Educause Security Discussion mailing list archives

Re: Malware forensics


From: "Nevin, David" <Dave.Nevin () OREGONSTATE EDU>
Date: Mon, 28 Nov 2011 10:30:32 -0800

Thanks Brian--that helps.

Anyone else?

On 11/20/11 11:31 AM, "Brian J Smith-Sweeney" <bsmithsweeney () NYU EDU>
wrote:

If you outsource, do you use a major vendor such as one of the big
consulting firms, or do you prefer a local specialist? How has this
worked for you?

We're somewhat hybrid - we do some in-house, but have been outsourcing
more and more lately.  We used to be a purely in-house forensics shop
but looked at outsourcing for the following reasons:

1) Forensics work creates big spikes in our workload that are
difficult to predict and account for.  We'd basically lose an analyst
for a week or so each time we decided to do this in an incident.

2) We felt our forensics service could be easily outsourced without
impacting the rest of our security program too much, and without too
much overhead or setup time for existing staff (thankfully this turned
out to be true).

3) Malware is getting advanced enough that we felt like without
investing in a significantly more robust forensics infrastructure and
probably a dedicated FTE, we weren't going to be able to keep up for
much longer, so best to find a vendor we trust now so that we're
prepared to completely outsource if that becomes a necessity.

We have been extremely happy with our chosen vendor, SecureWorks.
They've got excellent technical staff and their customer service has
been more than satisfactory.  When we initiate an incident we get a
person, on the phone, able to help us pretty quickly.  We have used
them about half a dozen times and their work has been solid and
consistent.

They were a relatively small company but were recently bought by Dell.
As far as I can tell that doesn't seem to have had a negative
influence on the company.

I'm happy to provide more details about our experience with them
offline if you like.

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney            Project Lead
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

