Guidance Software Whitepaper. Best Practices for Integration and Automation of Incident Response using EnCase Cybersecurity

Transcription

1 Guidance Software Whitepaper Best Practices for Integration and Automation of Incident Response using EnCase Cybersecurity

2 60% [of organizations] plan to automate incident remediation within 24 months - SANS Endpoint Survey, % of practitioners were concerned about improved integration of security technologies - EMA Research Report, The Evolution of Data Driven Security, 2014 Executive Summary Information Security (InfoSec) teams are overwhelmed with the constant deluge of attacks from a rapidly growing, increasingly complex threat landscape. These threats combined with the vanishing perimeter, BYOD, the rising number of insider incidents and a host of other social and technological changes have driven an exponential rise in incidents, alerts and false-positives. Consequently, organizations are investing in more tools to combat threats. The modern InfoSec landscape is creating too much data with too many disparate security components. This compounded with the scarcity of IT resources make these problems untenable. It is virtually impossible to respond to every alert, so InfoSec teams must decipher what is happening in organizational networks and prioritize what is important enough to take action. Integration and automation is the key to conquering all these problems. SANS recently concluded that the combination of overwhelming data volumes and challenges in gathering and correlating operational and security data, [organizations] clearly need an integrated way to organize their reporting data. 1 Only through an automated integrated approach can organizations effectively overcome the overwhelming barrage of security threats. This paper addresses how EnCase security products are providing organizations with integrated approaches that enable real time automation and elimination, or at least substantial reductions in false positives. EnCase technology facilitates the integration of Guidance Software products with other tools in an organization s IT security arsenal to address a myriad of security challenges. A use case illustrates how a customer addresses a polymorphic malware problem and reduces false positives in an integrated automated environment. Introduction The threat landscape is continually evolving. Attacks launched by perpetrators are growing increasingly complex and their tools more sophisticated. Consequently, organizations are investing in people, processes and technology designed to counteract the sophisticated threats and prevent malicious access to networks and endpoints. The volume of alerts generated from disparate point solutions, however, adversely impact the effectiveness of information security investments. Attacks continue to compromise the sensitive data of well-defended networks while security teams are overwhelmed with a backlog of countless alerts. EnCase Analytics and EnCase Cybersecurity can be integrated with most Security Incident Event Management (SIEM), malware prevention, and Intrusion Detection System (IDS) products, and out-of-the-box packages are available for most of the leading providers. Integrating third-party SIEM and other technology systems with EnCase products facilitates faster detection and more effective remediation of advanced malware threats against enterprise systems, but the greatest value lies in the automation strategies achieved through integration. Well-designed integration and automation strategies ease management, enable effective prioritization and response to the deluge of alerts with limited security resources, and eliminate the false-positives that plague InfoSec groups. Ideally, InfoSec should have the ability to: Quickly understand which alerts are meaningful Initiate automatic response actions for those deemed to pose the most risk to valuable digital assets Address these threats without bringing down business-critical systems , SANS Security Analytics Survey Guidance Software WP IR Integration/Automation Best Practices

