GUIDANCE SOFTWARE EnCase Cybersecurity Complement Guide. EnCase Cybersecurity. Complement Guide

Transcription

1 GUIDANCE SOFTWARE EnCase Cybersecurity Complement Guide EnCase Cybersecurity Complement Guide

2 GUIDANCE SOFTWARE EnCase Cybersecurity Complement Guide To truly secure an enterprise, a comprehensive approach to network security requires a defense-in-depth approach; multiple layers of defense placed throughout the network to address potential vulnerabilities and to monitor major ingress and egress points. Each of the security components, or processes, feeds reactive intelligence to the other components/processes. The result is continuous updating to the enterprise security posture and a defense in depth strategy. In addition to self-contained malware identification, audit, response and data preservation capabilities, EnCase Cybersecurity adds value to other security technologies through its ability to audit information on endpoint devices and provide meaningful response capabilities to a comprehensive network security plan. This document provides insight into the products and solutions that contribute to a comprehensive approach to network security, and how EnCase Cybersecurity software adds value to existing security investments and initiatives. This document answers the following questions: In what areas can EnCase Cybersecurity complement existing investments in enterprise security? What products (by name) does EnCase Cybersecurity complement? There are an overwhelming number of products on the market today that solve one or more security processes in some way. Therefore, this document references only those solutions typically associated by the industry and vendor specification, for each respective section.

3 Block/ Quarantine These technologies are designed to actively block or take corrective action against known bad or sensitive data based on pre-defined rules and criteria (firewalls, AV, DLP, IPS, NAC) or passively prevent the reading of sensitive data (encryption). AV scanners generally also contain a response component in the form of user notification and removal of the binary that was a known piece of malware. Enterprise Firewalls Intrusion Prevention Systems (IPS) Enterprise Antivirus Fortinet Check Point Juniper Endpoint Protection Cisco ASA 5500 McAfee Network Security Platform TippingPoint IPS Endpoint Protection NitroGuard IPS Sourcefire McAfee VirusScan Enterprise Endpoint Protection Trend Micro OfficeScan Sophos Kaspersky Anti- Virus A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria. EnCase Cybersecurity can be used to audit firewall policies by scanning the network endpoints for sensitive or malicious data that should be blocked by the firewall. An Intrusion prevention system (IPS) is a network security device that monitors network and/ or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. EnCase Cybersecurity can determine if unknown threats have successfully averted the defenses of an intrusion prevention system and verify whether the responses of an IPS have been successful in protecting a targeted host. This is accomplished via a connection (either direct or through a SIM) to the IPS, allowing EnCase to collect information from the affected machine at the time the alert is generated and to perform subsequent scans to ensure the malicious data was in fact blocked. Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware. EnCase Cybersecurity is able to find and remediate both rootkits and covert malware, such as iterations of polymorphic malware. Operating at the kernel level, the software can identify data the operating system is blind to and is able to destroy hidden processes and hooks used by rootkits and other types of covert malware. It complements existing antivirus and malware protection systems by identifying and remediating covert processes that signaturebased detection tools are ill-equipped to address. EnCase Cybersecurity Entropy Near Match Analysis, application descriptors, hash sets, machine profiles and Snapshot technology enable an enterprise to quickly identify and remediate malicious code not yet detectable by antivirus solutions nor ranked by reputational methods of detecting suspicious data. These zero-day exploits and worms commonly slide under the detection of antivirus systems because they do not match known signatures. EnCase complements existing antivirus software by providing a means to quickly identify these covert threats, their scope and source and remediate machines that have been compromised. After determining that a security event took place, EnCase Cybersecurity can analyze computers across an enterprise to find other machines compromised by worms, zero-day exploits or trojans that share any similarity with an identified piece of malware through Entropy Near Match Analysis. This technology can also be used to find iterations of polymorphic malware if a single iteration has been identified.

