En case cybersecurity automating incident response-bhagtani-5-22-2012 [compatibility mode]
Automated security incident response with EnCase Cybersecurity + SIEM


Document Transcript

Slide 1: EnCase Cybersecurity: Automating Incident Response
May 22, 2012
Ambreesh Bhagtani, Manager UI Development, Guidance Software, Inc.

Slide 2: Automating Incident Response: Topics
  1. What is incident response? Use cases
  2. Comparing manual vs. automated incident response
  3. Understanding Web APIs
  4. Overview of ArcSight
  5. Data visibility
  6. Q & A

Slide 3: What is Incident Response?
Ability to respond to events and alerts in a timely fashion.
Incidents:
  • Malicious attack
  • Unauthorized port activity
  • Unauthorized URL access
  • Unauthorized USB account access

Slide 4: Incident Response: Manual
(diagram)

Slide 5: Drawbacks of Manual Response
  • The entire process can take from weeks to months
  • A single machine is analyzed at a time
  • Critical data may be lost
  • The full extent of the breach is unknown
  • High costs

Slide 6: Incident Response: Automated
(diagram)

Slide 7: Benefits of Automating Incident Response
  • Analyze multiple alerts at the same time
  • Reduce costs
  • Multiple machines analyzed
  • Faster response
  • Critical data preserved
  • Full extent of the breach identified

Slide 8: Incident Response Flow / Architecture
Components (diagram): SIEM / IDS / IPS / DLP etc., Integration Code, EnCase Cybersecurity
Slide 9: Web APIs
Computers need a language to communicate! Application Programming Interfaces (APIs).

Slide 10: SOAP Request: Get Guidance Stock Price
Host: www.stockprice.com
Content-Type: application/soap+xml; charset=utf-8

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.stockprice.com/stock">
  <soap:Body>
    <m:GetStockPrice>
      <m:StockName>GUID</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>

Slide 11: SOAP Response: Stock Price Response
HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: nnn

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.stockprice.com/stock">
  <soap:Body>
    <m:GetStockPriceResponse>
      <m:Price>800.00</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>

Slide 12: WSDL: What is it?
Web Services Description Language: describes the operations a service offers and the messages they take, for example

<m:GetStockPrice>
  <m:StockName>IBM</m:StockName>
</m:GetStockPrice>

Slide 13: WSDL: Operation
<operation name="GetLastTradePrice">
  <soap:operation/>
  <input>
    <soap:body use="literal"/>
  </input>
  <output>
    <soap:body use="literal"/>
  </output>
</operation>

Slide 14: Exercise 1: Call a Web API
Objective: Get all cases
Assumption: Pre-created case
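The SOAP exchange on slides 10 and 11, worked through in code as an added example (not code from the slides or from Guidance Software): it builds the GetStockPrice request envelope with the Python standard library, produces the HTTP headers the slide lists, and parses the response strictly enough that a SOAP fault or an unexpected document is reported instead of being turned into a price. The namespace URI for the m: prefix (http://www.stockprice.com/stock) and the sample messages are assumptions; only the envelope shape follows the slides.

```python
# Added example, not code from the slides or from Guidance Software: build the
# SOAP 1.2 GetStockPrice request the deck shows and parse the matching response,
# using only the Python standard library.  The stock-service namespace URI and
# the sample messages are assumptions; the envelope shape follows the slides.
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"   # SOAP 1.2 namespace (goes with application/soap+xml)
STOCK_NS = "http://www.stockprice.com/stock"          # assumed namespace for the m: prefix

# Make the serializer emit the prefixes used on the slide instead of ns0/ns1.
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("m", STOCK_NS)


def build_request(stock_name: str) -> bytes:
    """Return the request body: Envelope > Body > m:GetStockPrice > m:StockName."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{STOCK_NS}}}GetStockPrice")
    ET.SubElement(op, f"{{{STOCK_NS}}}StockName").text = stock_name
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def request_headers(payload: bytes, host: str = "www.stockprice.com") -> dict:
    """The HTTP headers from slide 10 plus the Content-Length an HTTP client needs."""
    return {
        "Host": host,
        "Content-Type": "application/soap+xml; charset=utf-8",
        "Content-Length": str(len(payload)),
    }


def parse_price(response_xml: bytes) -> float:
    """Extract m:Price from a GetStockPriceResponse; anything else raises ValueError.

    An integration script that acts on the answer must not mistake a SOAP fault
    or an unrelated document for a result, so the envelope, body and operation
    name are each checked before the value is converted.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.2 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("envelope has no Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        reason = fault.findtext(f"{{{SOAP_NS}}}Reason/{{{SOAP_NS}}}Text", default="unspecified")
        raise ValueError(f"SOAP fault: {reason}")
    price = body.findtext(f"{{{STOCK_NS}}}GetStockPriceResponse/{{{STOCK_NS}}}Price")
    if price is None:
        raise ValueError("GetStockPriceResponse/Price missing")
    return float(price)


def price_or_none(response_xml: bytes) -> Optional[float]:
    """Convenience wrapper: the price, or None when the response is not usable."""
    try:
        return parse_price(response_xml)
    except (ValueError, ET.ParseError):
        return None


# Constructed response mirroring slide 11 (price 800.00); not a captured message.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:m="{STOCK_NS}">
  <soap:Body>
    <m:GetStockPriceResponse>
      <m:Price>800.00</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>""".encode("utf-8")

# Constructed SOAP 1.2 fault, to exercise the failure path.
SAMPLE_FAULT = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <soap:Fault>
      <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
      <soap:Reason><soap:Text xml:lang="en">unknown stock</soap:Text></soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>""".encode("utf-8")


if __name__ == "__main__":
    body = build_request("GUID")
    print(request_headers(body))
    print(body.decode())
    print(parse_price(SAMPLE_RESPONSE))   # 800.0
    print(price_or_none(SAMPLE_FAULT))    # None
```

The request is sent with an ordinary HTTP POST of `build_request(...)` and `request_headers(...)`; the parser deliberately looks elements up by full namespace rather than by prefix, since a server is free to choose different prefixes for the same namespaces.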
Slide 15: Exercise 2: Use SIEM to Call Integration Code

Slide 16: (untitled)

Slide 17: ArcSight Integration UI

Slide 18: Event Configuration

Slide 20: How it Works: Retrieving Results
Request:
  1. /case "case 1"
  2. /source "safe – source"
  3. /ip "192.168.85.151"
  4. /event $event[eventId] (variable that captures the eventId associated with the alert)
  5. /module snapshot
  6. /log true
  7. /demo
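The SIEM-to-integration-code hand-off on slide 20, as an added example (not code from the slides or from Guidance Software): a SIEM alert is turned into the argument list the slide shows (/case, /source, /ip, /event, /module, /log, /demo) and the integration code is invoked as a plain argv, with each field validated before it becomes an argument. The executable path is a placeholder, the alert field names (eventId, targetAddress) are assumptions, and the alert dict stands in for ArcSight's $event[...] substitution.

```python
# Added example, not code from the slides or from Guidance Software: turn a SIEM
# alert into the argument list for the integration code on the "How it Works"
# slide (/case, /source, /ip, /event, /module, /log, /demo) and invoke it
# without a shell.  The executable path and the alert field names are
# assumptions; the dict stands in for ArcSight's $event[...] substitution.
import ipaddress
import re
import subprocess
from typing import List, Optional

INTEGRATION_EXE = r"C:\placeholder\EnCaseIntegration.exe"   # placeholder, not a real path
EVENT_ID_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")           # the only eventId shape we accept
ALLOWED_MODULES = {"snapshot"}                               # the only module the slide names


def build_integration_args(alert: dict, case: str, source: str,
                           module: str = "snapshot", demo: bool = False) -> List[str]:
    """Validate the alert fields the command will carry, then build argv.

    Every value here originates in the SIEM event, so each one is checked
    against the form it is supposed to have before it becomes a command-line
    argument: the address must parse as an IP, the event id must match a
    narrow pattern, and the module must be one we know.
    """
    ip = ipaddress.ip_address(alert["targetAddress"])        # ValueError on anything that is not an IP
    event_id = str(alert["eventId"])
    if not EVENT_ID_RE.fullmatch(event_id):
        raise ValueError(f"unexpected eventId format: {event_id!r}")
    if module not in ALLOWED_MODULES:
        raise ValueError(f"unknown module: {module!r}")
    args = [
        INTEGRATION_EXE,
        "/case", case,
        "/source", source,
        "/ip", str(ip),          # normalized textual form of the validated address
        "/event", event_id,
        "/module", module,
        "/log", "true",
    ]
    if demo:
        args.append("/demo")
    return args


def is_actionable(alert: dict) -> bool:
    """True when the alert passes validation and can be dispatched."""
    try:
        build_integration_args(alert, case="case 1", source="safe - source")
        return True
    except (KeyError, ValueError):
        return False


def dispatch(alert: dict, case: str, source: str, dry_run: bool = True) -> Optional[List[str]]:
    """Run the integration code as a plain argv; the fields never pass through a shell."""
    args = build_integration_args(alert, case, source)
    if dry_run:
        return args
    subprocess.run(args, check=True)     # shell=False by default: no word splitting or metacharacters
    return None


# Constructed alerts; not captured ArcSight events.
GOOD_ALERT = {"eventId": "4711", "targetAddress": "192.168.85.151", "name": "Unauthorized port activity"}
BAD_ALERT = {"eventId": "4712", "targetAddress": "192.168.85.151 extra"}   # not an IP: rejected

if __name__ == "__main__":
    print(dispatch(GOOD_ALERT, "case 1", "safe - source"))   # the argv list, not executed
    print(is_actionable(BAD_ALERT))                           # False
```

With `dry_run=True` the function only returns the argument list, which is also the easiest thing to log next to the eventId so that each automated scan can be traced back to the alert that triggered it.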
Slide 21: Configure Response

Slide 22: Status of the Scan

Slide 23: Set Up the Response

Slide 24: Jobs are created; the examiner picks up the job.

Slide 25: Forensic Analysis: Forensics Report

Slide 26: Type of Scan
  • SPA
  • Profiling
  • Entropy
    • Find identical files
  • Personal Information Identification
    • Find SSNs, credit card number…
  • Internet Artifacts
    • Find URLs