Computer Forensics and e-Discovery
Editor's Note: Increasingly, financial institutions rely on computer forensics and e-discovery to respond to legal issues arising from electronic activities in the workplace. Editor Tom Field recently spoke with Matthew Speare of M&T Bank about his forensics program.

TOM FIELD: Hi. This is Tom Field with Information Security Media Group. I am talking today with Matthew Speare, Senior Vice President of Information Technology with M&T Bank in New York.
Matt, how are you today?

MATTHEW SPEARE: I’m doing well Tom. How are you?

FIELD: Very well. Matt, we are going to talk about computer forensics and e-discovery. I wanted to ask you, how did you first encounter this topic of forensics in your work?

SPEARE: Sure. You know, for us we were really first exposed to forensics in 1997, when an employee complaint forced us to conduct an email discovery. Something we had never even considered doing in the past. We built on this initial effort in silos for a number of years with limited capability to conduct what I would consider to be a comprehensive investigation.

The “ah-ha” moment for us occurred in 2003 with the class action lawsuit, which encompassed a class action on intellectual property, and it involved hundreds of employees across our organization, encompassing paper, email and file discovery. And that forced us to change our thinking.

FIELD: So, that went from an--I mean you developed from a one “aha” type of thing to suddenly you really had to have a program in place.

SPEARE: Well, absolutely. And I think we have seen over time where the expectations from the courts as well as from our internal resources, such as human resources, have increased substantially, and the environments continue to get more complex. And so you really have to have a comprehensive program and not do it from a siloed, technology-focused approach.

FIELD: Well let me ask you one question, just to sort of back up and take a step back Matt. In your context in banking, how do you define forensics?

SPEARE: Well, for us, digital forensics in this case would be any electronic file transmission or encounter of a user with an application. And so obviously anything that could be logged or would exist electronically for us is or would be within that world of forensics.

FIELD: Okay. Now you’ve talked about how that sort of an “aha” moment. How did you go about establishing your own forensics program within the bank?

SPEARE: Well, what we realized immediately, kind of from that “aha” moment, is that a comprehensive forensics program crosses corporate business lines. It is not technology specific, and if technology tries to do it alone they will fail.

The first step for us was to identify, engage, and then educate stakeholders from across the company from such areas as human resources, legal counsel, compliance, as well as the technology groups themselves.

The next step, once we got through that education process and tried to understand the world of what we might be required, was to build a business case for the resources required to support the program. This is not something that people can do as a part-time job in a large organization, and there is a significant amount of resourcing that goes into this, especially to spend dollars for building skill sets or hiring experts. And so we needed to build that business case to be able to communicate with our executive management.

And then, finally, we had to build the skill sets required and leverage third-party experts to fill gaps in our abilities that didn’t make sense for us to build on our own.

FIELD: So Matt, how many people, how much resource do you have dedicated to forensics now within your group?

SPEARE: Well, within mine we have five dedicated, and they have a variety of skill sets across the entire footprint of technology so that they can quickly utilize the tools and resources that they have to be able to, you know, guide legal counsel through how to go about searching and what we should be looking for based upon the individual case or scenario.

And, you know, that is out of an employee base of about 13,500, so it is relatively small, but at the same time this group continues to grow exponentially. In 2003 we were at zero, and we are up to five and expect that this is going to continue to grow over time.

FIELD: Sure.
Now, what would, in the business cases you made, what was it that really got that attention of senior executives?

SPEARE: The overall inherent risk of not having this capability and what we were seeing in the court system for fines that were being levied for failure to produce this type of evidence, as well as we quantified some of the risk about what was our potential liability if we had to do things such as customer notifications across the broad scale of our customers versus knowing that it only involved a few. And it was very easy to show the return on investment in building this skill set in order to get that inherent risk down to an acceptable level of residual risk.

FIELD: That makes sense.
Matt, what difference would you say that the forensics program has made at your institution?

