When an attack strikes, or a suspected breach is underway, time
is everything. Unfortunately, alerts sent from intrusion detection systems,
security information and event managers (SIEMs), data leak prevention tools and
others aren't always the most accurate. Yet every time-consuming false alert
and lost moment is costly to the effectiveness of the IT security program.
The trouble is that, historically, initial forensic investigations
require detailed training, and that expertise isn't always available at short
notice - if you even have those skills readily available on staff.
Helping to automate incident response, without the need for
extensive forensic training, is one of the strongest points of EnCase
Cybersecurity. When you first suspect, or know, an attack is underway, the
first thing that needs to be accomplished is to validate the alerts as well as understand
the nature of the attack and the depth of its impact.
- Is the attack coming from:
  - A malicious insider?
  - A knowledgeable and determined outside attacker?
  - A low-risk malware infection that's not likely to have progressed beyond a single system?
- How many endpoints or servers are involved?
- How many hours, days, weeks, or months has the threat likely been present?
These are questions that can truly only be answered after a
complete examination of affected systems. EnCase Cybersecurity helps security
teams do just that without deep forensics expertise, through its ability to
expose and automate forensic response actions in the console they are most used
to working in, such as a SIEM. This provides teams what they need not only to
validate, but also to have a working understanding of how the threat is
affecting any given endpoint, and to identify how deep the compromise does - or
doesn’t - go.
As a simple example, take an alert
type that has a high false positive rate because the indicated system is running
unpatched anti-virus. Normally, validating this false positive requires
involvement from IT, and the time it takes for IT to obtain access to the
system and report back the status of the installed anti-virus software could
run to several days. If a forensic incident response solution were integrated
into the alerting system, validating this false positive would be a simple matter
of automating a hash look-up: comparing the hash of the anti-virus executable, or
a related file, on the endpoint against the hash of the known up-to-date version,
with the entire process taking mere seconds. The same concept can be used to
validate malware detected in motion - that is, to know immediately whether the
attack was successful by checking whether the detected sample actually landed on disk.
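The two hash look-ups just described, written out as an added example (not code from the original post or from EnCase); the file contents, the "up-to-date AV" hash set and the paths are all constructed for the demo, and `demo()` stands in for the alert-handler hook a SIEM integration would call:

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_of_file(path):
    """Stream the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_av_alert(av_binary_path, current_av_hashes):
    """'false_positive' when the endpoint's AV engine matches a known up-to-date
    build; otherwise 'escalate', since the engine is stale or has been altered."""
    digest = sha256_of_file(av_binary_path)
    return ("false_positive" if digest in current_av_hashes else "escalate"), digest


def triage_inmotion_alert(detected_sample_hash, scan_paths):
    """'compromised' if the sample seen on the wire now exists on disk (attack
    succeeded), 'blocked' if none of the scanned files matches its hash."""
    for path in scan_paths:
        if sha256_of_file(path) == detected_sample_hash:
            return "compromised", path
    return "blocked", None


def demo():
    """Constructed endpoint artifacts: a stale host, a current host, a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        stale = os.path.join(d, "stale", "avengine.exe")
        current = os.path.join(d, "current", "avengine.exe")
        dropped = os.path.join(d, "current", "dropped.bin")
        for path, data in ((stale, b"constructed AV engine v1"),
                           (current, b"constructed AV engine v2"),
                           (dropped, b"constructed malware sample")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        up_to_date = {hashlib.sha256(b"constructed AV engine v2").hexdigest()}
        sample_hash = hashlib.sha256(b"constructed malware sample").hexdigest()
        verdict, landed = triage_inmotion_alert(sample_hash, [current, dropped])
        return {"stale_host": triage_av_alert(stale, up_to_date)[0],
                "current_host": triage_av_alert(current, up_to_date)[0],
                "inmotion": verdict,
                "landed_at": os.path.basename(landed) if landed else None}
```

In practice the "up-to-date" hash set comes from the vendor's current release, and the scan paths come from the alert's own indicators (drop path, process image), so the verdict can be written straight back onto the SIEM alert.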
All of this is completed without the biases or misguided assumptions
that cloud the judgment of many investigators during an investigation. The
forensic-grade, disk-level visibility granted by EnCase Cybersecurity provides
teams a transparent, accurate view of what's happening and what exists on
endpoints, from advanced malware to misplaced regulated data, and helps teams
to quickly understand the nature of attacks.
The tools are out there to help simplify incident response and
forensic analysis in today's threat landscape, and it's time more organizations
started using them.