The document discusses the evolution of incident response and data auditing within cybersecurity, emphasizing the challenges posed by advanced threats, such as polymorphic malware and insider attacks. It highlights the importance of tools like Encase Cybersecurity for proactive data security, compliance auditing, and incident response, while also detailing the methods for malware detection and the significance of system deviation assessments. The need for continuous adaptation to new technologies and evolving tactics used by cybercriminals is underscored throughout the document.

1. A New Era in Incident Response and Data Auditing (cont.)The Case for Cyberforensics

2. Jim Butterworth, CPO USN (Ret.) (CFE/EnCE/GCIA/GSNA/GREM)Senior Director of Cyber Security, Guidance SoftwareCertified:Fraud Examiner (Spreadsheet Junkie)

3. Computer Forensic Examiner(Hex Junkie)

4. Intrusion Analyst (Packet Junkie)

5. Reverse Engineer (Code Junkie)

6. Systems and Network Auditor (Audit Junkie)

7. Superior Court Forensic Expert (Expert Witness Junkie)Experience:United States Navy Career: - Electronic/Information/Cyber Warfare & SIGINTSr. Cyber Advisor to US STRATCOM [Team BAH under USAMS]

8. Commercial Intrusion and Forensic Expert to US NAVY HQ [CACI]

9. 6 years in the cyber trenches on dirty networks (All Industries & International)© 2010 Guidance Software, Inc. All Rights Reserved. Speaker

10. Intellectual Property TheftInformation Warfare/Cyber Forensics for USSTRATCOM/US NAVYeDiscovery for Federal and State DepartmentsSabotage of Critical Infrastructure (Oil/Water/Gas)Network Sabotage to secure contractsMalware Analysis & 0-Day Incident Containment Phishing and PII theftEmployee Misuse of assets/access for personal gainField Experience in IR

11. Evolution of Threats Timeline

12. Primary Attack VectorsDigital insider attacks previously compromised systemsClient-side applications (applications running on desktop / end-user systems, including email readers, web browsers, media players, instant messengers, productivity tools such as MS Office, etc.)Operating systemsWeb applicationsWireless networks

13. 2009 Trends in Attacks Against .GOV SQL Injection and Cross-site ScriptingIsland Hopping-Unisys/DHSRemote User Compromise-VPN Attacks-Client Side AttacksPKI Compromise--Private Key TheftZero-Day Attacks/Drive By DownloadsAutomated Attack ToolsDigital Insider Attacks

14. Keeping UpTechnical Challenges:High profile attacks – Good vectors need concealmentC2 of malware is sophisticated, landscape changesWe’re not looking for a single file, many artifacts droppedDesigned to evade detectionDesigned to persist defensive techniquesWe’re trying to find the needle in the haystackNo Magic Pill to take or Silver Bullet to shootAnalysis is considered heavy liftingMalware exists a Tactical level, yet analyzed at Strategic level.But:“k0d3R2 r LA2y” (Coders are Lazy) – They reuse code… 

15. Evolving ThreatsPerimeter defense won’t stop itNew Technologies bring new ExploitsThreats can be Outside-In & Inside-OutA determined hacker will find a way (high end)Hacking has become “Productized” (low end)Nasty stuff is memory resident onlyBetter QA in some malware than COTSDesigned to be Resilient and Persistent!

16. Points to PonderIncident Response:Actions taken AFTER an event has been detectedThis is D/BDA (Digital/Battle Damage Assessment)Concentrates on restoral and damage controlIntelligence Preparation of the Cyber BattlefieldSurveillance & Recon Planning – What you bring…Terrain & Weather – What technology brings…Digital Order of Battle – What the enemy brings…Enemy Capability to impact or influence your operationsCyber Denial & Deception?Cyber Psyops?