SPEARE: Well, it feels as though, you know, what we’ve seen is that with the latest round of changes to the judiciary guidance on electronic discovery, we have seen an incredible increase in the frequency and number of forensics requests occurring both in litigation and in internal human resource requests around employee behavior.

It seems that the digital footprint of either an employee or of communications with customers is usually one of the first things that an opposing counsel asks for. And we have--the number has increased about 150% over the last 18 months, and we have to be able to meet those demands.

So, building this has allowed us to respond while keeping our total costs down, and we have reduced our time to respond and to fill these requests while still having a greater capacity to meet what we consider to be, you know, almost an unlimited rise in the need.

FIELD: Sure. Now you have been so immersed in this that you have written a book about it. Can you tell us about the book that you prepared?

SPEARE: Well certainly. You know the book itself is not only on forensics, although there are a lot of forensic pieces to it. But you know, when it comes down to it, as a manager of information security at a large financial institution, there is so much theory and then some rudimentary international standards around how to have comprehensive programs around security and digital forensics, and I’m a practical guy.

And so knowing that we have all these different requirements and, you know, sets of what we would call “best practices” out there, I tried to pull these together to have a really as a guide for the practitioner on what are your requirements, how to go around building these programs from a practical standpoint and not a theoretical one, and then point to the specifics in the regulatory as well as legal requirements, so that at the end of the day you can defend your financial institution for doing the right things.

FIELD: Now when is the book expected to be out, Matt?

SPEARE: Well we are expecting it to come out in March of 2008 and looking forward to it.

It was a long, long time in coming, and it is one of those interesting things that when you first sit down to write a book, you know, superficial level it is things like, well that can’t be that hard. I think my wife would tell you different. And many, many, many nights just writing and writing and writing and trying to put it into a language that, you know, average people like me can understand.

FIELD: I can’t wait to see the final result.

Now, Matt, you’ve also got a webinar presentation coming up with us at Information Security Media Group. What, from your perspective are the key take-aways from that presentation for people that might attend it?

SPEARE: Well, I really think that it comes down to four key take-aways. First and foremost, you know, why should you care? You know either as a business manager or a technology manager, why should you make this a priority given all the things that you have to do on any given day. And so building the case for, you know, why it is so important, what are some of those key risk indicators that are out there for you that should show you that this is a problem that is not going away and it is going to continue to become more complex and you need to get out in front of it.

And then, how do you build a forensics program, and what are some of the resources that are available? Whether you are a large institution or a small institution with limited resources, to be able to build a forensics program either through the skill sets in house or by leveraging some key certified forensics examiners out there.

Next would be the basic approach and process. So, what are those things, the kind of a standard methodology to go through during these forensics obligations that will keep you out of trouble as well as being able to demonstrate to the courts, if needed, that you have a defined methodology to go through. And it is also to show you how incredibly complex this really is.

And then lastly, what are some of the generalized tools out there that you should be considering? Not vendor specific, but the types of tools, because unfortunately one size does not fit all. Many of the tools out there today are still very siloed for a particular piece of technology, such as email, and don’t look across comprehensively, so there is actually a tool kit that you need to be able to put together so that you can satisfy these requirements.

FIELD: Oh, that is excellent.

Matt, if you had to give a single piece of advice to a banking executive that was just thinking about forensics, where would you advise them to start?

SPEARE: If you haven’t built a comprehensive program, don’t wait. Start today. There are those who have, and those who will. While ignorance may be bliss, if you are dealing with electronic data transactions at some point you will have to conduct a digital forensics investigation.

Plan for it today. Understand your requirements because you don’t want to be making key decisions in the middle of having to do one and respond.

FIELD: That is excellent. Well said. Matt Speare with M&T Bank, I want to thank you for your time and your insight today.

SPEARE: Thank you Tom.

FIELD: And I want to thank people for tuning in and listening, and if you want to learn more about digital forensics, please follow the link and tune into the webinar presentation that Matt will be doing upcoming very soon. http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=65

I want to thank you for listening today. For Information Security Media Group, I’m Tom Field. Thank you very much.



