EnCase Analytics Product Overview

Transcription

1 GUIDANCE SOFTWARE EnCase Analytics EnCase Analytics Product Overview Security Intelligence through Endpoint Analytics

2 GUIDANCE SOFTWARE EnCase Analytics EnCase Analytics Key Benefits Find unknown and undiscovered threats: Detect early signs of intrusion and anomalous activity on endpoints that evade perimeter security and signature-based detection (e.g. APTs, rootkits, polymorphic malware), before greater damage can be done. Expose hidden security holes: Schedule automated snapshot collection from tens to hundreds of thousands of nodes in a day, providing a comprehensive view into security risks and vulnerabilities across all endpoints in your enterprise. Proactively detect insider threats: Reveal and thoroughly investigate insider activity that typically cannot be discovered by traditional threat-detection tools because users have authorized credentials allowing access. Once found, determine attribution and assess mitigation strategies. Key Features Ongoing and on-demand data collection from enterprise-wide endpoints, including servers, laptops, desktops, mobile devices, and point-of-sale (POS) terminals Instant visualization of endpoint data and activities Search for anomalies based on historical collections Extensible architecture that allows for self-built applications or customization of out-of-the-box applications Integration with third-party data sources such as whitelists or threat intelligence Report-sharing and exporting as images, PDFs, or spreadsheet files Organizations like yours are well aware of the unavoidable threat that cyber-attacks and other unknown risks pose to systems and data, and have invested in signature, indicator, and heuristic-based security that DETECTION promises to alert and stop these threats. For years, security professionals have tried to build the proverbial security wall to be as high and as strong as possible, COLLECT ENDPOINT DATA; NEARLY HALF believe their 70 % but you have been limited to tools and methodology that can detect and alert but not the types useful for organizations are compromised on only known threats. As a result, even the most threat detection robust software can t guarantee the ability to keep Source: SANS 2014 Survey of Endpoint Intelligence of attacks are advanced threats like zero-days, rootkits, morphing malware, or insider LESSmalfeasance VISIBILITY INTO THAN ADVANCED from infiltrating the enterprise, leaving security professionals with only one option: to wait for a 20 % breach to happen. What might look like ENDPOINT an ordinary activity DATA to warning systems PERSISTENT protecting the perimeter could turn out to be a major threat matters to your network MOST and for cause extensive damage. THREATS Proactive security teams must now operate under the assumption threat that detection they have been compromised. /////////////////// REMEDIATION Today s advanced threats are breaking through traditional security defenses. ////////// Unapproved communication channels /////////////////////// Firewalls Known bad code behaviors Obvious phishing attempts ////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////// Intrusion Prevention Known static malware /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////// Spam Filter 54% YOUR DATA Known application exploits spend more than 2 HOURS returning machines to a trusted state To obtain insights into such unknown threats, most security intelligence tools in the market focus on structured data such as log files or network packets. However, simply monitoring network packets or looking at log files is not sufficient to detect the anomalous behavior of the emerging breed of threats. You need visibility into endpoints (servers and end-user devices) to get to the heart of the threats. Proactive Threat-Hunting with Endpoint Analytics EnCase Analytics changes the security workflow from waiting for an alert to threat hunting or proactively patrolling your endpoints looking for anomalies indicative of a breach. EnCase Analytics leverages the proven EnCase endpoint collection capability, adding security intelligence that exposes risk and threats that evade traditional detection technology, and it does so using insights derived from those terabytes of endpoint data. It provides a bird s-eye view of your endpoint risk through an interactive visual interface, so you can look for anomalous behavior in the system and quickly expose signs of intrusion. Anti Virus Overt unknown malware Rootkits, morphing malware, zero-days, targeted attacks, insider threats Configuration Management Vulnerability Assessment

3 The challenges of security analytics lie beyond just obtaining endpoint data. Even if you understand from which data you need to draw meaningful conclusions, and even if you have a way to gather it, how do you efficiently and effectively derive insights without complex and manual ETL (Extract, Transform, and Load) processes and programming? How do you present and share these insights with the non-technical, line-of-business stakeholders? EnCase Analytics offers an end-to-end solution to security analytics with: Automated Data Collection and Preparation Data collection and preparation are often the most time-consuming tasks of any analytics project and require a deep understanding of data sources, data models, and metadata. EnCase Analytics leverages the proven EnCase collection engine now in use on over 20 million devices. It delivers automated extract, transform, and load functions (ETL) and knows exactly which data is required for the analysis, freeing the security operations team from data preparation and allowing more time for analysis. No Data Scientists Required Through its interactive visualization interface, EnCase Analytics empowers enterprise security team to fine-tune various criteria, expose and draw complex relationships, and derive advanced endpoint intelligence in just seconds. It gives you the ability to quickly visualize your data from multiple dimensions, regardless of how large or disparate the data sets may be. Rapid Exposure of Malicious Activity No more idly waiting for threats to surface. With EnCase Analytics, you can monitor your enterprise-wide endpoints through the visual interface, allowing you to quickly obtain indication of security threats and manage security risks before they do damage to the organization. Quickly Remediate with EnCase Cybersecurity Once a breach is found, thorough investigation and remediation can be automated by using EnCase Cybersecurity. EnCase Analytics and EnCase Cybersecurity provide an integrated security solution enabling faster detection, assessment, remediation and recovery from security threats. Use Cases Discover possible access-policy violations by visualizing admin accounts that have initiated processes anywhere on the network, by domain Discover propagating and morphing malware by querying which processes are running at an abnormal rate within your network, which one has a unique hash value, and to which machines the process has proliferated NIST Cybersecurity Framework Alignment EnCase Analytics can assist in aligning with the detect function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. DETECT: Anomalies and Events Anomalous activity is detected in a timely manner and the potential impact of events is understood. Data is aggregated and correlated Baseline is established and managed Events are analyzed for targets and methods Impact is determined Incident thresholds are established DETECT: Continuous Monitoring Information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. The network is monitored to detect threats Personnel activity is monitored to detect potential cybersecurity events Malicious code is detected External service provider activity is monitored to detect potential cybersecurity events