17. “We originally thought of EnCase Enterprise as an e-forensic tool only. However, Guidance Software’s solutionaddresses virtually every aspect of information security and eDiscovery.”Litigation Counsel, DellEnCase® Enterprise – The Industry Standard Platform for Conducting Network Investigations

18. How it WorksEnCase Software ComponentsUtilizes exact same 800K endpoint service as EnCase Enterprise and EnCase eDiscoveryService runs on multiple versions of Windows, Unix-based, and NetWare operating systems

19. 128- bit AES encryption used for secure communication between componentsEnCase® EnterpriseThe ComponentsThe Examiner (with EnCase ProSuite)Installed on a computer from which authorized investigators perform examinations and auditsThe SAFE (Secure Authentication For EnCase®)Authenticates users, administers access rights, retain logs of EnCase activity, brokers communications and provides for secure data transmission The SAFE communicates with Examiners and Servlets using encrypted data streams, ensuring no information can be intercepted and interpretedThe ServletA small, passive software agent that gets installed on workstations and servers Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise Examiner to identify, preview, and acquire local and networked devices.Enterprise Concurrent ConnectionsEnterprise Concurrent Connections are secure virtual connections established between the Examiner and servers, desktops or laptops that are being investigatedSnapshot“Snapshot” technology enables the user to quickly scan thousands of computers to determine what processes are running and what was occurring on a system at a given point in time

20. IntroducingEnCase CybersecurityYou’ve been hacked—now what? Your data is leaving the building…Where was the malware?Where is it now?What’s it look like?Find it, where it went, what it morphed to, and remediate it.How do you stay in a trusted state? How do you ensure sensitive data is kept in check?Against “gold build”Regular scheduled assessmentsAnomalies become eventsRemediate

21. EnCase Cybersecurity provides…Network-enabled incident responseCyberforensic triage and analysis, attack attribution analysis, and remediationSystem deviation assessmentsExpose system integrity issues caused by anomalous or unknown threatsData policy enforcementIdentify and wipe PII/IP/Classified data from unauthorized endpointsWhy Risk Compromising Your Data?

22. Network-enabled Incident Response How it WorksYou’ve Been Compromised!EnCase Cybersecurity collects data from potentially affected machines for analysis……Which are then compared to the appropriate pre-defined system profiles…And further culled down by comparison to included whitelist databaseThe resulting confirmed malware is used as a basis for exact and near match scans in order to locate and remove the threat network-wide. This is where Entropy takes charge…The resulting set is analyzed against potentially relevant running processesLeaving a small set of highpriority binaries for deep analysis100110101

23. EnCase Enterprise vs. EnCase Cybersecurity – High Level OverviewLegendManual ProcessAutomated ProcessNot IncludedIncludedü******ü* No PST/NST Output** Includes PST/NST Output*** Limited SharePointsearch capabilitiesü

24. EnCase Cybersecurity How it Works…

25. EE Command Center Architecture

26. Sample Deployment TopologyWANMain Office AMain Office BTarget NodeTarget NodeSAFEExaminerTarget NodeTarget NodeTarget NodeTarget NodeTarget NodeAggregation DatabaseTarget NodeExaminerSAFETarget NodeTarget NodeTarget NodeTarget NodeExaminerBranch OfficeTarget NodeCompany Headquarters

27. How EnCase® Enterprise and EnCase Cybersecurity Integrate With the Network

28. Current Product CapabilitiesProactive Data Security & Compliance AuditingPII, PCI, etc. data leakage and risksReveal & detect internal threatsIdentify & validate external threats (including polymorphic malware)Reactive “Cyber forensic endpoint” incident responseResponding to & remediating advanced malware & Zero-day attacksReducing/minimize information security workflow complexityIntegration with SIEM tools, IDS/IPS systems, etc.Leverages investment in existing EnCase InfrastructureBuilt as an application on top of EnCase EnterpriseBuilt using ECC application framework

29. EnCase Cybersecurity provides…System deviation assessmentsExpose system integrity issues caused by anomalous or unknown threatsCreate Profiles of known good machinesStatic (on disk)Dynamic (in runtime)Integrate with Bit9 database for Application WhitelistingEnables proactive scheduled scans for system deviationsTrusted Computing Environments

30. How do you make the unknown known?Deviation assessments capture running processesUp to 10,000 nodes per hour!Compare against trusted baseline and whitelistAnalyze resulting set of unknown processesIdentify unapproved process or malwareUpdate baseline(s)Introducing EnCase® CybersecuritySystem Deviation Assessment

31. System Deviation AssessmentHow It WorksSystem Deviation AssessmentRegularly scheduled, rapid scans for anomalies across a range of endpointsRunning processes are gathered at lightning speed – up to 10,000 nodes per hour…And are then compared to the appropriate customer defined profiles…And further culled down by comparison to included whitelisting databaseGood processes can be added to the trusted profile(s). Unapproved processes can be remediated.Leaving a small set of processesfor further analysis100110101

