Guidance Software Whitepaper. Best Practices for Integration and Incident Response Automation Using EnCase Endpoint Security

Transcription

1 Guidance Software Whitepaper Best Practices for Integration and Incident Response Automation Using EnCase Endpoint Security

2 60% [of organizations] plan to automate incident remediation within 24 months - SANS Endpoint Survey, % of practitioners were concerned about improved integration of security technologies - EMA Research Report, The Evolution of Data Driven Security, 2014 Executive Summary Information Security (InfoSec) teams are overwhelmed with the constant deluge of attacks from a rapidly growing, increasingly complex threat landscape. These threats combined with the vanishing perimeter, BYOD, the rising number of insider incidents and a host of other social and technological changes, have driven an exponential rise in corporate security risk. Consequently, organizations are investing in more tools to address known gaps in their security and ultimately combat threats. The modern InfoSec landscape is creating too many alerts and false positives with too many disparate security components. This compounded with the scarcity of IT resources make these problems untenable. It is virtually impossible to respond to every alert, so InfoSec teams must decipher what is happening in organizational networks and prioritize what is important enough to take action. Incident response automation through integrations between critical tools is key to greater effectiveness. SANS Institute recently concluded that with the combination of overwhelming data volumes and challenges in gathering and correlating operational and security data, [organizations] clearly need an integrated way to organize their reporting data. 1 Only through response automation can organizations effectively overcome the overwhelming barrage of security threats. This paper addresses how EnCase Endpoint Security is providing organizations with integrated approaches that enable real-time automation and elimination, or at least substantial reductions in false positives. EnCase technology facilitates the integration of Guidance Software products with other tools in an organization s IT security arsenal to address a myriad of security challenges. Also included is a use case illustrates how a customer addresses a polymorphic malware problem and reduces false positives in an environment set up for response automation. Introduction The threat landscape is continually evolving. Attacks launched by perpetrators are growing increasingly complex and their tools more sophisticated. Consequently, organizations are investing in people, processes and technology designed to counteract the sophisticated threats and prevent malicious access to networks and endpoints. The volume of alerts generated from disparate point solutions, however, adversely impact the effectiveness of information security investments. Attacks continue to compromise the sensitive data of well-defended networks while security teams are overwhelmed with a backlog of countless alerts. EnCase Endpoint Security can be integrated with most Security technologies with out-of-the-box integrations available for the leading providers in Security Incident Event Management (SIEM), Log Analysis, APT Detection, Network Security Analytics, and Intrusion Detection System (IDS). Integrating third-party Security alerting technology systems with EnCase Endpoint Security facilitates faster detection and more effective remediation of advanced malware threats against enterprise systems, but the greatest value lies in the automation strategies achieved through the integration. Well-designed integration and automation strategies ease management, enable effective prioritization and response to the deluge of alerts with limited security resources, eliminate the false positives that plague InfoSec groups, and ultimately increase productivity of security team analysts. Ideally, InfoSec should have the ability to: , SANS Security Analytics Survey Quickly understand which alerts are meaningful Initiate automatic response actions for those deemed to pose the most risk to valuable digital assets Address these threats without bringing down business-critical systems Endpoint Security Software WP IR Integration/Automation Best Practices 2

