Cybersecurity - Sam Maccherola
Talk given at the event "Cybersecurity: a nova era em resposta a incidentes e auditoria de dados" (Cybersecurity: a new era in incident response and data auditing)

Sam Maccherola, VP and General Manager, Public Sector, Guidance Software Inc.

Brasília, 4 August 2010

  • 1. A New Era in Incident Response and Data Auditing
    The Case for Cyberforensics
  • 2. Speaker
    Sam Maccherola
    Vice President and General Manager, Public Sector, Guidance Software Inc. Contact: (703) 657-7230
  • 3. Bio
    20+ years of government management and program development experience within the information technology and systems integration industry.
    At Guidance Software, manages strategic direction, as well as operational, sales, and business development for a growing global Government practice.
    Prior to Guidance Software:
    Vice President of Federal at ProSight Inc., responsible for overall strategic direction, as well as operations, sales and marketing components for the federal business unit.
    President of Tenix America and VP of Public Sector Sales for Tripwire, Inc.
    Senior positions with Tumbleweed, Entrust Technologies, Inc., PLATINUM Technologies, and Legent Corp.
    Recognized as one of the 100 people in Government and Industry that made a positive difference in Government IT by a panel of Government and Industry leaders.
    Active participant in many associations that promote public-private sector information sharing and partnerships: AFCEA, ACT/IAC and ITAA
  • 4. Guidance Software, Inc. The World Leader in Digital Investigations
    Enterprise Ready, Market Proven Solutions
    Over 150 customers of EnCase® eDiscovery
    Over 650 customers of EnCase® Enterprise including:
    More than 100 of the Fortune 500 and over half of the Fortune 50
    Deployed on over 10 million desktops, laptops and servers
    The Leading Court-Validated Technology
    Used in thousands of cases worldwide
    Authenticated in over 50 published court cases and EnCase technology validated under Daubert/Frye
    Courts have taken “judicial notice” of the validity of EnCase software
    Top-ranked Software by Industry Analysts
    Gartner’s highest rating for eDiscovery Software
    Socha-Gelbmann’s Top 5 (highest category) for eDiscovery software
    Forrester calls it “The de-facto industry standard for remote desktop collection”
    Committed to Support your On-going Success
    World-Class Training and Certification Program
    Top-Ranked Professional Services Organization
  • 5. Government Agencies of All Sizes Rely on EnCase® Solutions
  • 6. Evolving Threats
    Perimeter defense is never enough
    With new technologies come new exploits
    Threats can also be internal and/or inadvertent
    A determined hacker will find a way (high end)
    Hacking has become “Productized” (low end)
  • 7. Key Trends
    Per a recent Cisco Annual Security Report:
    The overall number of disclosed vulnerabilities grew by 11.5%.
    Vulnerabilities in virtualization technology nearly tripled, from 35 to 103 year-over-year.
    Attacks are becoming increasingly blended, cross-vector and targeted.
    Cisco's researchers saw 90% growth in threats originating from legitimate domains.
    This year, numerous legitimate websites were infected with IFrames: malicious code injected by botnets that redirects visitors to malware-downloading sites.
  • 2008 Intelligence Community Statistics
    55% increase in remote access cyber intrusions
    52% increase in insider cyber intrusions
    22% increase in credit card fraud
  • Verizon Data Breach Report
    Analysis of over 500 e-forensics audits (categories overlap, so the figures do not sum to 100%):
    73% resulted from external sources
    18% by insiders
    39% implicated business partners
  • Blackhats: Threat Actors
    Nation states
    108 countries with dedicated cyber-attack organizations
    Dragon Bytes: Chinese Information War Theory & Practice
    Terrorists
    Growing sophistication
    Hamas and Al Qaeda
    Ibrahim Samudra and Irhabi 007
    Organized crime
    Cybercrime is big business (e.g., the Russian Business Network, RBN)
    FBI: #1 criminal priority is cybercrime
  • Trends in Attacks Against .GOV
    SQL Injection and Cross-site Scripting
    Island Hopping (Unisys/DHS)
    Remote User Compromise: VPN attacks, client-side attacks
    PKI Compromise: private key theft
    Zero-Day Attacks
    Automated Attack Tools
    Digital Insider Attacks
  • Data is the Lifeblood of Government
    Vulnerabilities & Assessments
    PII & Medical Records
    Government Data
    Sensitive Projects & Schematics
    Epicenter of Risk
    Budgetary/ Procurement
    Defense Contracts
  • 32. Let the Blood Loss Begin…
    25 July 2010
    U.S. National Security Advisor on Wikileaks Report on Afghanistan
    Says disclosure of classified information threatens U.S. national security
  • 33. On a Normal Day, an Agency Gets Hit by Upwards of 2.4M Attacks
    How effective is your security? 99.9%?
    Block rate    Attacks through each day (residual share of 1.2M to 2.4M daily attacks)
    99%           12,000 to 24,000
    99.9%         1,200 to 2,400
    99.99%        120 to 240
    Multiple technologies must be layered to get near 99.9% effective
    It is impossible to achieve impenetrability
    Even if you pulled the plug, they can take the hard drive…
  • 34. Traditional Security is for Traditional Threats
    “Traditional security solutions are obsolete…the signature approach and other traditional methods of security are not keeping pace with the number of threats being created by online criminals.”
    “The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.”
    “It often takes 24 to 72 hours from the time a threat is identified, analyzed, and its signature is developed to the time it is finally delivered to the endpoint. While consumers and enterprises are playing the waiting game, their endpoints are exposed and vulnerable.”
    “The degree of difficulty for identifying malware targeting data is outpacing the innovation of traditional security vendors.”
  • 35. The CISO Knows This Better Than Anyone
    “…there needs to be a continuing and stronger emphasis on protection and management of data, distinct from focusing too heavily on threats and attacks.”
    — Recommendations from the 2010 State of Cybersecurity from the Federal CISO’s Perspective — An (ISC)2 Report
    “Perimeter defenses are no longer effective, if they ever were. It’s harder to fight a war from the inside than maintaining the perimeter. It requires additional resources.”
    — John Wang, Security Architect
  • 36. Over $40B Spent on FISMA since 2002 … not enough
    More checklists and standards
    Consensus Audit Guideline; CVE/OVAL; DISA GOLD/STIG; NSA/NIST NIAP (CCEVS EAL); DIACAP; FIPS; FISMA; ISO 17799; IEC 27002; GLBA; SOX; HIPAA; FDCC; SCAP; NERC’s CIP 009-2; and so on…
    Compliance is not an insurance policy against the unknown threat.
    Heartland Payment Systems
    Breach cost at $12.5M+
  • 37. History Repeats Itself
    Hannibal using the Roman Roads to cross the Alps
    40% Increase in Major Intrusions (US-CERT)
  • 38. The Challenge (slides 38 to 42: The Starting Line, 1st Hour, 2nd Hour, 3rd Hour, Owned; each a timeline graphic with a "You Are Here" marker)
  • 43. Hosting Companies = Watering Holes
  • 44. Current Challenges in Cyber Defense
    Regardless of what you do…
    Attacks will continue 24/7/365
    Enemy at the Gates will continue to recon/infiltrate/exfiltrate
    Anonymity will challenge attribution
    Malware will be custom designed and used against you
    They live in a 0-day environment
    Polymorphic Code is on the rise
    You need to be right 100% of the time
    How do you learn to defend if you never learn what happened or who you’re dealing with?
  • 45. Cyber Forensics is the Spear Tip of any Cybersecurity Initiative
    Identify covert/undiscovered threats: dynamically adaptive patented technology gives InfoSec the advantage against new threats:
    Polymorphic Malware
    Packed files
    Other advanced hacking techniques
    Attribute new attacks to older attacks, invaluable in attributing malware to an attacker
    Complete visibility into endpoint risk with the ability to target static and live data to locate sensitive information
    Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry
    Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud or HR matters
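    The PII audit named in the list above (credit card numbers, account numbers) comes down to three steps: find candidate digit runs in raw file content, confirm each with its check digit, then report or wipe the confirmed hits. The Python below is an added illustration of that workflow; it is not EnCase code or anything published by Guidance Software. The file paths and contents are constructed sample data, the Luhn check and BIN/last-four masking are standard payment-card techniques assumed here as the validation step, and the regex is one reasonable candidate pattern, not the tool's.

```python
"""
Endpoint PII audit: find probable payment card numbers (PANs) in raw file
content, confirm them with the Luhn check digit, and redact confirmed hits.
Added illustration; not Guidance Software / EnCase code.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits (a 20-digit session id is skipped).
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): True if the trailing check digit is consistent."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the BIN and last four so a report can be reviewed without exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(data: bytes) -> list:
    """Return (offset, masked_pan) for every Luhn-valid candidate in data."""
    hits = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def redact_pans(data: bytes) -> bytes:
    """Overwrite each confirmed PAN (digits -> 'X', separators kept); candidates that fail Luhn are left alone."""
    def _sub(m):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if not luhn_valid(digits):
            return m.group()
        return re.sub(rb"\d", b"X", m.group())
    return PAN_CANDIDATE.sub(_sub, data)


def audit_files(files: dict) -> dict:
    """files: {path: bytes}. Returns {path: [(offset, masked_pan), ...]} for files that contain hits."""
    report = {}
    for path, data in files.items():
        hits = find_pans(data)
        if hits:
            report[path] = hits
    return report


# Constructed sample endpoint content (not real data). 4111... and 5500... are
# well-known Luhn-valid test numbers; the digit runs in the log are candidates
# that fail Luhn or are too long, so they must not be reported.
SAMPLE_FILES = {
    r"C:\Users\jdoe\Desktop\orders.csv":
        b"id,card,amount\n1,4111 1111 1111 1111,19.99\n2,5500-0000-0000-0004,5.00\n",
    r"C:\Windows\Temp\app.log":
        b"2010-08-04 12:34:56 req 1234567890123456 served\n"
        b"2010-08-04 12:34:57 session=12345678901234567890 ok\n",
    r"C:\Users\jdoe\notes.txt":
        b"call ext 7230 about the Brasilia talk\n",
}

if __name__ == "__main__":
    for path, hits in audit_files(SAMPLE_FILES).items():
        for offset, masked in hits:
            print(f"{path} @ {offset}: {masked}")
```

    The Luhn step is what keeps a regex sweep from flooding a report with timestamps, request ids and phone numbers; about one random digit run in ten still passes it, so a production audit would also check the BIN prefix and surrounding context before wiping anything.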
  • 46. 2010 Cybersecurity Survey (Continued)
    Endpoint was used in all of the top 3 insider theft mechanisms:
    44% laptops
    42% copied information to a mobile device
    38% downloaded information to a home computer
  • 50. 2010 Cybersecurity Survey (Continued)
    Incident response and internal forensics can make a difference
    28% of events resulted in legal or law enforcement action
    35% could not pursue legal action due to lack of evidence
    29% could not identify the individuals responsible
  • 51. The Endpoint Needs Comprehensive Visibility
    Multiple OS and file systems
    See through data-at-rest solutions
    Packed and compressed data
    Data universe is ever expanding
    Targeted search & remediation; DLP
    Encryption, etc.
    Infinite digital reach
    Speed of cyber, not UPS/FedEx
    Adaptive malware identification & recovery
  • 52. The Missing Layer in Defense in Depth …
    Incident Response at the Forensic Level with Endpoint Visibility
    EnCase Cybersecurity provides…
    Enterprise-wide incident response
    Cyberforensic triage and in-depth analysis, attack attribution analysis, and remediation
    System deviation assessments
    Expose system integrity issues caused by unknown threats
    Data policy enforcement
    Identify and wipe PII/Classified data from unauthorized endpoints
  • 53. Information Security Challenges
    Proactively identifying and addressing covert/unknown threats
    Determining the capabilities and purpose of unknown files or running processes
    Identifying and recovering from known malware and/or polymorphic malware
    Signature-based detection tools are insufficient when faced with code that morphs to evade detection
    Quickly triaging and containing an identified threat
    Locating and rapidly responding to data leakage (PII, IP, etc.)
    Compliance with data protection and breach notification laws
    Determining the “State of the Network” by comparing known profiles to data on systems
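    "Determining the State of the Network by comparing known profiles to data on systems" above, and the packed-file identification listed on the Cyber Forensics slide, can be shown together: hash the endpoint's files against a gold-image profile, then rank the deviations with a byte-entropy heuristic, since packed or encrypted executables have near-random byte distributions that a signature cannot anticipate. The Python below is an added example, not EnCase's system deviation assessment. The gold-image file set, the endpoint contents, the 7.0 bits/byte threshold and the use of pseudo-random bytes to stand in for a packed payload are all assumptions for illustration.

```python
"""
System deviation assessment: compare an endpoint's file inventory to a
known-good profile and rank added/modified files with a packing heuristic.
Added illustration; not Guidance Software / EnCase code.
"""
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_profile(files: dict) -> dict:
    """{path: bytes} -> {path: sha256 hex}. Taken from a gold image, this is the 'known profile'."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def assess_deviation(baseline: dict, current_files: dict, packed_threshold: float = 7.0) -> dict:
    """
    Compare an endpoint's current files with the baseline profile.
    Returns added/removed/modified path lists plus, for every added or
    modified file, its entropy and whether it exceeds packed_threshold
    (assumed cutoff: most plain code/text sits well below 7 bits/byte).
    """
    current = build_profile(current_files)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    suspects = []
    for path in added + modified:
        ent = shannon_entropy(current_files[path])
        suspects.append({"path": path, "entropy": round(ent, 2),
                         "likely_packed": ent >= packed_threshold})
    suspects.sort(key=lambda s: s["entropy"], reverse=True)   # highest entropy first
    return {"added": added, "removed": removed, "modified": modified, "suspects": suspects}


# Constructed gold-image contents (not real system files).
BASELINE_FILES = {
    r"C:\Windows\System32\svchost.exe":
        b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode." * 8,
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
    r"C:\Windows\System32\LogFiles\old.log": b"2010-07-01 service started\n",
}
BASELINE = build_profile(BASELINE_FILES)

# Deterministic pseudo-random bytes stand in for a packed/encrypted payload.
_rng = random.Random(7)
PACKED_PAYLOAD = b"MZ" + bytes(_rng.randrange(256) for _ in range(4096))

# Constructed endpoint snapshot: hosts edited, log removed, two new files.
ENDPOINT_FILES = {
    r"C:\Windows\System32\svchost.exe": BASELINE_FILES[r"C:\Windows\System32\svchost.exe"],
    r"C:\Windows\System32\drivers\etc\hosts":
        b"127.0.0.1 localhost\n203.0.113.9 update.example.net\n",
    r"C:\Windows\Temp\update.exe": PACKED_PAYLOAD,
    r"C:\Users\jdoe\readme.txt": b"The quick brown fox jumps over the lazy dog.\n" * 20,
}

if __name__ == "__main__":
    result = assess_deviation(BASELINE, ENDPOINT_FILES)
    for key in ("added", "removed", "modified"):
        print(key, result[key])
    for s in result["suspects"]:
        print(f"{s['path']}: {s['entropy']} bits/byte, likely_packed={s['likely_packed']}")
```

    Entropy is a triage signal, not a verdict: legitimately compressed content (installers, archives, media) scores just as high, so the ranking tells an analyst where to look first, and the hash comparison is what establishes that the file is not part of the known profile.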
  • 54. The Past
    One computer at a time
    Days, weeks, and months to get the data
    Costly & time consuming
    The gathered intelligence was valuable, but useless
  • 55. The Past
    EnCase Field Intelligence Module (FIM)
    One computer over the network (2004)
  • 56. The Past
    Searching only one target at a time
  • 57. EnCase Cybersecurity provides…
    Network-enabled incident response
    Cyberforensic triage and analysis, attack attribution analysis, and remediation
    System deviation assessments
    Expose system integrity issues caused by anomalous or unknown threats
    Data policy enforcement
    Identify and wipe PII/IP/Classified data from unauthorized endpoints
    A Cyber Forensics Approach
  • 58. The Present
    Enterprise Forensics
  • 59. The Present
    Automation of searching multiple targets in parallel
    Pre-defined criteria
  • 60. The Present
    Automation of searching for compromises and malware
  • 61. Benefits & Features of Cyber Forensics
  • 62. Questions/Thoughts
    Today, how do you…
    Identify unknown or covert threats?
    Limit the risk exposure presented by sensitive information?
    Respond to a suspected threat?
    Limit the scope of a data breach?
    Ensure endpoints remain in a trusted state?
    Address and scale technology and processes to include file servers, email servers, semi-structured data repositories?
  • 63. Thank you