En case cybersecurity automating incident response-bhagtani-5-22-2012 [compatibility mode]
Automated security incident response with EnCase Cybersecurity + SIEM

  1. EnCase Cybersecurity: Automating Incident Response (May 22, 2012)
     Ambreesh Bhagtani, Manager UI Development, Guidance Software, Inc.
     Topics:
       1. What is incident response – use cases?
       2. Comparing manual vs. automated incident response
       3. Understanding Web APIs
       4. Overview of ArcSight
       5. Data visibility
       6. Q & A
  2. What is incident response?
     The ability to respond to events and alerts in a timely fashion.
     Incidents:
       • Malicious attack
       • Unauthorized port activity
       • Unauthorized URL access
       • Unauthorized USB account access
     Incident Response: Manual (diagram)
  3. Drawbacks of Manual Response
       • The entire process can take from weeks to months
       • A single machine is analyzed at a time
       • Critical data may be lost
       • The full extent of the breach is unknown
       • High costs
     Incident Response: Automated (diagram)
  4. Benefits of Automating Incident Response
       • Analyze multiple alerts at the same time
       • Reduce costs
       • Multiple machines analyzed
       • Faster response
       • Critical data preserved
       • Full extent of the breach identified
     Incident Response Flow / Architecture (diagram):
     SIEM / IDS / IPS / DLP etc. -> Integration Code -> EnCase Cybersecurity
  5. Web APIs
     Computers need a language to communicate! Application Programming Interfaces (APIs).
     SOAP Request – Get Guidance Stock Price (the m: namespace URI is a placeholder for the service's own):

       Host: www.stockprice.com
       Content-Type: application/soap+xml; charset=utf-8

       <?xml version="1.0"?>
       <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                      xmlns:m="http://www.example.org/stock">
         <soap:Body>
           <m:GetStockPrice>
             <m:StockName>GUID</m:StockName>
           </m:GetStockPrice>
         </soap:Body>
       </soap:Envelope>
  6. SOAP Response – Stock Price Response

       HTTP/1.1 200 OK
       Content-Type: application/soap+xml; charset=utf-8
       Content-Length: nnn

       <?xml version="1.0"?>
       <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                      xmlns:m="http://www.example.org/stock">
         <soap:Body>
           <m:GetStockPriceResponse>
             <m:Price>800.00</m:Price>
           </m:GetStockPriceResponse>
         </soap:Body>
       </soap:Envelope>
     WSDL – What is it? Web Service Definition Language: the contract that describes the operations a service offers and the messages they exchange, for example a GetStockPrice call:

       <m:GetStockPrice>
         <m:StockName>IBM</m:StockName>
       </m:GetStockPrice>
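The request and response from slides 5 and 6 as working code, an added example that is not from the presentation: it builds the GetStockPrice envelope with an XML library (so the stock name is escaped rather than pasted into a string) and reads the price out of the response, rejecting a SOAP Fault. The service namespace URI is assumed.

```python
# Added example (not from the slides): build the GetStockPrice SOAP 1.2 request
# and read the price out of the matching response.  SOAP_NS is the standard
# SOAP 1.2 envelope namespace; STOCK_NS is an assumed placeholder, a real
# service would publish its namespace in its WSDL.
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
STOCK_NS = "http://www.example.org/stock"


def build_stock_request(stock_name: str) -> bytes:
    """Serialise a SOAP 1.2 envelope carrying a GetStockPrice call."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("m", STOCK_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{STOCK_NS}}}GetStockPrice")
    # Building a tree instead of formatting a string means the caller's value
    # is escaped, so a name such as 'A&B' cannot break out of the element.
    ET.SubElement(call, f"{{{STOCK_NS}}}StockName").text = stock_name
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_stock_response(payload: bytes) -> Optional[float]:
    """Return the price from a GetStockPriceResponse, or None if absent."""
    # ElementTree does not fetch external entities, but responses from an
    # untrusted network still deserve a hardened parser such as defusedxml.
    root = ET.fromstring(payload)
    if root.find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault") is not None:
        raise RuntimeError("service returned a SOAP Fault")
    price = root.find(
        f"{{{SOAP_NS}}}Body/{{{STOCK_NS}}}GetStockPriceResponse/{{{STOCK_NS}}}Price"
    )
    if price is None or price.text is None:
        return None
    return float(price.text)


# Constructed sample matching the response on slide 6 (not captured traffic).
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <soap:Body>
    <m:GetStockPriceResponse><m:Price>800.00</m:Price></m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>"""
```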
  7. WSDL – Operation

       <operation name="GetLastTradePrice">
         <soap:operation/>
         <input>
           <soap:body use="literal"/>
         </input>
         <output>
           <soap:body use="literal"/>
         </output>
       </operation>
     Exercise 1 – Call a Web API
       Objective – Get all cases
       Assumption – A pre-created case exists
  8. Exercise 2 – Use SIEM to call Integration Code (screenshots)
  9. ArcSight Integration UI; Event Configuration (screenshots)
  10. How it Works: Retrieving Results
      Request parameters passed to the integration code:
        1. /case "case 1"
        2. /source "safe – source"
        3. /ip "192.168.85.151"
        4. /event $event[eventId]  (ArcSight variable that captures the eventId associated with the alert)
        5. /module snapshot
        6. /log true
        7. /demo
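An added example, not from the presentation or from the ArcSight/EnCase integration code, of how integration glue can parse the request switches on slide 10 and validate what the SIEM supplied before a scan is launched. The switch names are the slide's; the checks (numeric eventId, a known-module list) are assumptions.

```python
# Added example (not from the slides or the ArcSight/EnCase integration code):
# parse the request switches shown on slide 10 and validate what the SIEM
# supplied before anything launches a scan.  The switch names are the
# slide's; the rules below (numeric eventId, known modules) are assumptions.
import ipaddress
import shlex
from typing import Any, Dict

KNOWN_MODULES = {"snapshot"}   # the only module the slides name
FLAG_SWITCHES = {"demo"}       # switches that take no value
REQUIRED = ("case", "source", "ip", "event", "module")


def parse_request(cmdline: str) -> Dict[str, Any]:
    """Turn '/case "case 1" /source ... /demo' into a validated dict."""
    tokens = shlex.split(cmdline)   # keeps the quoted values on the slide intact
    params: Dict[str, Any] = {"log": False, "demo": False}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            raise ValueError(f"unexpected token {tok!r}")
        name = tok[1:].lower()
        if name in FLAG_SWITCHES:
            params[name] = True
            i += 1
            continue
        if i + 1 >= len(tokens) or tokens[i + 1].startswith("/"):
            raise ValueError(f"/{name} needs a value")
        params[name] = tokens[i + 1]
        i += 2
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing switches: {missing}")
    # Check SIEM-supplied values rather than passing them through verbatim.
    params["ip"] = str(ipaddress.ip_address(params["ip"]))  # raises on garbage
    if params["event"].startswith("$") or not params["event"].isdigit():
        # a literal '$event[eventId]' means the SIEM never substituted the id
        raise ValueError(f"eventId not substituted or not numeric: {params['event']!r}")
    params["event"] = int(params["event"])
    if params["module"] not in KNOWN_MODULES:
        raise ValueError(f"unknown module {params['module']!r}")
    if isinstance(params["log"], str):
        params["log"] = params["log"].lower() == "true"
    return params


# Constructed sample in the form slide 10 shows, after ArcSight has
# substituted $event[eventId] (4711 is a made-up id).
SAMPLE_REQUEST = ('/case "case 1" /source "safe - source" /ip "192.168.85.151" '
                  '/event 4711 /module snapshot /log true /demo')
```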
  11. Configure Response; Status of the Scan (screenshots)
  12. Set up the Response; jobs are created and the examiner picks up the job (screenshots)
  13. Forensic Analysis; Forensics Report (screenshots)
  14. Type of Scan
        • SPA
        • Profiling
        • Entropy
        • Find identical files
        • Personal Information Identification
        • Find SSNs, credit card numbers…
        • Internet Artifacts
        • Find URLs