Reducing Cost and Risk During an Investigation

Start out talking about who is AccessData. I’m John with AccessData. For those of you who are not familiar with our company, AccessData has been in business for 30 years. We provide digital forensic and e-discovery software and services to help corporations, government agencies and law enforcement conduct investigations of all types from criminal to compliance and internal employee investigations. After 30 years, we’re kind of experts in the area of digital investigations! So today we wanted to share some of our knowledge of what we’re seeing in the market with respect to the changing/evolving needs of corporations when conducting investigations, share a few common investigative scenarios you may have even encountered yourself, and then share some tips and best practices on how you can better manage an investigation across your organization, reduce cost and risk.

John Massengale, AccessData
Drew Nielsen, Druva
Corporate Investigation Trends

Companies are conducting digital investigations on at least a weekly basis for a variety of purposes...
52% Ensuring compliance (keeping information systems, applications, devices, processes and procedures in compliance with industry-specific, privacy and other business regulatory mandates)
52% Data security (keeping customer, financial, intellectual property, personally identifiable information and legal information safe from breach)
43% Responding to incidents (shortening the gap between the time of compromise and the time to discovery of cyber breaches or internal incidents)
32% Managing internal investigations (investigating complaints about discrimination, harassment or misuse of corporate computers, corporate intellectual property theft, employee embezzlement and financial crimes, etc.)
27% Managing e-discovery (preparing for litigation discussions)
Source: 2016 IDG Market Research Study

To get started, I wanted to share some of the research we did with IDG last December. IDG owns well-known brands including CIO.com, InfoWorld, Network World…some of the publications many of you most likely review on a regular basis. We worked with them to do an online survey of their subscribers to identify trends and challenges they’re experiencing with digital investigations. One of the things we discovered is that investigations are happening at least weekly across a variety of areas…with compliance and data security being the most frequent types of investigations. No surprise when you consider the evolving regulatory compliance mandates organizations must adhere to, and the increased scrutiny of data security in light of recent high-profile data breaches. No one wants to see their corporation on the news as the next target of an external hack or the unfortunate result of a breach from negligent employees. To help prevent potential problems, investigations are being conducted more frequently and proactively.
Corporate Investigation Trends The top issues corporations are looking to solve when they’re conducting an investigation include detecting and stopping cyber threats and internal bad behavior, and monitoring for compliance to ensure they’re adhering to new regulatory requirements.
Corporate Investigation Trends

Today though, it’s not as simple as taking someone’s laptop, imaging it, analyzing the files and determining what information is going to be important in your investigation. In today’s digital world, investigations are becoming much more complex. Data resides in multiple locations – on laptops, servers, with vendors and cloud providers. It’s on your employees’ mobile phones, laptops…maybe even their Apple Watch! A company’s digital footprint is massive, and continues to grow. And that presents numerous challenges when conducting investigations…and it leaves CEOs and high-level executives increasingly concerned about the security of their data as it’s spread out over multiple locations…meaning they’re coming to IT more frequently!

Source: 2016 IDG Market Research Study
Current Digital Landscape

Average laptop hard drive = 500 GB to 1 TB
Average desktop hard drive = 1 TB +
A single user receives an average of 150 emails a day, 3,600 a month and over 43,000 a year.
Smartphones can hold 64 to 500 GB of data.
The average adult sends and/or receives 85 text messages a day, 2,550 a month and over 30,000 per year.
A single thumb drive, smaller than the tip of a finger, can hold 256 GB.
The average person has 5.5 social media accounts that vary between 30 to 100s of messages daily, depending on platform.

