ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

•Download as PPTX, PDF•

3 likes•1,554 views

C

ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Or Cohen – We Ankor 2014
or@we-can.co.il

Saturday, May 17, 2014 slide 2
• Many daily alerts, even after advanced aggregation and correlation.
• Investigating a server/workstation is not always possible due to lack
of physical access, tools, time or knowledge.
• Just starting an investigation may take hours or even days – long
after the initial alert was triggered.
• Relevant evidence are hard to collect and analyze.

• Start an investigation for every single alert within seconds.
• Get to every host in the network regardless of physical location.
• Collect and analyze relevant evidence.
• Get actionable and refined data from the investigated host ASAP.
Saturday, May 17, 2014 slide 3

• Automatically deploy (and remove) ECAT agents across the network.
• Automatically scan hosts with multiple scan configurations.
• Automatically collect scan results from ECAT with full analysis data.
• Automatically react to the presence of a suspicious module.
Saturday, May 17, 2014 slide 4

Saturday, May 17, 2014 slide 5
Now what?

Saturday, May 17, 2014 slide 6
Install ECAT Agent OnWS87771

Saturday, May 17, 2014 slide 6

Saturday, May 17, 2014 slide 6

Saturday, May 17, 2014 slide 6
Module Name: 6re1fyeg1109.exe
Module Path: C:$Recycle.BinS-1-5-21-1844237615-1604221776-
725345543-151746re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Host Name: WS8771
Host IP: 10.2.34.123
Bytes In: 3211
Bytes Out: 7651819
Target IP: 27.1.34.79
Target Host: superEvil.info
Target Port: 21
OPSWAT Verdict: Clean
YARA Verdict: Infected - super_evil_malware_group
Certificate Status: Not Singed
HASH Lookup: Unknown
S.L: 49
Comment:Found Infected on 19/05/2014 by:
super_evil_malware_group

Saturday, May 17, 2014 slide 6
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860

Saturday, May 17, 2014 slide 6
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
WS8291
WS8101
WS2151
iexplore.exe
svchost.exe
tempp.exe

Saturday, May 17, 2014 slide 6
WS8291
WS8101
WS2151
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860

Saturday, May 17, 2014 slide 6
AVVendor
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860

Or Cohen – We Ankor 2014

More Related Content

Similar to ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

How frequently does a good agile team deploy to production? Not every team is capable of deploying "on every commit". What does it take for a team to even start deploying at the end of each sprint, or each week, or each day? Most companies don't realize that deploying more frequently often requires both significant technical change as well as cultural change. In this talk, I'll guide you through what it takes to deploy more frequently, both from the technical side of setting up pipelines as well as the organizational side of removing red tape. I'll draw on the unique challenges that teams must overcome at each step of the way, from deploying once a month all the way down to full continuous delivery. If your team has been struggling to go faster, come see how you can change to get there. And if you already are at full continuous delivery, come see how to go even faster than that!

So you-want-to-go-faster

So you-want-to-go-faster

So you-want-to-go-faster

HP ArcSight & Ayehu eyeShare - Security Automation

HP ArcSight & Ayehu eyeShare - Security Automation

HP ArcSight & Ayehu eyeShare - Security Automation

PuppetConf 2016: Site Launch Automation: From Days to Minutes – Kristen Crawf...

PuppetConf 2016: Site Launch Automation: From Days to Minutes – Kristen Crawf...

PuppetConf 2016: Site Launch Automation: From Days to Minutes – Kristen Crawf...

Moving to Continuous Delivery without breaking everything

Moving to Continuous Delivery without breaking everything

Moving to Continuous Delivery without breaking everything

Measuring IPv6 using ad-based measurement

Measuring IPv6 using ad-based measurement

Measuring IPv6 using ad-based measurement

Network breaches are on the rise, and the consequences are getting more dire. Needless to say, you don't want to be the next Target.You've invested in security tools like firewalls and IPS systems. But today's stealthy attacks can still get through. When you suspect an attack, you need your insurance policy—network forensics. In this seminar, you'll learn how network forensics—network recording along with powerful search and analysis tools—can enable your in-house security team to track down, verify, and characterize attacks. You'll also learn about the requirements for effective forensics on today's 10G and 40G networks. And you'll learn some best practices for configuring captures to help you and your team pinpoint and remediate anomalous behavior that could signal an attack.

