The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.
The first full day @CEIC_Conf 2013 began with breakfast at 7:00 AM, accessed by a trip down memory lane on the Blue Carpet with Guidance Software™ | EnCase® “Through the Years.” It reminded me of some of the historical displays I enjoy reading at airports while waiting for my flight, such as in the Hong Kong terminals, and it brought me a lot of nostalgia. It has been an honor to be part of this Winning Team for the past 12 years.
The Cybersecurity and Compliance lab track started off at 8:00 AM with Cybersecurity 101 by Josh Beckett, product manager for EnCase® Cybersecurity. I saw an opportunity to assist, and jumped on the mouse during the hands-on portion of the lab with EnCase Cybersecurity; while Josh led the attendees through use cases of Snapshot capture of volatile evidence, such as running processes, open ports, open files, logged on users, etc.; investigating live registry keys; and reporting on potential personal identifying information, including international credit cards.
After a brief break, the Industry Keynote was delivered by General Michael Hayden, who discussed the emerging global cyber-attack threats. General Hayden is a retired, four-star United States Air Force General, former Director of the Central Intelligence Agency, and former Director of the National Security Agency, a position that made him the highest-ranking military intelligence officer in the American armed forces. One of the most poignant take-aways was the security formula he received from an FBI agent: Risk = Threats (future) x Vulnerabilities (past) x Consequences (present). Bringing any one value on the right side of the equation to or near zero will eliminate or greatly reduce risk. You can rarely be better than 80% on preventing Vulnerabilities, so putting your efforts in making your network more self-aware of foreign threats will reduce Consequences, and allow you to operate while compromised. General Hayden also spoke about the emerging Threat intelligence in the private sector and the need for the ability to “hit back” at attackers; with most attacks coming from China and Russia. He lauded the companies who are filling the gaps the U.S. government cannot fill, as privacy concerns limit the reach of the government into cyberspace.
After General Hayden’s remarks, it was time to return to the sessions before lunch. Aaron Bennett and I delivered our lab How to Configure and Use SQL with EnCase Cybersecurity. I provided “color” and insights from my experiences, as Aaron led the attendees through creating, managing, and troubleshooting global databases and investigation data stores. We empowered them with the skills and resources to work with their database administrators or administer the EnCase Cybersecurity databases themselves, whichever policy is in place at their organization.
Lunch was in the Exhibit Hall, where attendees could interact with the 50+ conference sponsors, comprising the partnership of Good Guys. Outside the Exhibit Hall, the CEIC Live Studio was in operation, where attendees were recording 15-minute interviews with Anthony Di Bello (manager of strategic alliances) on how their EnCase skills helped them close a case, win at trial or thwart a cyber-attack; with Brigitte Engel (director of corporate communications) deftly managing the scheduling.
Inside the Exhibit Hall, we enjoyed a Brazilian style lunch and dessert buffet. It seemed everywhere I turned; I bumped into a former colleague, student or partner. It was a joy to catch up and reflect on how far we have come as an industry, together. We all are on the same side in this battle: the good guys; and although our employers might change over the years, that cooperation and professionalism should always remain constant.
I cut my lunch short to connect with Colby Clark and Darrell Switzer of FishNet Security, to confirm the lab setup still met all of their requirements for Incident Response 2.0 – Rapid Triage, Containment, and Remediation with FireAmp and EnCase. Colby and I worked together in Guidance Software’s R&D and Professional Services divisions; and it has been a privilege to help him and his team members learn how to leverage EnCase Cybersecurity for their practice. Colby was also quoted in the press release on EnCase® Analytics this morning: "For those of us on the front-line responsible for catching new, hard-to-detect security threats that bypass the perimeter, time to detection is very important," said Colby Clark, director of Incident Management for FishNet Security. "EnCase Analytics is a new tool we can leverage to help customers locate these hard-to-spot-threats before they do irreparable damage to the business. It also simplifies comparative analysis across machines to identify malicious anomalies and enumerate emerging threats as they begin spreading throughout an enterprise, so they can be stopped early."
I went over to the Advance Forensics lab to support my CID Army buddy Dave Shaver in his session Following an Intrusion Through a Microsoft Operating System (Automated and Manual). Dave led the attendees through a malware investigation with EnCase® Forensic, EnScripts®, manual validation and freeware tools, including ones he created himself. Dave is one of the most giving persons in the industry, always willing to freely share his knowledge, experience, and tools. Dave created his presentation, including the evidence files and tools he provided to the attendees, in only two weeks; filling in for a presenter who unexpectedly passed away this month. Our thoughts and prayers are with the family of this practitioner, who was well regarded in our community.
The last session of the day for me was Using EnCase® Analytics to Indentify Connections Between Seemingly Unrelated Data to Expose a Breach, led by Alfred Chung, EnCase Analytics product manager, and supported by Jason Fredrickson, senior director of enterprise applications, and Ryan Stinson, lead software developer for EnCase Analytics. Ryan’s father, Larry Stinson, recruited me into Guidance Software as a part-time instructor in 2000; and I know he is proud of what Ryan has accomplished. A team of instructors and I jumped in to help Alfred, Jason, and Ryan with starting the EnCase Analytics VMware image and Tableau® business intelligence software on each machine for the lab session. Alfred led the attendees in the hand-on lab with EnCase Analytics, including using the pre-created report applications and making their own custom reports. At the end of the lab, Jason challenged Alfred to create a new report application for all of the open ports on the network, sorted by the ports with the most processes attached, with the underlying processes data viewable with a double click. Alfred did it with the lab attendees in a few minutes, using the flexible Tableau desktop software. It was a powerful demonstration of how Guidance Software’s newest product will help you manage risk and compliance in your enterprise, by aggregating all the endpoint data EnCase collects into a central location and presenting it in intuitive data visualizations. Nothing like impromptu problem-solving, just like the real world!
The Happy Hour was the capstone for the day, where the CEIC Live Studio went mobile with Brigitte, capturing the stories of EnCase in Action.
Attendees, sponsors and staff enjoyed an open bar, great food and roving appetizers, with countless opportunities to network.
In the Exhibit Hall Theater, James Habben (instructor and EnScript creator) and Robert Bond (EnCase® Forensicorensic marketing manager) presented on the growth and future of EnCase App Central. There are so many business opportunities in the open platform of EnCase products!
I wrapped up my day in the Cybersecurity and Compliance lab, coordinating to ensure everything is ready for the next full day of labs. Many folks asked me where I will be tomorrow. Well, let me check my Agenda on the CEIC App...you will find it below. See you tomorrow!
Senior Director, Curriculum Development