Just to put into perspective how much digital data has grown over the years, consider that more data has been created in the last two years than throughout human history. By 2020 we’re projecting at least half of all data will be on endpoints and cloud applications. A single user receives an average of 150 emails a day, 3,600 a month, and over 43,000 per year. Smartphones can hold up to 500 GB of data. The average adult sends or receives 85 texts a day, 2,550 a month, 30,000 a year. And they have, on average, 5.5 social media accounts that also receive between 30-100 messages daily. Given the magnitude at which we produce and STORE data, it’s no surprise that the challenges of investigating that massive amount of data continue to grow!
Corporate Investigation Trends To add to the challenges…IT is expected to conduct investigations efficiently and cost effectively, but often with tools that don’t measure up. Our research indicated that IT teams are challenged by the amount of time spent on investigations, and the cost associated with that time…largely driven by their inability to efficiently search across repositories where data resides, or because solutions don’t integrate, so they’re moving data more frequently…processing and reprocessing, taking time, costing money and of course, introducing potential risk of data loss, leakage and spoliation. All of this sound familiar? Raise of hands if you can relate to some of the pains and challenges identified here? Our goal today is to help you better understand how you can more efficiently manage investigations, reduce cost and time spent on an investigation and ensure visibility into your data. To help outline these best practices, first let’s take a look at a couple of common investigative scenarios.
User Scenario: Insider Threat Investigation

Negligent employee uploads customer PII to Box.
Customer information is compromised and it’s been traced back to your company.
Customers are suing for damages.
CEO wants answers: how did this happen, who is responsible, is there any remaining threat?

The challenge:
Identifying the perpetrator.
Investigating discreetly to not alert employees.
Containing the threat and remediating identified risks.
Keeping all teams involved.

Let’s start with the insider threat. Chances are today you’ve heard a LOT about protecting your organization from external threats…ransomware, hackers, bad actors lurking around every corner, preying on your infrastructure’s weaknesses to infiltrate your data. A lot of cyber companies are focused on protection to avoid a breach. We’re focused on when the inevitable happens…and it’s GOING to happen. Let’s consider this analogy. It’s like a home security system. You can have the best system in the world that from the outside will hopefully deter a criminal. But, if a criminal is determined…you have windows. There is always going to be a way for them to get in. Or…same analogy…your teenage daughter gives out the code to her boyfriend who she “loves and trusts.” Three months later, they break up and the ex-boyfriend and his friends come and rob you blind. Because they’ve got access to your home and your belongings…and you had no idea they ever knew the code! At a company…your biggest threat to your data’s security isn’t always external. Many times, it’s your own negligent employees (the “teenage daughters” in our little analogy) who accidentally compromise the security of your protected information. Let’s take this scenario, for example. An employee is working with an external vendor. In order to share files, they upload documents to the vendor’s Box account.
In the process, the employee accidentally drags and drops a file that contains the personally identifiable information of about 1,000 of your customers to the Box. Whoops! They don’t even realize it. It’s part of 50 other files they’re passing along. And the vendor doesn’t call attention to it. Weeks pass and you get a call that you’re being investigated because there have been several reports of individuals’ personal information being compromised and they have tracked it back to information on the vendor’s Box of YOUR customers. But you have the best cyber security protection money can buy!! How did this happen? You’re being sued and your CEO is demanding to know how the data got out. What do you do?
User Scenario: Insider Threat Investigation

Solution:
Gain visibility across endpoints: leverage tools that deploy agents to each endpoint and seamlessly connect to data repositories and cloud platforms.
Covert investigation: look for software that runs “behind the scenes” to avoid alerting employees or disrupting business operations. Solutions should also pause when offline and resume when employees log back in to the network, picking up where they left off.
Remediation: delete offending files or processes.
Collaboration: integrated tools that can easily be used by all departments involved without moving data between platforms and teams.

Benefits:
Improved data visibility
Cut down on risk of future threats
Speed investigations
Improved collaboration

How to manage these kinds of investigations:
Visibility across 100% of network to identify questionable activity with tools that deploy agents to covertly look for files and artifacts.
Leverage seamless connectors to scan and collect from cloud repositories like Box, Druva, Office 365, etc. for the leaked files.
Quickly investigate and remediate breaches.
We are the king of all crash-scene investigators, we get more evidence than any
Need to quickly put end to this because of loss of Revenue but also Brand impact and Reputation
How do you ensure this doesn’t happen again (information management, information governance --- Druva)
Reduce risk of data loss/spoliation
Single platform to proactively collect data meets legal forensic requirements
Automated legal holds, data preservation and chain of custody tracking and reporting
Search and cull data to reduce downstream e-discovery costs
High-speed processing and review

Druva slide for Insync to set up Preventative measures to protect against insider threat issues. They have data backup and archival, protection and governance for Box (our example here) and other cloud platforms as well as endpoint protection to do backup, remote wipe, locate laptops and smart devices so careless employees forgetting cell phones at a restaurant no longer represent a threat.
User Scenario: E-Discovery Investigation

Customers whose data was compromised suing for damages.
Legal team needs access to data used in the internal investigation/launching e-discovery investigation.