3 Not All Integrations are Equal Strategic Advantage in Leveraging the Endpoint EnCase Endpoint Security is built on the foundation of trusted, comprehensive visibility to network endpoints through its servlet technology. The servlet provides unique and powerful kernel-level access across multiple operating systems with complete visibility into the endpoint including encrypted data, unallocated, hidden data, the registry, system data, devices, and memory. This component enables a deep and powerful insight and control over the activities of machines, potential threats, malware and viruses exposing root vulnerabilities. The servlet dramatically diminishes the time to respond, enables response without disruption to system activities, and is pre-configured with security controls for easy deployment and peace of mind. This provides a rich and powerful environment upon which to integrate and automate SIEM, log analysis, APT detection, network security analytics, IDS and other security technologies with incident response systems to build a robust and cohesive information security solution. Enabling Integration and Automation with EnCase Endpoint Security EnCase Endpoint Security currently include prebuilt integrations with Splunk, McAfee Data Exchange Layer (DXL), LogRhythm, HP ArcSight ESM and HP ArcSight Express, IBM QRadar, FireEye, Palo Alto Networks Wildfire, Blue Coat Security Analytics, Lastline, and Cisco FirePOWER. Integrations with other Security technologies can be developed by the Guidance Software Professional Services team. These integrated environments enable InfoSec teams to: Prioritize security events and alerts Detect and dismiss false positives Immediately validate the efficacy of a information security events Zero in on the source and root cause of a threat Locate variations of a threat anywhere on the network Determine impact to sensitive data Get complete visibility into all endpoints for advanced Incident Response Integrate with existing processes and tools These integrations enable automation support of EnCase Endpoint Security features including: IP Range Zone Mapping: Dedicate EnCase Endpoint Security resources that are within the closest proximity to target endpoints by configuring Zones in EnCase Endpoint Security. Verification of Suspect of Blacklisted Files: EnCase Endpoint Security can search for and verify the existance of suspect files listed within a third-party event or alert criteria using the VerifybyHash scan. In addition, an external blacklist database can also be integrated into the System Analysis and Profile module to identify known bad instances of files or processes from the target endpoints. Internet Artifacts and Registry Scans: Search endpoints for valuable information from internet browsers, windows history, and registry hives, which can validate user actions, the root cause of a threat, and persistence mechanisms by accessing normal files or recovering deleted data. Endpoint Security Software WP IR Integration/Automation Best Practices 3

4 Sensitive Data Discovery: The Personal Identifiable Information module allows a keyword search for any type of keyword such as personnel names, credit cards, Government IDs and many others across designated endpoints to verify the existence and possibly ex-filtration of data. Volatile Data Snapshot: Is unique to EnCase and collects live data from designated endpoints detailing an unprecedented amount of system activity that can be used to validate any type of alert from third-party perimeter, network and even endpoint based security technologies. CopyJob: Allows any pre-configured EnCase Endpoint Security job to be leveraged as an automated response upon receipt of the appropriate information from a third-party security technology. For example, a job that includes both a Registry and a System Profile and Analysis scans can be automated when a behavior-based alert is triggered in order to expose any unknown processes that might be responsible for the behavior on the target endpoint. In addition to the continuously evolving pre-packaged integrations, custom integrations are enabled through the EnCase Endpoint Security Enterprise Service Bus (ESB). EnCase Enterprise Service Bus EnCase Endpoint Security provides a four-layer ESB architecture for receiving and responding to XML requests that trigger various types of EnCase Endpoint Security jobs. The diagram below shows the flow of a third-party SIEM request across the four ESB layers to EnCase Endpoint Security. SIEM: This is a message that comes from a third-party SIEM in its current, standardized format. Listener: This layer interprets the alert and normalizes it to one of several tasks from a preselected menu of tasks available from EnCase Endpoint Security. API: This translates the requested task into a set of instructions for EnCase Endpoint Security to perform. Logic: This translates the instructions to EnCase Endpoint Security Business Logic for processing. Endpoint Security Software WP IR Integration/Automation Best Practices 4

5 Figure 1: ESB Architecture. The EnCase Endpoint Security ESB is included with the various Web components during the EnCase Endpoint Security installation process. Endpoint Security Software WP IR Integration/Automation Best Practices 5

6 How It Works Functionality and sequence of events are variable based on the integration, but in a typical integration a third-party SIEM request triggers an EnCase Endpoint Security job. The EnCase Endpoint Security ESB listener may respond with a simple reply, such as task complete or a SIEM ID to an EnCase Endpoint Security Web link, and other responses can be programmed. An integrated solution can automate functions as specialized as insider attacks, but focusing on malware detection, a typical scenario looks like this: 1. Previously undiagnosed polymorphic malware passes from a perpetrator through the IDS and firewall to an end user. 2. The malware triggers alerts as it passes through the IDS and firewall, which are sent to the SIEM. 3. The SIEM sends the IP addresses of recipient endpoints and the hash values detected by the IDS and/or Firewall to EnCase Endpoint Security. 4. EnCase Endpoint Security then automatically scans the infected endpoint, checks for a host of anomalies, such as signs of packing and compile times, and collects appropriate system activity based on defined rules. Information includes running processes, hash entropy signature, DLLs, open ports, network connections, evidence of sensitive data and a host of other pertinent points as defined by the job type. 5. EnCase Endpoint Security compares the scan against the previous scans, uncovers anomalies, and allows security teams to validate the threat, and remediate all instances of the detected malicious file using patented technology available directly from a web-based console. Figure 2: EnCase Cybersecurity automated response. Endpoint Security Software WP IR Integration/Automation Best Practices 6

