principal and Leader of U.S. Security & Privacy for Information and Technology Risk Management Solutions. Gentlemen, Deloitte was recently named by Kennedy as the No. 1 Forensic and Dispute Advisory Practice in terms of both breadth and depth in the world. Greg, how are we bringing these capabilities to the federal marketplace?
Greg Pellegrino: Sean, we are really excited about this ranking. It establishes us as the No. 1 firm worldwide in the Forensic and Dispute Services. By revenue, it is roughly about a half billion dollars. We have made a big investment here in the U.S. to bring these capabilities to the U.S. government by extending our Electronic Discovery Solution Center capability in Hermitage, Tennessee, to our clients here in Washington, D.C. Today we are able to serve our clients across the full range of computer forensics, analytics, as well as the emerging area of cyber intelligence. This whole issue of being able to track down people and issues worldwide is a great capability for us to be bringing these clients today.
Sean: Bill, your thoughts?
Bill Kobel: Well, for many years we have understood that forensics is a very important part of an information security program. We have made certain we have been able to bring those kinds of capabilities to our clients. We see a much tighter integration. We are providing the right kinds of services to our clients and we are able to bring forensics and the cyber or information security capabilities together. So we see that as a big plus. The other is that Deloitte is an acknowledged leader in information security and one of the reasons for that is that we are all about bringing in this kind of deep specialization to our clients because we recognize the importance of a complete solution.
Sean: So gentlemen, if an organization wants to be current and competitive in this dynamic cyber security environment what do they need to do?
Greg: First they need to be able to combine traditional computer forensics to a standard that is done at the level necessary to prosecute, for example, a federal criminal investigation or case. Deloitte has that capability. Our evidence handling, chain of custody, and processes align perfectly with the needs of our U.S. government clients and some of their sensitive matters. They also need to be able to do that in a secure environment and Deloitte is able to provide the level of security as well as the security clearances necessary for practitioners to support the traditional computer forensics investigations. Now we combine that type of collection and log analysis, data recovery, with our ability to follow the network and help our clients connect the dots. So our capabilities really extend computer forensics into the whole new emerging world of analytic technologies. Being able to relate information from IP addresses to address, to individuals anywhere in the world to handle some of the most complex terrorist finance investigations as well as just simply traditional computer forensic and evidence retention cases that our clients are asking us to support.
Sean: Bill, do you agree?
Bill: I do, and in fact one of the core processes that we always worry about within information protection and support is incident response, and one of the things that Greg just mentioned is the ability to do advanced analytics, and the ability to do proper data processing is very, very important in terms of the investigation and the response side of dealing with an incident. So we take the capability and make sure that they are folded into a properly structured incident response program for our clients.
Sean: Now for my next question, you gentlemen have a model that helps to explain cyber forensics and we have a graphic up for the audience. Can you describe this model, can you describe the future of cyber forensics?
Bill: Sure, and let me take a shot at that. So of all the things we have just been discussing, they are still relevant. It is about how do you advance those capabilities and we see it in sort of four core areas. We see the advance in data collection. The ability to take structured and unstructured data. The ability to take automated data feeds and being able to bring that together in a smart way. Just as we see in a lot of different areas of science today the ability to do data fusion. How do I take a lot of different data types, data sources and be able to move that information together, make heads or tails out of it and then be able to roll it back up to the appropriate decision makers. So the second area is about your data fusion and using advanced technologies to be able to support that and the third area is research. So as we see the forensic sciences evolve we believe that they will be very, very important in tying back into your core processes like doing self-assessments, trying to determine leading and lagging indicators for doing monitoring and those kinds of areas. Then the last area is continuing to develop very advanced algorithms to do pattern recognition and support the forensic sciences. So as the problem gets more complex your algorithms get a lot more complex and be able to sort of chase the problem, find the problem, and then be able to sort of be forward looking and be able to foretell the problem occurring.
Greg: Well, if you think about the issues our clients are trying to address, they are complex, they are global, they occur across a full range of technology devices. Our ability to provide the capabilities that Bill just described in a way that connects the dots for our clients is unique. So we can handle an investigation dealing with mobile telephones, dealing with people in multiple locations around the world and then we are able to take the traditional data collected through forensic investigation and match that up with our statistical economics of business investigations capabilities as well as our new geospatial capabilities to show how anomalies that are occurring across geographic regions might be related.
Sean: Bill, I want to jump back over to you and that is how do core forensic capabilities and practices need to evolve to support an organization’s overall cyber ecosystem for addressing these emerging cyber threats?
Bill: Sure. One of the things that we have made a major investment in is the advancing technologies to support these new models and concepts we are dealing with. As we look at the advancing of the forensic sciences sort of in lockstep with the advanced and emerging threat. We see sort of two core areas that are going to evolve to be able to sort of stay up with the problem. The first is being able to take the forensic sciences and the capabilities that we have been talking about here and tying that back into the core cyber processes and capabilities that are out there. So historically there has already been a very well defined sciences area but it has been in its own silo. What we see happening is a change in the way that the forensic sciences have to integrate within the core processes and these processes could be, such as incident response, advanced monitoring, logging/reporting capabilities, and control monitoring. So a lot of things that were historically security related we see now coming together a little more tightly integrated. The second area is, as we already touched on, sort of advancing the sciences around using near real time and real time data. So how do you use technology, how do you advance technology, how do you start to do algorithmic forecasting versus sort of looking backward and trying to find the problem. It is how can you use technology to sort of find the problem and then fast forward that in a forward looking way to feed that back into other engines that are actually looking at different parts of the cyber environment. So we see those are the two areas that need to evolve and grow to just sort of stay up with the cyber threat.
