Uploaded bycohen88or
PPTX, PDF1,572 views

ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

The document discusses the need to quickly investigate security alerts from across a network. It proposes automatically deploying agents across systems to scan for suspicious modules in real time. This would allow starting investigations within seconds of an alert, collecting evidence from any host, and getting actionable data to respond. The system would then automatically detect and react to potentially infected modules.

Embed presentation

Downloaded 29 times
Or Cohen – We Ankor 2014 or@we-can.co.il
Saturday, May 17, 2014 slide 2 • Many daily alerts, even after advanced aggregation and correlation. • Investigating a server/workstation is not always possible due to lack of physical access, tools, time or knowledge. • Just starting an investigation may take hours or even days – long after the initial alert was triggered. • Relevant evidence are hard to collect and analyze.
• Start an investigation for every single alert within seconds. • Get to every host in the network regardless of physical location. • Collect and analyze relevant evidence. • Get actionable and refined data from the investigated host ASAP. Saturday, May 17, 2014 slide 3
• Automatically deploy (and remove) ECAT agents across the network. • Automatically scan hosts with multiple scan configurations. • Automatically collect scan results from ECAT with full analysis data. • Automatically react to the presence of a suspicious module. Saturday, May 17, 2014 slide 4
Saturday, May 17, 2014 slide 5 Now what?
Saturday, May 17, 2014 slide 6 Install ECAT Agent OnWS87771
Saturday, May 17, 2014 slide 6
Saturday, May 17, 2014 slide 6
Saturday, May 17, 2014 slide 6 Module Name: 6re1fyeg1109.exe Module Path: C:$Recycle.BinS-1-5-21-1844237615-1604221776- 725345543-151746re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860 Host Name: WS8771 Host IP: 10.2.34.123 Bytes In: 3211 Bytes Out: 7651819 Target IP: 27.1.34.79 Target Host: superEvil.info Target Port: 21 OPSWAT Verdict: Clean YARA Verdict: Infected - super_evil_malware_group Certificate Status: Not Singed HASH Lookup: Unknown S.L: 49 Comment:Found Infected on 19/05/2014 by: super_evil_malware_group
Saturday, May 17, 2014 slide 6 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860
Saturday, May 17, 2014 slide 6 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860 WS8291 WS8101 WS2151 iexplore.exe svchost.exe tempp.exe
Saturday, May 17, 2014 slide 6 WS8291 WS8101 WS2151 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860
Saturday, May 17, 2014 slide 6 AVVendor Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860
Or Cohen – We Ankor 2014

More Related Content

PPTX
Developing a New Affordable DC Motor Laboratory Kit for an Existing Undergrad...
byRebecca Reck
 
PDF
Reduce Test Automation Execution Time by 80%
byTechWell
 
PDF
Who Watches the Watchmen - Arup Chakrabarti, PagerDuty - DevOpsDays Tel Aviv ...
byDevOpsDays Tel Aviv
 
PPTX
12 Days of Coding Errors
byErika Barron
 
PDF
Serverless computing henry been - logging instrumentation dashboards alerts
byHenry Been
 
PDF
Neptune : Re-thinking Incident Response Automation
byKiran Gollu
 
PDF
Security Insights at Scale
byRaffael Marty
 
PPTX
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
byRaffael Marty
 
Developing a New Affordable DC Motor Laboratory Kit for an Existing Undergrad...
byRebecca Reck
 
Reduce Test Automation Execution Time by 80%
byTechWell
 
Who Watches the Watchmen - Arup Chakrabarti, PagerDuty - DevOpsDays Tel Aviv ...
byDevOpsDays Tel Aviv
 
12 Days of Coding Errors
byErika Barron
 
Serverless computing henry been - logging instrumentation dashboards alerts
byHenry Been
 
Neptune : Re-thinking Incident Response Automation
byKiran Gollu
 
Security Insights at Scale
byRaffael Marty
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
byRaffael Marty
 

Recently uploaded

PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PPT
Introduction to Risk Based Inspection API-580 & 581
byumerfaiz99
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Introduction to Risk Based Inspection API-580 & 581
byumerfaiz99
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 

Featured

PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
PDF
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
PDF
Everything You Need To Know About ChatGPT
byExpeed Software
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
PDF
Skeleton Culture Code
bySkeleton Technologies
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
PDF
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
PPTX
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
PDF
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
PDF
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
PDF
Getting into the tech field. what next
byTessa Mero
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
PDF
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
Everything You Need To Know About ChatGPT
byExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
Skeleton Culture Code
bySkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
Getting into the tech field. what next
byTessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 

ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

  • 1.
    Or Cohen –We Ankor 2014 or@we-can.co.il
  • 2.
    Saturday, May 17,2014 slide 2 • Many daily alerts, even after advanced aggregation and correlation. • Investigating a server/workstation is not always possible due to lack of physical access, tools, time or knowledge. • Just starting an investigation may take hours or even days – long after the initial alert was triggered. • Relevant evidence are hard to collect and analyze.
  • 3.
    • Start aninvestigation for every single alert within seconds. • Get to every host in the network regardless of physical location. • Collect and analyze relevant evidence. • Get actionable and refined data from the investigated host ASAP. Saturday, May 17, 2014 slide 3
  • 4.
    • Automatically deploy(and remove) ECAT agents across the network. • Automatically scan hosts with multiple scan configurations. • Automatically collect scan results from ECAT with full analysis data. • Automatically react to the presence of a suspicious module. Saturday, May 17, 2014 slide 4
  • 5.
    Saturday, May 17,2014 slide 5 Now what?
  • 6.
    Saturday, May 17,2014 slide 6 Install ECAT Agent OnWS87771
  • 7.
    Saturday, May 17,2014 slide 6
  • 8.
    Saturday, May 17,2014 slide 6
  • 9.
    Saturday, May 17,2014 slide 6 Module Name: 6re1fyeg1109.exe Module Path: C:$Recycle.BinS-1-5-21-1844237615-1604221776- 725345543-151746re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860 Host Name: WS8771 Host IP: 10.2.34.123 Bytes In: 3211 Bytes Out: 7651819 Target IP: 27.1.34.79 Target Host: superEvil.info Target Port: 21 OPSWAT Verdict: Clean YARA Verdict: Infected - super_evil_malware_group Certificate Status: Not Singed HASH Lookup: Unknown S.L: 49 Comment:Found Infected on 19/05/2014 by: super_evil_malware_group
  • 10.
    Saturday, May 17,2014 slide 6 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860
  • 11.
    Saturday, May 17,2014 slide 6 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860 WS8291 WS8101 WS2151 iexplore.exe svchost.exe tempp.exe
  • 12.
    Saturday, May 17,2014 slide 6 WS8291 WS8101 WS2151 Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860
  • 13.
    Saturday, May 17,2014 slide 6 AVVendor Module Name: 6re1fyeg1109.exe MD5: A87480D346E943491EE107CDB90D2860
  • 14.
    Or Cohen –We Ankor 2014