This document discusses the need for cyber forensics capabilities to effectively respond to modern cybersecurity threats and incidents. It notes that traditional perimeter-based defenses are no longer sufficient, and that comprehensive endpoint visibility is needed to identify covert threats, attribute attacks, and limit data breaches. The document promotes the Guidance Software EnCase Cybersecurity solution as providing critical network-enabled incident response and forensic investigation capabilities for enterprises.
Cybersecurity - Sam Maccherola
1. A New Era in Incident Response and Data Auditing: The Case for Cyberforensics
3. Bio: 20+ years of government management and program development experience within the information technology and systems integration industry. At Guidance Software, manages strategic direction, as well as operational, sales, and business development for a growing global Government practice. Prior to Guidance Software: Vice President of Federal at ProSight Inc., responsible for overall strategic direction, as well as the operations, sales and marketing components of the federal business unit; President of Tenix America; VP of Public Sector Sales for Tripwire, Inc.; senior positions with Tumbleweed, Entrust Technologies, Inc., PLATINUM Technologies, and Legent Corp. Recognized as one of the 100 people in Government and Industry that made a positive difference in Government IT by a panel of Government and Industry leaders. Active participant in many associations that promote public-private sector information sharing and partnerships: AFCEA, ACT/IAC and ITAA.
4. Guidance Software, Inc.: The World Leader in Digital Investigations. Enterprise-ready, market-proven solutions: over 150 customers of EnCase® eDiscovery; over 650 customers of EnCase® Enterprise, including more than 100 of the Fortune 500 and over half of the Fortune 50; deployed on over 10 million desktops, laptops and servers. The leading court-validated technology: used in thousands of cases worldwide; authenticated in over 50 published court cases, and EnCase technology validated under Daubert/Frye; courts have taken “judicial notice” of the validity of EnCase software. Top-ranked software by industry analysts: Gartner’s highest rating for eDiscovery software; Socha-Gelbmann’s Top 5 (highest category) for eDiscovery software; Forrester calls it “the de-facto industry standard for remote desktop collection”. Committed to supporting your on-going success: world-class training and certification program; top-ranked professional services organization.
6. Evolving Threats: Perimeter defense is never enough. With new technologies come new exploits. Threats can also be internal and/or inadvertent. A determined hacker will find a way (high end). Hacking has become “productized” (low end).
32. Let the Blood Loss Begin… 25 July 2010: the U.S. National Security Advisor, on the Wikileaks report on Afghanistan, says the disclosure of classified information threatens U.S. national security.
33. On a Normal Day, an Agency Gets Hit by upwards of 2.4M Attacks. How effective is your security? 99.9%? At 99% effectiveness, 12,000 - 24,000 attacks get through each day; at 99.9%, 1,200 - 2,400; at 99.99%, 120 - 240. Multiple technologies must be layered to get near 99.9% effective. It is impossible to achieve impenetrability. Even if you pulled the plug, they can take the hard drive…
34. Traditional Security is for Traditional Threats. “Traditional security solutions are obsolete…the signature approach and other traditional methods of security are not keeping pace with the number of threats being created by online criminals.” “The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.” “It often takes up to 24 to 72 hours from the time a threat is identified, analyzed, and its signature is developed to the time it is finally delivered to the endpoint. While consumers and enterprises are playing the waiting game, their endpoints are exposed and vulnerable.” “The degree of difficulty for identifying malware targeting data is outpacing the innovation of traditional security vendors.”
35. The CISO Knows This More Than Anyone. “…there needs to be a continuing and stronger emphasis on protection and management of data, distinct from focusing too heavily on threats and attacks.” — Recommendations from the 2010 State of Cybersecurity from the Federal CISO’s Perspective, an (ISC)2 Report. “Perimeter defenses are no longer effective, if they ever were. It’s harder to fight a war from the inside than maintaining the perimeter. It requires additional resources.” — John Wang, Security Architect, NASA.
36. Over $40B Spent on FISMA since 2002 … not enough. More checklists and standards: Consensus Audit Guideline; CVE/OVAL; DISA GOLD/STIG; NSA/NIST NIAP (CCEVS EAL); DIACAP; FIPS; FISMA; ISO 17799; IEC 27002; GLBA; SOX; HIPAA; FDCC; SCAP; NERC’s CIP 009-2; and so on… Compliance is not an insurance policy against the unknown threat. Heartland Payment Systems breach cost: $12.5M+.
37. History Repeats Itself: Hannibal using the Roman roads to cross the Alps. 40% increase in major intrusions (US-CERT).
44. Current Challenges in Cyber Defense. Regardless of what you do… attacks will continue 24/7/365. The enemy at the gates will continue to recon, infiltrate and exfiltrate. Anonymity will challenge attribution. Malware will be custom designed and used against you; attackers live in a 0-day environment, and polymorphic code is on the rise. You need to be right 100% of the time. How do you learn to defend if you never learn what happened or who you’re dealing with?
45. Cyber Forensics is the Spear Tip of any Cybersecurity Initiative. Identify covert/undiscovered threats: dynamically adaptive patented technology gives InfoSec the advantage against new threats, including polymorphic malware, packed files and other advanced hacking techniques. Attribute new attacks to older attacks, invaluable in attributing malware to an attacker. Complete visibility into endpoint risk, with the ability to target static and live data to locate sensitive information. Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry. Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.) and perform internal investigations such as those dealing with fraud or HR matters.
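The PII audit the slide describes (and the “identify and wipe PII from unauthorized endpoints” data policy enforcement on later slides) comes down to sweeping data at rest for patterns that look like card or account numbers, then weeding out the false positives before anyone acts on the findings. The script below is an added illustration of that sweep, written for this page; it is not EnCase code and not from Guidance Software. It scans constructed sample file contents for 13-19 digit runs, keeps only candidates that pass a Luhn check and are not a single repeated digit, and masks confirmed hits so that only the last four digits remain. The sample files, their names and the card numbers in them are all made up (the numbers are the public Visa/MasterCard test values, not real accounts).

```python
import re

# Constructed sample data standing in for content read off an endpoint's disk.
# File names and contents are invented for this example.
SAMPLE_FILES = {
    "notes.txt": "Call 555-0100 about order 4111111111111111 before Friday.",
    "export.csv": "id,card\n1,4012888888881881\n2,1234567812345678\n",
    "log.txt": "session 5555 5555 5555 4444 closed; ref 0000000000000000",
}

# A candidate is 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card(digits: str) -> bool:
    """Length, Luhn and a 'not all the same digit' sanity check.

    All-zero runs pass Luhn, so the last test removes an obvious false positive
    (padding, placeholders, serial numbers of the form 0000...).
    """
    return 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1


def find_card_numbers(text: str) -> list:
    """Return the normalised (separator-free) card numbers found in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if is_card(digits):
            hits.append(digits)
    return hits


def audit(files: dict) -> dict:
    """Map each file name to the card numbers found in it (empty list if none)."""
    return {name: find_card_numbers(content) for name, content in files.items()}


def mask(text: str) -> str:
    """Remediation step: replace confirmed card numbers with all but the last 4 digits masked."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        if is_card(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_FILES).items():
        print(f"{name}: {hits}")
    print(mask(SAMPLE_FILES["notes.txt"]))
```

Note the two false-positive filters: the 16-digit value in export.csv that fails Luhn is dropped, and the all-zero reference in log.txt passes Luhn but is rejected because it contains only one distinct digit. On real endpoints the sweep would also have to open compressed and packed containers and read slack and unallocated space, which the slide on endpoint visibility alludes to; that part is outside this example.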
50. 2010 Cybersecurity Survey (continued). Incident response and internal forensics can make a difference: 28% of events resulted in legal or law enforcement action; 35% could not pursue legal action due to lack of evidence; 29% could not identify the individuals responsible.
51. The Endpoint Needs Comprehensive Visibility. Endpoint visibility: multiple OS and file systems; see through data-at-rest solutions; packed and compressed data; the data universe is ever expanding. Cyber preparedness: speed, mobility, adaptability; infinite digital reach; speed of cyber, not UPS/FedEx; adaptive malware identification and recovery. Data protection: targeted search and remediation; DLP; encryption, etc.
52. The Missing Layer in Defense in Depth … Incident Response at the Forensic Level with Endpoint Visibility. EnCase Cybersecurity provides: enterprise-wide incident response (cyberforensic triage and in-depth analysis, attack attribution analysis, and remediation); system deviation assessments (expose system integrity issues caused by unknown threats); data policy enforcement (identify and wipe PII/classified data from unauthorized endpoints).
53. Information Security Challenges: Proactively identifying and addressing covert/unknown threats. Determining the capabilities and purpose of unknown files or running processes. Identifying and recovering from known malware and/or polymorphic malware; signature-based detection tools are insufficient when faced with code that morphs to evade detection. Quickly triaging and containing an identified threat. Locating and rapidly responding to data leakage (PII, IP, etc.). Compliance with data protection and breach notification laws. Determining the “State of the Network” by comparing known profiles to data on systems.
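The last challenge on that slide, and the “system deviation assessment” on the surrounding slides, is a baseline comparison: fingerprint a known-good profile of an endpoint, fingerprint the endpoint as it is now, and report what was added, removed or modified, regardless of whether any signature exists for it. The script below is an added example written for this page, not EnCase code and not from Guidance Software. It hashes an in-memory “gold image” and an in-memory snapshot of an endpoint (both constructed, with invented Windows paths and placeholder file contents) and produces the deviation report; on a real system the two dictionaries would be built by walking the file system, which is left out so the example runs offline.

```python
import hashlib

# Constructed known-good profile of an endpoint: path -> file content.
# Paths and contents are invented placeholders, not real binaries.
GOLD_IMAGE = {
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
    r"C:\Windows\System32\svchost.exe": b"MZ...gold svchost build",
    r"C:\Program Files\App\app.exe": b"MZ...app 1.0",
}

# Constructed snapshot of the same endpoint today: hosts file altered,
# an application removed, and a look-alike binary dropped in a user-writable path.
ENDPOINT_NOW = {
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n0.0.0.0 update.vendor.example\n",
    r"C:\Windows\System32\svchost.exe": b"MZ...gold svchost build",
    r"C:\Users\Public\svch0st.exe": b"MZ...unknown",
}


def fingerprint(files: dict) -> dict:
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def deviations(baseline: dict, observed: dict) -> dict:
    """Compare two path->hash profiles and classify every difference.

    'added'    : present on the endpoint but not in the known profile
    'removed'  : in the known profile but missing from the endpoint
    'modified' : present in both with a different hash
    Lists are sorted so the report is stable and easy to diff between runs.
    """
    base_paths, obs_paths = set(baseline), set(observed)
    return {
        "added": sorted(obs_paths - base_paths),
        "removed": sorted(base_paths - obs_paths),
        "modified": sorted(p for p in base_paths & obs_paths if baseline[p] != observed[p]),
    }


def assess(gold_files: dict, endpoint_files: dict) -> dict:
    """Full system deviation assessment: fingerprint both sides, then diff."""
    return deviations(fingerprint(gold_files), fingerprint(endpoint_files))


def unknown_files(gold_files: dict, endpoint_files: dict) -> list:
    """Triage helper: endpoint files whose hash matches nothing in the known profile.

    This catches a known binary that was moved or renamed (its hash is still known)
    and flags only content the profile has never seen.
    """
    known_hashes = set(fingerprint(gold_files).values())
    return sorted(p for p, h in fingerprint(endpoint_files).items() if h not in known_hashes)


if __name__ == "__main__":
    report = assess(GOLD_IMAGE, ENDPOINT_NOW)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("unknown content:", unknown_files(GOLD_IMAGE, ENDPOINT_NOW))
```

Hashing content rather than trusting names or timestamps is the point: the dropped `svch0st.exe` is flagged both as an added path and as content the profile has never seen, and the edited hosts file is flagged as modified even though its name, size class and location are all legitimate. A modified file in a system directory is a system integrity issue to triage, not a detection of any particular malware family.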
54. The Past: one computer at a time. Days, weeks, and months to get the data. Costly and time consuming. The gathered intelligence was valuable, but useless by the time it arrived.
55. The Past: EnCase Field Intelligence Module (FIM), one computer over the network (2004).
57. A Cyber Forensics Approach. EnCase Cybersecurity provides: network-enabled incident response (cyberforensic triage and analysis, attack attribution analysis, and remediation); system deviation assessments (expose system integrity issues caused by anomalous or unknown threats); data policy enforcement (identify and wipe PII/IP/classified data from unauthorized endpoints).
62. Questions/Thoughts. Today, how do you… identify unknown or covert threats? Limit the risk exposure presented by sensitive information? Respond to a suspected threat? Limit the scope of a data breach? Ensure endpoints remain in a trusted state? Address and scale technology and processes to include file servers, email servers, and semi-structured data repositories?