The challenge:
Need to move quickly to minimize brand damage if word gets out your company suffered a breach.
Need to easily share the data between HR, Legal and IT.
Need to minimize cost.

The internal data leak has been found, the problem file remediated, security stepped up to prevent future issues. Your company is working with Druva now, and putting processes in place to control use of external sites to ensure employees are only using approved cloud apps, devices, etc. to access critical data. But now the customers whose data was compromised have come forward, victims of identity theft, and are suing your company for damages. The legal team is involved to investigate what happened and build a case/defend your company. This leads into our second type of “investigation” – for an e-discovery matter. The legal team reaches out and wants IT to help with collection and preparing the data for e-discovery. They need to move fast because they want to settle quickly to hopefully prevent this from leaking to the press, doing harm to your brand. They need to get litigation hold notices out quick, collect relevant documents, etc. and time is of the essence. You work with legal to determine what is needed:
manage lit hold notifications
collect documents, data and evidence from all endpoints
use connectors to collect from data repositories like cloud applications, O365 and Druva
You can then move directly into analysis and review without needing to move data between applications, taking time, introducing risk of data getting lost or spoliation and saving cost.
User Scenario: E-Discovery Investigation

Solution:
Leverage an integrated solution: data never has to be processed and reprocessed, or moved between platforms.
Forensically sound: preserve ESI in a forensically sound manner to ensure data is not lost or corrupted, which could jeopardize your case.
Collect from the cloud: data connectors enable seamless transfer of data from platforms otherwise challenging to collect from in an investigation.
Collaboration: ensure all teams are collaborating and up to speed in an efficient way.

Benefits:
Reduced cost
Reduced risk
Improved collaboration
Repeatable, defensible process

To effectively manage the end-to-end e-discovery investigation, spanning IT, Legal and other teams…you need a solution that is integrated to reduce data movement as you’re collecting, processing and passing documents to legal for review. You need a tool that preserves the data…and the metadata…in a forensically sound way so that there is no question about the validity of the evidence that could cause it to be thrown out of your case. You need a tool that can collect from cloud applications…in our case of the careless employee, Box in particular—but other platforms like Office 365 and Druva that are becoming increasingly used in corporations as a means of improving processes and reducing cost. And you need to collaborate. Investigations are not done in silos. You’re constantly working with legal, going back and forth on collection requests, sending reports on litigation hold notices, and more. You need a solution that facilitates collaboration and simplifies that process. You need a tool that can simplify the entire e-discovery workflow as a way of reducing cost, risk, and creating a defensible, repeatable process. The e-discovery process USED to take a lot of time the old way and introduced a lot of risk. But with an integrated solution the work that took weeks before can now be measured in hours and days.
And at a fraction of the cost and with much more protection over your data. Let’s take a look:
[Figure: e-discovery workflow. Panel titles: “Complicated, Manual and Expensive”; “Streamlined E-Discovery Workflow”]
What’s the Solution? Leverage an e-discovery solution in combination with compliance/archiving solutions to speed up the process, thus cutting e-discovery costs. Existing IT solutions can be leveraged to help streamline e-discovery. Existing IT solutions meaning leverage their e-discovery software in combination with their compliance/archiving software to speed up the process, cut costs and become more efficient in e-discovery.
Benefits of a Streamlined Approach

Significantly lower costs
Eliminate manual processes
Save time
Reduce ROT (Redundant, Obsolete, Trivial) data with pre-ingestion culling
Summary With the joint solution from Druva and AccessData to manage investigations, you benefit from: Improved efficiency and collaboration Accelerated digital investigations Reduced cost Minimize spoliation risk and ensure your data remains protected
Thank you! Questions? For a demo of how Druva and AccessData can be used together to improve overall investigation efficiency, stop by our booth. John Massengale, AccessData jmassengale@accessdata.com Drew Nielsen, Druva andrew.nielsen@druva.com