GUIDANCE SOFTWARE EnCase Cybersecurity Complement Guide



To truly secure an enterprise, a comprehensive approach to network security requires defense in depth: multiple layers of defense placed throughout the network to address potential vulnerabilities and to monitor major ingress and egress points. Each security component or process feeds reactive intelligence to the other components and processes. The result is a continuously updated enterprise security posture and a defense-in-depth strategy.

In addition to self-contained malware identification, audit, response and data preservation capabilities, EnCase Cybersecurity adds value to other security technologies through its ability to audit information on endpoint devices and provide meaningful response capabilities to a comprehensive network security plan. This document provides insight into the products and solutions that contribute to a comprehensive approach to network security, and how EnCase Cybersecurity software adds value to existing security investments and initiatives.

This document answers the following questions:

- In what areas can EnCase Cybersecurity complement existing investments in enterprise security?
- What products (by name) does EnCase Cybersecurity complement?

There are an overwhelming number of products on the market today that address one or more security processes in some way. Therefore, this document references only those solutions typically associated, by industry usage and vendor specification, with each respective section.

Block/ Quarantine

These technologies are designed to actively block or take corrective action against known bad or sensitive data based on pre-defined rules and criteria (firewalls, AV, DLP, IPS, NAC), or to passively prevent the reading of sensitive data (encryption). AV scanners generally also contain a response component in the form of user notification and removal of a binary that is a known piece of malware.

Enterprise Firewalls: Fortinet, Check Point, Juniper, Endpoint Protection, Cisco ASA 5500
Intrusion Prevention Systems (IPS): McAfee Network Security Platform, TippingPoint IPS, Endpoint Protection, NitroGuard IPS, Sourcefire
Enterprise Antivirus: McAfee VirusScan Enterprise, Endpoint Protection, Trend Micro OfficeScan, Sophos, Kaspersky Anti-Virus

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (inbound and outbound) computer traffic between different security domains based upon a set of rules and other criteria. EnCase Cybersecurity can be used to audit firewall policies by scanning the network endpoints for sensitive or malicious data that should have been blocked by the firewall.

An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. EnCase Cybersecurity can determine whether unknown threats have successfully evaded the defenses of an intrusion prevention system and verify whether the responses of an IPS have been successful in protecting a targeted host. This is accomplished via a connection (either direct or through a SIM) to the IPS, allowing EnCase to collect information from the affected machine at the time the alert is generated and to perform subsequent scans to ensure the malicious data was in fact blocked.

Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware. EnCase Cybersecurity is able to find and remediate both rootkits and covert malware, such as iterations of polymorphic malware. Operating at the kernel level, the software can identify data the operating system is blind to and is able to destroy hidden processes and hooks used by rootkits and other types of covert malware. It complements existing antivirus and malware protection systems by identifying and remediating covert processes that signature-based detection tools are ill-equipped to address. EnCase Cybersecurity Entropy Near Match Analysis, application descriptors, hash sets, machine profiles and Snapshot technology enable an enterprise to quickly identify and remediate malicious code that is not yet detectable by antivirus solutions and not yet ranked by reputational methods of detecting suspicious data. These zero-day exploits and worms commonly slide under the detection of antivirus systems because they do not match known signatures. EnCase complements existing antivirus software by providing a means to quickly identify these covert threats, their scope and source, and to remediate machines that have been compromised. After determining that a security event took place, EnCase Cybersecurity can analyze computers across an enterprise to find other machines compromised by worms, zero-day exploits or trojans that share any similarity with an identified piece of malware through Entropy Near Match Analysis. This technology can also be used to find iterations of polymorphic malware once a single iteration has been identified.

Block/ Quarantine (continued)

Network Access Control: Cisco, Juniper
Data Loss Prevention and Content Scanners: Websense, McAfee SmartFilter, RSA/EMC, VERICEPT, Verdasys, Varonis
Encryption (File, Disk & Email): PGP Disk, PC Guardian Encryption+, PGP mail, EFS, BestCrypt, Utimaco, BitLocker Drive Encryption, WinMagic

Network Access Control (NAC) tools use a set of protocols to define and implement a policy that describes how to secure access to a network by devices when they initially attempt to access it. When a computer connects to the network, it is not permitted to access anything unless it complies with a set standard, including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the standard is met, the computer is able to access network resources and the Internet, within the policies defined in the NAC system. EnCase Cybersecurity can be used in conjunction with NAC technology to detect whether any malware has been introduced to a computer via USB or other local means before allowing the computer to connect to the network, as NAC technology has no visibility into the risk presented by unstructured data. EnCase Cybersecurity can automatically verify not only the integrity of static files on a system, but also the running processes on that system. It can gather additional information beyond configuration settings, such as data from the registry, file system and network settings, to identify whether a machine's integrity has been compromised.

Content Scanners and Data Loss Prevention (DLP) tools identify, monitor, and protect data in use (e.g., endpoint actions) and data in motion (e.g., network actions) through deep content inspection and a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information. Once an event has been identified by one of these systems, EnCase Cybersecurity can analyze the user's machine, providing crucial information (Internet history, Web cache, keyword search) to validate whether a policy violation took place. EnCase Cybersecurity can be used to scan network endpoints for sensitive or unauthorized data, complementing technologies that specialize in the analysis of data in motion. Once sensitive or unauthorized data that poses a risk to the organization is identified, EnCase Cybersecurity is able to remotely collect and wipe that data, mitigating the risk that the data could be compromised from that endpoint. EnCase Cybersecurity can be used to audit DLP policies by scanning the network endpoints for data that should be blocked by the DLP. In addition, EnCase Cybersecurity can ensure a clean house in advance of implementing data-in-motion DLP, reducing the chance of an employee having sensitive business data to begin with. Subsequent audits ensure the data-in-motion DLP is configured properly.

Encryption technologies transform information (referred to as plaintext) using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. EnCase Cybersecurity allows security analysts to determine whether encrypted data exists on computers in the enterprise that could be a violation of corporate policy. As encryption technologies are also used by malicious entities to hide information and tools that could be used for unauthorized activities, EnCase Cybersecurity lets you analyze encrypted data on both stand-alone and domain-authenticated systems through partnerships with several leading encryption providers. EnCase Cybersecurity lets security analysts view and analyze mounted encrypted volumes as logical drives if the suspect has them open at the time of the investigation. EnCase Cybersecurity validates that encryption is working by verifying the randomness of the allegedly encrypted file(s).
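The two endpoint audits described above, scanning files for sensitive data such as card numbers and checking that an allegedly encrypted file is actually indistinguishable from random data, as an added Python example. It is not code from the original document or from Guidance Software, and it makes no claim about how EnCase implements either check: the sample files, the 7.5 bits-per-byte cut-off and the Luhn filter are constructed for the example. The caveat a practitioner adds is in the comments: a compressed or packed file scores as high as an encrypted one, so a high-entropy result means "not plaintext", not "correctly encrypted".

```python
import math
import random
import re

# Constructed sample "endpoint files" (name -> contents). Not real customer data:
# a plain text file, a CSV with public test card numbers, and a blob of
# pseudo-random bytes standing in for a correctly encrypted file.
_rng = random.Random(1)
SAMPLE_FILES = {
    "notes.txt": b"Meeting notes: call the vendor about renewal terms next week.\n" * 8,
    "orders.csv": b"id,card\n1,4111111111111111\n2,4242424242424242\n3,1234567812345678\n",
    "backup.enc": bytes(_rng.getrandbits(8) for _ in range(4096)),
}

# Bits of entropy per byte above which a file is treated as "not plaintext".
# Encrypted, compressed and packed files all land above this line; the cut-off
# itself is an assumption made for this example.
ENCRYPTED_THRESHOLD = 7.5

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_PATTERN = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for an empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """True when the byte distribution is close to uniform, i.e. this test
    cannot tell the file apart from random data."""
    return shannon_entropy(data) >= threshold


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; drops most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> list:
    """Return the Luhn-valid card-number-like strings found in a file's bytes."""
    found = []
    for m in PAN_PATTERN.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits when reporting a hit."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_files(files: dict) -> dict:
    """Per-file findings: entropy, whether it looks encrypted, and masked PAN hits."""
    report = {}
    for name, data in files.items():
        report[name] = {
            "entropy": round(shannon_entropy(data), 2),
            "encrypted": looks_encrypted(data),
            "pans": [mask(p) for p in find_pans(data)],
        }
    return report


if __name__ == "__main__":
    for name, finding in audit_files(SAMPLE_FILES).items():
        print(name, finding)
```

On the constructed input, orders.csv yields two masked hits (the third row fails the Luhn check), notes.txt yields none, and only backup.enc crosses the entropy threshold. Hits are reported masked so that the audit log itself does not become a new copy of the sensitive data.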

Alert

Alerting technologies either scan network traffic for malicious activity and policy violations using pre-defined criteria, or scan endpoint configuration settings to detect anomalies. Some detection technologies gather and correlate alerts from point solutions to reduce false positives and to triage suspected network intrusions based on the alerts collected from other detection technologies. Other technologies are primarily used to keep track of past threats and the actions that were taken to correct those threats.

Intrusion Detection Systems (IDS)
  Network Intrusion Detection Systems (NIDS): Snort, IBM ISS, TippingPoint
  Host-based Intrusion Detection Systems (HIDS): Zone Alarm, Cisco CSA Host IDS
Vulnerability assessment and management: BigFix, Sourcefire, N-Stalker Web Application 2009, Tenable Nessus, Proventia Network Enterprise Scanner, Retina, SAINT

An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic. EnCase Cybersecurity can be used to respond to events through an automated process, or to respond manually. It can be integrated with an existing IDS solution for an automated, real-time incident response process, known as a Snapshot, which is triggered when an alert is received. Immediate analysis of the source and target machines reveals details of known, unknown and hidden processes, TCP network socket information, open files, device drivers, services and more, revealing whether machines have been compromised and virtually eliminating false positives. Subsequent automated Snapshots are triggered shortly after the event to show attack results in time slices, so you know whether the event actually occurred and, if so, its impact and origin. You can also use the same Snapshot capability to quickly isolate and respond to security incidents manually. After confirming that a security event took place, EnCase Cybersecurity can be used to analyze computers across your entire enterprise to find other machines compromised by the same or a similar worm, zero-day exploit or trojan.

Vulnerability scanners and vulnerability assessment tools are designed to actively search for and map weaknesses in an application, computer or network. Typically these technologies scan for active IP addresses, open ports, open shares, unused user accounts, running operating systems, running applications, etc., to identify and report on potential vulnerabilities discovered based on canned criteria and vulnerability tests. Some scanners can also remotely deploy missing patches and service packs. Some application-specific scanners, such as web application security scanners, can detect vulnerabilities by actually performing common attacks. Before or after performing application vulnerability scans, EnCase Cybersecurity can be used to verify that the common library files applications depend on are not feeding misinformation to the application and ultimately to the application scanner. An example of this is using EnCase Cybersecurity to verify that the DLLs various applications rely on to execute are known good DLLs and not DLLs injected with malicious data. EnCase Cybersecurity assesses from a host point of view, as opposed to a network point of view, to audit for unauthorized or malicious programs running or unauthorized communications taking place. It also allows the user to identify unknown or hidden programs that may be zero-day exploits. As network vulnerability scanners rely on the endpoint (host) response to identify running services, applications and configuration settings, this information can be misleading or incorrect if the machine is compromised.
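An added Python example, not code from the original document or from Guidance Software, of the two host-side checks this section describes: comparing successive volatile-data snapshots to see what changed between time slices after an alert, and checking process images and loaded DLLs against known-good and known-bad hash sets. The snapshots, the hash sets and the stand_in_hash helper are all constructed for the example; a real collection would hash the image files on disk and enumerate processes, modules and listening sockets from the live host.

```python
import hashlib
from dataclasses import dataclass


def stand_in_hash(label: str) -> str:
    """Deterministic stand-in for the SHA-1 of a file's contents. In practice the
    hash is computed over the image on disk; here it is constructed from a label."""
    return hashlib.sha1(label.encode()).hexdigest()


# Constructed hash sets standing in for a whitelist/blacklist hash database.
KNOWN_GOOD = {
    stand_in_hash("svchost.exe build 1"),
    stand_in_hash("explorer.exe build 1"),
    stand_in_hash("kernel32.dll build 1"),
}
KNOWN_BAD = {stand_in_hash("blacklisted-sample.dll")}


@dataclass(frozen=True)
class Process:
    """One running process as captured in a volatile-data snapshot."""
    pid: int
    image: str
    sha1: str
    listening: tuple = ()  # TCP ports the process is listening on
    modules: tuple = ()    # (dll path, sha1) pairs loaded into the process


# Snapshot at the moment of the alert (constructed).
SNAPSHOT_T0 = [
    Process(4, r"C:\Windows\System32\svchost.exe", stand_in_hash("svchost.exe build 1"),
            listening=(135,),
            modules=((r"C:\Windows\System32\kernel32.dll", stand_in_hash("kernel32.dll build 1")),)),
    Process(900, r"C:\Windows\explorer.exe", stand_in_hash("explorer.exe build 1")),
]

# Snapshot taken a few minutes later (constructed): a DLL with a blacklisted hash has
# appeared inside svchost, and a new process with an unknown hash is listening.
SNAPSHOT_T1 = [
    Process(4, r"C:\Windows\System32\svchost.exe", stand_in_hash("svchost.exe build 1"),
            listening=(135,),
            modules=((r"C:\Windows\System32\kernel32.dll", stand_in_hash("kernel32.dll build 1")),
                     (r"C:\Windows\Temp\helper.dll", stand_in_hash("blacklisted-sample.dll")))),
    Process(900, r"C:\Windows\explorer.exe", stand_in_hash("explorer.exe build 1")),
    Process(1337, r"C:\Users\Public\update.exe", stand_in_hash("never seen before"),
            listening=(8443,)),
]


def classify(sha1: str) -> str:
    """Blacklist wins over whitelist; anything in neither set is 'unknown'."""
    if sha1 in KNOWN_BAD:
        return "known-bad"
    if sha1 in KNOWN_GOOD:
        return "known-good"
    return "unknown"


def diff_snapshots(before: list, after: list) -> dict:
    """What changed between two time slices: processes that appeared or ended,
    listening ports that opened, and modules newly loaded (a new process's
    listeners and modules count as new as well)."""
    prev = {p.pid: p for p in before}
    curr = {p.pid: p for p in after}
    new_processes = [curr[pid] for pid in sorted(curr) if pid not in prev]
    ended = [prev[pid] for pid in sorted(prev) if pid not in curr]
    new_listeners, new_modules = [], []
    for pid in sorted(curr):
        old_ports = set(prev[pid].listening) if pid in prev else set()
        old_mods = set(prev[pid].modules) if pid in prev else set()
        new_listeners += [(pid, port) for port in sorted(set(curr[pid].listening) - old_ports)]
        new_modules += [(pid, path, sha1) for path, sha1 in sorted(set(curr[pid].modules) - old_mods)]
    return {"new_processes": new_processes, "ended_processes": ended,
            "new_listeners": new_listeners, "new_modules": new_modules}


def verify_hashes(snapshot: list) -> list:
    """Every process image and loaded DLL not in the known-good set, as
    (pid, path, verdict) triples. An empty list means everything is whitelisted."""
    findings = []
    for p in snapshot:
        for path, sha1 in [(p.image, p.sha1), *p.modules]:
            verdict = classify(sha1)
            if verdict != "known-good":
                findings.append((p.pid, path, verdict))
    return findings


def triage(snapshots: list) -> dict:
    """Walk consecutive snapshots and summarize: 'confirmed' when a blacklisted hash
    is present, 'suspicious' when unknown code or new listeners appeared, else 'clean'."""
    slices = [diff_snapshots(a, b) for a, b in zip(snapshots, snapshots[1:])]
    hash_findings = verify_hashes(snapshots[-1])
    if any(v == "known-bad" for _, _, v in hash_findings):
        verdict = "confirmed"
    elif hash_findings or any(d["new_processes"] or d["new_listeners"] or d["new_modules"]
                              for d in slices):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "slices": slices, "hash_findings": hash_findings}
```

Two snapshots that are identical and fully whitelisted triage as clean, which is the false-positive case the text describes; the constructed pair above triages as confirmed because of the blacklisted module, with the unknown listener recorded alongside it for the analyst.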

Alert (continued)

Configuration Management and Assessment Tools: TripWire, SolarWinds Orion NCM, Novell
Security Information Management Tools (SIM): ArcSight Security Information Manager, NetIQ Security Manager, NetForensics, Intellitactics, LogLogic

Configuration Management and Assessment Tools enable the process of identifying and defining the Configuration Items in a system (such as registry settings), recording and reporting the status of Configuration Items and Requests For Change, and verifying the completeness and correctness of Configuration Items. EnCase Cybersecurity can automatically verify not only the integrity of static files on a system, but also the running processes on that system. It can gather additional information beyond configuration settings, such as data from the registry, file system and network settings, to identify whether a machine's integrity has been compromised. EnCase Cybersecurity can be configured to audit, in an automated fashion, against configuration settings unique to any given organization as defined in an XML database.

Security information management (SIM) is the industry-specific term in computer security for the collection of data from disparate security technologies, network tiers, and event logs, turning security data into prioritized, actionable information for trend analysis. SIM products generally comprise software agents running on the computers to be monitored, communicating with a centralized server acting as a security console and sending it information about security-related events; the server displays reports, charts, and graphs of that information, often in real time. EnCase Cybersecurity can be used to respond to various types of alerts and validate whether a security event actually happened. Although the SIM tool performs advanced correlation across many systems to generate the alert, it still does not validate from the target host's perspective whether an event did take place or the extent of the compromise. EnCase Cybersecurity enables you to take that final response step after an event has been identified by accepting alerts generated by SIM tools and automatically taking a Snapshot of the affected system's volatile data at the moment the alert is generated, followed by subsequent Snapshots to see how the machine state changes over time from that point. If a malicious process is detected, EnCase Cybersecurity can be used to return that machine to a trusted state, and to sweep the rest of the network for the same or a similar threat to the one that set off the original alert. EnCase Cybersecurity can be used to schedule regular scans against past threats, not only to ensure the same threat isn't reintroduced to the network, but also to ensure no threats similar to past threats are introduced into the network.
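The automated audit against organization-specific configuration settings defined in an XML database, as an added Python example that is not the document's or the product's own code. The XML layout (policy/setting elements with key, expected and rule attributes), the key naming and the collected endpoint values are assumptions made for the example; the registry paths named are standard Windows locations used here purely as illustrative settings.

```python
import xml.etree.ElementTree as ET

# Constructed policy. The XML layout is an assumption made for this example, not
# the product's own schema. Keys are prefixed by the source they are collected from.
POLICY_XML = r"""
<policy name="workstation-baseline">
  <setting key="registry:HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" expected="1"/>
  <setting key="registry:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon" expected="0"/>
  <setting key="registry:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword" rule="absent"/>
  <setting key="service:RemoteRegistry" expected="Disabled"/>
  <setting key="network:dns_suffix" expected="corp.example"/>
</policy>
"""

# Constructed settings as collected from one endpoint: auto-logon is on, a stored
# logon password value is present, and the DNS suffix was not collected at all.
COLLECTED = {
    r"registry:HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "1",
    r"registry:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon": "1",
    r"registry:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword": "(value present)",
    r"service:RemoteRegistry": "Disabled",
}


def load_policy(xml_text: str) -> list:
    """Parse the policy into rules {'key', 'rule', 'expected'}; rule defaults to
    'equals'. Unsupported rules are rejected up front rather than silently passing."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for node in root.findall("setting"):
        rule = node.get("rule", "equals")
        if rule not in ("equals", "absent"):
            raise ValueError(f"unsupported rule {rule!r} for {node.get('key')}")
        if rule == "equals" and node.get("expected") is None:
            raise ValueError(f"missing expected value for {node.get('key')}")
        rules.append({"key": node.get("key"), "rule": rule, "expected": node.get("expected")})
    return rules


def audit(rules: list, collected: dict) -> list:
    """Compare each rule with the collected value. Status is 'pass', 'fail', or
    'missing' (an 'equals' rule whose setting was never collected: the endpoint
    cannot be called compliant, but it did not report a wrong value either)."""
    findings = []
    for r in rules:
        actual = collected.get(r["key"])
        if r["rule"] == "absent":
            status = "pass" if actual is None else "fail"
        elif actual is None:
            status = "missing"
        else:
            status = "pass" if actual == r["expected"] else "fail"
        findings.append({**r, "actual": actual, "status": status})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by status for a per-endpoint compliance line."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    for f in audit(load_policy(POLICY_XML), COLLECTED):
        if f["status"] != "pass":
            print(f["status"].upper(), f["key"], "expected", f["expected"], "got", f["actual"])
```

Keeping "missing" distinct from "fail" matters when the audit is automated: a collection gap (agent offline, key not enumerated) should be re-collected, not counted as a policy violation.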

Audit & Response

EnCase Cybersecurity allows an organization to take definitive action against incidents identified by alerting technologies and against sensitive data that is identified in unauthorized locations. EnCase Cybersecurity can also identify and respond to malware or policy violations that slip past blocking and alerting technologies.

Audit, Response and Recovery: EnCase Cybersecurity

EnCase Cybersecurity complements and augments existing information security tools that aim either to block or quarantine data, such as firewalls, intrusion prevention systems, antivirus, or data loss prevention tools, or that trigger or correlate alerts, such as intrusion detection systems, configuration management, or SIM and SIEM tools. EnCase Cybersecurity provides:

- The ability to identify and analyze undiscovered threats, such as polymorphic or metamorphic malware, packed files, and other advanced hacking techniques that evade traditional network- or host-based defenses
- Powerful investigative capabilities, so that an organization can search across its network for sensitive or confidential data, such as credit card numbers, account numbers, or intellectual property
- Risk mitigation by wiping sensitive or confidential data from unauthorized locations, and removing malware and malware artifacts from hard drives, RAM, and the Windows Registry on laptops, desktops, and servers
- Visibility into endpoint risk, leveraging disk-level forensic access to data on endpoints, with the ability to compare endpoints against a trusted baseline and/or an included hash database (both whitelist and blacklist)

EnCase Cybersecurity Complements and Augments both Proactive and Reactive Security Technologies

Proactive: Block/Quarantine

Firewall (Fortinet, Check Point, Juniper)
  Capabilities: Rule based, this first line of defense blocks unauthorized access
  Limitations: Phishing and common web site attacks easily circumvent it; no help vs. insider threat
IPS (TippingPoint, McAfee, Sourcefire)
  Capabilities: Blocks data associated with known attack methods
  Limitations: Morphing threats evade this signature-based technology
AV (McAfee, Trend Micro)
  Capabilities: Identifies and blocks known malware
  Limitations: Cannot detect or block unknown malware; is signature-based
NAC (Cisco, Juniper)
  Capabilities: Prevents access to the network unless the user meets pre-defined criteria
  Limitations: Cannot protect against malware introduced via USB or optical drive; no visibility into unstructured data
DLP (Websense, RSA/EMC)
  Capabilities: Identifies pre-defined content; alerts (claims blocking)
  Limitations: Requires complex policies that are easily circumvented; rarely used to block
Encryption (Utimaco, WinMagic, PGP)
  Capabilities: May stop unauthorized users from accessing data
  Limitations: Can be used to hide data; disk-based encryption does not protect running systems

Audit (EnCase Cybersecurity, alongside the proactive technologies): triage suspicious or sensitive data; identify internal/external threats; collect IP/PII; wipe IP/PII; remediate malicious data

Reactive: Alert

IDS (IBM ISS, Snort, TippingPoint)
  Capabilities: Alert on data associated with known attack methods
  Limitations: Morphing threats evade this signature-based technology; cannot respond to alerts effectively
VA/VM (BigFix, Sourcefire, Tenable)
  Capabilities: Alert on known application- or network-specific vulnerabilities
  Limitations: Cannot detect unknown vulnerabilities (application or network configuration); cannot respond to alerts effectively
Config. Mgmt. (TripWire, SolarWinds, Novell)
  Capabilities: Alert on OS and network device settings that are not configured properly
  Limitations: Has no visibility into unstructured data; cannot respond to alerts effectively
SIEM/SIM (ArcSight, RSA, Cisco)
  Capabilities: Correlate data from a variety of alerting technologies
  Limitations: Cannot collect data or respond to alerts effectively

Response (EnCase Cybersecurity, alongside the reactive technologies): alert response; triage suspicious data; identify threats; analyze risk; remediate malicious code

www.guidancesoftware.com

Our Customers

Guidance Software's customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Our EnCase customer base includes more than 100 of the Fortune 500 and over half of the Fortune 50, including: Allstate, Chevron, Ford, General Electric, Honeywell, Mattel, Northrop Grumman, Pfizer, UnitedHealth Group, Viacom and Wachovia.

About Guidance Software (GUID)

Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase platform provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to ediscovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing, all while maintaining the integrity of the data. There are more than 35,000 licensed users of the EnCase technology worldwide, and thousands attend Guidance Software's renowned training programs annually. Validated by numerous courts, corporate legal departments, government agencies and law enforcement organizations worldwide, EnCase has been honored with industry awards and recognition from eWeek, SC Magazine, Network Computing, and the Socha-Gelbmann survey. For more information about Guidance Software, visit www.guidancesoftware.com.

© 2009 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. ECS BR 9070-13002