This document discusses the need for cyber forensics capabilities to effectively respond to modern cybersecurity threats and incidents. It notes that traditional perimeter-based defenses are no longer sufficient, and that comprehensive endpoint visibility is needed to identify covert threats, attribute attacks, and limit data breaches. The document promotes the Guidance Software EnCase Cybersecurity solution as providing critical network-enabled incident response and forensic investigation capabilities for enterprises.

1. A New Era in Incident Response and Data AuditingThe Case for Cyberforensics

2. Speaker Sam MaccherolaVice President and General Manager, Public Sector for Guidance Software Inc.Contact Info: sam.maccherola@GuidanceSoftware.com , (703) 657-7230

3. Bio20+ years of government management and program development experience within the information technology and systems integration industry, At Guidance Software, manages strategic direction, as well as operational, sales, and business development for a growing global Government practice.Prior to Guidance Software:Vice President of Federal at ProSight Inc., responsible for overall strategic direction, as well as operations, sales and marketing components for the federal business unit. President of Tenix America and VP of Public Sector Sales for Tripwire, Inc. Senior positions with Tumbleweed, Entrust Technologies, Inc., PLATINUM Technologies, and Legent Corp.Recognized as one of the 100 people in Government and Industry that made a positive difference in Government IT by a panel of Government and Industry leaders. Active participant in many associations that promote public-private sector information sharing and partnerships: AFCEA, ACT/IAC and ITAA

4. Guidance Software, Inc.The World Leader in Digital InvestigationsEnterprise Ready, Market Proven SolutionsOver 150 customers of EnCase® eDiscoveryOver 650 customers of EnCase® Enterprise including:More than 100 of the Fortune 500 and over half of the Fortune 50Deployed on over 10 million desktops, laptops and serversThe Leading Court-Validated TechnologyUsed in thousands of cases worldwideAuthenticated in over 50 published court cases and EnCase technology validated under Daubert/FryeCourts have taken “judicial notice” of the validity of EnCase softwareTop-ranked Software by Industry Analysts Gartner’s highest rating for eDiscovery SoftwareSocha-Gelbmann’s Top 5 (highest category) for eDiscovery softwareForrester calls it “The de-facto industry standard for remote desktop collection” Committed to Support your On-going SuccessWorld-Class Training and Certification Program Top-Ranked Professional Services Organization

5. Government Agencies of AllSizes Rely on EnCase® Solutions

6. Evolving ThreatsPerimeter defense is never enoughWith new technologies come new exploitsThreats can also be internal and/or inadvertentA determined hacker will find a way (high end)Hacking has become “Productized” (low end)

7. Key TrendsPer a recent Cisco Annual Security Report, statistics found included:

8. the overall number of disclosed vulnerabilities grew by 11.5%.

9. Vulnerabilities in virtualization technology nearly tripled - from 35 to 103 year-over-year

10. attacks are becoming increasingly blended, cross-vector and targeted.

11. Cisco says its researchers saw 90% growth in threats originating from legitimate domains,

12. This year, numerous legitimate websites were infected with IFrames, malicious code injected by botnets that redirects visitors to malware-downloading sites, the company says.2008 Intelligence Community Statistics55% Increase in Remote Access Cyber Intrusions

13. 52% Increase in Insider Cyber Intrusions

14. 22% Increase in Credit Card FraudVerizon Data Breach ReportAnalysis of over 500 e-forensics audits:73% resulted from external sources

15. 18% by insiders

16. 39% implicated business partnersBlackhats: Threat ActorsNation States

17. 108 countries with dedicated cyber-attack organizations

18. Dragon Bytes: Chinese Information War Theory & Practice

19. Terrorists

20. Growing sophistication

21. Hamas and Al Qaeda

22. Ibrahim Samudra and Irhabi 007

23. Organized Crime

24. Cybercrime is big business aka RBN

25. FBI: #1 criminal priority is cybercrimeTrends in Attacks Against .GOVSQL Injection and Cross-site Scripting

26. Island Hopping-Unisys/DHS

27. Remote User Compromise-VPN Attacks-Client Side Attacks

28. PKI Compromise--Private Key Theft

29. Zero-Day Attacks

30. Automated Attack Tools

31. Digital Insider AttacksData is the Lifeblood of GovernmentVulnerabilities & AssessmentsClassifiedInformationPII & Medical RecordsGovernment DataSensitive Projects & SchematicsEpicenter of RiskTroop MovementsBudgetary/ ProcurementDefense Contracts

32. Let the Blood Loss Begin…25 July 2010U.S. National Security Advisor on Wikileaks Report on AfghanistanSays disclosure of classified information threatens U.S. national security

33. On a Normal Day, an AgencyGets Hit by upwards of 2.4M AttacksHow effective is your security? 99.9%?99% 12,000 - 24,000 attacks99.9% 1200 - 2400 attacks through each day99.99% 120 - 240 attacks Multiple technologies must be layered to get near 99.9% effective It is impossible to achieve impenetrabilityEven if you pulled the plug, they can take the hard drive…

34. Traditional Security is for Traditional Threats“Traditional security solutions are obsolete…the signature approach and other traditional methods of security are not keeping pace with the number of threats being created by online criminals.”“The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.”“It often takes up to 24- to 72-hours from the time a threat is identified, analyzed, and its signature is developed to the time it is finally delivered to the endpoint. While consumers and enterprises are playing the waiting game; their endpoints are exposed and vulnerable.”“The degree of difficulty for identifying malware targeting data is outpacing the innovation of traditional security vendors.”