32. How it WorksStay in a Trusted StateProfile: Baseline a “trusted” configuration for each endpoint, using optional Bit9 databases to pinpoint suspicious contentAudit: Automatically search out sensitive IP and PII from any system on your network, exposing risk and enabling clean-upRestore: Return drifting or compromised configurations to a trusted state by deleting malware, inappropriate data, and unauthorized softwareEnforce and collect: Apply policies and remotely retrieve sensitive data capturing its metadata for evidence

33. System Deviation AssessmentHow do You Expose the Unknown?Assess: Scan endpoints against baselines to expose unknownsDetect: Unknowns become eventsSecure: Restore systems to baseline through remediation, update baseline(s)Respond: Analyze unknowns, identify malware or unapproved processes

34. How it Works…Maximize Operational ResourcesCode AnalysisFurther analysis of the malicious code to determine the full extent of the threat to the enterprise. Calculate Entropy value to find polymorphic iterations and remediate the threatTriageAfter basic analysis confirms the activity of the suspicious code, core functionality is used to further investigate the incident. (What? When? Who? How?)RAM AnalysisIf code is found to be out of profile, Snapshot and other analysis is done to determine if suspicious code is a threatSystem Profile and Analysis with Bit9Alert comes in and first response is to see if any code is out of profile on system(s) -- (RUN THIS DAILY)

35. MALWARE Detection and MitigationEnCase Cybersecurity includes:

36. Integration with Bit9 (Whitelist/blacklist)

37. Disregard known good files and processes from incident investigation

38. Uncover undiscovered/unknown files and processes

39. Integration with HBGary (Memory Analysis)

40. Code and behavioral analysis of running RAM or a single process

41. Provides intelligence on how any given process “does its thing”

42. Can determine if a piece of Malware is polymorphic, if it can transfer files, etc.

43. Identify capabilities of unknown processesEnCase Cybersecurity provides…Systems are changing dynamically (RAM)Preservation of the Digital Scene (Imaging)Preserve only relevant artifacts (Sparse Evidence File)Snapshot technology is fast (reveal hidden processes)Not limited to the Windows environment (Multiple OS)Data Volatility during IR

44. Malware’s Intended Consequence You are always vulnerable to the unknown…It is impossible to achieve impenetrabilityIf I can get you knocked of the grid, is that a mission kill?We like “Point & Click” & “Idiot Proofed”Automated Solutions that are easy to operate and subsequently, easy to circumvent. (Plug & Pray)Appliance based sensors that you just set and forget… (Plug and Prey)Puts you in perpetual catch up modeIt is called a “0-Day” for a reasonThey know you can’t patch against the unknown…

45. Current Methods for Finding MalwareHashingMD5/SHA Formats Context Triggered Piecewise Hashing (ie, rolling hash)“Fuzzy Hashing” Easy to foolSignature based detectionRelies on Hashes or other Code fragments Computationally expensive, takes timeDeep Packet Inspection / Stream AnalysisChecking it coming in and going out

46. Traditional Detection MethodsAntivirus software has been around since the dawn of the computer virusTraditional methods – signature based“Usually” the signature is a sequence of bytes found in code

47. Antivirus software scans files using these signature(s).

48. Considered simple “Static Analysis”

49. In traditional methods signature is mostly “syntactic”, i.e., fixed artifactHow to find signature?Traditional method involves manual analysis of code

50. Binary is scanned structurally and reverse engineered

51. Code is analyzed to find an unique characteristics to be used as a signature Traditional Detection Methods (cont.)Methods seen in viruses a long time agoStealth viruses – Hides changes in the system and therefore the virus by showing original stateOligomorphic viruses – Encrypts body with varying forms and has a constant decryption routinePolymorphic viruses – Contains varying encrypted body and has several copies of decryption (polymorphic)Metamorphic viruses – Uses various code morphing techniques to create new instances that are different in code but identical in nature.Current generation of malware use “Obfuscation” techniques evolved from the above principles to evade signature based schemes. (Bit shifting, XORing, etc…)Code obfuscation is used to evade “static analysis”

52. Polymorphic CodeWhen creating a new instance, the malware uses code encryption to encrypt its body (Payload)Different keys are used in different instances so body is different sequence of bytesSimple signatures that are just sequences of bytes in the body are fooledPolymorphic DecryptionSeveral algorithmsUses Code obfuscation Signature changes constantly.