Security Attack Analysis for Finding and Stopping Network Attacks

Security Attack Analysis for Finding and Stopping Network Attacks

Security Attack Analysis for Finding and Stopping Network Attacks

API Training 10 Nov 2014

API Training 10 Nov 2014

API Training 10 Nov 2014

Super chargeyourcontiniousintegrationdeployments

Super chargeyourcontiniousintegrationdeployments

Super chargeyourcontiniousintegrationdeployments

Supercharge Your Continuous Integration Deployments

Supercharge Your Continuous Integration Deployments

Supercharge Your Continuous Integration Deployments

Owasp joy of proactive security

Owasp joy of proactive security

Owasp joy of proactive security

Monitoring - When To start (or Metrics led development)

Monitoring - When To start (or Metrics led development)

Monitoring - When To start (or Metrics led development)

DjangoCon 2013 - How to Write Fast and Efficient Unit Tests in Django

DjangoCon 2013 - How to Write Fast and Efficient Unit Tests in Django

DjangoCon 2013 - How to Write Fast and Efficient Unit Tests in Django

Afcom how to move a data center

Afcom how to move a data center

Afcom how to move a data center

Rich Casselberry

Container Networking Challenges for Production Readiness

Container Networking Challenges for Production Readiness

Container Networking Challenges for Production Readiness

Production Challenges for Container Networking

Production Challenges for Container Networking

Production Challenges for Container Networking

Moving to Continuous Delivery Without Breaking Your Code

Moving to Continuous Delivery Without Breaking Your Code

Moving to Continuous Delivery Without Breaking Your Code

The Joy of Proactive Security

The Joy of Proactive Security

The Joy of Proactive Security

This paper discusses a method of employing bots instead of people to monitor servers or server rooms. A bot is a remote controlled computer or a remote controlled program. A bot is usually a malicious program which is an element of a botnet. A botnet is used for doing malicious things such as spreading spam mails or doing DDoS Attacks. We have made bots and we are using bots for doing beneficial things such as monitoring a server instead of doing malicious things. We are monitoring a web server in our campus using a bot. This bot is tweeting whether the server is running or not periodically on the twitter. We are also monitoring a server room in our campus using another bot. This bot shows managers transition of the room temperature and others.

Monitoring Servers, With a Little Help from my Bots

Monitoring Servers, With a Little Help from my Bots

Monitoring Servers, With a Little Help from my Bots

Takashi Yamanoue

Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program

Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program

Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program

Continuously Integrating Puppet

Continuously Integrating Puppet

Continuously Integrating Puppet

Similar to ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen (20)

So you-want-to-go-faster

So you-want-to-go-faster

So you-want-to-go-faster

HP ArcSight & Ayehu eyeShare - Security Automation

HP ArcSight & Ayehu eyeShare - Security Automation

HP ArcSight & Ayehu eyeShare - Security Automation

PuppetConf 2016: Site Launch Automation: From Days to Minutes – Kristen Crawf...

PuppetConf 2016: Site Launch Automation: From Days to Minutes – Kristen Crawf...

PuppetConf 2016: Site Launch Automation: From Days to Minutes – Kristen Crawf...

Moving to Continuous Delivery without breaking everything

Moving to Continuous Delivery without breaking everything

Moving to Continuous Delivery without breaking everything

Measuring IPv6 using ad-based measurement

Measuring IPv6 using ad-based measurement

Measuring IPv6 using ad-based measurement

Security Attack Analysis for Finding and Stopping Network Attacks

Security Attack Analysis for Finding and Stopping Network Attacks

Security Attack Analysis for Finding and Stopping Network Attacks

API Training 10 Nov 2014

API Training 10 Nov 2014

API Training 10 Nov 2014

Super chargeyourcontiniousintegrationdeployments

Super chargeyourcontiniousintegrationdeployments

Super chargeyourcontiniousintegrationdeployments

Supercharge Your Continuous Integration Deployments

Supercharge Your Continuous Integration Deployments

Supercharge Your Continuous Integration Deployments

Owasp joy of proactive security

Owasp joy of proactive security

Owasp joy of proactive security

Monitoring - When To start (or Metrics led development)

Monitoring - When To start (or Metrics led development)

Monitoring - When To start (or Metrics led development)