4 How it Works 1) Fast Collection Collection engine extracts volatile data from all endpoint Uses enterprise-proven servlet deployed on 20 million endpoints Endpoint data stored in a staging database 2) Processing & Aggregation Data is transformed and loaded into analytics database Pre-built or custom-built query created against the analytics database 3) Secure Analysis through Visualization Results are presented through the interactive visualizations Perform threat hunting using visualizations, validating anomalies that are indicative of threats Reports can be shared with non-technical stakeholders Easy Customization Built with an extensible architecture, EnCase Analytics allows for customizations at multiple levels: Data model layer: Open data model allows customization of the analytics database to extract and maintain information needed for specific queries and use cases Query engine layer: A multi-dimensional query engine allows ad-hoc slicing and dicing and drill-downs on any level of detail retrieved from endpoints, so that security analysts can identify and research anomalies in relationships of data previously considered uncorrelated Visualization layer: In addition to having access to multiple pre-built visualizations of different endpoint data and trends, security analysts can create their own custom visualizations to depict relationships between different security data points important to their security posture in an intuitive fashion. Get Guidance Leverage the expertise of our Advisory Consultants to take full advantage of your EnCase Analytics deployment. Our team of experts can help you with: Installation Integration with other systems Dashboard augmentation Report customization Training Guidance Software has differentiated itself by providing not only an application designed to expose security risks, but, more importantly, analytics that can be queried in a multitude of ways so businesses can find their own needles in their endpoint haystacks, for uses above and beyond security. - Javvad Malik, Senior Analyst, Enterprise Security Practice, 451 Research Flexible Integration To produce a comprehensive picture of potential security threats within the enterprise, EnCase Analytics can not only collect data from any endpoint in the enterprise, but can also integrate data from third-party security tools such as SIEM technologies, threat intelligence feeds, whitelisting or blacklisting sources, and more. As a result, EnCase Analytics provides even deeper insights into previously unknown security risks and potential threats before they have a chance to do serious damage to the enterprise. Become Proactive Threat Hunters The time has come to transform our organizations from prey into proactive threat hunters. Security teams like yours need visibility into activity across corporate endpoints, as well as the ability to forensically investigate anomalies and threats. Baselining and finding anomalies with EnCase Analytics helps you focus only on actual threats to sensitive information. Then EnCase Cybersecurity can help determine the fastest path to stopping and remediating those threats as swiftly as possible.

5 Example Use Case: Reveal APT Attacks Step 1: Investigate network connections to geographic locations Visualization: Chart of the network connections initiated by enterprise-wide endpoints, categorized by connection destination (pie charts) and the number of connections per process (bubble chart). Detected Anomaly: Communications with China Step 2: Determine unusual processes with connections to China Visualization: Chart showing machine, user, and processes running in China. Step 3: Respond and Remediate with EnCase Cybersecurity 1. Test the hash to determine if it is malware 2. Determine whether sensitive data is located on that machine 3. Find out whether the account has been compromised or a policy violation exists 4. Remediate the affected endpoints Detected Anomaly: Although browsers chrome.exe, firefox.exe, iexplorer.exe seem ordinary; the ntoskml. exe service with the FilePath \windows\ system32 seems problematic.

6 Our Customers Guidance Software s customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO, Northrop Grumman, Pfizer, SEC, UnitedHealth Group and Viacom. About Guidance Software (NASDAQ: GUID) Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase Enterprise platform is used by numerous government agencies, more than 65 percent of the Fortune 100, and more than 40 percent of the Fortune 500, to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading electronic discovery and cyber security solutions, EnCase ediscovery, EnCase Cybersecurity, and EnCase Analytics, which empower organizations to respond to litigation discovery requests, perform sensitive data discovery for compliance purposes, conduct speedy and thorough security incident response, and reveal previously hidden advanced persistent threats or malicious insider activity. For more information about Guidance Software, visit EnCase, EnScript, FastBloc, EnCE, EnCEP, Guidance Software and Tableau are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.