53. Detection of Polymorphic CodeCommercial Antivirus Software is challenged to detect polymorphic malware (viruses and trojans) in real timeSignature is created to detect MUTEX code segments (vendors may take days…)Virtualization is used to Command & Control code execution to find a detectable sequence in the bodyAPT Malware employs anti-reversing techniques to defeat code analysis (Detection of sandbox & virtualization = Morph)Polymorphic wormsCyber speed is expressed in milliseconds

54. Current Methods for Finding Malware (including polymorphic)HashingMD5/SHA Formats Context Triggered Piecewise Hashing (ie, rolling hash)“Fuzzy Hashing” Easy to foolSignature based detectionRelies on Hashes or other Code fragments Computationally expensive, takes timeDeep Packet InspectionIndexing DOESN’T scale to EnterpriseCode mutation used to change malware attributes makes identification difficult

55. Behavioral DetectionBehavior based detection is mostly dynamic analysis basedStatic analysis may be combined (Streams)Sandboxed code executionSome malware exhibit identifiable run-time behavior, for exampleSpyware that hijack browserBot programs that access C2 serverAdware that may show popups and adsPrincipleDefine “templates” of bad behaviorUse run-time monitoring to find matchRun-time monitoring is mostly system call, API or an observable behavior

56. Traditional Hash AlgorithmsTake an unlimited number of bytes and construct a fixed size digestAB 15 73 2F DE CB 3C 2A 14 7B 34 FF File ContentsFF DE CB 15 73 2F 3C 2A 14 7BDE 2F 3C CB 15 73 2A 142F 3C CB 15 73 2AHash AlgorithmHash Value2F3CF732F3CFFDECB152A147B2F3CF56

57. Hash PropertiesTwo files with the same hash will almost certainly have the same contents and sizeGreat for detecting exact file matchesIf a singe byte changes, the hash value changes completelyActually 50% on averageThe hash value has no “meaning”One cannot infer information about the file from the value of the hashGood for securityExamplesCRC32, MD5, SHA1, SHA256

58. What is entropy?Ordered SystemUnordered SystemLow EntropyHigh Entropy

59. What about for files?Ordered FileUnordered File010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101019283784736284725104816351947164823264583264612864836413743385713091470450913497583048913408975013876473465132409873443847251048163519471648232645832648913408975013876473465137103891340897501387647346513837847368472510481635194716482326454847251048163519471648232645832648913408975013876473465137103385713091470450913497583048913408975013876473465132409873443010101018472510481635194716482326489134089750138764734651363837847362847251048163519471648232645832646128648364137433857385713091470450913497583048913408975013876473465132409873443Low EntropyHigh Entropy

60. Entropy value range (bits per byte)Blank0.0TextEXEPictureCompressedEncryptedRandom8.0

61. Commanding MALWARE remotely

62. Using Entropy to find Polymorphism

63. Network-enabled Incident ResponseUsing Entropy to Detect Advanced ThreatsWhich binaries are most similar to the suspected malware?Use Case for Entropy There is great value in the detection of specific files, and this is accomplished well with a conventional hash value; however, there are many situations where you might what to find files that are similar to files in a set, but not identical.Near MatchesDocuments that have been changed slightly but have different hash values due to edits, opening and saving with or without edits, which can change embedded metadata.Polymorphic malwareA “mutated” executable that spreads throughout the networkDifferent executables with same codeExecutables with the same source code that were compiled with different settings or version numbersEmail forwardingEmail software often concatenates “quoting” sequences to an email body when you reply or forward the mail. Even though the body text is “essentially the same” metadata changes will change the hash values

64. Data is the Lifeblood of GovernmentIntellectual PropertyClassifiedInformationGovernment DataEpicenter of RiskPersonnelDataSchematicsHuman ResourcesBudgetaryDefense Contracts

65. Cyber Criminals are after Your Data$202 Per Consumer Record

66. $600 Billion IP Theft a Year Globally

67. Across all industries, data loss is a growing challengeEnCase® CybersecurityData Risk and Spillage AssessmentHow do you ensure sensitive data is kept in check?Do you have or have you purchased a DLP solution?Is it network based? Host based?Are you using it to block data?How do you remediate risk & enforce policies?