Sean: Now Greg, given the proliferation of data and computing systems and there is a constant threat of cyber attack to governments. How can cyber forensics be used to increase this responsiveness and limit the cost of these investigations that come with this?
Greg: Well, I think that being able to not only look at an incident once it has occurred but extending that to a complete 360 degree perspective around the organization, the threats to that organization, the sources of attacks, the people behind those attacks, and where they are and their motives. What Bill describes really brings together our ability to conduct deep background investigations on organizations and people and be able to then match that up with our ability to monitor information streams real time looking for very sophisticated anomalies that might suggest that some type of issue is occurring and so when we today look at, for example, the ability to follow money. The ability to follow money is not just something that demands computer forensic expertise, e-mails, maybe information stored on a computer, or passed through a network but it involves looking at financial transactions and looking at financial flows and who is dealing with whom around the world and helping facilitate these financial crimes. We find that for any meaningful complex criminal activity including cyber attacks the motivation is often something to do with money. If we can penetrate the network and understand who is behind and what is occurring, we bring a much more enhanced capability than organizations that just simply collect data off hard drives.
Sean: Now Bill, what defense practice areas do you think are going to benefit as core forensic capabilities and practices become more advanced?
Bill: As Greg indicated, one of the things that I was going to add on to it is though we see the money is one of the key motivators of why people do things. When we start looking at the defense side of things and the nation’s and state’s problems the art of cyber warfare is far more sophisticated than that and the motives are a lot different. So you see, we will take the forensic sciences and tie that back into that ecosystem. So the motives are different and how and why you want to look at the data is different. I think a lot of the underlying algorithms are the same. I think that can sort of reaps the benefits of the advances in this area would include the defense industrial base. So these are a lot of organizations that work with the government. They have network systems and applications and data. The question is as they monitor themselves, the government tries to monitor them, can you use this kind of capability and this knowledge to be able to improve the way that they do their self-assessments and do third-party assessments, that would be an example. If you start to think about the cyber threat and then realize that there is another game out there as well, the whole idea of you are protecting the global information grid. So that is the government’s secure and unsecure networks, how do you take this information and those environments so that you can better understand what an operating environment is, where abnormal activities are occurring and be able to respond to it as quickly as possible. So those are two areas that we see can easily take advantage of the advancing capabilities that we are talking about today.
Sean: So our last question is about evidence and Greg, we will start with you and that is what new evidence sources can help a government solve these cyber cases?
Greg: Well, as we have seen with this latest WikiLeaks, leakage of government information to organizations around the world. The whole area of insider threat is growing as an area of active interest. Deloitte has invested in having some of the best experts on insider threat. Psychologists who have led the industry and the profession’s response to these issues in the past applying them to the issues our federal clients are trying to grapple with relative to creating a culture in an organization that is sensitive to the new issues of cyber security and protecting information and assuring that information is not inappropriately or inadvertently leaked out or lost. They are looking at new types of patterns, in other words what are the risk indicators to an organization of insider threat activities, what does traditional security and privacy approaches to protecting information mean in a world today where we have so many new types of devices. We have the emergence of social networking as a potential risk to organizations as they and their employees go increasingly online and share information about what they are doing or where they are working. So we are helping organizations really be able to understand how to connect across discipline of computer forensics with the emerging areas of mobile technologies, iPods, iPads, as well as looking at these new issues caused by employees doing things on Twitter, Facebook, and other social networking Web sites.
Bill: Also we are just trying to see that the same set of concerns are starting to find their way into U.S. requirements, policy and laws that are going to start to find their way back into the marketplace and so we are going to start to see a lot of organizations that do business with the government or have some involvement with critical infrastructure protection. We will start to need to be able to be much more responsive to these areas. So what Greg was touching on, we see a lot of these things filtering back into existing programs. The other thing we see is a different stress point on technology, for example if you could imagine you have got technology that helps you provide access rights into an appropriate data source or a particular application, you are going to start to see or continue to see is other technologies like data leakage protection. So Sean, if I granted you rights to have access to a certain set of data but you are abusing that, how do I know and how do I know quickly enough so that the damage can be limited. So you are going to start to see these kinds of technologies and methods continually promoted by the federal government, you are going to see a lot of that start to filter back into the broader industrial contractor base so that everybody is sort of playing their game in terms of how they are actually responding to these kinds of challenges.
Sean: Okay you have been listening to Greg Pellegrino, a Principal and Global Industry Leader for the Public Sector and responsible for Deloitte’s Computer Forensic Services to the U.S. Government. Bill Kobel, a Principal and Leader of U.S. Security & Privacy for Information and Technology Risk Management Solutions. Thank you both gentlemen for joining us today in Washington, D.C. If you’d like to learn more about Greg, Bill, or any of the information discussed during today’s program you can find it online at www.deloitte.com/us/podcasts.