A New Perspective

As the first article on our newly introduced security blog “InfoSecInsight”, I thought I would take this opportunity to introduce AccessData and shed some light on who we are and how we play in the security market. AccessData is best known as a provider of forensics and e-discovery software solutions. We make both FTK®, the leading digital forensics software solution, and Summation®, a leading legal review product, and we are arguably the largest provider of behind-the-firewall, comprehensive e-discovery solutions. If you are asking yourself how those products qualify us to talk about or even say the word security you are definitely not alone. The links between security, forensics and e-discovery are not always obvious.

The world and most certainly analysts like to simplify, breaking things down into cookie cutter markets that have defined borders. In that view, there are security companies, there are forensics companies, and there are e-discovery companies, and rarely are they mentioned in the same sentence. For the most part, this rigid view of the world is a very fair description. No one ever uses a tool like Concordance or Relativity, two of our competitors in the e-discovery market, for security. Likewise, no one has ever used solutions from HBGary or Mandiant, two of our competitors in the security market, for e-discovery. These are all very powerful, purpose-built products designed to perform specific functions in their respective markets, and the companies that make them embrace this purpose-built concept. They design, market, and sell their products for one task and one task only.

However, at AccessData we look at things a little differently. Instead of viewing the world as a giant aggregation of unique markets with unique needs, we have looked across markets for similarities. E-discovery, forensics and security each have a lot that makes them unique, but frankly, far more similarities. We started with e-discovery and forensics, because the similarities between those markets are the greatest. While the practitioners in each space speak a different language and view their needs as distinct, the reality is that forensics is little more than the criminal brother of the e-discovery market. In fact, were it not for the differences brought about by rules of evidence and the procedures between criminal and civil court, I don’t believe there would be any difference between those two markets at all. Given that, AccessData set out to build a single solution that could meet the needs of both of those markets: one extremely powerful engine, capable of delivering superior processing power and flexibility, with two different UIs to meet the needs of each market. The results were Summation and FTK.

Over the last four years, we have taken that same logic and expanded into security. While the similarities between security and e-discovery might not be as obvious as those between e-discovery and forensics, they are quite extensive. First of all, the core requirement of the security market is the ability to investigate an incident quickly, efficiently and comprehensively. The aspiration of completely preventing bad things (hacking, intrusion, malware penetration) from happening has been conclusively proven impossible, and the world has moved on to the goal of figuring out when bad things have happened as quickly as possible and stopping them from getting worse. The need to investigate all elements of the network has become nothing short of critical. There are a thousand solutions on the market that will generate alerts when things go wrong but precious few ways to truly determine what actually occurred and the extent of it. This is the capability that AccessData is uniquely positioned to provide, and it is also the link that connects security fundamentally to e-discovery.

From a technical perspective there actually isn’t that much of a difference between sweeping a thousand computers in response to a civil discovery request or sweeping those same computers in response to a Snort alert. In each case the investigators start with a basic piece of information and a list of target computers. In the case of e-discovery, the information is usually a search string, and in the case of security, the information is a list of attributes of the suspected incident. In each investigation, the solution must efficiently and quickly interrogate the suspect machines in a way that doesn’t overwhelm the network and return to the customer the responsive computers and files. That information must then be processed and analyzed, so it can be quickly understood, reported on, and reacted to.

The procedural similarities between a targeted forensics investigation of a suspect and a targeted investigation of a potentially compromised machine are also extensive. In a forensics investigation of an employee, the investigator is given an employee name and basic information about the issue. He then must remotely attach to the machine in a way that doesn’t overtly alert the user, and thoroughly assess what the user has been doing. That examination can entail looking at what is currently occurring on the machine, what is on the hard drive, what is in memory, what has been deleted, and other key attributes. In the end the investigator must be able to go wherever the facts lead. The same is true of the person investigating a security incident. Again, all he has at the start is a basic idea of what might have occurred. He then needs to investigate the target machine and determine not only what actually happened but the extent of it. The tools of both investigations are basically the same. Actually, in many cases, the tools are exactly the same, because many security practitioners already use forensics tools for these investigations.

While I have only just barely touched on the similarities between forensics, e-discovery and security investigations, my hope is that I have done enough to get your imaginations going. The fact is I am confident that the more you think about the respective markets, the more you will see that the similarities that join them far exceed the differences that divide them. It is those similarities that, in our view, provide a unique opportunity for AccessData. Our hope is that over the coming years people will not only see the value we can bring to the security market but will start to understand what we have all along: that there aren’t really three unique markets at all. There is only one real market, the investigative market, and AccessData is well positioned to lead it.


Tim Leehealey

Tim Leehealey is the CEO of AccessData. Prior to joining AccessData he was VP of Corporate Development at Guidance Software. Prior to that he was an investment banking analyst covering the security market at Wedbush Morgan.