68. Its not always on purpose

69. There is no shortage either…

70. This network had just undergone a survey…Some of the spill data was over 5 years old…Network had undergone a “technology refresh” 3 yrs previouslyHow do you transfer files from one server to the next?Drag & DropBackup tapesCopy to removable drivesSo, classified data was migrated… However, in the interest of full disclosure…#1 - No TS on UNCLAS#2 - Only 2 real scary leaks#3 - Unit tool swift action to contain & reportReal Life Example #1 (cont.)

71. Performing large enterprise sweep during IntrusionFind malicious code on machinesLook at naming convention of machineIndicates machine is(was) on class networkWas machine improperly connected to domain?Was machine wiped and never renamed?Good news…IT personnel reapportioned asset, removed HDDRenaming was done via sticker on top of computer…Real Life Example #2

72. containing leakageExfiltration techniquesStore to USB Thumb driveEmail it to the “other” accountXOR the data (Bit Shifting)Encrypt itCollect and compress (ZIP/RAR) Covert Tunnel it using proprietary packersOn a network share, how do you know who accessed a compromised file?Link file analysisMatching files searchIf you clean a shared repository, have you adequately contained?Can a user save a file to their own desktop?

73. Creating your expressionsTypes of data

74. Formatted message traffic

75. Typical Office type documents

76. Video of classified operations

77. Email communications

78. Photos and imagery

79. Reference material

80. .xls of space/safe combinations

81. Prior to remediation

82. After remediation

83. File flagged as deleted.Data wiped with zeros

84. Data-B-GoneAs a side note, no entry was created in the INFO2 file and the Recycler was untouched.

85. Data Risk and Spillage AssessmentHow do You Ensure Sensitive Data is Kept in Check?Define: Create search criteria for relevant sensitive dataIdentify: Automatically search systems for sensitive dataEnforce: Collect and/or wipe sensitive data from unauthorized locationsAssess: Map data found to data policies

86. In addition to malware and suspicious activity, EnCase Cybersecurity can expose and remediate errant sensitive dataOngoing risk assessments for PII/IP and Classified SpillageConfigurable for your specific data formats (e.g., contract numbers)Light passive driver as opposed to a heavy and active agentForensic-grade disk level visibility and validationRisk mitigation and policy enforcement through remediationData Risk and Spillage AssessmentData Remediation & Policy Enforcement

87. EnCase Cybersecurity provides…An open, web-services API to enable third-party applications to trigger investigative/forensic functions, so that automated incident response can be performed.It is optimized when triggered by a SIM/SIEM wherein threshold, prioritization and coverage are all weighted within the requesting sensor. Automated Incident Response

88. Automated Incident Response

89. Feature RoadmapJob SchedulingJob RecurrenceExaminer AffinitySecurity Centric User InterfaceWeb UIProcess AutomationAPI Based integration with SIEM, IDS, IPS toolsInitial integration with ArcSightServices based offering with other IDS vendorsEnhanced Reporting

90. Automated Incident Response

91. EnCaseCybersecurity AIRS module will functionally provide:An API to allow data flow between AIRS and 3rd Party security applications.The ability to automate routine job cueing and execution based on both internal (manual) and external (Semi-Automatic) triggered events.The ability to schedule job execution at a user selectable frequency and reoccurrence.Extension of pre-configured job modules that are to run based upon class of event trigger received into the cue, or as defined by the operator upon manual entry.