3 Not All Integrations are Equal Strategic Advantage in Leveraging the Endpoint EnCase is built on the foundation of trusted, comprehensive visibility to the endpoints through its servlet technology. The servlet provides unique and powerful kernel-level access across multiple operating systems with complete visibility into the endpoint including encrypted data, unallocated, slack and hidden data, the registry, RAM and system data. This component enables a deep and powerful insight and control over the activities of machines and viruses exposing root vulnerabilities. The persistent agent speeds time to respond, enables response without interruption to systems, and a complete pre-configured solution is an easier, smoother deployment. This provides a rich and powerful environment upon which to integrate SIEM, malware protection, and incident response systems to build a robust cohesive information security solution. Enabling Integration and Automation with EnCase Technology EnCase products currently include pre-built integrations with HP ArcSight ESM and ArcSight Express, IBM QRadar, RSA Netwitness, McAfee Nitrosecurity, FireEye, Damballa, Blue Coat Security Analytics, and Palo Alto Networks WildFire. These integrated environments enable InfoSec teams to: Immediately validate the efficacy of a dedicated information security event. Zero in on the source and scope of threats Locate other instances of detected malware Detect and dismiss false positives Triage validated events based on data at risk and likeness Find variations of detected malicious code Determine impact to sensitive data These integrations enable automation support of advanced EnCase features including: IP Range Zone Mapping: This feature provides the ability to configure an IP range and assign a zone for the IP range for scans automatically created via the EnCase Cybersecurity ESB. This will provide the ability for the examiner to only process jobs for that IP Range (based on matching zone). Ability to Integrate with Any External Blacklist Database: Integrate EnCase Cybersecurity with any external database of blacklisted hashes. This feature scans endpoints via the System Analysis and Profile (SPA) module to see whether any endpoint contains hashes that match any of the hashes contained in the external blacklist database. Internet Artifact Scans and Sensitive Data Scans: The Internet Artifact (IA) module and Personal Information module scan data in allocated space on the hard drive. Additionally, the IA module on Windows by default will only search for IA in standard Windows folders that generally contain these artifacts. This default can be changed. Snapshot: This unique EnCase technology feature enables specialized criteria within an IP or IP range, such as an automatic snapshot of the target s memory. CopyJob: Allows any pre-configured EnCase Cybersecurity job to be leveraged as an automated response upon receipt of the appropriate information from a third-party system. For example, a system profile and analysis job can be automated when a behavior-based alert is triggered in order to expose any unknown processes that might be responsible for the behavior on the target host. Guidance Software WP IR Integration/Automation Best Practices

4 In addition to the continuously evolving pre-packaged integrations, custom integrations are enabled through the EnCase Cybersecurity Enterprise Service Bus (ESB). EnCase Enterprise Service Bus EnCase Cybersecurity provides a four-layer ESB architecture for receiving and responding to XML requests that trigger various types of EnCase Cybersecurity jobs. The diagram below shows the flow of a third-party SIEM request across the four ESB layers to EnCase Cybersecurity. SIEM: This is a message that comes from a third-party SIEM in its current, standardized format. Listener: This layer interprets the alert and normalizes it to one of several tasks from a preselected menu of tasks available from EnCase Cybersecurity. API: This translates the requested task into a set of instructions for EnCase Cybersecurity to perform. Logic: This translates the instructions to EnCase Cybersecurity Business Logic for processing. Figure 1: ESB Architecture. The EnCase Cybersecurity ESB is included with the various Web components during the EnCase Cybersecurity installation process. Guidance Software WP IR Integration/Automation Best Practices

5 How It Works Functionality and sequence of events are variable based on the integration, but in a typical integration a third-party SIEM request triggers an EnCase Cybersecurity job. The EnCase Cybersecurity ESB listener may respond with a simple reply, such as task complete or a SIEM ID to an EnCase Cybersecurity Web link, and other responses can be programmed. An integrated solution can automate functions as specialized as insider attacks, but focusing on malware detection, a typical scenario looks like this: 1. Previously undiagnosed polymorphic malware passes from a perpetrator through the IDS and firewall to an end user. 2. The malware triggers alerts as it passes through the IDS and firewall, which are sent to the SIEM. 3. The SIEM sends the IP addresses and hash values of recipient endpoints to EnCase Cybersecurity. 4. EnCase Cybersecurity then automatically scans the infected endpoint, checks for a host of anomalies, such as signs of packing and compile times, and collects appropriate information based on defined rules. Information includes running processes, hash entropy signature, DLLs, open ports, network connections, evidence of sensitive data and a host of other pertinent points as defined. 5. EnCase Cybersecurity compares the scan against the previous scans, detects anomalies, and then either securely contains and/or remediates all instances of the detected malware based on hash and according to integration configuration. Figure 2: EnCase Cybersecurity automated response. Guidance Software WP IR Integration/Automation Best Practices