DjangoCon 2013 - How to Write Fast and Efficient Unit Tests in Django

DjangoCon 2013 - How to Write Fast and Efficient Unit Tests in Django

DjangoCon 2013 - How to Write Fast and Efficient Unit Tests in Django

Afcom how to move a data center

Afcom how to move a data center

Afcom how to move a data center

Container Networking Challenges for Production Readiness

Container Networking Challenges for Production Readiness

Container Networking Challenges for Production Readiness

Production Challenges for Container Networking

Production Challenges for Container Networking

Production Challenges for Container Networking

Moving to Continuous Delivery Without Breaking Your Code

Moving to Continuous Delivery Without Breaking Your Code

Moving to Continuous Delivery Without Breaking Your Code

The Joy of Proactive Security

The Joy of Proactive Security

The Joy of Proactive Security

Monitoring Servers, With a Little Help from my Bots

Monitoring Servers, With a Little Help from my Bots

Monitoring Servers, With a Little Help from my Bots

Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program

Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program

Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program

Continuously Integrating Puppet

Continuously Integrating Puppet

Continuously Integrating Puppet

Recently uploaded

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

AXA XL - Insurer Innovation Award Americas 2024

AXA XL - Insurer Innovation Award Americas 2024

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

A Beginners Guide to Building a RAG App Using Open Source Milvus

A Beginners Guide to Building a RAG App Using Open Source Milvus

A Beginners Guide to Building a RAG App Using Open Source Milvus

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Automating Google Workspace (GWS) & more with Apps Script

Automating Google Workspace (GWS) & more with Apps Script

Automating Google Workspace (GWS) & more with Apps Script

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Recently uploaded (20)

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

AXA XL - Insurer Innovation Award Americas 2024

AXA XL - Insurer Innovation Award Americas 2024

AXA XL - Insurer Innovation Award Americas 2024

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

Real Time Object Detection Using Open CV

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

A Beginners Guide to Building a RAG App Using Open Source Milvus

A Beginners Guide to Building a RAG App Using Open Source Milvus

A Beginners Guide to Building a RAG App Using Open Source Milvus

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Automating Google Workspace (GWS) & more with Apps Script

Automating Google Workspace (GWS) & more with Apps Script

Automating Google Workspace (GWS) & more with Apps Script

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

AWS Community Day CPH - Three problems of Terraform

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

Manulife - Insurer Transformation Award 2024

ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

1. Or Cohen – We Ankor 2014 or@we-can.co.il

2. Saturday, May 17, 2014 slide 2 • Many daily alerts, even after advanced aggregation and correlation. • Investigating a server/workstation is not always possible due to lack of physical access, tools, time or knowledge. • Just starting an investigation may take hours or even days – long after the initial alert was triggered. • Relevant evidence are hard to collect and analyze.

3. • Start an investigation for every single alert within seconds. • Get to every host in the network regardless of physical location. • Collect and analyze relevant evidence. • Get actionable and refined data from the investigated host ASAP. Saturday, May 17, 2014 slide 3

4. • Automatically deploy (and remove) ECAT agents across the network. • Automatically scan hosts with multiple scan configurations. • Automatically collect scan results from ECAT with full analysis data. • Automatically react to the presence of a suspicious module. Saturday, May 17, 2014 slide 4

5. Saturday, May 17, 2014 slide 5 Now what?

6. Saturday, May 17, 2014 slide 6 Install ECAT Agent OnWS87771

7. Saturday, May 17, 2014 slide 6

8. Saturday, May 17, 2014 slide 6

9. Saturday, May 17, 2014 slide 6 Module Name: 6re1fyeg1109.exe Module Path: C:$Recycle.BinS-1-5-21-1844237615-1604221776- 725345543-151746re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860 Host Name: WS8771 Host IP: 10.2.34.123 Bytes In: 3211 Bytes Out: 7651819 Target IP: 27.1.34.79 Target Host: superEvil.info Target Port: 21 OPSWAT Verdict: Clean YARA Verdict: Infected - super_evil_malware_group Certificate Status: Not Singed HASH Lookup: Unknown S.L: 49 Comment:Found Infected on 19/05/2014 by: super_evil_malware_group

10. Saturday, May 17, 2014 slide 6 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860

11. Saturday, May 17, 2014 slide 6 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860 WS8291 WS8101 WS2151 iexplore.exe svchost.exe tempp.exe

12. Saturday, May 17, 2014 slide 6 WS8291 WS8101 WS2151 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860

13. Saturday, May 17, 2014 slide 6 AVVendor Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860

14. Or Cohen – We Ankor 2014