92. 3rd Party Application Programming Interface (API)Full APIWill accept inbound event Queuing Will provide outbound job resultsOpen API ensures open framework User writes own connectorsUser uses Professional Services to write connectorArcSight out of the boxPartnered

93. Triggered job creation and executionTemplates jobs that will ingest target dataConduct SnapshotPreserve dataImage DriveImage MemoryPerform System Profile Collection & Subsequent AnalysisPerform Configuration Assessment (DISA STIG/FDCC)Perform PII/IP AuditPerform Entropy Remediation

94. Triggered job creation and executionAutomatically QueueRun the jobAutomaticSemi-AutomaticManual OverrideAlert ThresholdAsset PrioritizationEvent SeverityDistributed Command Center InfrastructureRemote Examiner ServiceJobs assigned by region/AD Forest/segment, etc…

95. Job schedulingMinimize bandwidth impact of intensive operationsIe, Full Disk ImagingAssign jobs based upon network infrastructureKeep jobs within segmentsCreation of reoccurring jobsSet up periodicity and intervals

96. Job statusWhich jobs are runningWhich jobs have completedWhich jobs remain in the Queue

97. Job ResultsViewable via Web Interface within CybersecurityOpen API pushes results to requesting sensorOptional write results to Database

98. User Interface and Report GeneratorResults delivered to “non experts” via web interfaceConsolidate and Simplify ResultsProvide Report Generation of items of interestExport significant items for archive

99. Saturation Safeguards / “Run Now” Operator OverrideSet Job Queue to auto runRun continuously as licensing permitsPreconfigured batch limitSpool like jobs and run concurrentlyOperator will be able to select and override Immediately trigger jobs.

100. Job Refresh / Export XML to 3rd PartyRefresh Job Status Alert 3rd Party Solution that jobs have completedExport XML to:Database3rd Party Solution Ready to review

101. Major Defense ContractorUS MilitaryFederal and State DepartmentsCritical Infrastructure (Oil/Water/Gas)UK Office of Govt CommerceNATOFinancial IndustryBio ResearchReal World Use Cases

102. You’ve been compromised — now what? Your data is leaving the building…Is the threat internal or external?Inadvertent or malicious?Was there malware involved?Where was is?Where is it now?What’s it look like?Can you ….Find it, know where it went, what it morphed to, and remediate it?What’s Your Incident Response Plan Today?

103. EnCase® Cybersecurity Complements& Augments Other Security TechnologiesBlock/QuarantineAuditDLPSymantec

104. Websense

105. RSA/EMCCapabilities: IDspre-definedcontent; alerts(claims blocking)Limitations: Requires complexpolicies that are easily circumvented; rarely used to blockIPSTippingPoint

106. McAfee

107. SourcefireCapabilities: Blocksdata associatedwith knownattack methodsLimitations: Morphingthreats evadethis signature-based tech.EncryptionUtimaco

108. WinMagic

109. PGPCapabilities: Maystop unauthorizedusers fromaccessing dataLimitations: Canbe used to hidedata; disk-basedencryption doesnot protectrunning systemsAVSymantec

110. McAfee

111. Trend MicroCapabilities: Identifies andblocks knownmalwareLimitations: Cannot detect orblock unknownmalware; issignature-basedFirewallFortinet

112. Check Point

113. JuniperCapabilities: Rulebased, this first linedefense blocks unauthorized accessLimitations: Phishing and common web siteattacks easilycircumvent; no helpvs. insider threatNACCisco

114. Juniper

115. SymantecCapabilities: preventsaccess to networkunless user meets pre-defined criteriaLimitations: Cannotprotect againstmalware introducedvia USB or optical drive; no visibility Into unstructured dataTriage suspicious or sensitive data

116. Identify internal/ external threats

117. Collect IP/PII

118. Wipe IP/PII; Remediate malicious dataProactiveperimeterendpointAlertResponseIDSIBM ISS

119. Snort

120. TippingPointCapabilities: Alert ondata associatedwith knownattack methodsLimitations: Morphingthreats evade this signature-based tech.; cannot respondto alerts effectivelyVA/VMBigFix

121. Sourcefire

122. TenableCapabilities: Alert on known application or network specificvulnerabilitiesLimitations: Cannot detectunknown vulnerabilities(application or network configuration); cannot respond to alerts effectively SEIM/SIMArcSight

123. RSA

124. CiscoCapabilities: correlate data from a variety of alertingtechnologiesLimitations: Cannotcollect data or respond to alertseffectivelyConfig. Mgmt. TripWire

125. SolarWinds

126. NovellCapabilities: Alert on OS and network device settings that are not configured properlyLimitations: Has novisibility into unstructured data; cannot respond to alerts effectivelyAlert response

127. Triage suspicious data

128. Identify threats

129. Analyze risk

130. Remediate malicious dataReactive

131. Thank you