35. The CISO Knows this more than anyone“…there needs to be a continuing and stronger emphasis on protection and management of data, distinct from focusing too heavily on threats and attacks.”— Recommendations from the 2010 State of Cybersecurity from the Federal CISO’s Perspective — An (ISC)2 Report“Perimeter defenses are no longer effective, if they ever were. It’s harder to fight a war from the inside than maintaining the perimeter. It requires additional resources.”— John Wang, Security Architect,NASA

36. Over $40B Spent on FISMA since 2002 … not enoughMore checklists and standardsConsensus Audit Guideline; CVE/OVAL; DISA GOLD/STIG; NSA/NIST NIAP (CCEVS EAL); DIACAP; FIPS; FISMA; ISO 17799; IEC 27002; GLBA; SOX; HIPAA; FDCC; SCAP; NERC’s CIP 009-2; and so on…Compliance is not an insurance policy against the unknown threat.Heartland Payment SystemsBreach cost at $12.5M+

37. History Repeats ItselfHannibal using the Roman Roads to cross the Alps40% Increase in Major Intrusions (US-CERT)

38. The Challenge – The Starting LineYou Are Here

39. The Challenge – 1st HourYou Are Here

40. The Challenge – 2nd HourYou Are Here

41. The Challenge – 3rd HourYou Are Here

42. The Challenge – OwnedYou Are Here

43. Hosting Companies = Watering Holes

44. Current Challenges in Cyber DefenseRegardless of what you do…Attacks will continue 24/7/365Enemy at the Gates will continue to recon/infiltrate/exfiltrateAnonymity will challenge attributionMalware will be custom designed and used against youThey live in 0-day environmentPolymorphic Code is on the riseYou need to be right 100% of the timeHow do you learn to defend if you never learn what happened or who you’re dealing with?

45. Cyber Forensics is the Spear Tipof any Cybersecurity InitiativeIdentify covert/undiscovered threats: dynamically adaptive patented technology gives InfoSec the advantage against new threats:Polymorphic MalwarePacked filesOther advanced hacking techniquesAttribute new attacks to older attacks, invaluable in attributing malware to an attackerComplete visibility into endpoint risk with the ability to target static and live data to locate sensitive informationFind and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows RegistryPowerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud or HR matters

46. 2010 Cybersecurity Survey (Continued)Endpoint was used in all of the top 3 insider theft mechanisms

47. 44% Laptops

48. 42% Copied information to mobile device

49. 38% Downloaded information to home computer)38%42%44%

50. 2010 Cybersecurity Survey (Continued)Incident response and internal forensics can make a difference28% of events resulted in legal or law enforcement action35% could not pursue legal action due to lack of evidence29% could not identify the individuals responsible

51. The Endpoint Needs Comprehensive Visibility Endpoint VisibilityCyberPreparednessMultiple OS and File Systems;See through Data at rest solutions;Packed and compressed; DataUniverse is ever expandingSpeed,Mobility,Adaptability Data ProtectionTargeted search &remediation; DLP;Encryption, etcInfinite digital reach;Speed of cyber, notUPS/FedEx; Adaptivemalware identification& recovery

52. The Missing Layer in Defense in Depth …Incident Response at the Forensic Level with Endpoint VisibilityEnCase Cybersecurity provides…Enterprise-wide incident responseCyberforensic triage and in-depth analysis, attack attribution analysis, and remediationSystem deviation assessmentsExpose system integrity issues caused by unknown threatsData policy enforcementIdentify and wipe PII/Classified data from unauthorized endpoints

53. Information Security ChallengesProactively identifying and addressing covert/unknown threatsDetermining the capabilities and purpose of unknown files or running processesIdentifying and recovering from known malware and/or polymorphic malwareSignature-based detection tools are insufficient when faced with code that morphs to evade detectionQuickly triaging and containing an identified threatLocating and rapidly responding to data leakage (PII, IP, etc.)Compliance with data protection and breach notification lawsDetermining the “State of the Network” by comparing known profiles to data on systems

54. The PastOne Computer at a timeDays, weeks, and monthsto get the dataCostly & Time ConsumingThe gathered intelligencewas valuable, but useless

55. The PastEnCase Field Intelligence Module (FIM)One computer over the network. (2004)

56. The PastSearching only onetarget at a time.??

57. EnCase Cybersecurity provides…Network-enabled incident responseCyberforensic triage and analysis, attack attribution analysis, and remediationSystem deviation assessmentsExpose system integrity issues caused by anomalous or unknown threatsData policy enforcementIdentify and wipe PII/IP/Classified data from unauthorized endpoints A Cyber Forensics Approach

58. The PresentEnterprise Forensics

59. The PresentAutomation of searchingmultiple targets in parallel.Pre-defined Critera

60. The PresentAutomation of searching forcompromises and malware.

61. Benefits & Features of Cyber Forensics

62. Questions/ThoughtsToday, how do you…Identify unknown or covert threats?Limit the risk exposure presented by sensitive information?Respond to a suspected threat? Limit the scope of a data breach?Ensure endpoints remain in a trusted state?Address and scale technologyand processes to include file servers, email servers,semi-structured data repositories?

63. Thank you