Main Nav

We're currently reevaluating how we perform Malware forensics here and wanted to see what others were doing. Are you doing it in-house or outsourcing? 

If in-house, do you have dedicated staff for this, or is this tasked distributed? How do you keep people current—do you have a preferred vendor for training?

If you outsource, do you use a major vendor such as one of the big consulting firms, or do you prefer a local specialist? How has this worked for you? 

Or have you implemented a blended solution, where certain cases are handled in-house and others referred to a vendor? 

Thanks all, and happy Friday,

Dave

--
Dave Nevin, IT Manager
Technology Support Services/Information Services
Oregon State University
Corvallis, OR


Comments

Message from mclaugkl@ucmail.uc.edu

Not really answering your questions but one thing I just stumbled on here is that our asset management group had all kinds of hardware, switches, etc. that we can get for free and these items make excellent lab resources. We stick all kinds of stuff on them and can attack them, analyze them, etc. Asset management was more than willing to provide infosec with the equipment for us to play with. Most of the stuff we found to use was surprisingly "new". -Kevin Kevin L. McLaughlin AVP, Information Security & Special Projects University of Cincinnati
> If you outsource, do you use a major vendor such as one of the big > consulting firms, or do you prefer a local specialist? How has this worked > for you? We're somewhat hybrid - we do some in-house, but have been outsourcing more-and-more lately. We used to be a purely in-house forensics shop but looked at outsourcing for the following reasons: 1) Forensics work creates big spikes in our workload that are difficult to predict and account for. We'd basically lose an analyst for a week or so each time we decided to do this in an incident. 2) We felt our forensics service could be easily out-sourced without impacting the rest of our security program too much, and without too much overhead or setup time for existing staff (thankfully this turned out to be true). 3) Malware is getting advanced enough that we felt like without investing in a significantly more robust forensics infrastructure and probably a dedicated FTE, we weren't going to be able to keep up for much longer, so best to find a vendor we trust now so that we're prepared to completely outsource if that becomes a necessity. We have been extremely happy with our chosen vendor, SecureWorks. They've got excellent technical staff and their customer service has been more-than-satisfactory. When we initiate an incident we got a person, on the phone, able to help us pretty quickly. We have used them about half a dozen times and their work has been solid and consistent. They were a relatively small company but were recently bought by Dell. As far as I can tell that doesn't seem to have had a negative influence on the company. I'm happy to provide more details about our experience with them offline if you like. Cheers, Brian ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Brian Smith-Sweeney Project Lead ITS Technology Security Services, New York University http://www.nyu.edu/its/security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks Brian--that helps. Anyone else?