4 GUIDANCE SOFTWARE Continued Block/ Quarantine Network Access Control Data Loss Prevention and Content Scanners Encryption File, Disk & Cisco Juniper Websense McAfee SmartFilter RSA/EMC VERICEPT Verdasys Varonis PGP Disk PC Guardian Encryption+ PGP mail EFS BestCrypt Utimaco BitLocker Drive Encryption WinMagic Network Access Control (NAC) tools use a set of protocols to define and implement a policy that describes how to secure access to a network by devices when they initially attempt to access the network. When a computer connects to the network, it is not permitted to access anything unless it complies with a set standard, including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the standard is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system. EnCase Cybersecurity can be used to in conjunction with NAC technology to detect if any malware has been introduced to a computer via USB or other local means before allowing a computer to computer to connect to the network, as NAC technology has no visibility into risk presented by unstructured data. EnCase Cybersecurity can automatically verify not only the integrity of static files on a system, but also the running processes on that system. It can gather additional information apart from configuration settings such as data from the registry, file system and network settings to identify if a machine s integrity has been compromised. Content Scanners and Data Loss Prevention (DLP) tools identify, monitor, and protect data in use (e.g., endpoint actions) and data in motion (e.g., network actions), through deep content inspection and with a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information. Once an event has been identified by one of these systems, EnCase Cybersecurity can analyze the user s machine, providing crucial information (Internet history, Web cache, keyword search) to validate whether a policy violation took place. EnCase Cybersecurity can be used to scan network endpoints for sensitive or unauthorized data, complementing technologies that specialize in the analysis of data in motion. Once sensitive or unauthorized data is identified that poses a risk to the organization, EnCase Cybersecurity is able to remotely collect and wipe that data, mitigating the risk that the data could be compromised from that endpoint. EnCase Cybersecurity can be used to audit DLP technology policies by scanning the network endpoints for data that should be blocked by the DLP. In addition, EnCase Cybersecurity can ensure a clean house in advance of implementing data-in-motion DLP to reduce the chance of an employee having sensitive business data to begin with. Subsequent audits ensure the data-in-motion DLP is configured properly. Encryption technologies transform information (referred to as plaintext) using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. EnCase Cybersecurity allows security analysts to determine whether encrypted data exists on computers in the enterprise that could be a violation of corporate policy. As encryption technologies are also used by malicious entities to hide information and tools that could be used for unauthorized activities, EnCase Cybersecurity lets you analyze encrypted data on both stand-alone and domain-authenticated systems through partnerships with several leading encryption providers. EnCase Cybersecurity lets security analysts view and analyze mounted encrypted volumes as logical drives if opened by the suspect during the time of investigation. EnCase Cybersecurity validates encryption is working by verifying the randomness of the allegedly encrypted file(s).

5 Alert Alerting technologies either scan network traffic for malicious activity and policy violations using pre-defined criteria or scan endpoint configuration settings to detect anomalies. Some detection technologies gather and correlate alerts from point solutions to reduce false positives and triage suspected network intrusions based on the alerts grabbed from other detection technologies. Other technologies are primarily used to keep track of past threats and the actions that were taken to correct those threats. Intrusion Detection Systems (IDS) Vulnerability assessment and management Network Intrusion Detection Systems (NIDS) Snort IBM ISS TippingPoint Host-based Intrusion Detection Systems (HIDS) Zone Alarm Cisco CSA Host IDS BigFix Sourcefire N-Stalker Web Application 2009 Tenable Nessus Proventia Network Enterprise Scanner Retina SAINT An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic EnCase Cybersecurity can be used to respond to events through an automated process, or to respond manually. It can be integrated with an existing IDS solution for an automated, real-time incident response process, known as a Snapshot, which is triggered when an alert is received. Immediate analysis from the source and target machine reveal details of known, unknown and hidden processes, TCP network socket information, open files, device drivers, services and more - revealing whether machines have been compromised and virtually eliminating false positives. Subsequent automated Snapshots are triggered shortly after the event to show attack results in times slices, so you know whether the event actually occurred, and if so, its impact and origin. You can also use the same Snapshot capability to quickly isolate and respond to security incidents manually. After confirming that a security event took place, EnCase Cybersecurity can be used to analyze computers across your entire enterprise to find other machines compromised by the same or similar worm, zero-day exploit or trojan. Vulnerability scanners and vulnerability assessment tools are designed to actively search for and map systems for weaknesses in an application, computer or network. Typically these technologies scan and look for active IP addresses, open ports, open shares, unused user accounts, running operating systems, running applications, etc. to identify and report on potential vulnerabilities discovered based on canned criteria and vulnerability tests. Some scanners can also remotely deploy missing patches and service packs. Some specific application scanners, such as web application security scanners, can detect vulnerabilities by actually performing common attacks. Before or after performing application vulnerability scans, EnCase Cybersecurity can be used to verify common library files that applications depend on are not feeding misinformation to the application and ultimately the application scanner. An example of this is using EnCase Cybersecurity to verify DLLs that are relied upon by various applications to execute and run are known good DLLs and not DLLs injected with malicious data. EnCase Cybersecurity assesses from a host point of view as opposed to a network point of view to audit for unauthorized or malicious programs running or unauthorized communications taking place. It also allows the user to identify unknown or hidden programs that may be zero-day exploits. As network vulnerability scanners rely on the endpoint (host) response to identify running services, applications and configuration settings, this information can be misleading or incorrect if the machine is compromised.