7 The following use case illustrates an EnCase integrated solution in action. Use Case Despite layers of security, a large corporation was frustrated by polymorphic malware persistently infiltrating the network and compromising endpoints. The malware was generating a high volume of false positives, drowning out legitimate alerts. Traditional scans were revealing nothing. Prior to integration, analysts would run both scheduled and on-demand scans on groups of endpoints with EnCase Endpoint Security and automatically remediate malware on those that were infected. Although their response time was significantly reduced with EnCase Endpoint Security, but the high number of endpoints and persistent attacks from numerous vectors necessitated a more proactive approach. Integrated Solution: EnCase Endpoint Security and HP ArcSight Once the IT group integrated HP ArcSight ESM with EnCase Endpoint Security. False positives were reduced to actionable alerts and a group of potentially infected machines was promptly identified. The screenshot in Figure 3 illustrates an overview of the investigations which provide an at-a-glance view of the endpoint security posture. Analysts view all EnCase Endpoint Security investigations, giving them visibility into what investigations are open, closed or rejected, the machines with the most number of incidents, as well as the source of the alert (i.e. SIEM or manual), which triggered the investigation. Custom reports can also be generated to provide further graphical representations of the vast volume of data collected. Figure 3: EnCase Endpoint Security Investigations Overview provides a graphical representation of investigation status, machines with alerts, and the source of alerts in the upper pane, with a filterable detailed list provided in the bottom pane. Users can hover over bubbles for machine-specific details. Endpoint Security Software WP IR Integration/Automation Best Practices 7

8 Based on data gathered from multiple perimeter security devices, the HP ArcSight ESM triggers intelligent alerts based on pre-defined policies. A policy is a set of rules or conditions that define an outcome based on the collated event data for a particular alert. Having identified a malicious file that has traversed the network, EnCase Endpoint Security performs a volatile data snapshot, which is triggered when an alert is received from the HP ArcSight ESM. Immediate analysis from the target machines reveals details of known, unknown, and hidden processes, TCP network socket information, open files, device drivers, services and more, revealing whether an endpoint have been compromised, and virtually eliminating false positives. Automated volatile data snapshots can be compared with previous or ongoing volatile data snapshots show attack results in time slices, allowing security analysts to confirm that the event actually occurred, and its impact and origin. With a specific group of endpoints identified as targets where a specific file may have landed, HP ArcSight ESM sends an intelligent alert to EnCase Endpoint Security to run the VerifybyHash job. This confirms whether the hash value of the file within the HP Arsight ESM alert matches the hash value of any of the files on the targets. EnCase Endpoint Security validates the existence of the file in quesiton and forensically collects a copy for security analysts to review. The integrated solution includes an automated, real-time incident response process. Upon approval, EnCase Endpoint Security automatically remediates the identified files and all variants on each endpoint. The entire incident response process has been reduced to minutes. Summmary / Conclusion Information security breaches are inevitable, the complexity of the threat landscape is growing more complex, and the sheer volume of alerts is growing exponentially. The speed at which breaches are identified and resolved, progress of infectious malware halted, access and exfiltration of sensitive data stopped, and threats remediated will make significant difference in controlling risk, costs, and exposure during an incident. Establishing response automation at the endpoint through the integration of best-of-breed tools is the key. The EnCase Endpoint Security automated response solution enables fast results simultaneously across a large number of endpoints and third-party alerts to ensure operational efficiency in your security team. The organization cited in this paper realized significant value and efficiency when they integrated HP ArcSight investments with EnCase Endpoint Security. Endpoint Security Software WP IR Integration/Automation Best Practices 8

9 About Guidance Software (NASDAQ: GUID) Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response, e-discovery and forensic analysis. Its EnCase Enterprise platform, deployed on an estimated 25 million endpoints, is used by more than 70 percent of the Fortune 100, more than 45 percent of the Fortune 500, and numerous government agencies to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading IT security, IT help desk, and electronic discovery solutions, EnCase Endpoint Security, EnCase Remote Recovery + and EnCase ediscovery. For more information about Guidance Software, visit This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon legal counsel or advice. EnCase, EnScript, FastBloc, EnCE, EnCEP, Guidance Software, LinkedReview, EnPoint and Tableau are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights are the property of their respective owners.