The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.
Day One of @CEIC_Conf started early. We had staff breakfast at 7:30 AM. Over breakfast, I was privileged to have a preview of David Shaver’s lab Following an Intrusion Through a Microsoft Operating System (Automated and Manual) – May 20th, 1:30 PM – 3:00 PM. Dave is a Special Agent for the SIGTARP and we served together in the US Army Criminal Investigation Command (CID). He is one of the foremost experts in digital investigations, and he will take you through an incident response with EnCase® and freeware tools.
Afterward, I worked with Jason Fredrickson and Jamey Tubbs to install the EnCase Analytics server for Jason’s presentation Leveraging Endpoint Data to Solve Big Business Problems with EnCase Analytics, which took place today from 4:30 PM to 6:00 PM. As I left Jason’s session room, I found motivated attendees lined up before 9:00am, ready for Registration to open.
After helping Jason, I assisted Josh Beckett, product manager for EnCase Cybersecurity, with creating a whitelist of all known good files on a machine in the Cybersecurity and Compliance lab. The whitelist is a matching files set containing the file name, MD5 hash value and file size. With this whitelist, Josh was able to create a System Profile in EnCase® Cybersecurity for the lab machines; and utilizing the System Profile and Analysis module, he will be able to quickly find any and all executables running or on the file system, which were introduced after the base build. Blacklists of known malware can also be added. This is a very powerful tool for locating unknown threats, including zero day malware. Each of the 77 lab machines has an EnCase Cybersecurity Examiner Service installed. When we ran the System Profile and Analysis job and a Snapshot job against all of the lab machines, it was exciting to see the Global database efficiently distribute the job tasks to each of the Examiner Services. This is true Enterprise scalability, as seen in the image below, with 137 individual tasks managed on the dozens of Examiners. You can join me for Josh’s lab tomorrow morning (May 20th), Cybersecurity 101 – 8:00 AM to 9:15 AM. Next, Aaron Bennett and I did a live walk through of our lab for tomorrow, How to Configure and Use SQL with EnCase Cybersecurity – May 20th 11:00 AM to 12:00 PM.
The Exhibit Hall opened at 1:00 PM, the first time before the Keynote Address. Attendees were able to have a first look at the 50 partners who are, as president and CEO Victor Limongelli later described in his Keynote, part of the collaboration of the Good Guys in protecting data. The Keynote began at 3:00 PM, with Alex Andrianopoulos, vice president of marketing. Alex shared a number of noteworthy facts:
- CEIC attendees come from 44 countries, with significant representation from Canada, the United Kingdom, France, South Korea and Brazil
- There are 10 tracks, 83 speakers, 103 sessions, 432 lab machines, representing over 200,000 session seat hours
- The CISO Summit on Defending the Enterprise was expanded to include Chief Legal Officers; with 40+ CISOs and CLOs, and speakers from Dell, Best Buy and Nissan
- The CEIC Exhibit Hall Theater is open this year, with short presentations by Guidance Software, FireEye, HBGary and immixGroup
- A CEIC 2013 Cartoon Caption Contest is on Facebook through the end of May, with an iPad to be awarded for person submitting the caption with the most ‘likes’
- CEIC Live Studio is available, where you can record a 15 minute interview of how your EnCase skills helped you close a case, win at trial or thwart a cyber-attack
- Guidance Software is here to stay in Orlando, FL; announcing the opening of a training facility to serve the southeastern United States
- CEIC will be back in Las Vegas in 2014 at Caesar’s Palace, and you can lock in the best CEIC registration price at $695 before you leave Orlando
Alex then passed the stage to Victor, who proclaimed Guidance Software is “Open for Business”. Victor shared how there is no single tool or solution to solve the many challenges in digital investigations. The good guys need to work together, through integration and interoperability. To prove his point, he shared the stage with Ashar Aziz, CTO and Founder of FireEye, who described the partnership and integration between EnCase Cybersecurity and FireEye wMPS.
Victor continued his address with how EnCase is an open platform, highlighting the EnCase® App Central ecosystem that continues to grow, with free and paid EnPacks and partners’ applications. He continued with a discussion of Forensics at Scale, where massive amounts of data are captured in the course of integrated and automated incident response, creating an opportunity for Big Data Analytics. Victor officially introduced EnCase® Analytics, an entirely new approach to expose threats that bypass detection-based security, including a demonstration of several use cases of potentially malicious user and file activity. Key capabilities include:
- Rapid analysis of massive amounts of data gathered across endpoints
- Expose patterns and anomalies indicative of real risks and threats to data
- Looks across all endpoints and servers; not constrained by signatures, indicators, behaviors or heuristics
- Presents information in a highly visual manner, providing a ‘Bird’s-eye View’ into hard-to-detect irregular or unauthorized activity
Endpoint and server data is the richest source of intelligence closest to potentially malicious activity. The initial release of EnCase Analytics will focus on incident response data, and Phase II will bring Analytics to EnCase® eDiscovery and Data Audit. Continuing with his theme of ‘Open for Business’, Victor summarized three key strategies for the EnCase Open Platform:
- EnCase App Central
- Open Enterprise Service Bus for EnCase Cybersecurity integrations
- Open Data Models for EnCase Analytics
The Welcoming Reception rounded out the official schedule for Sunday. Fresh pasta dishes were prepared on the spot, with great music and live entertainment. It was wonderful to see so many experts and practitioners in a single venue. The CEIC 2013 app is proving to be quite popular. I connected with friends and peers from around the Globe, even before their arrival today. “Checking In” to sessions, places and Exhibitor booths quickly became trendy and competitive; and I’ve been bumped down to 10th place on the leaderboard. In addition to the App, there are several other new additions to CEIC, including the Buy EnCase Now kiosk. Customers have long asked for the ability to purchase EnCase at CEIC. If you stop by the kiosk before the end of the conference you will receive a free Tableau T35u USB 3.0 Bridge and EnCase Portable v4 & SMS for one year, with the purchase of EnCase Forensic v7 & SMS for one year.
At CEIC 2012, EnCase App Central was announced. This year there is a kiosk for developers to demonstrate and sell their Apps.
As the day winds down, I’m back in the Cybersecurity and Compliance lab, where Sam Yoon (solution consultant at FireEye), Joe Murin, Aaron Bennett, David Lyman and Josh Beckett are installing the FireEye wMPS appliance into the network, and integrating it with EnCase Cybersecurity for the lab Building an Integrated Response Capability with EnCase Cybersecurity – May 21st 1:30 PM to 3:00 PM. The Good Guys are working together!
Senior Director, Curriculum Development