Internal Investigations: A Look at
Proactive and Reactive Responses
Using Technology and Process


Albert Barsocchini
barsocchini@gmail.com
415.456.8318
Definition of an Internal Investigation

  An internal investigation is launched by a corporation to understand
  and diagnose problems within the corporation.
  Frequently used to help a corporation avoid or limit possible criminal
  or civil liability exposure and correct significant problems.
  Fact driven
  The old adage that sometimes the best defense is a good offense.
Flawed Investigation Risks

 Allegations of obstruction of justice
 Damage to the corporation’s reputation
 Damage to employee morale
 Creation of negative evidence that may be used in future criminal or
 civil proceedings
 Destruction of evidence that could be helpful in the company’s
 defense
Is an Internal Investigation Appropriate?

   The titles, roles and responsibilities of the people alleged to have engaged in the wrongdoing;
   Whether the company was a victim or the perpetrator of the alleged wrongdoing;
   If the company was a victim of the wrongdoing, is it likely to recur and will the company likely
   recover much, if anything, in pursuing the wrongdoers?
   The nature, length, and scope of the alleged conduct in question;
   The dollar value of any loss to the company if it was a victim of any wrongdoing;
   Does the wrongdoing involve ongoing business conduct or existing business relationships, or is it
   historical and unlikely to recur due to changed business practices or other circumstances?
   The likely—not merely the possible—potential economic exposure to the company;
   Whether alleged wrongdoing, if true, is placing any third party at risk;
   Whether the allegations are susceptible to verification;
   The cost and effort of the investigation as compared with any results it may yield;
   The nature and source of allegations, including the motivation and the potential gain to those
   making the allegation, if that party is known.
Reality Check

 There are known knowns. These are things we know
 that we know. There are known unknowns. That is to say,
 there are things that we know we don't know. But there
 are also unknown unknowns. There are things we don't
 know we don't know.
 Donald Rumsfeld


 Query: Traditional investigation techniques focus on
 known knowns and sometimes known unknowns
Know Your Self

 Sun Tzu:
    “If you know your opponent’s strengths and limitations and know your
    own strengths and limitations, you can win one hundred battles without a
    single loss.”
    “If you know neither yourself nor your opponent, you will always
    endanger yourself and the mission.”
United States Approach To Data Protection & Privacy

  The United States has an ad hoc approach to data protection legislation, relying on a
  combination of legislation, regulation, and self-regulation, rather than overarching
  governmental regulations.
  The private sector should lead, and companies should implement self-regulation in
  reaction to issues brought on by Internet technology.
      Corporate Codes of Conduct
      Alternative Dispute Resolution mechanisms
  The United States has no single, overarching privacy law comparable to the EU
  Directive.
  Privacy legislation in the United States tends to be adopted on an “as needed” basis,
  with legislation arising when certain sectors and circumstances require. For example:
      Video Protection Act of 1988;
      Cable Television Consumer Protection and Competition Act of 1992;
      Electronic Communications Privacy Act; and
      Fair Credit Reporting Act.
Investigate What?
Today’s Corporate Risks & New Litigation Rules
Require Consistent Digital Investigations

 eDiscovery
 Compliance
 Internal Investigations
 Data Audit & Security

 The common need to search, collect and preserve electronic evidence
 in a timely, efficient and defensible process with court admissibility
Comprehensive Approach to
Investigations

 Preparedness
 Centralized Endpoint Visibility
 Speed, Consistency, Mobility, Adaptability
 Data Protection
Trends

 Board Members Will Demand Investigations
 Less Pressure to Waive Attorney-Client Privilege
 More written reports instead of oral
 More Executives Will Have Their Legal Fees Paid by Their
 Employer
 More Employees Will Be Prosecuted For Lying to Outside Counsel
 Increased difficulty conducting Investigations because of complex
 enterprise environment
Invest in Leap Ahead Technology

  We still use a lot of homegrown tools.
  Not enough innovation.
  Can we prevent wrongdoing by watching the data?
  Can we make the data police itself?
Know the Triggers

 Search Warrant, Government Subpoena or Voluntary Request for
 Information
 Whistleblower
 HR matters
 Media Reports
 Financial Restatements
 Shareholder Demand Letter or Civil Complaint
 Auditor concerns
 Part 205 Report
 Board or Audit Committee Concern
 FCPA
Understand Data Location

 What are your “Crown Jewels”?
 Do you know where all the Crown Jewels are?
 Processes and procedures should be in place to ensure
 “The Crown Jewels” remain in authorized locations.
Evolving Corporate Threats

 Traditional reactive investigations not enough
 New technologies bring new exploits
 Threats can be internal, external and/or inadvertent
 A determined wrongdoer will find a way
Proactive Considerations

 How do you…
    Identify unknown or covert corporate threats?
    Limit the risk exposure presented by sensitive information?
    Respond to a suspected incident?
    Limit the scope of an incident?
    Ensure corporate endpoints remain secure?
    Address and scale technology and processes to include file
    servers, email servers, semi-structured data repositories?
Find your Heading

  Directional orientation determines your focus
     coming at, going away, or circling you


  Perception is what you observe
     Peripheral vision is for detection (perimeter)
     Central vision is for identification (endpoint)
     Could you drive with only peripheral vision?


  Bottom line: You will conclude what you perceive
  Learn to use innovative procedures and technology to
  increase your vision.
Technology Obsolescence

 Traditional investigative technologies are
 obsolete and not keeping pace with the
 number of corporate threats being created.
 Traditional investigative techniques place
 you in a perpetual catch-up mode and provide a
 false sense of security & plausible deniability
Meet Our Cast of Characters
Your New Adversaries

1. “Bear” - firmly nestled where users are most exposed; the data
   stream…
2. “Raccoon” - masked bandit who sneaks in at night and takes our
   valuable loot.
3. “Wolf” - constantly probing and looking for signs of weakness.
4. “RAT” - burrowing his way through your foundation, weakening your
   structure.
Flawed Internal Investigation
personalities

1. “Turtle” - both for having a hard outer shell and soft meaty middle,
   and for being characteristically slow in every endeavor
2. “Lemming” – Because we like to follow others’ lead, often to our own
   demise
3. “Guinea Pig” – Using untested new ideas and procedures.
4. “Beaver” – Who after getting his dam breached will work feverishly to
   patch and repair, even when conditions aren’t favorable.
5. “Sheep” – They may make great T-shirts, but terrible investigators
6. “Ostrich” – who believes that there is a peaceful bliss in ignorance
   and if you bury your head long enough, maybe the threat will go
   away…
Desired Qualities of an investigator

 Objective
 Impartial
 Subject matter expertise
 Credible
 Fair
 Respectful
 Compassionate
 Professional
 Innovative
 Flexible
 Open to new ideas and techniques
Undesirable Qualities of an Investigator

 Biased
 Judgmental
 Accusatory
 Inconsiderate
 Angry or “put out”
 Incompetent
 Inflexible
 Not thinking outside the box
 Unwilling to accept new ideas and technology
Challenges

 Complexity - Internal investigations are inherently complicated given
 regulatory considerations, disclosure implications and overall liability
 exposure.
 Timing - Critical aspect of any internal investigation.
 Risk - The disclosure of investigative findings can subject a
 corporation and its employees to potential criminal and/or civil
 liability.
 Ethical Issues - Effectively conducting an internal investigation often
 requires keen attention to a myriad of ethical issues (e.g., privilege)
 Adverse impact - The investigation and its findings can adversely
 impact the company by generating low employee morale, hampering
 employee recruitment and depressing the stock price.
 Conflicts of interest – can affect investigation effectiveness
Investigative Challenges

 Detecting Covert, Advanced and Unknown threats and keeping pace with
 the evolving nature of attacks
 Identifying and analyzing suspected threats
 Quickly triaging and containing an identified threat
 Locating and rapidly responding to data leakage (PII, IP, etc.)
Be proactive and Understand Potential
Corporate Threat Vectors

 Network
 Unusual employee behavior
 Email
 Open ports
 VPN
 Insider threat
 Software vulnerabilities
Ten Red Flags for the Enterprise

 Account information on unauthorized workstation
 Account information on a web or email server
 Unencrypted account information
 Unscheduled bulk data transfers after hours
 File sharing software (e.g., BitTorrent)
 Unknown process running on a workstation
 Account privilege escalation/out of band activity
 Encrypted/compressed file repositories
 Large number of removable drives on a single computer
 Unpatched applications
Recommendations

 Assess your risk
 Assess your readiness
    Prevention, detection, response
 Implement effective compliance program
    People
    Process
    Technologies
Getting Started

 Have a corporate investigation and document retention policy
 Develop a process to identify and retain evidence
 Develop a response strategy for both inside and outside counsel
 Identify event triggers and decision tree
 Who in the enterprise controls the investigation?
 Who should conduct the investigation? Credibility is key.
 How should the investigation be conducted?
 What should the scope of the investigation be?
 What will be done with the results of the investigation?
Investigative Objectives

  Find the truth
  Stop the conduct
  Identify the Evidence
  Get control of the evidence
  Preserve the evidence
  Find out what happened and why
  Report (oral or written) (purpose)
  Implement remedial measures
  Maintain confidentiality
Best Practices

 Document the process
 Establish credibility
 Don’t make it worse
 Always re-evaluate strategy
 Have a clear communication channel
 Have consistent procedures
 Use the latest technologies
 Have an efficient and cost-effective response
 Properly preserve evidence
 Provide effective expert testimony
 Review and de-brief
Rewards

 Using the latest investigative approaches and technology will help a
 company identify potential liability and develop a plan to limit such
 liability while allowing the company to control the process before
 governmental or other third party intervention.
 Give a corporation more time to develop responses or defenses
 which may ultimately minimize overall criminal and civil exposure
 and reduce the likelihood of lawsuits.
 Make a corporation look more responsible to government regulators,
 shareholders, and auditors, thus minimizing the effect of any
 negative publicity that has arisen from allegations of wrongdoing.
 Satisfies the board’s fiduciary obligations.
Albert Barsocchini

Internal Investigations

  • 1. Internal Investigations: A Look at Proactive and Reactive Responses Using Technology and Process Albert Barsocchini barsocchini@gmail.com 415.456.8318
  • 2. Definition of an Internal Investigation P A G E 1 An internal investigation is launched by a corporation to understand and diagnose problems within the corporation. Frequently used to help a corporation avoid or limit possible criminal or civil liability exposure and correct significant problems. Fact driven The old adage that sometimes the best defense is a good offense.
  • 3. Flawed Investigation Risks P A G E 2 Allegations of obstruction of justice Damage to the corporation’s reputation Damage to employee morale Creation of negative evidence that may be used in future criminal or civil proceedings Destruction of evidence that could be helpful in the company’s defense
  • 4. Is an Internal Investigation Appropriate ? P A G E 3 The titles, roles and responsibilities of the people alleged to have engaged in the wrongdoing; Whether the company was a victim or the perpetrator of the alleged wrongdoing; If the company was a victim of the wrongdoing, is it likely to recur and will the company likely recover much, if anything, in pursuing the wrongdoers? The nature, length, and scope of the alleged conduct in question; The dollar value of any loss to the company if it was a victim of any wrongdoing; Does the wrongdoing involve ongoing business conduct or existing business relationships, or is it historical and unlikely to recur due to changed business practices or other circumstances? The likely—not merely the possible—potential economic exposure to the company; Whether alleged wrongdoing, if true, is placing any third party at risk; Whether the allegations are susceptible to verification; The cost and effort of the investigation as compared with any results it may yield; The nature and source of allegations, including the motivation and the potential gain to those making the allegation, if that party is known.
  • 5. Reality Check P A G E 4 There are known known's. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know. Donald Rumsfeld Query: Traditional investigation techniques focus on known known's and sometimes known unknowns 4
  • 6. Know Your Self P A G E 5 Sun Tzu: “If you know your opponents strengths and limitations and know your own strengths and limitations, you can win one hundred battles without a single loss.” “If you know neither yourself nor your opponent, you will always endanger yourself and the mission.” 5
  • 7. United States Approach To Data Protection & Privacy P A G E 6 The United States has an ad hoc approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations. The private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. Corporate Codes of Conduct Alternative Dispute Resolution mechanisms The United States has no single, overarching privacy law comparable to the EU Directive. Privacy legislation in the United States tends to be adopted on an “as needed” basis, with legislation arising when certain sectors and circumstances require. For example: Video Protection Act of 1988; Cable Television Consumer Protection and Competition Act of 1992; Electronic Communications Privacy Act; and Fair Credit Reporting Act.
  • 8. Investigate What? P A G E 7
  • 9. Today’s Corporate Risks & New Litigation Rules Require Consistent Digital Investigations P A G E 8 eDiscovery Compliance Data Audit & Internal Security Investigations The Common need to search, collect and preserve electronic evidence in a timely, efficient and defensible process with court admissibility
  • 10. Comprehensive Approach to Investigations P A G E 9 Preparedness Centralized Endpoint Visibility Speed, Consistency, Data Mobility, Protection Adaptability
  • 11. Trends P A G E 10 Board Members Will Demand Investigations Less Pressure to Waive Attorney-Client Privilege More written reports instead of oral More Executives Will Have Their Legal Fees Paid by Their Employer More Employees Will Be Prosecuted For Lying to Outside Counsel Increased difficulty conducting Investigations because of complex enterprise environment
  • 12. Invest in Leap Ahead Technology: We still use a lot of homegrown tools. Not enough innovation. Can we prevent wrongdoing by watching the data? Can we make the data police itself?
  • 13. Know the Triggers: Search Warrant, Government Subpoena or Voluntary Request for Information; Whistleblower; HR matters; Media Reports; Financial Restatements; Shareholder Demand Letter or Civil Complaint; Auditor concerns; Part 205 Report; Board or Audit Committee Concern; FCPA
  • 14. Understand Data Location: What are your “Crown Jewels”? Do you know where all the Crown Jewels are? Processes and procedures should be in place to ensure “The Crown Jewels” remain in authorized locations.
  • 15. Evolving Corporate Threats: Traditional reactive investigations not enough; New technologies bring new exploits; Threats can be internal, external and/or inadvertent; A determined wrongdoer will find a way
  • 16. Proactive Considerations: How do you… Identify unknown or covert corporate threats? Limit the risk exposure presented by sensitive information? Respond to a suspected incident? Limit the scope of an incident? Ensure corporate endpoints remain secure? Address and scale technology and processes to include file servers, email servers, semi-structured data repositories?
  • 17. Find your Heading: Directional orientation determines your focus: coming at, going away, or circling you. Perception is what you observe. Peripheral vision is for detection (perimeter). Central vision is for identification (endpoint). Could you drive with only peripheral vision? Bottom line: you will conclude what you perceive. Learn to use innovative procedures and technology to increase your vision.
  • 18. Technology Obsolescence: Traditional investigative technologies are obsolete and not keeping pace with the number of corporate threats being created. Traditional investigative techniques place you in a perpetual catch-up mode and provide a false sense of security & plausible deniability.
  • 19. Meet Our Cast of Characters
  • 20. Your New Adversaries: 1. “Bear” - firmly nestled where users are most exposed; the data stream… 2. “Raccoon” - masked bandit who sneaks in at night and takes our valuable loot. 3. “Wolf” - constantly probing and looking for signs of weakness. 4. “RAT” - burrowing his way through your foundation, weakening your structure.
  • 21. Flawed Internal Investigation Personalities: 1. “Turtle” - both for having a hard outer shell and soft meaty middle, and for being characteristically slow in every endeavor. 2. “Lemming” - because we like to follow others’ lead, often to our own demise. 3. “Guinea Pig” - using untested new ideas and procedures. 4. “Beaver” - who, after getting his dam breached, will work feverishly to patch and repair, even when conditions aren’t favorable. 5. “Sheep” - they may make great T-shirts, but terrible investigators. 6. “Ostrich” - who believes that there is a peaceful bliss in ignorance and if you bury your head long enough, maybe the threat will go away…
  • 22. Desired Qualities of an Investigator: Objective; Impartial; Subject matter expertise; Credible; Fair; Respectful; Compassionate; Professional; Innovative; Flexible; Open to new ideas and techniques
  • 23. Undesirable Qualities of an Investigator: Biased; Judgmental; Accusatory; Inconsiderate; Angry or “put out”; Incompetent; Inflexible; Not thinking outside the box; Unwilling to accept new ideas and technology
  • 24. Challenges: Complexity - Internal investigations are inherently complicated given regulatory considerations, disclosure implications and overall liability exposure. Timing - Critical aspect of any internal investigation. Risk - The disclosure of investigative findings can subject a corporation and its employees to potential criminal and/or civil liability. Ethical Issues - Effectively conducting an internal investigation often requires keen attention to a myriad of ethical issues (e.g., privilege). Adverse impact - The investigation and its findings can adversely impact the company by generating low employee morale, hampering employee recruitment and depressing the stock price. Conflicts of interest - can affect investigation effectiveness.
  • 25. Investigative Challenges: Detecting covert, advanced and unknown threats and keeping pace with the evolving nature of attacks; Identifying and analyzing suspected threats; Quickly triaging and containing an identified threat; Locating and rapidly responding to data leakage (PII, IP, etc.)
  • 26. Be Proactive and Understand Potential Corporate Threat Vectors: Network; Unusual employee behavior; Email; Open ports; VPN; Insider threat; Software vulnerabilities
  • 27. Ten Red Flags for the Enterprise: Account information on unauthorized workstation; Account information on a web or email server; Unencrypted account information; Unscheduled bulk data transfers after hours; File sharing software (i.e. BitTorrent); Unknown process running on a workstation; Account privilege escalation/out of band activity; Encrypted/compressed file repositories; Large number of removable drives on a single computer; Unpatched applications
  • 28. Recommendations: Assess your risk; Assess your readiness; Prevention, detection, response; Implement effective compliance program; People; Process; Technologies
  • 29. Getting Started: Have a corporate investigation and document retention policy; Develop a process to identify and retain evidence; Develop a response strategy for both inside and outside counsel; Identify event triggers and decision tree. Who in the enterprise controls the investigation? Who should conduct the investigation (credibility is key)? How should the investigation be conducted? What should the scope of the investigation be? What will be done with the results of the investigation?
  • 30. Investigative Objectives: Find the truth; Stop the conduct; Identify the evidence; Get control of the evidence; Preserve the evidence; Find out what happened and why; Report (oral or written) (purpose); Implement remedial measures; Maintain confidentiality
  • 31. Best Practices: Document the process; Establish credibility; Don’t make it worse; Always re-evaluate strategy; Have a clear communication channel; Have consistent procedures; Use the latest technologies; Have an efficient and cost-effective response; Properly preserve evidence; Provide effective expert testimony; Review and debrief
  • 32. Rewards: Using the latest investigative approaches and technology will help a company identify potential liability and develop a plan to limit such liability while allowing the company to control the process before governmental or other third-party intervention. Gives a corporation more time to develop responses or defenses which may ultimately minimize overall criminal and civil exposure and reduce the likelihood of lawsuits. Makes a corporation look more responsible to government regulators, shareholders, and auditors, thus minimizing the effect of any negative publicity that has arisen from allegations of wrongdoing. Satisfies the board’s fiduciary obligations.
  • 33. Albert Barsocchini
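
Four of the red flags from slide 27 (unscheduled bulk transfers after hours, file sharing software, unknown processes, and a large number of removable drives on one computer) written as checks over endpoint event records. This is an added example, not part of the original deck; the event format, host names, thresholds and allowlists are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values (not from the slides); tune them to your environment.
BUSINESS_HOURS = range(7, 19)                   # 07:00-18:59 local time
BULK_BYTES = 500 * 1024**2                      # a transfer above 500 MiB is "bulk"
MAX_REMOVABLE = 3                               # distinct removable drives per host
KNOWN_PROCESSES = {"chrome.exe", "excel.exe", "backup.exe", "robocopy.exe"}
P2P_PROCESSES = {"qbittorrent.exe", "utorrent.exe"}
SCHEDULED_JOBS = {("FILESRV01", "backup.exe")}  # approved (host, process) transfers

MIB = 1024**2
# Constructed endpoint telemetry for illustration; not real data.
EVENTS = [
    {"ts": "2024-03-04T10:15:00", "host": "WS-101", "type": "transfer", "process": "chrome.exe", "bytes": 40 * MIB},
    {"ts": "2024-03-05T02:30:00", "host": "WS-102", "type": "transfer", "process": "robocopy.exe", "bytes": 2048 * MIB},
    {"ts": "2024-03-05T01:00:00", "host": "FILESRV01", "type": "transfer", "process": "backup.exe", "bytes": 51200 * MIB},
    {"ts": "2024-03-05T09:00:00", "host": "WS-101", "type": "process", "process": "EXCEL.EXE"},
    {"ts": "2024-03-05T09:05:00", "host": "WS-102", "type": "process", "process": "upd8r.exe"},
    {"ts": "2024-03-05T09:10:00", "host": "WS-103", "type": "process", "process": "qbittorrent.exe"},
    {"ts": "2024-03-05T11:00:00", "host": "WS-101", "type": "usb", "serial": "USB-X"},
    {"ts": "2024-03-05T15:00:00", "host": "WS-101", "type": "usb", "serial": "USB-X"},
] + [{"ts": "2024-03-05T12:00:00", "host": "WS-104", "type": "usb", "serial": s}
     for s in ("USB-A", "USB-B", "USB-C", "USB-D")]


def find_red_flags(events):
    """Return {host: sorted list of red flags} for the hosts that raise any."""
    flags, drives = defaultdict(set), defaultdict(set)
    for e in events:
        host = e["host"]
        if e["type"] == "transfer":
            after_hours = datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS
            scheduled = (host, e["process"].lower()) in SCHEDULED_JOBS
            if e["bytes"] > BULK_BYTES and after_hours and not scheduled:
                flags[host].add("unscheduled bulk transfer after hours")
        elif e["type"] == "process":
            name = e["process"].lower()
            if name in P2P_PROCESSES:
                flags[host].add("file sharing software")
            elif name not in KNOWN_PROCESSES:
                flags[host].add("unknown process")
        elif e["type"] == "usb":
            drives[host].add(e["serial"])      # a set, so re-plugging one drive counts once
    for host, serials in drives.items():
        if len(serials) > MAX_REMOVABLE:
            flags[host].add("large number of removable drives")
    return {host: sorted(found) for host, found in flags.items()}
```

The approved backup job on FILESRV01 is large and runs after hours but is not flagged, which is the distinction the slide draws with "unscheduled".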