6 The following use case illustrates an EnCase integrated solution in action. Use Case Despite layers of security, a large corporation was frustrated by polymorphic malware persistently infiltrating the network compromising endpoints. The malware was generating a high volume of false-positives, drowning out legitimate alerts. Traditional scans were revealing nothing. Prior to integration, analysts would run periodic scans on groups of machines with EnCase Cybersecurity and automatically remediated malware on infected endpoints, but the high number of endpoints and persistent attacks from numerous vectors necessitated a more proactive approach. EnCase Cybersecurity and HP ArcSight Integrated Solution The IT group integrates their HP ArcSight ESM with EnCase Cybersecurity. False-positives are reduced to actionable alerts. A group of potentially infected machines is promptly identified. The screenshot in Figure 3 illustrates an overview of the investigations providing an at a glance view of endpoint security posture. Analysts view all EnCase Cybersecurity investigations, giving them visibility into what investigations are open, closed or rejected, the machines with the most number of incidents, as well as the source of the alert (i.e. SIEM or manual), which triggered the investigation. Custom reports can also be generated to provide further graphical representations of the vast volume of data collected. Figure 3: EnCase Cybersecurity Investigations Overview provides graphical representation of investigation status, machines with alerts, and the source of alerts in upper pane, with detailed list provided in bottom pane. User can hover over bubbles for machine specific details. Guidance Software WP IR Integration/Automation Best Practices

7 Based on data gathered from multiple perimeter security devices, the HP ArcSight ESM triggers intelligent alerts based on rules, which are executed upon conditions that are defined down to specific endpoint behaviors, including changes to hashes. Having identified a malicious file that has traversed the network EnCase Cybersecurity performs a function known as a snapshot. This is triggered when an alert is received from the HP ArcSight ESM. Immediate analysis from the source and target machines reveals details of known, unknown, and hidden processes, TCP network socket information, open files, device drivers, services and more, revealing whether machines have been compromised, and virtually eliminating false positives. Subsequent automated snapshots are triggered shortly after the event to show attack results in time slices, so security analysts can confirm that the event actually occurred, and its impact and origin. With a specific group of endpoints identified as destinations where the file may have landed, ArcSight ESM sends an intelligent alert to EnCase Cybersecurity to run the verifybyhash job type. This confirms whether the hash value received matches the hash value of any of the files on the targets. Hash values are automatically provided and scans are conducted on machines identified at risk to find if the file(s) with the particular hash running or on disk. EnCase Cybersecurity locates the files and collects a copy for analysts to review. The integrated solution includes an automated, real-time incident response process. Upon approval, EnCase Cybersecurity automatically remediates the infected files on each endpoint. The entire incident response is reduced to minutes. Summmary / Conclusion Information security breaches are inevitable, the complexity of the threat landscape is growing more complex, and the sheer volume of alerts is growing exponentially. The speed at which breaches are identified and resolved, progress of infectious malware halted, access and exfiltration of sensitive data stopped, and threats remediated will make significant difference in controlling risk, costs, and exposure during an incident. An integrated automated solution at the endpoint is the key. The EnCase Cybersecurity integrated automated solution enables fast results. Data requests can be processed simultaneously on a large number of endpoints, which fosters efficiency. The user cited in this paper realized significant value and efficiency when they integrated their HP ArcSight investments with EnCase Cybersecurity. Guidance Software WP IR Integration/Automation Best Practices

8 Our Customers Guidance Software customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO, Northrop Grumman, Pfizer, SEC, UnitedHealth Group, and Viacom. About Guidance Software (NASDAQ: GUID) Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response and forensic analysis. Its EnCase Enterprise platform, deployed on an estimated 20 million endpoints, is used by more than 70 percent of the Fortune 100 and more than 40 percent of the Fortune 500, and numerous government agencies, to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading cyber security and electronic discovery solutions, EnCase Cybersecurity, EnCase Analytics, and EnCase ediscovery. They empower organizations to conduct speedy and thorough security incident response, reveal previously hidden advanced persistent threats or malicious insider activity, perform sensitive data discovery for compliance purposes, and respond to litigation discovery requests. For more information about Guidance Software, visit This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon legal counsel or advice. EnCase, EnScript, FastBloc, EnCE, EnCEP, Guidance Software and Tableau are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.