Whitepaper BEST PRACTICES FOR INTEGRATION AND AUTOMATION OF INCIDENT RESPONSE USING ENCASE ENDPOINT SECURITY



"60% [of organizations] plan to automate incident remediation within 24 months" - SANS Endpoint Survey, 2014

"40% of practitioners were concerned about improved integration of security technologies" - EMA Research Report, The Evolution of Data Driven Security, 2014

EXECUTIVE SUMMARY

Information Security (InfoSec) teams are overwhelmed with the constant deluge of attacks from a rapidly growing, increasingly complex threat landscape. These threats, combined with the vanishing perimeter, BYOD, the rising number of insider incidents and a host of other social and technological changes, have driven an exponential rise in corporate security risk. Consequently, organizations are investing in more tools to address known gaps in their security and ultimately combat threats.

The modern InfoSec landscape is creating too many alerts and false positives with too many disparate security components. Compounded by the scarcity of IT resources, this makes these problems untenable. It is virtually impossible to respond to every alert, so InfoSec teams must decipher what is happening in organizational networks and prioritize what is important enough to take action.

Integration and automation are the key to conquering all these problems. SANS Institute recently concluded that, with the combination of overwhelming data volumes and challenges in gathering and correlating operational and security data, "[organizations] clearly need an integrated way to organize their reporting data." [1] Only through an automated, integrated approach can organizations effectively overcome the overwhelming barrage of security threats.

This paper addresses how EnCase Endpoint Security provides organizations with integrated approaches that enable real-time automation and the elimination of, or at least substantial reductions in, false positives. EnCase technology facilitates the integration of Guidance Software products with other tools in an organization's IT security arsenal to address a myriad of security challenges. Also included is a use case that illustrates how a customer addresses a polymorphic malware problem and reduces false positives in an integrated, automated environment.

INTRODUCTION

The threat landscape is continually evolving. Attacks launched by perpetrators are growing increasingly complex and their tools more sophisticated. Consequently, organizations are investing in people, processes and technology designed to counteract the sophisticated threats and prevent malicious access to networks and endpoints. The volume of alerts generated from disparate point solutions, however, adversely impacts the effectiveness of information security investments. Attacks continue to compromise the sensitive data of well-defended networks while security teams are overwhelmed with a backlog of countless alerts.

EnCase Endpoint Security can be integrated with most security technologies, with out-of-the-box integrations available for the leading providers in Security Incident Event Management (SIEM), Log Analysis, APT Detection, Network Security Analytics, and Intrusion Detection Systems (IDS). Integrating third-party security alerting systems with EnCase Endpoint Security facilitates faster detection and more effective remediation of advanced malware threats against enterprise systems, but the greatest value lies in the automation strategies achieved through the integration. Well-designed integration and automation strategies ease management, enable effective prioritization of and response to the deluge of alerts with limited security resources, eliminate the false positives that plague InfoSec groups, and ultimately increase the productivity of security team analysts.

Ideally, InfoSec should have the ability to:
- Quickly understand which alerts are meaningful
- Initiate automatic response actions for those deemed to pose the most risk to valuable digital assets
- Address these threats without bringing down business-critical systems

[1] 2014, SANS Security Analytics Survey

NOT ALL INTEGRATIONS ARE EQUAL

Strategic Advantage in Leveraging the Endpoint

EnCase Endpoint Security reaches endpoints through its servlet technology. The servlet provides unique and powerful kernel-level access across multiple operating systems, with complete visibility into the endpoint including encrypted data, unallocated and hidden data, the registry, system data, devices, and memory. This component enables deep and powerful insight into and control over the activities of machines, potential threats, malware and viruses, exposing root vulnerabilities. The servlet dramatically diminishes the time to respond, enables response without disruption to system activities, and is pre-configured with security controls for easy deployment and peace of mind. This provides a rich and powerful environment upon which to integrate and automate SIEM, log analysis, APT detection, network security analytics, IDS and other security technologies with incident response systems to build a robust and cohesive information security solution.

Enabling Integration and Automation with EnCase Endpoint Security

EnCase Endpoint Security currently includes prebuilt integrations with Splunk, McAfee Data Exchange Layer (DXL), LogRhythm, HP ArcSight ESM and HP ArcSight Express, IBM QRadar, FireEye, Palo Alto Networks WildFire, Blue Coat Security Analytics, Lastline, and Cisco FirePOWER. Integrations with other security technologies can be developed by the Guidance Software Professional Services team.

These integrated environments enable InfoSec teams to:
- Prioritize security events and alerts
- Detect and dismiss false positives
- Immediately validate the efficacy of information security events
- Zero in on the source and root cause of a threat
- Locate variations of a threat anywhere on the network
- Determine impact to sensitive data
- Get complete visibility into all endpoints for advanced incident response
- Integrate with existing processes and tools

These integrations enable automation support of EnCase Endpoint Security features including:

IP Range Zone Mapping: Dedicate EnCase Endpoint Security resources that are in the closest proximity to target endpoints by configuring Zones in EnCase Endpoint Security.

Verification of Suspect or Blacklisted Files: EnCase Endpoint Security can search for and verify the existence of suspect files listed within a third-party event or alert criteria using the VerifybyHash scan. In addition, an external blacklist database can be integrated into the System Analysis and Profile module to identify known bad instances of files or processes on the target endpoints.

Internet Artifacts and Registry Scans: Search endpoints for valuable information from internet browsers, Windows history, and registry hives, which can validate user actions, the root cause of a threat, and persistence mechanisms by accessing normal files or recovering deleted data.

Sensitive Data Discovery: The Personal Identifiable Information module allows a keyword search for any type of keyword, such as personnel names, credit cards, government IDs and many others, across designated endpoints to verify the existence and possible exfiltration of data.

Volatile Data Snapshot: Unique to EnCase, this collects live data from designated endpoints detailing an unprecedented amount of system activity that can be used to validate any type of alert from third-party perimeter, network and even endpoint-based security technologies.

CopyJob: Allows any pre-configured EnCase Endpoint Security job to be leveraged as an automated response upon receipt of the appropriate information from a third-party security technology. For example, a job that includes both a Registry scan and a System Profile and Analysis scan can be automated when a behavior-based alert is triggered, in order to expose any unknown processes that might be responsible for the behavior on the target endpoint.

In addition to the continuously evolving pre-packaged integrations, custom integrations are enabled through the EnCase Endpoint Security Enterprise Service Bus (ESB).

ENCASE ENTERPRISE SERVICE BUS

EnCase Endpoint Security provides a four-layer ESB architecture for receiving and responding to XML requests that trigger various types of EnCase Endpoint Security jobs. Figure 1 shows the flow of a third-party SIEM request across the four ESB layers to EnCase Endpoint Security.

SIEM: This is a message that comes from a third-party SIEM in its current, standardized format.
Listener: This layer interprets the alert and normalizes it to one of several tasks from a preselected menu of tasks available from EnCase Endpoint Security.
API: This translates the requested task into a set of instructions for EnCase Endpoint Security to perform.
Logic: This translates the instructions to EnCase Endpoint Security Business Logic for processing.

Figure 1: ESB Architecture.

The EnCase Endpoint Security ESB is included with the various Web components during the EnCase Endpoint Security installation process.
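The Listener layer described above is where a loosely structured third-party alert becomes one of a fixed menu of jobs, and it is also where input validation belongs, since the SIEM side of an ESB is reachable by any system that can emit an alert. The following is an added example, not Guidance Software's ESB or any vendor's real alert schema: the XML layout, the element names, the category-to-task mapping and the reply format are all assumptions made for illustration. It shows a listener that parses the alert, validates every IP address and hash before it can reach a job, rejects alerts whose category is not on the menu, and reports the fields it dropped so an analyst can see why an alert was only partially acted on.

```python
"""Toy ESB listener: normalize a third-party SIEM alert into one task from a fixed menu.

Added example, not Guidance Software code. The XML schema, the task names'
spelling, the category mapping and the reply format are assumptions.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Preselected menu of tasks. The task names follow the whitepaper's feature
# list; which alert category maps to which task is an assumption.
TASK_MENU = {
    "file_hash_detected": "VerifyByHash",
    "behavior_anomaly": "CopyJob",          # e.g. a job bundling Registry + System Profile scans
    "sensitive_data_access": "VolatileDataSnapshot",
}

_HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}

# Constructed SIEM alert (not a real ArcSight/QRadar/Splunk message). It
# deliberately contains one bad IP and one bad hash to show validation.
SAMPLE_ALERT = """<alert>
  <id>SIEM-10042</id>
  <category>file_hash_detected</category>
  <targets>
    <ip>10.20.30.41</ip>
    <ip>10.20.30.42</ip>
    <ip>not-an-ip</ip>
  </targets>
  <hashes>
    <hash algo="sha256">9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</hash>
    <hash algo="md5">ZZZZ</hash>
  </hashes>
</alert>"""


class AlertError(ValueError):
    """Raised when an alert cannot be normalized to a task safely."""


def normalize_alert(xml_text):
    """Interpret a SIEM alert and normalize it to one task from TASK_MENU.

    Returns a dict with the task name, the validated target IPs and hashes,
    and the list of fields that were rejected (so the SOC sees what was dropped).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AlertError("malformed alert XML: %s" % exc)

    category = (root.findtext("category") or "").strip()
    if category not in TASK_MENU:
        raise AlertError("unknown alert category %r" % category)

    rejected, targets, hashes = [], [], []
    for node in root.iterfind("./targets/ip"):
        raw = (node.text or "").strip()
        try:
            targets.append(str(ipaddress.ip_address(raw)))  # canonical form only
        except ValueError:
            rejected.append(("ip", raw))

    for node in root.iterfind("./hashes/hash"):
        algo = node.get("algo", "").lower()
        raw = (node.text or "").strip().lower()
        if algo in _HASH_RE and _HASH_RE[algo].match(raw):
            hashes.append((algo, raw))
        else:
            rejected.append(("hash", raw))

    if not targets:
        raise AlertError("alert carries no valid target endpoints")
    task = TASK_MENU[category]
    if task == "VerifyByHash" and not hashes:
        raise AlertError("VerifyByHash requested but no valid hashes supplied")

    return {"siem_id": root.findtext("id"), "task": task,
            "targets": targets, "hashes": hashes, "rejected": rejected}


def is_rejected(xml_text):
    """True if the listener refuses the alert outright."""
    try:
        normalize_alert(xml_text)
    except AlertError:
        return True
    return False


def build_reply(result):
    """Simple reply sent back to the SIEM (format is an assumption)."""
    return "%s: task %s queued for %d endpoint(s)" % (
        result["siem_id"], result["task"], len(result["targets"]))


if __name__ == "__main__":
    r = normalize_alert(SAMPLE_ALERT)
    print(build_reply(r))
    print("rejected fields:", r["rejected"])
```

The point of the whitelist-style menu is that the SIEM never names an arbitrary job; it can only select among tasks the endpoint side already offers, and malformed indicators are dropped rather than passed through to a scan.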

HOW IT WORKS

Functionality and the sequence of events vary with the integration, but in a typical integration a third-party SIEM request triggers an EnCase Endpoint Security job. The EnCase Endpoint Security ESB listener may respond with a simple reply, such as "task complete" or a SIEM ID tied to an EnCase Endpoint Security Web link, and other responses can be programmed. An integrated solution can automate functions as specialized as responding to insider attacks, but focusing on malware detection, a typical scenario looks like this:

1. Previously undiagnosed polymorphic malware passes from a perpetrator through the IDS and firewall to an end user.
2. The malware triggers alerts as it passes through the IDS and firewall, which are sent to the SIEM.
3. The SIEM sends the IP addresses of recipient endpoints and the hash values detected by the IDS and/or firewall to EnCase Endpoint Security.
4. EnCase Endpoint Security then automatically scans the infected endpoint, checks for a host of anomalies, such as signs of packing and compile times, and collects appropriate system activity based on defined rules. Information includes running processes, hash, entropy, signature, DLLs, open ports, network connections, evidence of sensitive data and a host of other pertinent points as defined by the job type.
5. EnCase Endpoint Security compares the scan against previous scans, uncovers anomalies, and allows security teams to validate the threat and remediate all instances of the detected malicious file using patented technology available directly from a web-based console.

Figure 2: EnCase Cybersecurity automated response.
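Steps 3 to 5 above, and the VerifybyHash and snapshot-comparison steps of the use case later in this paper, come down to two checks on the endpoint: does a file with the alerted hash exist on the host, and what changed between a baseline volatile snapshot and the current one. The following is an added example written for this page, not EnCase code or its data format: the snapshot layout (sets of records per category), the sample file tree, the image hashes and the triage rule are all constructed. It also shows the caveat the paper's polymorphic-malware use case turns on: a hash match only finds byte-identical copies, so the snapshot diff is what catches a variant with a familiar process name but a new image.

```python
"""Toy endpoint triage: verify alert hashes on a host and diff two volatile snapshots.

Added example, not EnCase code. The snapshot structure, the file tree and
all hash values are constructed for this example.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_by_hash(root_dir, wanted_hashes):
    """Walk root_dir and return {hash: [paths]} for files matching the alert hashes.

    Matching on content rather than file name finds a renamed copy of the same
    file; a polymorphic variant with different bytes will NOT match, which is
    why the snapshot diff below is needed as well.
    """
    wanted = {h.lower() for h in wanted_hashes}
    hits = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in wanted:
                hits.setdefault(digest, []).append(path)
    return hits


def snapshot_diff(baseline, current):
    """Compare two volatile snapshots and report what appeared or disappeared.

    Each snapshot is a dict of category -> set of hashable records. Processes are
    keyed by (name, image hash) so a known process name carrying a new binary
    shows up as an anomaly instead of blending in.
    """
    report = {}
    for category in sorted(set(baseline) | set(current)):
        before = baseline.get(category, set())
        after = current.get(category, set())
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            report[category] = {"added": added, "removed": removed}
    return report


def triage(baseline, current, hash_hits):
    """Return (verdict, reasons): 'confirmed' when endpoint evidence corroborates
    the alert, otherwise 'likely_false_positive'. The rule is an assumption."""
    reasons = []
    if hash_hits:
        reasons.append("alerted file present on host")
    diff = snapshot_diff(baseline, current)
    if diff.get("processes", {}).get("added"):
        reasons.append("new process(es): %s" % diff["processes"]["added"])
    if diff.get("listening_ports", {}).get("added"):
        reasons.append("new listening port(s): %s" % diff["listening_ports"]["added"])
    return ("confirmed" if reasons else "likely_false_positive"), reasons


# Constructed sample snapshots; "aaa111" etc. stand in for image hashes.
BASELINE = {
    "processes": {("svchost.exe", "aaa111"), ("explorer.exe", "bbb222")},
    "listening_ports": {135, 445},
    "connections": {("10.20.30.41", "10.20.30.5", 445)},
}
CURRENT = {
    "processes": {("svchost.exe", "aaa111"), ("explorer.exe", "bbb222"),
                  ("svchost.exe", "ccc333")},   # same name, different image hash
    "listening_ports": {135, 445, 4444},
    "connections": {("10.20.30.41", "10.20.30.5", 445),
                    ("10.20.30.41", "198.51.100.7", 4444)},
}


def demo():
    """Build a small constructed file tree, run both checks, return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "sub", "update.tmp")
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as f:
            f.write(b"sample suspect file contents")   # constructed, not real malware
        with open(os.path.join(tmp, "clean.txt"), "wb") as f:
            f.write(b"benign")
        alert_hashes = [hashlib.sha256(b"sample suspect file contents").hexdigest()]
        hits = verify_by_hash(tmp, alert_hashes)
        verdict, reasons = triage(BASELINE, CURRENT, hits)
        return verdict, reasons, sum(len(v) for v in hits.values())


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be the previous scheduled snapshot of the same host, and a "confirmed" verdict is what gates the approval step before remediation rather than triggering remediation on its own.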

The following use case illustrates an EnCase integrated solution in action.

USE CASE

Despite layers of security, a large corporation was frustrated by polymorphic malware persistently infiltrating the network and compromising endpoints. The malware was generating a high volume of false positives, drowning out legitimate alerts. Traditional scans were revealing nothing. Prior to integration, analysts would run both scheduled and on-demand scans on groups of endpoints with EnCase Endpoint Security and automatically remediate malware on those that were infected. Although their response time was significantly reduced with EnCase Endpoint Security, the high number of endpoints and persistent attacks from numerous vectors necessitated a more proactive approach.

Integrated Solution: EnCase Endpoint Security and HP ArcSight

Once the IT group integrated HP ArcSight ESM with EnCase Endpoint Security, false positives were reduced to actionable alerts and a group of potentially infected machines was promptly identified. The screenshot in Figure 3 illustrates an overview of the investigations, which provides an at-a-glance view of the endpoint security posture. Analysts view all EnCase Endpoint Security investigations, giving them visibility into which investigations are open, closed or rejected, the machines with the highest number of incidents, and the source of the alert (i.e. SIEM or manual) that triggered the investigation. Custom reports can also be generated to provide further graphical representations of the vast volume of data collected.

Figure 3: EnCase Endpoint Security Investigations Overview provides a graphical representation of investigation status, machines with alerts, and the source of alerts in the upper pane, with a filterable detailed list provided in the bottom pane. Users can hover over bubbles for machine-specific details.

Based on data gathered from multiple perimeter security devices, HP ArcSight ESM triggers intelligent alerts based on pre-defined policies. A policy is a set of rules or conditions that define an outcome based on the collated event data for a particular alert. Having identified a malicious file that has traversed the network, EnCase Endpoint Security performs a volatile data snapshot, which is triggered when an alert is received from HP ArcSight ESM. Immediate analysis of the target machines reveals details of known, unknown, and hidden processes, TCP network socket information, open files, device drivers, services and more, revealing whether an endpoint has been compromised and virtually eliminating false positives. Automated volatile data snapshots can be compared with previous or ongoing volatile data snapshots to show attack results in time slices, allowing security analysts to confirm that the event actually occurred, as well as its impact and origin.

With a specific group of endpoints identified as targets where a specific file may have landed, HP ArcSight ESM sends an intelligent alert to EnCase Endpoint Security to run the VerifybyHash job. This confirms whether the hash value of the file within the HP ArcSight ESM alert matches the hash value of any of the files on the targets. EnCase Endpoint Security validates the existence of the file in question and forensically collects a copy for security analysts to review.

The integrated solution includes an automated, real-time incident response process. Upon approval, EnCase Endpoint Security automatically remediates the identified files and all variants on each endpoint. The entire incident response process has been reduced to minutes.

SUMMARY / CONCLUSION

Information security breaches are inevitable, the threat landscape is growing more complex, and the sheer volume of alerts is growing exponentially. The speed at which breaches are identified and resolved, the progress of infectious malware halted, access to and exfiltration of sensitive data stopped, and threats remediated will make a significant difference in controlling risk, costs, and exposure during an incident. An integrated, automated solution at the endpoint is the key. The EnCase Endpoint Security automated response solution enables fast results simultaneously across a large number of endpoints and third-party alerts to ensure operational efficiency in your security team. The organization cited in this paper realized significant value and efficiency when they integrated their HP ArcSight investments with EnCase Endpoint Security.

ABOUT GUIDANCE SOFTWARE (NASDAQ: GUID)

At Guidance, we exist to turn chaos and the unknown into order and the known so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure. Makers of EnCase, the gold standard in digital investigations and endpoint data security, Guidance provides a mission-critical foundation of applications that have been deployed on an estimated 25 million endpoints and work in concert with other leading enterprise technologies from companies such as Cisco, Intel, Box, Dropbox, Blue Coat Systems, and LogRhythm. Our field-tested and court-proven solutions are used with confidence by more than 70 of the Fortune 100 and hundreds of agencies worldwide. Get to know us at guidancesoftware.com.

Guidance Software, EnCase, EnScript, EnCE, EnCEP, Linked Review, EnPoint and Tableau are trademarks owned by Guidance Software and may not be used without prior written permission. All other trademarks and copyrights are the property of their respective owners.