EnCase Cybersecurity: Automating Incident Response
May 22, 2012




                      Automating Incident Response
                                               Ambreesh Bhagtani
                                             Manager UI Development




         Automating Incident Response

            Topics
            1. What is incident response? Use cases
            2. Comparing manual vs. automated incident response
            3. Understanding web APIs
            4. Overview of ArcSight
            5. Data visibility
            6. Q & A








Ambreesh Bhagtani, Guidance Software, Inc.                                      1




         What is Incident Response?

            The ability to respond to events and alerts in a timely fashion.
            Incidents include:
            • Malicious attack
            • Unauthorized port activity
            • Unauthorized URL access
            • Unauthorized USB account access








         Incident Response: Manual












         Drawbacks of Manual Response

            • The entire process can take from weeks to months
            • Only a single machine is analyzed at a time
            • Critical data may be lost
            • The full extent of the breach is unknown
            • High costs








         Incident Response: Automated












         Benefits of Automating Incident Response

            • Analyze multiple alerts at the same time
            • Reduce costs
            • Multiple machines analyzed
            • Faster response
            • Critical data preserved
            • Full extent of the breach identified








         Incident Response Flow / Architecture

            SIEM / IDS / IPS / DLP etc.  -->  Integration Code  -->  EnCase Cybersecurity

            The alert source does not talk to EnCase directly: the integration code receives the alert, turns it into an API call, and EnCase Cybersecurity runs the response job.












         Web APIs

               Computers need a language to communicate!

               Application Programming Interfaces (APIs)








         SOAP Request – Get Guidance Stock Price

            Host: www.stockprice.com
            Content-Type: application/soap+xml; charset=utf-8

            <?xml version="1.0"?>
            <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                           xmlns:m="http://www.stockprice.com/stock">
              <!-- the m: namespace URI is illustrative; the soap: URI is the SOAP 1.2 standard -->
              <soap:Body>
                <m:GetStockPrice>
                  <m:StockName>GUID</m:StockName>
                </m:GetStockPrice>
              </soap:Body>
            </soap:Envelope>












         SOAP Response – Stock Price Response

            HTTP/1.1 200 OK
            Content-Type: application/soap+xml; charset=utf-8
            Content-Length: nnn

            <?xml version="1.0"?>
            <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                           xmlns:m="http://www.stockprice.com/stock">
              <soap:Body>
                <m:GetStockPriceResponse>
                  <m:Price>800.00</m:Price>
                </m:GetStockPriceResponse>
              </soap:Body>
            </soap:Envelope>








         WSDL – What is it?

            <m:GetStockPrice>
              <m:StockName>IBM</m:StockName>
            </m:GetStockPrice>

            WSDL – Web Services Description Language: the XML document a service publishes to describe the operations it exposes, the messages each operation accepts and returns (the GetStockPrice element above is one such message), and the address at which the service is bound.










         WSDL – Operation

            <operation name="GetLastTradePrice">
              <soap:operation/>
              <input> <soap:body use="literal"/> </input>
              <output> <soap:body use="literal"/> </output>
            </operation>

            Inside a binding, each operation states how its input and output messages are carried; use="literal" means the body is the schema-defined XML as-is, with no SOAP encoding applied.








         Exercise 1 – Call a Web API

            Objective – Get all cases
            Assumption – A case has already been created
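The SOAP request and response shown on the previous slides, and the "get all cases" call of Exercise 1, can be driven with a few lines of Python. What follows is an added example, not code from this deck and not Guidance Software's API client: the SOAP 1.2 envelope namespace is the standard one, but the application namespaces, the endpoint path, the GetAllCases operation and the three sample responses are assumptions constructed here so the code runs offline.

```python
"""Build, send and parse SOAP 1.2 messages with the standard library.

Added example: not code from the original deck or from Guidance Software.
Assumed: the application namespaces, the endpoint path, and the GetAllCases
operation used to illustrate Exercise 1; only the SOAP envelope namespace is standard.
"""
import http.client
import ssl
import xml.etree.ElementTree as ET

try:                                                                # defusedxml hardens parsing
    from defusedxml.ElementTree import fromstring as safe_fromstring  # of untrusted XML (entity
except ImportError:                                                 # expansion, external entities)
    safe_fromstring = ET.fromstring                                 # stdlib fallback

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"   # SOAP 1.2 (standard)
STOCK_NS = "http://www.stockprice.com/stock"          # assumed application namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("m", STOCK_NS)


class SoapFault(Exception):
    """Raised when the response Body carries a <soap:Fault>."""


def local_name(tag):
    """Strip the {namespace} part ElementTree prefixes to a tag."""
    return tag.rsplit("}", 1)[-1]


def build_envelope(operation, params, app_ns=STOCK_NS):
    """Serialise a request envelope; each parameter becomes a child of the operation element.

    Building the tree with ElementTree instead of formatting a string means a
    value such as '</m:StockName><m:Other/>' is escaped, not injected as markup.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{app_ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{app_ns}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(raw):
    """Return (response element name, [(child name, text), ...]) or raise SoapFault.

    The fault check comes first: SOAP 1.2 returns faults with HTTP 400/500, and a
    client that only searches for the element it expects would silently miss them.
    """
    body = safe_fromstring(raw).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("response has no SOAP Body")
    first = body[0]
    if first.tag == f"{{{SOAP_NS}}}Fault":
        raise SoapFault(first.findtext(f".//{{{SOAP_NS}}}Text") or "unspecified fault")
    return local_name(first.tag), [(local_name(c.tag), c.text or "") for c in first]


def soap_call(host, path, envelope, timeout=30):
    """POST the envelope over TLS (certificate and hostname verified) and parse the reply."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("POST", path, body=envelope,
                     headers={"Content-Type": "application/soap+xml; charset=utf-8"})
        raw = conn.getresponse().read()   # status not checked here: faults arrive as 400/500
    finally:
        conn.close()
    return parse_response(raw)


# Constructed responses for offline use; no real service was queried.
STOCK_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.stockprice.com/stock">
  <soap:Body><m:GetStockPriceResponse><m:Price>800.00</m:Price></m:GetStockPriceResponse></soap:Body>
</soap:Envelope>"""

CASES_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:c="urn:example:cases">
  <soap:Body><c:GetAllCasesResponse><c:Case>case 1</c:Case><c:Case>case 2</c:Case></c:GetAllCasesResponse></soap:Body>
</soap:Envelope>"""

FAULT_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body><soap:Fault>
    <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
    <soap:Reason><soap:Text xml:lang="en">Unknown stock name</soap:Text></soap:Reason>
  </soap:Fault></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_envelope("GetStockPrice", {"StockName": "GUID"}).decode())
    print(parse_response(STOCK_RESPONSE))
    print(parse_response(CASES_RESPONSE))
```

Two details matter for integration code that runs unattended: the envelope is assembled with ElementTree so a case name or stock symbol taken from an alert cannot smuggle in extra elements, and parse_response looks for a soap:Fault before it looks for the expected element, because an empty search result would otherwise be mistaken for "no cases".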









         Exercise 2 – Use SIEM to call Integration Code
















            ArcSight Integration UI








            Event Configuration








            How it Works: Retrieving Results

            Request…
            1. /case "case 1"
            2. /source "safe – source"
            3. /ip "192.168.85.151"
            4. /event $event[eventId]   -> variable that captures the eventId associated with the alert
            5. /module snapshot
            6. /log true
            7. /demo
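The request above is the template ArcSight hands to the integration code, with $event[eventId] filled in from the alert. That means SIEM event fields, which can originate in attacker-influenced log data, end up on a command line. The following is an added example, not Guidance Software's integration code: it tokenises such a request, fills placeholders only after tokenising so a field value can never add switches of its own, validates every value against an allow-list, and emits an argv list for subprocess without a shell. The switch semantics, the allowed module names, the numeric eventId and the program name integration_code are assumptions.

```python
"""Validate a SIEM-to-EnCase integration request before it becomes a command line.

Added example, not Guidance Software's integration code. The switches mirror
the request on the slide; their semantics, the allowed module names, the
numeric eventId and the program name 'integration_code' are assumed.
"""
import ipaddress
import re
import shlex

SWITCHES = {"case": True, "source": True, "ip": True, "event": True,
            "module": True, "log": True, "demo": False}   # True = takes a value
ALLOWED_MODULES = {"snapshot"}                              # assumed allow-list
NAME_RE = re.compile(r"^[\w .\-\u2013]{1,64}$")             # letters, digits, space . - and en dash
PLACEHOLDER_RE = re.compile(r"\$event\[(\w+)\]")            # $event[field]


def resolve_placeholders(text, event):
    """Replace $event[field] with the field's value; an unknown field is an error."""
    def sub(match):
        field = match.group(1)
        if field not in event:
            raise KeyError(f"event has no field {field!r}")
        return str(event[field])
    return PLACEHOLDER_RE.sub(sub, text)


def parse_request(request, event):
    """Tokenise '/switch value ...' and only then fill placeholders.

    Filling before tokenising would let an event value such as '4711 /module wipe'
    introduce extra switches; after tokenising, the whole value stays in one
    argument slot and is then subject to validation.
    """
    tokens = shlex.split(request)          # honours the quotes around "case 1"
    args, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        name = tok[1:]
        if not tok.startswith("/") or name not in SWITCHES:
            raise ValueError(f"unknown switch {tok!r}")
        if SWITCHES[name]:
            if i + 1 >= len(tokens):
                raise ValueError(f"/{name} requires a value")
            args[name] = resolve_placeholders(tokens[i + 1], event)
            i += 2
        else:
            args[name] = True
            i += 1
    return args


def is_ip(value):
    """Accept only a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


VALIDATORS = {
    "case": lambda v: bool(NAME_RE.match(v)),
    "source": lambda v: bool(NAME_RE.match(v)),
    "ip": is_ip,
    "event": lambda v: v.isdigit() and len(v) <= 20,   # eventId assumed numeric
    "module": lambda v: v in ALLOWED_MODULES,
    "log": lambda v: v in {"true", "false"},
}


def build_command(request, event, program="integration_code"):
    """Return an argv list for subprocess.run(argv) (list form, never shell=True)."""
    argv = [program]
    for name, value in parse_request(request, event).items():
        if value is True:                  # flag without a value, e.g. /demo
            argv.append(f"/{name}")
            continue
        if not VALIDATORS[name](value):
            raise ValueError(f"rejected value for /{name}: {value!r}")
        argv += [f"/{name}", value]
    return argv


# Constructed inputs; the request text is the one shown on the slide.
REQUEST = ('/case "case 1" /source "safe – source" /ip "192.168.85.151" '
           '/event $event[eventId] /module snapshot /log true /demo')
SAMPLE_EVENT = {"eventId": 4711, "sourceAddress": "10.0.0.5"}
HOSTILE_EVENT = {"eventId": "4711 /module wipe"}

if __name__ == "__main__":
    print(build_command(REQUEST, SAMPLE_EVENT))
    try:
        build_command(REQUEST, HOSTILE_EVENT)
    except ValueError as err:
        print("rejected:", err)
```

The argv list is handed to subprocess.run as a list, so no shell ever re-parses the values; the allow-list validators are deliberately strict and should be widened per deployment rather than loosened to a deny-list.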











            Configure Response




            Status of the Scan








            Set up the Response




            Jobs are created; the examiner picks up the job.








         Forensic Analysis

                                        Forensics Report












            Type of Scan
            • SPA
                • Profiling
            • Entropy
                • Find identical files
            • Personal Information Identification
                • Find SSNs, credit card numbers, …
            • Internet Artifacts
                • Find URLs
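As an added illustration, not EnCase Cybersecurity's scanner, the following Python implements toy versions of three of the four scan types listed above: Shannon entropy plus SHA-256 grouping for the entropy and identical-file check, SSN and credit-card patterns with a Luhn check for personal-information identification, and a URL pattern for internet artifacts. The SPA profiling step is not reproduced. The detection rules are generic, and the "files" it scans are constructed in memory.

```python
"""Toy versions of the entropy, personal-information and internet-artifact scans.

Added example; not EnCase Cybersecurity's scanner. Detection rules are generic:
Shannon entropy and SHA-256 grouping, SSA-format SSNs, 13-19 digit card numbers
that pass the Luhn check, and http(s) URLs. SPA profiling is not reproduced.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# Area 000/666/9xx, group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def luhn_ok(digits):
    """Luhn check (ISO/IEC 7812-1); cuts false positives such as 1234 5678 9012 3456."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identical(files):
    """Group names of byte-identical files by SHA-256, regardless of file name."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def find_pii(text):
    """Return SSN matches and Luhn-valid card numbers (separators stripped)."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return {"ssn": SSN_RE.findall(text), "card": [c for c in cards if luhn_ok(c)]}


def find_urls(text):
    """Return every http(s) URL in the text."""
    return URL_RE.findall(text)


def scan(files, entropy_threshold=7.5):
    """Run the checks over {name: bytes}; packed or encrypted files score near 8.0."""
    report = {"high_entropy": [], "identical": find_identical(files), "pii": {}, "urls": {}}
    for name, data in files.items():
        if shannon_entropy(data) >= entropy_threshold:
            report["high_entropy"].append(name)
        text = data.decode("utf-8", "ignore")
        pii = find_pii(text)
        if pii["ssn"] or pii["card"]:
            report["pii"][name] = pii
        urls = find_urls(text)
        if urls:
            report["urls"][name] = urls
    return report


# Constructed sample "files" (not real evidence): a notes file with PII, browser
# history, two identical high-entropy blobs and a low-entropy text file.
SAMPLE_FILES = {
    "hr/notes.txt": b"SSN 123-45-6789, card 4111 1111 1111 1111, not a card 1234 5678 9012 3456",
    "web/history.txt": b"visited http://example.com/login then https://intranet.corp/share?id=7",
    "tmp/a.bin": bytes(range(256)) * 4,
    "tmp/b.bin": bytes(range(256)) * 4,
    "docs/readme.txt": b"hello world " * 20,
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_FILES), indent=2))
```

The Luhn check is what keeps a scan like this usable on real disks: any 16-digit run matches the pattern, but only about one in ten passes the checksum, so the examiner's report is not flooded with serial numbers and timestamps.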




Ambreesh Bhagtani, Guidance Software, Inc.                      14

More Related Content

Viewers also liked

Casos de sucesso
Casos de sucessoCasos de sucesso
Casos de sucesso
TechBiz Forense Digital
 
Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)
TechBiz Forense Digital
 
10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter
TechBiz Forense Digital
 
Artigo crime virtual
Artigo crime virtualArtigo crime virtual
Artigo crime virtual
mrojr
 
16 03 - institucional
16 03 - institucional16 03 - institucional
16 03 - institucional
TechBiz Forense Digital
 
Cnasi sp apresentação marcelo souza
Cnasi sp   apresentação marcelo souzaCnasi sp   apresentação marcelo souza
Cnasi sp apresentação marcelo souza
TechBiz Forense Digital
 
Cases forense[2]
Cases forense[2]Cases forense[2]
Cases forense[2]
TechBiz Forense Digital
 
Manual de aplicação de marca - TechBiz Forense Digital
Manual de aplicação de marca - TechBiz Forense DigitalManual de aplicação de marca - TechBiz Forense Digital
Manual de aplicação de marca - TechBiz Forense Digital
TechBiz Forense Digital
 

Viewers also liked (8)

Casos de sucesso
Casos de sucessoCasos de sucesso
Casos de sucesso
 
Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)Artigo velasquez (combate a crimes digitais)
Artigo velasquez (combate a crimes digitais)
 
10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter10 atributos que o seu firewall precisa ter
10 atributos que o seu firewall precisa ter
 
Artigo crime virtual
Artigo crime virtualArtigo crime virtual
Artigo crime virtual
 
16 03 - institucional
16 03 - institucional16 03 - institucional
16 03 - institucional
 
Cnasi sp apresentação marcelo souza
Cnasi sp   apresentação marcelo souzaCnasi sp   apresentação marcelo souza
Cnasi sp apresentação marcelo souza
 
Cases forense[2]
Cases forense[2]Cases forense[2]
Cases forense[2]
 
Manual de aplicação de marca - TechBiz Forense Digital
Manual de aplicação de marca - TechBiz Forense DigitalManual de aplicação de marca - TechBiz Forense Digital
Manual de aplicação de marca - TechBiz Forense Digital
 

Similar to En case cybersecurity automating incident response-bhagtani-5-22-2012 [compatibility mode]

Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
Cenzic
 
ASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devices
Cyber Security Alliance
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
Priyanka Aash
 
Appsec Introduction
Appsec IntroductionAppsec Introduction
Appsec Introduction
Mohamed Ridha CHEBBI, CISSP
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
Satria Ady Pradana
 
How to design good APIs
How to design good APIsHow to design good APIs
How to design good APIs
André Vieira
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
Abhishek Singh
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021
Alexandre Rebert
 
From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
Satria Ady Pradana
 
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBMArrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
Arrow ECS UK
 
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti MohulCsa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Cloud Security Alliance, UK chapter
 
SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2
SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2 SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2
SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2
SAP PartnerEdge program for Application Development
 
Deconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven DesignDeconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven Design
VMware Tanzu
 
JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)
Graeme_IBM
 
Continuous delivery on the cloud
Continuous delivery on the cloudContinuous delivery on the cloud
Continuous delivery on the cloud
Anand B Narasimhan
 
Web Performance Acceleration with Strangeloop AS1000
Web Performance Acceleration with Strangeloop AS1000Web Performance Acceleration with Strangeloop AS1000
Web Performance Acceleration with Strangeloop AS1000
Thomas Stensitzki
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
Ammar WK
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
CA API Management
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
Jimmy Saigon
 
Google App Engine Update 2012
Google App Engine Update 2012Google App Engine Update 2012
Google App Engine Update 2012
David Chandler
 

Similar to En case cybersecurity automating incident response-bhagtani-5-22-2012 [compatibility mode] (20)

Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
ASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devicesASFWS 2011 - Secure software development for mobile devices
ASFWS 2011 - Secure software development for mobile devices
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
 
Appsec Introduction
Appsec IntroductionAppsec Introduction
Appsec Introduction
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
 
How to design good APIs
How to design good APIsHow to design good APIs
How to design good APIs
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021
 
From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
 
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBMArrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
Arrow ECS IBM Partner Jam - Security Update - Vicki Cooper - IBM
 
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti MohulCsa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
Csa UK agm 2019 - Web API attacks - Trends seen in the field Kriti Mohul
 
SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2
SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2 SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2
SAP NetWeaver Cloud Platform - Virtual Bootcamp - Part 2
 
Deconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven DesignDeconstructing Monoliths with Domain Driven Design
Deconstructing Monoliths with Domain Driven Design
 
JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)JVM Multitenancy (JavaOne 2012)
JVM Multitenancy (JavaOne 2012)
 
Continuous delivery on the cloud
Continuous delivery on the cloudContinuous delivery on the cloud
Continuous delivery on the cloud
 
Web Performance Acceleration with Strangeloop AS1000
Web Performance Acceleration with Strangeloop AS1000Web Performance Acceleration with Strangeloop AS1000
Web Performance Acceleration with Strangeloop AS1000
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the EnterpriseBeyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
Beyond MDM: 5 Things You Must do to Secure Mobile Devices in the Enterprise
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Google App Engine Update 2012
Google App Engine Update 2012Google App Engine Update 2012
Google App Engine Update 2012
 

More from TechBiz Forense Digital

Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1
TechBiz Forense Digital
 
Apresentação SegInfo
Apresentação SegInfoApresentação SegInfo
Apresentação SegInfo
TechBiz Forense Digital
 
NetWitness
NetWitnessNetWitness
Palantir
PalantirPalantir
Online fraud report_0611[1]
Online fraud report_0611[1]Online fraud report_0611[1]
Online fraud report_0611[1]
TechBiz Forense Digital
 
Ata srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitnessAta srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitnessTechBiz Forense Digital
 
Road Show - Arcsight ETRM
Road Show - Arcsight ETRMRoad Show - Arcsight ETRM
Road Show - Arcsight ETRM
TechBiz Forense Digital
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
TechBiz Forense Digital
 
CyberSecurity
CyberSecurityCyberSecurity
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
TechBiz Forense Digital
 
Access data
Access dataAccess data
01 11- alexandre atheniense
01 11- alexandre atheniense01 11- alexandre atheniense
01 11- alexandre atheniense
TechBiz Forense Digital
 
Avanços tecnológicos em perícia computacional e resposta a incidentes
Avanços tecnológicos em perícia computacional e resposta a incidentesAvanços tecnológicos em perícia computacional e resposta a incidentes
Avanços tecnológicos em perícia computacional e resposta a incidentes
TechBiz Forense Digital
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
TechBiz Forense Digital
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
TechBiz Forense Digital
 
Institucional TechBiz Forense Digital
Institucional TechBiz Forense DigitalInstitucional TechBiz Forense Digital
Institucional TechBiz Forense Digital
TechBiz Forense Digital
 

More from TechBiz Forense Digital (16)

Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1Insa cyber intelligence_2011-1
Insa cyber intelligence_2011-1
 
Apresentação SegInfo
Apresentação SegInfoApresentação SegInfo
Apresentação SegInfo
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Palantir
PalantirPalantir
Palantir
 
Online fraud report_0611[1]
Online fraud report_0611[1]Online fraud report_0611[1]
Online fraud report_0611[1]
 
Ata srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitnessAta srp 015 2010 v1 - marinha - netwitness
Ata srp 015 2010 v1 - marinha - netwitness
 
Road Show - Arcsight ETRM
Road Show - Arcsight ETRMRoad Show - Arcsight ETRM
Road Show - Arcsight ETRM
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
 
VeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence ServicesVeriSign iDefense Security Intelligence Services
VeriSign iDefense Security Intelligence Services
 
Access data
Access dataAccess data
Access data
 
01 11- alexandre atheniense
01 11- alexandre atheniense01 11- alexandre atheniense
01 11- alexandre atheniense
 
Avanços tecnológicos em perícia computacional e resposta a incidentes
Avanços tecnológicos em perícia computacional e resposta a incidentesAvanços tecnológicos em perícia computacional e resposta a incidentes
Avanços tecnológicos em perícia computacional e resposta a incidentes
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
Institucional TechBiz Forense Digital
Institucional TechBiz Forense DigitalInstitucional TechBiz Forense Digital
Institucional TechBiz Forense Digital
 

Recently uploaded

Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 

Recently uploaded (20)

Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
National Security Agency - NSA mobile device best practices
En case cybersecurity automating incident response-bhagtani-5-22-2012 [compatibility mode]

Benefits of Automating Incident Response

•Analyze multiple alerts at the same time
•Reduce Costs
•Multiple Machines Analyzed
•Faster Response
•Critical Data preserved
•Full extent of the breach identified

Page 7

Incident Response Flow / Architecture

[Diagram: SIEM / IDS / IPS / DLP etc. -> Integration Code -> EnCase Cybersecurity]

Page 8
Web APIs

Computers need a language to communicate!
Application Programming Interfaces – APIs

Page 9

SOAP Request – Get Guidance Stock Price

    Host: www.stockprice.com
    Content-Type: application/soap+xml; charset=utf-8

    <?xml version="1.0"?>
    <!-- soap: is the SOAP 1.2 envelope namespace; the m: URI is not shown on the slide and is illustrative -->
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                   xmlns:m="http://www.stockprice.com/stock">
      <soap:Body>
        <m:GetStockPrice>
          <m:StockName>GUID</m:StockName>
        </m:GetStockPrice>
      </soap:Body>
    </soap:Envelope>

Page 10

SOAP Response – Stock Price Response

    HTTP/1.1 200 OK
    Content-Type: application/soap+xml; charset=utf-8
    Content-Length: nnn

    <?xml version="1.0"?>
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                   xmlns:m="http://www.stockprice.com/stock">
      <soap:Body>
        <m:GetStockPriceResponse>
          <m:Price>800.00</m:Price>
        </m:GetStockPriceResponse>
      </soap:Body>
    </soap:Envelope>

Page 11

WSDL – What is it?

Web Services Description Language: the contract that tells a client which operations a service exposes and what each request and response looks like, e.g.

    <m:GetStockPrice>
      <m:StockName>IBM</m:StockName>
    </m:GetStockPrice>

Page 12

WSDL – Operation

    <operation name="GetLastTradePrice">
      <soap:operation/>
      <input>
        <soap:body use="literal"/>
      </input>
      <output>
        <soap:body use="literal"/>
      </output>
    </operation>

Page 13

Exercise 1 – Call a Web API

Objective – Get All Cases
Assumption – Pre-created case

Page 14
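The exchange on pages 10 to 13, carried end to end in Python as an added example (this is not code from the deck or from Guidance Software, and the EnCase Cybersecurity Web API's own operation names, such as the one behind Exercise 1's "Get All Cases", are not shown in the slides, so the deck's GetStockPrice service stands in). The m: namespace URI, the request path /StockQuote and the fault reply are assumptions; the envelope namespace is the one the SOAP 1.2 specification fixes. The client escapes the value it puts into StockName, which matters once that value is copied from an alert field, and the response parser refuses a reply that is not the envelope the WSDL describes instead of quietly returning nothing:

```python
"""SOAP 1.2 GetStockPrice round trip: build the request, parse the reply."""
from decimal import Decimal
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Fixed by the SOAP 1.2 specification (the slides' Content-Type is application/soap+xml).
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
# The slides use the "m:" prefix but never show its URI: this value is an assumption.
M_NS = "http://www.stockprice.com/stock"
HOST = "www.stockprice.com"          # from the slides
PATH = "/StockQuote"                 # assumption; the slides show no request line

SOAP = "{%s}" % SOAP_NS              # ElementTree's {uri}tag notation
M = "{%s}" % M_NS


def build_envelope(stock_name: str) -> bytes:
    """Return the GetStockPrice envelope from page 10, well-formed.

    StockName is XML-escaped: a value copied from an alert field must not be
    able to close the element and inject its own XML into the request.
    """
    xml = (
        '<?xml version="1.0"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:m="{M_NS}">'
        "<soap:Body><m:GetStockPrice>"
        f"<m:StockName>{escape(stock_name)}</m:StockName>"
        "</m:GetStockPrice></soap:Body></soap:Envelope>"
    )
    return xml.encode("utf-8")


def build_http_request(stock_name: str) -> bytes:
    """Wrap the envelope in the HTTP headers from page 10, with a real Content-Length."""
    body = build_envelope(stock_name)
    head = (
        f"POST {PATH} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        "Content-Type: application/soap+xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body


def parse_request(envelope: bytes) -> str:
    """Server side: pull StockName out of a GetStockPrice envelope."""
    root = ET.fromstring(envelope)
    name = root.findtext(f"{SOAP}Body/{M}GetStockPrice/{M}StockName")
    if name is None:
        raise ValueError("no m:GetStockPrice/m:StockName in request")
    return name


def parse_price(envelope: bytes) -> Decimal:
    """Client side: pull m:Price out of the page 11 reply, or raise on a soap:Fault.

    In an automated pipeline a silent None here would be logged as "no price"
    and the failed lookup would never be investigated, so shape errors and
    faults are raised instead.
    """
    root = ET.fromstring(envelope)
    if root.tag != f"{SOAP}Envelope":
        raise ValueError(f"not a SOAP 1.2 envelope: {root.tag}")
    fault = root.find(f"{SOAP}Body/{SOAP}Fault")
    if fault is not None:
        reason = fault.findtext(f"{SOAP}Reason/{SOAP}Text") or "unspecified"
        raise ValueError(f"SOAP fault: {reason}")
    price = root.findtext(f"{SOAP}Body/{M}GetStockPriceResponse/{M}Price")
    if price is None:
        raise ValueError("no m:Price in response")
    return Decimal(price)


# Constructed sample replies: the 800.00 reply mirrors page 11, the fault is made up here.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:m="{M_NS}">
  <soap:Body>
    <m:GetStockPriceResponse>
      <m:Price>800.00</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>""".encode()

SAMPLE_FAULT = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <soap:Fault>
      <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
      <soap:Reason><soap:Text xml:lang="en">Unknown stock name</soap:Text></soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>""".encode()


if __name__ == "__main__":
    print(build_http_request("GUID").decode())
    print("price:", parse_price(SAMPLE_RESPONSE))
```

The same pattern applies to Exercise 1: replace the operation and element names with the ones from the EnCase Cybersecurity WSDL, keep the escaping on every value that originated in an alert, and keep the fault check so a rejected call shows up as an error rather than an empty case list.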
Exercise 2 – Use SIEM to call Integration Code

Page 15

Page 16

ArcSight Integration UI

Page 17

Event Configuration

Page 18

How it Works: Retrieving Results

Request… (the parameters the SIEM passes to the integration code):
1. /case "case 1"
2. /source "safe – source"
3. /ip "192.168.85.151"
4. /event $event[eventId] -> variable that captures the eventId associated with the alert
5. /module snapshot
6. /log true
7. /demo

Page 20

Configure Response

Page 21

Status of the Scan

Page 22

Set up the Response

Page 23

Jobs are created; the examiner picks up the job.

Page 24

Forensic Analysis

Forensics Report

Page 25

Type of Scan
• SPA
• Profiling
• Entropy
• Find identical files
• Personal Information Identification
  • Find SSNs, credit card numbers…
• Internet Artifacts
  • Find URLs
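The request on page 20 is the contract between the SIEM and the integration code, and the integration code is the place to validate it before a job is created. The following is an added example of that validation in Python (not the deck's or Guidance Software's integration code; the slides do not say what language it was written in). The switch syntax, the quoting and the $event[eventId] placeholder are from the slide; the allow-list of module names, the RFC 1918 target scope and the numeric event-id check are assumptions made here, and the substituted event id 1234567 is a constructed value:

```python
"""Parse and validate the request a SIEM passes to the integration code (page 20)."""
import ipaddress
import shlex

REQUIRED = ("case", "source", "ip", "module")
# Only "snapshot" appears in the slides; this allow-list is an assumption of the example.
ALLOWED_MODULES = {"snapshot"}
# Address ranges the integration code is willing to target: an assumption (RFC 1918
# space), chosen so a mangled /ip cannot point a collection at an internet host.
TARGET_SCOPE = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_switches(argv):
    """Turn ['/case', 'case 1', '/demo'] into {'case': 'case 1', 'demo': True}.

    A switch followed by a token that does not start with '/' takes it as its
    value; a trailing or back-to-back switch is a boolean flag (/demo).
    """
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("/") or len(tok) < 2:
            raise ValueError(f"unexpected token {tok!r}")
        name = tok[1:].lower()
        if name in opts:
            raise ValueError(f"duplicate switch /{name}")
        if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[name] = argv[i + 1]
            i += 2
        else:
            opts[name] = True
            i += 1
    return opts


def build_job(command: str) -> dict:
    """Validate the page-20 request and return the job to hand to EnCase."""
    opts = parse_switches(shlex.split(command))
    missing = [k for k in REQUIRED if k not in opts or opts[k] is True]
    if missing:
        raise ValueError("missing value for: " + ", ".join("/" + k for k in missing))

    target = ipaddress.ip_address(opts["ip"])      # rejects anything that is not an address
    if not any(target in net for net in TARGET_SCOPE):
        raise ValueError(f"{target} is outside the collection scope")

    module = opts["module"].lower()
    if module not in ALLOWED_MODULES:
        raise ValueError(f"unknown module {module!r}")

    # $event[eventId] is substituted by ArcSight before the command runs. If the
    # literal arrives here, the SIEM-side mapping is broken: fail loudly rather
    # than create a job with no link back to the alert.
    event = opts.get("event")
    event_id = None
    if event is not None:
        if event is True or event.startswith("$"):
            raise ValueError(f"event id not substituted by the SIEM: {event!r}")
        if not event.isdigit():                    # numeric event ids: an assumption here
            raise ValueError(f"event id is not numeric: {event!r}")
        event_id = int(event)

    log = opts.get("log", "false")
    return {
        "case": opts["case"],
        "source": opts["source"],
        "target": str(target),
        "module": module,
        "event_id": event_id,
        "log": log is True or str(log).lower() == "true",
        "demo": opts.get("demo") is True,
    }


# Constructed examples: the slide shows $event[eventId] unexpanded; 1234567 stands in
# for a value ArcSight has substituted.
SAMPLE_COMMAND = ('/case "case 1" /source "safe – source" /ip "192.168.85.151" '
                  '/event 1234567 /module snapshot /log true /demo')
UNSUBSTITUTED_COMMAND = SAMPLE_COMMAND.replace("1234567", "$event[eventId]")

if __name__ == "__main__":
    print(build_job(SAMPLE_COMMAND))
```

Rejecting an unexpanded $event[eventId] is the check most worth keeping: the job would otherwise still run, but the snapshot could never be tied back to the alert that triggered it, which is exactly the data-visibility link the automated flow is meant to provide.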
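The scan types on the last slide are described only by name. As an added example (not EnCase code, and not a description of how EnCase implements these scans), here is what four of them reduce to when written from scratch in Python: an entropy scan that flags packed or encrypted payloads, an identical-file scan by content hash, personal-information scans for SSNs and Luhn-valid card numbers, and an internet-artifact scan for URLs. The sample file set, the 7.2 bits-per-byte packing threshold and the paths are constructed for the example:

```python
"""Host-side checks behind the scan types on the last slide, run over constructed data."""
import hashlib
import math
import re
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Entropy scan: packed or encrypted payloads sit near 8 bits/byte; the cutoff is an assumption."""
    return shannon_entropy(data) >= threshold


def find_identical_files(files: dict) -> dict:
    """Group files whose content hashes match: {sha256: [names]} for groups of two or more."""
    groups = defaultdict(list)
    for name, content in files.items():
        groups[hashlib.sha256(content).hexdigest()].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


# SSN format rules: no 000/666/9xx area, no 00 group, no 0000 serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; the Luhn check removes most false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def find_credit_cards(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_urls(text: str) -> list:
    return URL_RE.findall(text)


# Constructed sample "disk": two identical droppers, one packed blob, one notes file.
SAMPLE_FILES = {
    "C:/Users/bob/AppData/Local/Temp/svchost.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    "C:/ProgramData/update.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    "C:/ProgramData/payload.bin": bytes(range(256)) * 4,
    "C:/Users/bob/notes.txt": (
        b"ssn 123-45-6789 card 4111 1111 1111 1111 bogus 1234-5678-1234-5678 "
        b"seen at http://198.51.100.20/update.php?id=7 and https://example.com/"
    ),
}


def scan(files: dict) -> dict:
    """Run every scan type over the file set and collect findings per file."""
    report = {"identical": find_identical_files(files), "packed": [],
              "ssn": {}, "cards": {}, "urls": {}}
    for name, content in files.items():
        if looks_packed(content):
            report["packed"].append(name)
        text = content.decode("latin-1")           # byte-preserving decode for the regex scans
        for key, fn in (("ssn", find_ssns), ("cards", find_credit_cards), ("urls", find_urls)):
            hits = fn(text)
            if hits:
                report[key][name] = hits
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_FILES), indent=2))
```

The identical-file scan is the one that scales the manual process down: once the examiner has one hash for the dropper found on the first host, the same grouping run across every snapshot answers the "full extent of the breach" question from page 7 without opening each machine by hand.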