They often hit endpoints quickly, sometimes through little-known zero-day vulnerabilities in browsers, operating systems, and other applications. Once in, they sit clandestinely and await instructions, which may be to exfiltrate data of value, burrow deeper into the infrastructure, launch attacks on others, or wait for a more opportune time to strike.
It may be startling to many, but faith in traditional defenses to fight these attacks is often misguided: anti-virus, intrusion detection and prevention systems, firewalls, and other old-line defenses fail to block, let alone identify, these attacks, and they provide no quick visibility into what is occurring on the network.
Guidance Software has recently partnered with FireEye, Inc. to help clear away the fog by integrating communications between their Malware Protection System (MPS) Appliances, which analyze and protect network traffic, and our EnCase Cybersecurity software, which secures the endpoint. Together, the two solutions provide a clear view into attempted attacks.
One of the first things customers of our partner FireEye explain, as soon as they install the FireEye MPS Appliance, is that they can suddenly see things they couldn’t see before, such as numerous bad outbound and inbound communications they previously had no idea were underway.
But seeing the threats is very different from being able to understand precisely what they’re doing on the endpoint. Security and IT managers need to know whether malicious traffic is a threat to their networks and infrastructure, and whether any of these attacks have successfully compromised an endpoint.
This is where the FireEye-Guidance relationship comes in. When the FireEye MPS Appliance identifies nefarious traffic, the integration with EnCase Cybersecurity makes it possible to automatically validate whether the attacks detected over the wire have successfully penetrated any systems attached to the network.
This integration between FireEye and EnCase Cybersecurity provides customers with everything they need to scope and remedy compromised endpoints.
To achieve this we’ve built an Enterprise Service Bus (ESB), a way to communicate with other technologies. With the new integration, EnCase Cybersecurity listens for FireEye MPS to report detected events via an XML feed that is translated by the listener service. Using just the IP address information and hash values related to the FireEye-detected event, EnCase Cybersecurity first validates whether or not the attack successfully compromised the indicated endpoint(s). Once it confirms the presence of malware, additional information related to the attack will be collected and presented to the security analyst via a thin-client review capability. By capturing attack artifacts and indicators in this manner at the time of the alert, the security team can be confident that they have a complete picture of the attack, and a wealth of information with which to triage, determine risk exposure, and accelerate remediation efforts.
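The validation step described above, as an added illustration that is not Guidance Software’s or FireEye’s code: a listener takes a network alert carrying a victim IP and a file hash, and checks it against hashes collected from the named endpoint. The XML schema, the alert feed and the endpoint inventory are all constructed for the example; FireEye’s real MPS alert format is not shown on this page.

```python
import re
import xml.etree.ElementTree as ET

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample feed in a hypothetical schema (not FireEye's real
# MPS format). A feed received from another appliance is untrusted input;
# for production parsing, defusedxml is the safer choice than ElementTree.
SAMPLE_FEED = """<alerts>
  <alert id="demo-1"><victim ip="10.0.0.25"/><malware md5="D41D8CD98F00B204E9800998ECF8427E"/></alert>
  <alert id="demo-2"><victim ip="10.0.0.26"/><malware md5="not-a-hash"/></alert>
  <alert id="demo-3"><victim ip="10.0.0.27"/><malware md5="0cc175b9c0f1b6a831c399e269772661"/></alert>
  <alert id="demo-4"><victim ip="10.0.0.99"/><malware md5="0cc175b9c0f1b6a831c399e269772661"/></alert>
</alerts>"""

# Constructed endpoint inventory: MD5s of files an agent collected per host.
ENDPOINT_FILE_HASHES = {
    "10.0.0.25": {"d41d8cd98f00b204e9800998ecf8427e", "900150983cd24fb0d6963f7d28e17f72"},
    "10.0.0.26": {"900150983cd24fb0d6963f7d28e17f72"},
    "10.0.0.27": {"900150983cd24fb0d6963f7d28e17f72"},
}


def parse_alerts(feed_xml):
    """Return (alert_id, victim_ip, md5) triples; md5 is None when the feed
    value is malformed, so a bad entry can never act as a wildcard match."""
    out = []
    for alert in ET.fromstring(feed_xml).findall("alert"):
        ip = alert.find("victim").get("ip")
        md5 = (alert.find("malware").get("md5") or "").lower()
        out.append((alert.get("id"), ip, md5 if HEX_MD5.match(md5) else None))
    return out


def validate_alerts(feed_xml, inventory):
    """Map each alert id to a verdict an analyst can triage on:
    confirmed, not_found, unknown_host, or malformed_hash."""
    verdicts = {}
    for alert_id, ip, md5 in parse_alerts(feed_xml):
        if md5 is None:
            verdicts[alert_id] = "malformed_hash"   # surfaced, not dropped
        elif ip not in inventory:
            verdicts[alert_id] = "unknown_host"     # no endpoint data yet
        elif md5 in inventory[ip]:
            verdicts[alert_id] = "confirmed"        # attack reached the host
        else:
            verdicts[alert_id] = "not_found"        # blocked or not applicable
    return verdicts
```

Only "confirmed" alerts would proceed to the deeper artifact collection; "not_found" covers the cases the post mentions where a firewall rule or IPS stopped the attack or the targeted OS is absent.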
Without this network-to-endpoint view provided by the FireEye MPS Appliance and EnCase Cybersecurity, there’s no realistic way to tell whether exploits and attacks are harmless to an infrastructure (such as exploits targeting an OS that does not exist on the network), or whether some other countermeasure, such as a firewall rule or intrusion-prevention system, has successfully blocked an attack.
Additionally, EnCase Cybersecurity grabs all of the data about the state of the machine, including what processes are running in RAM, what services and system libraries are loaded, who is authenticated to the machine, and more. With that information, the security analyst not only understands which systems are truly at risk, but also has what they need to understand the attack itself more deeply.
What this coupling of FireEye and EnCase technology does is clear much of the fog associated with all of the data that pounds security analysts’ management console screens every day. And it makes it possible for them to make clear, well-informed decisions all the way through remediation. For more information about the Guidance Software and FireEye collaboration, check out our press release, and download the datasheet.