6 GUIDANCE SOFTWARE Continued Alert Configuration Management and Assessment Tools Security Information Management Tools (SIM) TripWire SolarWinds Orion NCM Novell Arcsight Security Information Manager NetIQ Security Manager NetForensics Intellitactics LogLogic Configurations Management and Assessment Tools enable the process of identifying and defining the Configuration Items in a system (such as registry settings), recording and reporting the status of Configuration Items and Requests For Change, and verifying the completeness and correctness of Configuration Items. EnCase Cybersecurity can automatically verify not only the integrity of static files on a system, but also the running processes on that system. It can gather additional information apart from configuration settings such as data from the registry, file system and network settings to identify if a machine s integrity has been compromised. EnCase Cybersecurity can be configured to audit against configuration settings unique to any given organization as defined by an XML database in an automated fashion. Security information management (SIM) is the industry-specific term in computer security referring to the collection of data from disparate security technologies, network tiers, and event logs turning security data into prioritized, actionable information for trend analysis. SIM products generally comprise software agents running on the computers that are to be monitored, communicating with a centralized server acting as a security console, sending it information about security-related events, which displays reports, charts, and graphs of that information, often in real time. EnCase Cybersecurity can be used to respond to various types of alerts and validate whether a security event actually happened. Although the SIM tool does advanced correlation across many systems to generate the alert, it still does not validate from the target host perspective whether an event did take place and the extent of the compromise. EnCase Cybersecurity enables you to take that final response step after an event has been identified by accepting alerts generated by SIM tools and automatically taking a Snapshot of the affected systems volatile data at the moment the alert is generated and subsequent Snapshots to see how the machine state changes over time from that point. If a malicious process is detected, EnCase Cybersecurity can be used to return that machine to a trusted state, and to sweep the rest of the network for the same or similar threat that set off the original alert. EnCase Cybersecurity can be used to schedule regular scans against past threats to not only ensure the same threat isn t reintroduced to the network, but also to ensure no threats similar to past threats are introduced into the network.

7 Audit & Response EnCase Cybersecurity allows an organization to take definitive action against incidents identified by alerting technologies and against sensitive data that is identified in unauthorized locations. EnCase Cybersecurity can also identify and respond to malware or policy violations that slip past blocking and alerting technologies. Audit, Response and Recovery EnCase Cybersecurity EnCase Cybersecurity complements and augments existing information security tools that aim either to block or quarantine data such as firewalls, intrusion prevention systems, antivirus, or data loss prevention tools or that trigger or correlate alerts, such as intrusion detection systems, configuration management, or SIM and SIEM tools. EnCase Cybersecurity provides: The ability to identify and analyze undiscovered threats, such as polymorphic or metamorphic malware, packed files, and other advanced hacking techniques that evade traditional network- or host-based defenses. Powerful investigative capabilities so that an organization can search across its network for sensitive or confidential data, such as credit card numbers, account numbers, or intellectual property Risk mitigation by wiping sensitive or confidential data from unauthorized locations, and removing malware and malware artifacts from hard drives, RAM, and the Windows Registry on laptops, desktops, and servers Visibility into endpoint risk, leveraging disk-level forensic access of data on endpoints, with the ability to compare endpoints against a trusted baseline and/or an included hash database (both whitelist and blacklist) EnCase Cybersecurity Complements and Augments both and Reactive Security Technologies Proactive Block/Quarantine Audit Firewall Fortinet Check Point Juniper Capabilities: Rule based, this first line defense blocks unauthorized access Limitations: Phishing and common web site attacks easily circumvent; no help vs. insider threat IPS TippingPoint McAfee Sourcefire Capabilities: Blocks data associated with known attack methods Limitations: Morphing threats evade this signature-based tech AV McAfee Trend Micro Capabilities: Identifies and blocks known malware Limitations: Cannot detect or block unknown malware; is signature-based NAC Cisco Juniper Capabilities: prevents access to network unless user meets pre-defined criteria Limitations: Cannot protect against malware introduced via USB or optical drive; no visibility into unstructured data DLP Websense RSA/EMC Capabilities: IDs pre-defined content; alerts (claims blocking) Limitations: Requires complex policies that are easily circumvented; rarely used to block Encryption Ultimaco WinMagic PGP Capabilities: May stop unauthorized users from accessing data Limitations: Can be used to hide data; disk-based encryption does not protect running systems Triage suspicious or sensitive data Identify internal/ external threats Collect IP/PII Wipe IP/PII Remediate malicious data Reactive Alert Response IDS IBM ISS Snort TippingPoint Capabilities: Alert on data associated with known attack methods Limitations: Morphing threats evade this signature-based tech; cannot respond to alerts effectively VA/VM BigFix Sourcefire Tenable Capabilities: Alert on known application or network specific vulnerabilities Limitations: Cannot detect unknown vulnerabilities (application or network configuration); cannot respond to alerts effectively Config. Mgmt. TripWire SolarWinds Novell Capabilities: Alert on OS and network device settings that are not configured properly Limitations: Has no visibility into unstructured data; cannot respond to alerts effectively SEIM/SIM ArcSight RSA Cisco Capabilities: Correlate data from a variety of alerting technologies Limitations: Cannot collect data or respond to alerts effectively Alert response Triage suspicious data Identify threats Analyze risk Remediate malicious code

8 Our Customers Guidance Software s customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Our EnCase customer base includes more than 100 of the Fortune 500 and over half of the 50, including: Allstate, Chevron, Ford, General Electric, Honeywell, Mattel, Northrop Grumman, Pfizer, UnitedHealth Group, Viacom and Wachovia. About Guidance Software (GUID) Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase platform provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to ediscovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing - all while maintaining the integrity of the data. There are more than 35,000 licensed users of the EnCase technology worldwide, and thousands attend Guidance Software s renowned training programs annually. Validated by numerous courts, corporate legal departments, government agencies and law enforcement organizations worldwide, EnCase has been honored with industry awards and recognition from eweek, SC Magazine, Network Computing, and the Socha-Gelbmann survey. For more information about Guidance Software, visit Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. ECS BR