By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.
In the 1991 movie Backdraft, Robert De Niro plays the part of Donald ‘Shadow’ Rimgale, a fire department detective investigating a series of arsons in Chicago. As a former firefighter himself, De Niro’s character works closely with firefighters to piece together events based on the available evidence, both physical and circumstantial, and relies on his years of experience as both a firefighter and arson investigator.
Today’s practice of incident response (IR) closely resembles the dual role of De Niro’s Backdraft character: equal parts firefighter (containing and remediating a breach as quickly as possible while minimizing damage) and investigator (figuring out what exactly happened, how, from where, and why). Security analysts must first and foremost get things under control, stopping harmful or unauthorized activity as soon as it is discovered. But while a fact-based understanding of exactly what happened is important, without a root cause analysis, similar breaches can and often do simply reoccur. And though the threat vectors and tools (think keyboards, computer monitors, and sophisticated software instead of flames, hoses, and fire-retardant jackets) are very different, the use cases for incident response and firefighting are actually quite similar.
Full Article Here: http://www.darkreading.com/attacks-breaches/why-digital-forensics-in-incident-response-matter-more-now/a/d-id/1318254?