Endpoint Intelligence (Guidance Software blog feed)<br />
<br />
<b>We've Moved! Visit Our New Blog</b> (2016-05-20)<div class="p1">
<span class="s1">We’ve got a fresh new look! </span></div>
<div class="p1">
<br /></div>
<div class="p1">
Please visit us at our NEW blog: <span class="s2"><a href="https://www.guidancesoftware.com/resources/blogs">https://www.guidancesoftware.com/resources/blogs</a></span></div>
Posted by guidancesoftware101<br />
<br />
<b>Thoughts on $19B Cybersecurity National Action Plan</b> (2016-02-10)<br />
Yesterday President Obama signed two executive orders on cybersecurity to strengthen the government’s defenses against cyber attacks and protect the personal information that citizens entrust to the government.<br />
<br />
Obama asked for $19 billion for cybersecurity efforts in his budget request, a 35 percent increase from current levels, with $3 billion requested to “kick-start an overhaul of federal computer systems.” The Cybersecurity National Action Plan will ensure:<br />
<ul class="list">
<li>Americans have the security tools they need to protect their identities online</li>
<li>Companies can protect and defend their operations and information from hackers</li>
<li>The U.S. government protects the private information citizens provide for federal benefits and services</li>
</ul>
<br />
Our own CMO, Michael Harris, added his valuable insight:<br />
<br />
“The United States must increase its investment in cybersecurity to protect our homeland. We live in a world of instant-anywhere-access. The cyber-terrorists are relentless. They morph. They adapt. They scoff at legacy authorization and hacker prevention systems. The recent wave of breaches to our Federal systems is proof of this reality. Deep forensic data analysis, detection and response technologies are essential for cybersecurity, and we encourage Congress to carefully evaluate the $19 billion spending initiative to ensure our sensitive, proprietary and military assets are protected from malicious exfiltration.” <br />
<br />
What do you think? Share your thoughts below.<br />
Posted by guidancesoftware101<br />
<br />
<b>Wishing you a happy and prosperous 2016!</b> (2016-01-01)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhatfpt0FHfcUKX2DOJGD5Q1x6Ag7tdW4Ag1UeacX7God5rk6fZnldZT0G6p3OuYymsQS8_JzpdxGiEPt6QdsOS1VKPNseKpRgNAzwLpvr6gWKtYSf3DHjP_PSP-kZNJ1BaUrOFHcK4WWwH/s1600/happyNewYear2016.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhatfpt0FHfcUKX2DOJGD5Q1x6Ag7tdW4Ag1UeacX7God5rk6fZnldZT0G6p3OuYymsQS8_JzpdxGiEPt6QdsOS1VKPNseKpRgNAzwLpvr6gWKtYSf3DHjP_PSP-kZNJ1BaUrOFHcK4WWwH/s1600/happyNewYear2016.png" /></a></div>
<br />Posted by Anonymous<br />
<br />
<b>Get to Know Our New Logo Before the Rest</b> (2015-11-03, updated 2015-11-04)<br />
UPDATE: We have our three winners! Thanks for playing and helping us celebrate our new look and logo, everyone.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivihaU8gQLj3oKv3tJMPMz3RK-20Zy6Azjvl7cfsml53V_g37Be6URu60CEHgzbYe4ADY6ksDGzG6Jw-IGFye0CRBuB9tIp1F-4cjhDCx_yHj5uy_sT4BI8FN7dk-pjvR2Twyy887VFH8/s1600/game+over.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivihaU8gQLj3oKv3tJMPMz3RK-20Zy6Azjvl7cfsml53V_g37Be6URu60CEHgzbYe4ADY6ksDGzG6Jw-IGFye0CRBuB9tIp1F-4cjhDCx_yHj5uy_sT4BI8FN7dk-pjvR2Twyy887VFH8/s320/game+over.png" width="320" /></a></div>
<br />
<br />
<br />
<h4>
Original blog post</h4>
Have you found the first part yet? Keep poking around the website - not far from this spot. If you're ready to go further, look for that "Easter egg" to claim the second part of our new logo before our announcement on Wednesday, November 4.<br />
<br />
And keep watching for more clues on our <a href="http://www.twitter.com/encase" target="_blank">@EnCase account on Twitter</a> or <a href="http://www.facebook.com/guidancesoftware" target="_blank">our Facebook page</a>. Once you have all four parts, email them to newsroom@guidancesoftware.com. Remember, the first three (based on email time stamps) to send all four parts plus the four URLs where the pieces were found will win a $250 American Express gift card, plus a polo shirt and coffee mug with our shiny new lo<a href="https://www2.guidancesoftware.com/PublishingImages/hex.jpg" target="_blank">g</a>o.<br />
Posted by Unknown<br />
<br />
<b>How to Streamline a Malware Investigation Down to 30 Minutes or Less</b> (2015-10-14)<br />
Malware incident response can be a time-consuming and frustrating process. A seasoned investigator, however, has documented steps that can bring a malware investigation down to 30 minutes or less.<br />
<br />
Joseph Salazar, an information security practitioner, presented his methodology in a lecture called “Streamlined Malware Incident Response with EnCase®,” at the Enfuse™ conference (formerly known as CEIC®) held earlier this year. This highly rated session outlined a framework to minimize user and system exposure to malware, make use of supporting infrastructure and processes, and leverage the flexibility of EnCase Endpoint Security and, even more so, EnCase Enterprise.<br />
<br />
<h4>
EnCase® Enterprise? Isn’t that a digital forensics tool? </h4>
According to Salazar, “EnCase Enterprise is critical in malware incident response. The ability to do a live examination of a running system across the network is part of the reason you can do this in 30 minutes.”<br />
<br />
If you missed this popular lecture, you can read a brief summary of it here, in this blog, and also download the complete slide presentation here: <a href="https://www.guidancesoftware.com/ceic/Documents/Streamlined%20Malware%20Incident%20Response%20with%20EnCase-Salazar-5-20-2015.pdf" target="_blank">Streamlined Malware Incident Response with EnCase</a>. We’d also like to remind you to register early for Enfuse 2016, where you can hear similar topics that will help you to further decrease your company’s exposure to unknown cyber risks or threats. <br />
<h4>
Malware is a real threat. Antivirus (AV) is not enough.</h4>
Salazar, with decades of experience in information security, including 22 years as a counter-intelligence agent, military intelligence officer and cyber security officer in the U.S. Army Reserves, introduced his session with a strong warning to information security professionals: Malware is a real threat. AV is not enough.<br />
<br />
He cited numerous industry sources on the limits of AV for malware detection, including reports that AV detects only 45 to 50 percent of attacks (<a href="https://www.guidancesoftware.com/ceic/Documents/Streamlined%20Malware%20Incident%20Response%20with%20EnCase-Salazar-5-20-2015.pdf" target="_blank">see presentation for sources</a>).<br />
<br />
To augment AV and perform malware incident response in 30 minutes, Salazar proposed a five-step investigative flow, as outlined below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVJ5MKgr1HSTdEO0vF9C1BWWhGvgZGQtHzzYZVDN-gLkS1FXsnUH9GqKl99GZ21q1rimJDoPQ9NJ76luCMo9k4yNgAz3VJMfkFhJlNLmQF_eae-6BHKjD1Bk6PG0Vai5oOY-1O-jzkHug/s1600/flowchart.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVJ5MKgr1HSTdEO0vF9C1BWWhGvgZGQtHzzYZVDN-gLkS1FXsnUH9GqKl99GZ21q1rimJDoPQ9NJ76luCMo9k4yNgAz3VJMfkFhJlNLmQF_eae-6BHKjD1Bk6PG0Vai5oOY-1O-jzkHug/s640/flowchart.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<ol>
<li>An alert is received from network monitoring. Examples: through an IDS alert, reputational alert, etc.</li>
<li>The host and/or the user is located. Examples: through proxy logs, internal DNS or AD authentication, firewall logs, etc. </li>
<li>The possible malicious executable is researched. Example: If you have a pcap, research on the binary, submit to VirusTotal, or send it through a sandbox. </li>
<li>The potential infection is investigated using EnCase Enterprise. Note: confirming an infection is usually quick, but establishing that a system is clean (a negative result) takes longer, because every indicator has to be checked before you can rule it out.</li>
<li>The malware is remediated via a wipe: Submit a request to wipe or reimage the system, or use EnCase Endpoint Security to perform a selective forensic wipe of the malicious binaries.</li>
</ol>
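As an added illustration of steps 1 through 3 (this is not part of Salazar's presentation or any EnCase tooling), the Python below takes a constructed IDS alert and correlates it against constructed DHCP lease and AD logon records to name the host that held the source IP at alert time and the user who was interactively logged on. The alert field names, the logon-type filter and the two-hour lookback are assumptions you would tune to your own logs.

```python
"""Added example, not from Salazar's talk or any EnCase component: turn an IDS
alert (source IP + time) into a hostname via DHCP leases, then into candidate
users via AD logon events. Every log line below is constructed."""
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed IDS alert. Field names are an assumption, not a product's schema.
ALERT = {"time": "2015-10-14T09:12:41", "src_ip": "10.20.4.57",
         "dst_ip": "203.0.113.9", "signature": "TROJAN Win32 C2 beacon"}

# Constructed DHCP lease records: (ip, hostname, lease_start, lease_end).
# Note the same IP was leased to a different host the night before.
DHCP_LEASES = [
    ("10.20.4.57", "WS-ACCT-12",  "2015-10-13T17:00:00", "2015-10-14T01:00:00"),
    ("10.20.4.57", "LT-SALES-07", "2015-10-14T08:30:00", "2015-10-14T16:30:00"),
    ("10.20.4.58", "WS-ACCT-13",  "2015-10-14T08:00:00", "2015-10-14T16:00:00"),
]

# Constructed AD logon events shaped like Windows event 4624:
# (time, host, account, logon_type).
AD_LOGONS = [
    ("2015-10-14T08:02:10", "WS-ACCT-13",  "CORP\\mlee",       2),
    ("2015-10-14T08:35:55", "LT-SALES-07", "CORP\\jdoe",       2),
    ("2015-10-14T08:36:02", "LT-SALES-07", "CORP\\svc_backup", 3),
    ("2015-10-14T09:40:00", "LT-SALES-07", "CORP\\admin_t1",   10),
]

INTERACTIVE_TYPES = {2, 10}   # console and RDP; type 3 (network) is noise here


def host_for_ip(ip, when, leases=DHCP_LEASES):
    """Hostname holding `ip` at `when`, or None. Matching on the lease window,
    not just the IP, avoids blaming whoever had the address earlier."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and ts(start) <= when <= ts(end):
            return host
    return None


def users_on_host(host, when, lookback=timedelta(hours=2), logons=AD_LOGONS):
    """Accounts with an interactive logon to `host` in the window before the alert."""
    since = when - lookback
    return sorted({acct for t, h, acct, ltype in logons
                   if h == host and ltype in INTERACTIVE_TYPES
                   and since <= ts(t) <= when})


def triage(alert):
    """Step 2 of the flow: alert -> host -> user, ready to hand to the examiner."""
    when = ts(alert["time"])
    host = host_for_ip(alert["src_ip"], when)
    return {"signature": alert["signature"], "host": host,
            "users": users_on_host(host, when) if host else []}


if __name__ == "__main__":
    print(triage(ALERT))
```

The lease-window match is the part worth copying: on a DHCP network the IP in the alert is only meaningful at the alert's timestamp, and a bare IP-to-host lookup will hand you the wrong machine once the lease has rolled over. The logon lookback is deliberately narrow, and network logons (type 3) are excluded so service accounts do not crowd out the interactive user you actually need to talk to.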
<br />
<h4>
Using EnScripts® to assist with and automate malware detection </h4>
Since EnCase Enterprise is the primary investigation tool recommended, Salazar suggested pairing it with EnScripts to cut down the volume of data to be reviewed and to automate its collection. He said to create an EnScript that searches for IOCs on the subject system, or to find one already developed, <a href="https://www.guidancesoftware.com/appcentral/Pages/default.aspx" target="_blank">available from EnCase® App Central</a>.<br />
<br />
The most common indications of a compromise were reviewed: <br />
<br />
<b>File signature analysis:</b> This helps you identify renamed files. Look for executables renamed with .zip or similar extensions (the MZ header gives them away), Java cache files, and anything else malware can use to execute on a system.<br />
<b>Executables (in locations they don’t belong):</b> You shouldn’t see executables in a user’s internet temp directory, for example.<br />
<b>Unexpected running processes:</b> These will show up when you do a quick snapshot in EnCase Enterprise, since it captures the running processes and their memory. This is very useful for finding what is in memory that shouldn’t be.<br />
<b>Files with weird or missing time stamps</b>: These are candidates for close inspection, as the file may have been time-stomped (its timestamps deliberately altered to blend in with its neighbours).<br />
<b>Lexical or short file names</b>: A random-looking alphanumeric file name, such as six consecutive consonants without a vowel, is a strong indicator of a malicious file. You have to tune this one, as it can also match legitimate files. Files with short file names, such as “a.exe” or “out.bin”, are suspect as well.<br />
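The following Python is an added example, not EnScript or any code from the talk. It implements the indicators above as a sweep over file metadata records (path, first bytes, created and modified times), the kind of data a live snapshot or a disk image would yield. The directory patterns, the six-consonant threshold and the sample records are constructed for illustration.

```python
"""Added example, not EnCase or EnScript code: a first-pass IOC sweep over file
metadata implementing the indicators above. Records, paths and thresholds are
constructed/assumed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx"}
PE_MAGIC = b"MZ"
# Directories where a PE file rarely belongs (assumed list; tune per estate).
SUSPECT_DIRS = re.compile(
    r"temporary internet files|\\inetcache\\|\\appdata\\local\\temp\\"
    r"|\\windows\\temp\\|\\users\\public\\|\\recycler\\", re.I)
# Six consecutive consonants; y is deliberately excluded so "rhythms" passes.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{6}", re.I)


@dataclass
class FileRecord:
    path: str
    head: bytes                  # first bytes of content (from a snapshot or image)
    created: Optional[datetime]  # None models a missing/unreadable timestamp
    modified: Optional[datetime]


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def ext_of(path: str) -> str:
    name = _name(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def stem_of(path: str) -> str:
    name = _name(path)
    return name.rsplit(".", 1)[0] if "." in name else name


def is_pe(rec: FileRecord) -> bool:
    return rec.head.startswith(PE_MAGIC)


def check_signature(rec):
    """Extension and header disagree: an MZ file called .zip, or an .exe that isn't one."""
    if is_pe(rec) and ext_of(rec.path) not in EXEC_EXTS:
        return f"PE header with {ext_of(rec.path) or 'no'} extension"
    if ext_of(rec.path) in EXEC_EXTS and not is_pe(rec):
        return "executable extension without PE header"
    return None


def check_location(rec):
    """Executable content sitting in a browser cache, temp or other drop directory."""
    if (is_pe(rec) or ext_of(rec.path) in EXEC_EXTS) and SUSPECT_DIRS.search(rec.path):
        return "executable in temp/cache directory"
    return None


def check_timestamps(rec):
    """Missing timestamps, or creation later than last write (a timestomping tell)."""
    if rec.created is None or rec.modified is None:
        return "missing timestamp"
    if rec.created > rec.modified:
        return "created after last modified"
    return None


def check_name(rec):
    """Random-looking or very short names. Expect false positives; review, don't auto-wipe."""
    stem = stem_of(rec.path)
    if CONSONANT_RUN.search(stem):
        return "6+ consecutive consonants in name"
    if len(stem) <= 3 and ext_of(rec.path) in EXEC_EXTS | {".bin"}:
        return "very short executable name"
    return None


CHECKS = (check_signature, check_location, check_timestamps, check_name)


def scan(records):
    """Map path -> list of findings, only for records with at least one hit."""
    findings = {}
    for rec in records:
        hits = [msg for msg in (chk(rec) for chk in CHECKS) if msg]
        if hits:
            findings[rec.path] = hits
    return findings


# Constructed records standing in for what a live sweep would return.
T = datetime(2015, 10, 14, 9, 10)
SAMPLE = [
    FileRecord(r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\Temporary Internet Files"
               r"\Content.IE5\A1B2C3D4\invoice.zip", b"MZ\x90\x00", T, T),
    FileRecord(r"C:\Windows\System32\kbdus.dll", b"MZ\x90\x00",
               datetime(2009, 7, 14, 1, 9), datetime(2009, 7, 14, 1, 9)),
    FileRecord(r"C:\Windows\Temp\xqzvbt.exe", b"MZ\x90\x00", T, T),
    FileRecord(r"C:\ProgramData\a.exe", b"MZ\x90\x00",
               datetime(2012, 1, 1), datetime(2008, 5, 5)),
    FileRecord(r"C:\Users\jdoe\Documents\report.docx", b"PK\x03\x04", T, T),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(path, "->", "; ".join(hits))
```

Each check returns a reason string rather than a boolean so the examiner sees why a file was flagged; the renamed "invoice.zip" in the browser cache trips two checks at once, which is the stacking that makes a hit worth opening first. The lexical rule is the noisiest, as the talk warns, so keep it last and pair it with an allowlist of known-good paths before relying on it.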
<br />
<h4>
More IOCs to Narrow Your Malware Investigation Scope</h4>
To learn about more IOCs to narrow your investigation scope, click here to download the complete presentation: <a href="https://www.guidancesoftware.com/ceic/Documents/Streamlined%20Malware%20Incident%20Response%20with%20EnCase-Salazar-5-20-2015.pdf" target="_blank">Streamlined Malware Incident Response with EnCase</a>. <br />
<br />
Don’t forget that you can attend other top-notch sessions like this one at Enfuse 2016 in Las Vegas, May 23-26, 2016. Enfuse brings the power of hands-on labs, learning sessions, and networking events together in a way that will take your work—and your career—to a whole new level.<br />
<br />
Click here to learn more about <a href="https://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx" target="_blank">Enfuse </a>and how you can save over 40% off the regular conference registration fee if you act by November 30, 2015.<br />
Posted by Unknown<br />
<br />
<b>EU Data Protection: When Your Organization's Lifeblood becomes Poisonous</b> (2015-10-01)<br />
Damian Hallmark<br />
<div class="MsoNormal">
<br />
<div class="MsoNormal">
<span lang="EN-GB">A breaking development in the EU is creating ripples that could grow into a global wave: an opinion from the European Court of Justice highlights the pending impact for any global organization that processes EU personal information outside of the EU.</span></div>
<div class="MsoNormal">
<span lang="EN-GB"><br /></span></div>
<span lang="EN-GB">A privacy campaigner has scored a legal victory that could bolster his attempts to prevent Facebook from passing EU citizens' data to the US authorities, in what the campaigner suggests could have far-reaching consequences. The opinion <a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf"><b>issued by the Advocate General of the European Court of Justice</b></a>, the Court's legal adviser, says that the current data-sharing rules between the 28-nation bloc and the US are "invalid." If the Court follows it, the decision could affect other tech firms' ability to send Europeans' information to US data centres.</span><br />
<a name='more'></a><div class="MsoNormal">
<br />
<span lang="EN-GB">Although this opinion is not a final judgment, the EU's high court has tended to follow the opinions of its legal adviser. So while the 15 judges involved have yet to issue a conclusive ruling of their own on the matter, the opinion firmly shines a spotlight on the wider data-protection changes, which are expected to be adopted not long after the new year. Those changes affect private and public sectors alike, with the regulation stipulating that contractual agreements be in place between data controllers and processors that ensure joint responsibility for liabilities and sanctions.</span></div>
<div class="MsoNormal">
<span lang="EN-GB"><br /></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">Impact
on Data Controllers<o:p></o:p></span></b></div>
<div class="MsoNormal">
<b><span lang="EN-GB"><br /></span></b></div>
<div class="MsoNormal">
<span lang="EN-GB">For the data controller, the regulations introduce binding contracts with data processors, underpinning the policies and technology required for the appropriate processing of personal data. The changes for data processors are the most visible. Under the existing data directive, liability for data breach notification and for failure to protect personal data lies solely with the data controller. The new regulation makes this a joint liability, with private-sector sanctions expected to be in the range of two to four percent of global annual turnover. Data processors will therefore need electronic discovery technology that keeps them in step with the data controllers they serve within the EU.</span></div>
<div class="MsoNormal">
<span lang="EN-GB"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB">With a focus on the information market, data portability, and accessibility, the new regulations bring much-needed change to the way personal data is processed and protected, both within the union and wherever the data is processed. This in turn has implications for the Freedom of Information Act and subject-access requests, as part of an overarching drive to bring harmony to a struggling Data Protection Directive. After all, the directive could not have foreseen the explosion of internet, mobile and cloud data, or the globalization of organizations. The ability for organizations to forensically identify and locate key information through electronic discovery processes ensures that requests under either the Freedom of Information Act or the subject-access rules can be completed efficiently and economically.</span></div>
<br />
<div class="MsoNormal">
<span lang="EN-GB">In 2016, when the regulations are expected to come into force, companies that provide cloud services within the EU and rely on data centers in the US will be contractually obliged to comply with the changes adopted in the European Union. The opinion presents major issues for companies such as Apple, Facebook, Google, Microsoft, and Amazon. Each of these organizations operates data centers in Europe, and each is looking at fundamentally restructuring its data storage architecture. As time passes, the new regulation may even force changes in corporate structures.</span></div>
<div class="MsoNormal">
<span lang="EN-GB"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB"><i>Damian Hallmark is a Solutions Consultant working in the U.K. office of Guidance Software.</i></span></div>
<div class="MsoNormal">
<span lang="EN-GB"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB"><b>Questions? Comments?</b> We welcome your thoughts in the section below.</span></div>
</div>
Posted by Unknown<br />
<br />
<b>Celebrating Our 5-Star Rating from SC Magazine for EnCase Endpoint Security</b> (2015-09-04)<br />
Mitchell Bezzina<br />
<div class="MsoNormal">
<br />
We’re chuffed to announce that our <a href="https://www.guidancesoftware.com/products/Pages/encase-endpoint-security/Introduction.aspx?cmpid=nav_r" target="_blank">EnCase® Endpoint Security</a> product was <a href="http://goo.gl/dUIfEk" target="_blank">given a five-star rating</a> in this month’s <i>SC Magazine</i> Endpoint Security group product review. Those of us working in security for a few years have known that “endpoint security” doesn’t equal antivirus anymore, and it’s taken a little while for that to be unanimously accepted. We believe this review validates the need for endpoint detection and response to aid perimeter, network and log tools – and is something of a turning point as well.<br />
You can read the <a href="http://goo.gl/dUIfEk" target="_blank">full review here</a>, but here are a few of the highlights:<br />
<ul class="list">
<li>"A unique forensic approach to endpoint security – effective especially when investigating an incident.”</li>
<li>“If you are an EnCase shop already, do not hesitate to add this tool to your quiver. If not, give it a close look. It can tell you things about an attack that nothing else can.”</li>
<li>“Everything is based on the observations of a kernel-level agent at the endpoint. This prevents an attacker or malware from obfuscating its activities.”</li>
<li>“EnCase Endpoint Security plays very well with others. For example, it can exchange information with such organizations as Splunk, QRadar, FireEye, Palo Alto, Intel Security, Sourcefire and Cisco ThreatGrid. Agents can be managed using Intel Security's McAfee ePolicy Orchestrator.”</li>
</ul>
<div class="MsoNormal">
Our approach to endpoint security focuses on building upon the foundation security teams have in place today, enhancing productivity of people, processes and technology where it matters the most - detecting and responding to organizational threats.<br />
<br />
When used in conjunction with our <a href="https://www.guidancesoftware.com/resources/Pages/doclib/Document-Library/Inside-Out-Security-Framework.aspx" target="_blank">Inside-Out Security Framework</a>, EnCase Endpoint Security can help you move away from a traditional passive defense strategy that relies heavily on alert-monitor-block scenarios to “protect” your network, and move towards an active defense strategy. An active defense strategy enables security teams to understand the strengths, weaknesses, and use of their networks, then defend them from a position of knowledge. There is a great write-up by Rob Lee on <a href="https://www.recordedfuture.com/active-cyber-defense-part-1/" target="_blank">active defense here</a>, and if you're looking for a strategy to help get you there, try this <a href="https://www.guidancesoftware.com/resources/Pages/doclib/Document-Library/Inside-Out-Security-Framework.aspx" target="_blank">high-level framework</a>.<br />
<br />
<b>Have you been living and breathing inside-out security as a team?</b> Have some best practices to share? Let us know in the comments section below.<br />
<br /></div>
<i>Mitchell Bezzina is the security product evangelist at Guidance Software.</i></div>
Posted by Unknown<br />
<br />
<b>Defending Your Security Program: The FTC, Breach Class Actions, and You</b> (2015-09-02)<br />
Roger Angarita<br />
<div class="MsoNormal">
<br />
Data breaches continue to fuel major media bonfires, CEOs are resigning, and the FTC is gaining ground as the data-protection enforcer on behalf of consumers and business customers. Now, in the wake of the Ashley Madison, Neiman Marcus, and Home Depot cyber-attacks, critical court decisions are occurring that may raise protection standards and increase corporate liability. The smoke signal arising from the judicial system last month was the Third Circuit’s ruling affirming the data-security authority of the Federal Trade Commission (FTC) in <i>Federal Trade Commission v. Wyndham Worldwide Corp.</i><br />
The<a href="https://www.ftc.gov/enforcement/cases-proceedings/1023142/wyndham-worldwide-corporation" target="_blank"> FTC brought a suit against Wyndham</a>, saying that the corporation engaged in “unfair and deceptive practices” relating to three data breaches in 2008 and 2009 that “unreasonably and unnecessarily” exposed the personal data of hundreds of thousands of consumers to misuse and theft. The U.S. Court of Appeals for the Third Circuit ruled on August 24, 2015 to unanimously uphold the authority of the FTC in the case.<br />
<h4>
Critical Questions Raised</h4>
We can be reasonably certain that this ruling marks the dawn of a new era in regulatory and legal requirements for data protection. As the breach enforcer, the FTC will likely be empowered to take action on behalf of consumers when class-action lawsuits do not. And it will no doubt serve as referee in lawsuits between credit card companies and hacked corporations, because no one wants to bear the financial brunt of these attacks. This complex situation raises three important questions:<br />
<ul class="list">
<li>How will “reasonable” data protection standards be defined?</li>
<li>How will companies who lack those reasonable data-protection policies and processes be penalized by the FTC in the future?</li>
<li>How will damages be calculated for civil litigation and class-action suits?</li>
</ul>
<div class="MsoNormal">
Hacked organizations' first line of defense over the past 18 months has been to claim that there is no certain way to prevent the new breed of “advanced” cyber-attacks. Yet consider that two of the most publicized breaches occurred at major retailers or service providers that had no idea where all of their sensitive data was kept and had not been performing even basic security and data-protection practices. That goes some way toward answering the first question: “reasonable” will at minimum mean knowing where your data is and protecting it.<br />
<br />
We can’t answer questions two or three yet; only time will tell. It’s nearly certain, though, that damage calculations will have to consider a broad range of factors, including job loss (particularly in the case of Ashley Madison customers who were members of the military), pain and suffering, identity theft, and financial fraud that may occur following loss of personally identifiable information.<br />
<br />
<h4>
Starting Points for “Reasonable Data Protection” </h4>
While we don’t yet know how “reasonable” security standards will be defined, we can make some recommendations with confidence. Based on the fact that many organizations are not yet doing even the basic protection practices, we recommend taking these steps:<br />
<ul class="list">
<li><b>Learn where every copy of your sensitive data is stored</b> (product plans and other intellectual property, financial information, personally identifiable information) across your enterprise, and don’t forget about third parties like business partners and vendors such as law firms and payroll services.</li>
<li><b>Encrypt that sensitive data</b>. This is not sufficient protection, but it is essential.</li>
<li><b>Stop watching the firewall and start watching your sensitive data</b>. Begin studying what normal behavior around that data looks like and ask your security team to implement an alert system for abnormal or anomalous behavior related to it.</li>
<li><b>Investigate and consider adopting the NIST Cybersecurity Framework.</b> Many legal experts feel this may become a standard for “commercially reasonable” security approaches.</li>
<li><b>Research the types of attacks that are occurring within your line of business or industry</b>. Professional associations are good places to obtain and share this information.</li>
<li><b>Hire more experts</b> – whether employees, contractors, or services firms – to implement better security.</li>
<li><b>Consider the many types of risks represented by your data.</b> Think about your line of business and what could happen to your business model if specific types of data were leaked. For example, in the case of Ashley Madison, inability to protect the privacy of their data means they may be out of business. Even confidential emails like those publicized in the Sony breach coverage can have an impact on executive careers and overall business viability.</li>
<li><b>Be prepared to capture and preserve breach-related data </b>as potential evidence of criminal activity and as proof if you ever need to claim that your breach may not have been preventable.</li>
<li><b>Go beyond simply buying and installing security tools and work from a real security framework. </b>One example is our own <a href="https://goo.gl/knPYdp" target="_blank">Inside-Out Security Framework</a>.</li>
<li><b>Document your security processes.</b> In this new age of enhanced regulation and civil liability, these processes may be discoverable.</li>
<li><b>Test your security processes. </b>Practice your readiness. Many of our most security-mature customers run security breach “fire drills.” Doing this helps ensure that all concerned in your organization know what to do when the inevitable happens.</li>
</ul>
<div class="MsoNormal">
The next year will be interesting as both standards and damage-calculation formulas are defined. For now, focus on doing the basics, gaining visibility to and monitoring the locations where your sensitive data lives, documenting your processes, and testing them.<br />
<br />
<b>Want to share a best practice?</b> I welcome feedback and ideas in the comments section below.<br />
<br />
<i>Roger Angarita is the Director of Product Management in R&D at Guidance Software. Earlier in his career he worked on corporate governance and intellectual property issues as an attorney at Latham & Watkins.</i></div>
</div>
</div>
Posted by Unknown<br />
<br />
<b>What Hit OPM? What We Know So Far</b> (2015-07-09)<br />
Paul Shomo<br />
<div class="MsoNormal">
<br />
It’s been almost a month since the OPM breach, and there has been much speculation, along with leaks pointing to the details of the attack. Here is a recap of the information released so far:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>June 4, 2015</b>
- OPM announces they’ve been <a href="http://www.opm.gov/news/latest-news/announcements/frequently-asked-questions/"><span style="color: #1f497d;">breached</span></a>.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>June 8, 2015 -</b> Guidance Software announces that EnCase® was used in OPM’s investigation. I am <a href="http://www.scmagazine.com/opm-rich-with-data-for-attackers/article/419390/2/">quoted</a> by SC Magazine, hinting that the PlugX Remote Access Trojan (RAT) was utilized by OPM’s attackers.</div>
<br />
<div class="MsoNormal">
<b>June 15, 2015</b> - ThreatConnect notices malware submitted to VirusTotal used fake OPM
domain names, and was submitted around the time of a prior 2014 OPM breach.
ThreatConnect <a href="http://www.threatconnect.com/news/opm-breach-analysis-update/">theorizes</a> that “Destroy RAT aka Sogu,” also
named PlugX in some threat intelligence databases, was used in this latest OPM
attack.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>June 18, 2015</b> - Ellen Nakashima comments in a <i>Washington Post</i> <a href="http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/">blog</a> that the “malware OPM discovered was
a never-before-seen variant of the malware known as PlugX.”<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>June 27,
2015</b> – USA Today <a href="http://www.usatoday.com/story/news/politics/2015/06/27/opm-hack-questions-and-answers/29333211/">reports</a>
that the breach started with a stolen credential used by KeyPoint
Government Solutions, a Colorado-based contractor that OPM uses to conduct
background investigations.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>June 29, 2015 </b>– FCW <a href="http://fcw.com/articles/2015/06/29/news-in-brief-june-29.aspx?s=fcwdaily_300615">notices</a>
that the day after the OPM disclosure, an <a href="https://info.publicintelligence.net/FBI-HackToolsOPM.pdf">FBI flash alert</a>
detailed an unnamed agency breach, and that threat actors have been observed
using four RATs: Sakula, FF RAT, Trojan.IsSpace and Trojan.BLT. FCW speculates that the FBI is referring
to OPM. Note that Sakula is
also mentioned in the June 15th ThreatConnect
<a href="http://www.threatconnect.com/news/opm-breach-analysis-update/">report</a>. Similar to the PlugX variants highlighted by ThreatConnect, Sakula was custom built to use fake OPM domain names.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>July 8, 2015 –</b> The U.S. Homeland Security Chief makes a vague <a href="http://www.voanews.com/content/us-prime-suspect-identified-in-government-worker-cybersecurity-breach/2853925.html">claim</a> to have narrowed down OPM's attackers. Note that this information was released exclusively through Voice of America, the little-known US <a href="https://en.wikipedia.org/wiki/Voice_of_America">state-run</a> media outlet.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
As a matter of national
security, it is conceivable we may never learn the details of the malware used
against OPM. In any case, all the breadcrumbs point to two RATs: PlugX and
Sakula, both seemingly built by Chinese authors specifically to target OPM. <span style="color: #1f497d;"><o:p></o:p></span><br />
<br />
<b>Comments?</b> I welcome discussion in the section below.</div>
Posted by Unknown<br />
<br />
<b>Office of the Secretary of Defense Calls for Emphasis on Detection and Response</b> (2015-07-01)<br />
Anthony Di Bello<br />
<div class="MsoNormal">
<br />
This week, in <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/opm-breach-why-doing-the-basics-is-not-easy" target="_blank">response to the OPM breach</a>, Chris Carpenter, the Security Director at the Office of the Secretary of Defense called for an emphasis on detection and response capabilities.<br />
<br />
The reason, Carpenter noted, is that there is a clear window of opportunity within which to find attackers inside the network and cut off their access before they have a chance to exfiltrate data. This is backed up by the fact that the vast majority of breach disclosures note that the attackers had been inside for a period of time prior to the data exfiltration.<br />
<br />
<a name='more'></a><h4>
We can’t prevent all breaches. Now what?</h4>
Carpenter explained:<br />
<i><br /></i>
<div style="text-align: justify;">
<i>When we start operating from an assumption that breaches cannot always be prevented, we can put more emphasis on detection and response. This actually can save us time and money.</i></div>
<div style="text-align: justify;">
<i><br /></i></div>
<div style="text-align: justify;">
<i>When a system is breached it takes time for the attackers to identify or reach the resources they are after on the network. During the time that it takes for them to learn the network and find what they are after, detection would still protect valuable information.</i></div>
<div style="text-align: justify;">
<i><br /></i></div>
<div style="text-align: justify;">
<i>Even after the attackers identify the information they must exfiltrate it. This is another opportunity for detection. Early detection of compromise minimizes the amount of information lost, cost of repair and reputational damage. With that type of benefit, it should be easy to get the resource for detection systems, even in budget-constrained environments. It's not, though.</i></div>
<br />
The number one thing organizations have to assume is that attackers may already be on their endpoints, undetected, looking for sensitive data to steal. That means that they’ve already bypassed security controls, which are typically at the gateway or are signature-based, and those controls are useless once the invaders are inside and user accounts have been compromised.<br />
<br />
<h4>
But there’s hope</h4>
What Carpenter is calling for is detection and response. And that's what we do at the endpoint--what Gartner calls endpoint detection and response (EDR). Every action leaves a breadcrumb that can be seen by <a href="https://www.guidancesoftware.com/products/Pages/encase-endpoint-security/Introduction.aspx?cmpid=nav" target="_blank">EnCase® Endpoint Security</a> with our unparalleled endpoint visibility. It’s a simple fact: there is no way for an attacker to compromise a system without leaving a trace either on the disk, in memory or in the registry.<br />
<br />
Having comprehensive endpoint visibility is the only way to ensure you have the capability to root out an attacker, no matter how well they think they’ve hidden their tracks. EnCase Endpoint Security gives you the industry’s deepest and most complete endpoint visibility—even down below the operating system level. I invite you to take a look and share your own ideas in the Comments section below.</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2731069116187316673.post-69228191350614735812015-06-09T12:50:00.000-07:002015-06-11T06:50:50.416-07:00The OPM Hack: I Smell a RAT<author></author>Paul Shomo<br />
<div class="MsoNormal">
<br />
In the wake of the OPM hack, where reports suggest that millions of security clearance records headed directly to Chinese intelligence units, let’s talk about remote administration tools (RATs). These tools are commonly used in this type of attack, so we'll walk through a common methodology for identifying unknown RATs.<br />
<br />
In the broadest sense, RATs are used to remotely access and control computers. System administrators often use these tools for good, but black hats develop specialized RATs that infect, hide, and act as back doors.<br />
<br />
Malicious RATs like PlugX, Gh0st, Korplug, Gulpix, Sogu, Thoper, and Destory can be built as zero day attacks that avoid signature detection. The Gh0st RAT user interface (UI), shown below, gives some insight into how easily hackers can build zero day variants to infect sensitive machines. Once infected, command-and-control can be established from anywhere on the internet, with traffic re-routed through servers to avoid identification of the true perpetrator.<br />
<br />
<a name='more'></a><div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcBdfiq1TwNuAkB_e0TMHFks9dbsbeBKSPFrhW8JiI_AGBQoWpUoSAvgWo1v6SxiHsILDcjTYIztr13HX0HyTIo3F2lKGOyKlx3uHkM1YXn48s3HaTtR1P8-Ls-HyfAowCTSAzgXrX52Q/s1600/RAT+1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcBdfiq1TwNuAkB_e0TMHFks9dbsbeBKSPFrhW8JiI_AGBQoWpUoSAvgWo1v6SxiHsILDcjTYIztr13HX0HyTIo3F2lKGOyKlx3uHkM1YXn48s3HaTtR1P8-Ls-HyfAowCTSAzgXrX52Q/s320/RAT+1.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for close-up</td></tr>
</tbody></table>
Probably the highest-profile RAT variant, PlugX, was featured in a <a href="https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf" target="_blank">Black Hat 2014 presentation</a>, and was found by Trend Micro as early as 2008. Guidance Software security professionals working in the federal space have reported seeing PlugX variants <i>routinely</i>. It's a good example of how a malware framework deployed in 2008 can still build variants that bypass signature-based detection.<br />
<br />
To find zero day attacks, you have to do routine investigations for unknown threats. It's wise to make use of the one natural advantage that incident responders possess: detailed knowledge of their environments. Sun Tzu once said, “Know the weather, know the terrain, your victories will be limitless.” In this modern cyberwar, the ancient sage of war might have said, “Know your network and endpoints. Your discovery-to-response time will be formidable.”<br />
<br />
RATs may sound intimidating, but they can be easily detected by a human using<a href="https://goo.gl/HqAtaf" target="_blank"> EnCase<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">®</span> Endpoint Security</a>. Its Snapshot technology, shown in the report below, can examine your endpoint processes and allow incident responders, tiered security analysts, or threat-detection staff to quickly spot anomalies.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSs4L5e4B0QfnzyDhOk23vpvSjOxBAxeyqfwpMITDN-o5GZc6OPQSfpTD2u6Tw-nclIClMtHJCuG3bI8XMyFlfBUguawEHrEbDicaIrYYfCCpDFuEk9F12f_Xclmpz6ImMmq-GpvQGx4Y/s1600/Processes.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSs4L5e4B0QfnzyDhOk23vpvSjOxBAxeyqfwpMITDN-o5GZc6OPQSfpTD2u6Tw-nclIClMtHJCuG3bI8XMyFlfBUguawEHrEbDicaIrYYfCCpDFuEk9F12f_Xclmpz6ImMmq-GpvQGx4Y/s320/Processes.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for close-up</td></tr>
</tbody></table>
PlugX uses a variety of injection methods to hijack common processes, but generally we aim to identify variations of familiar processes that have been injected with malware. A good way to start is to group the often-attacked svchost.exe instances, then look for strange start times, or reassigned process identifiers (PIDs) where no reboot occurred. In the case of PlugX, both svchost.exe and msiexec.exe suffer injection. Another method of identifying injection is to spot seemingly legitimate binaries whose names are slightly misspelled, that are stored in non-standard paths, or that are running injected into non-standard processes.<br />
<br />
Many forms of malware need autorun registry keys to restart themselves after reboots. This is known as persistence or a persistence mechanism. Using a network-wide registry scan, EnCase Endpoint Security can rapidly locate machines infected with PlugX by searching for unfamiliar binaries set to run on reboot, such as the autorun keys shown below.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHtVe9SMTZHRP74V6Ksje0H60_YcV0FpqQYFZJTJEELlcZ-SNVd0RqyQkY5bpxMYUZtcwoXUIuA_XT2xvr4vHbl3VT1XsLdDxq0Tzbra7hw4G38rNpCoaCtpqyg4p_O16etYf0RXQb5_E/s1600/rats+3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHtVe9SMTZHRP74V6Ksje0H60_YcV0FpqQYFZJTJEELlcZ-SNVd0RqyQkY5bpxMYUZtcwoXUIuA_XT2xvr4vHbl3VT1XsLdDxq0Tzbra7hw4G38rNpCoaCtpqyg4p_O16etYf0RXQb5_E/s320/rats+3.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for close-up</td></tr>
</tbody></table>
Now that you have some endpoints showing cause for suspicion, a live preview with EnCase Endpoint Security lets you narrow down suspicious files. A simple right-click search can initiate static and/or dynamic file analysis with leading threat intelligence providers such as ThreatGrid, or with freely available alternatives such as Google hash searches and VirusTotal to confirm maliciousness. We would always recommend that files be collected for preservation and reporting.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmrJMnlIX3CX2w8tSZ2CZjblPLysJRSATzG7ag0i2IHafHKoqyevg4yFeYNnbWWJ0hHbtXZAHbDgJFkDB3phStokEZNjURhhL_J8KpCnNwoXgqSwc4AV8pEwY6WmYeuyFWuHpzz6lYB68/s1600/Drilldown.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmrJMnlIX3CX2w8tSZ2CZjblPLysJRSATzG7ag0i2IHafHKoqyevg4yFeYNnbWWJ0hHbtXZAHbDgJFkDB3phStokEZNjURhhL_J8KpCnNwoXgqSwc4AV8pEwY6WmYeuyFWuHpzz6lYB68/s320/Drilldown.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for close-up</td></tr>
</tbody></table>
<br />
Now that an instance of PlugX is known, searches based on indicators of compromise (IOCs) can be formed to find other related binaries. Simple indicators like hash, file size, filename, and path can be used, or more advanced users can grab binary file search keywords from the hex editor and form even richer searches, as shown below. This allows us to determine the scope of an incident throughout the organization.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRqbLz_oyO0Fo4yDOjoADukveA5GoIE_4Zhwxh2JoAJm2OzvbtnmeWzLUJ6Aowf1nX-vfmlvgKhvRU2eB5t7RFwXZjQyOYJIyG92ApVM198vayDi5iTkn-QFQoW1Czg0WKPUr73Qgwa6o/s1600/rats+4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRqbLz_oyO0Fo4yDOjoADukveA5GoIE_4Zhwxh2JoAJm2OzvbtnmeWzLUJ6Aowf1nX-vfmlvgKhvRU2eB5t7RFwXZjQyOYJIyG92ApVM198vayDi5iTkn-QFQoW1Czg0WKPUr73Qgwa6o/s320/rats+4.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for close-up</td></tr>
</tbody></table>
Now that you have an indicator condition, the collection wizard in EnCase Endpoint Security (shown below) designates the machines against which to run the search, and even allows other conditions to be imported and exported for sharing across agencies. If you want to cast an even broader net, our Entropy Near Match Analyzer can locate additional polymorphic variants without the need for indicators. This patented algorithm was designed specifically to identify malware created to evade signature-based detection. The last step is remediation with EnCase Endpoint Security.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPYlgaXt2Ia98k6LKcjxUw3ND3OcnmreQaBDsyCTlHrjKBpIY27whtUEuyEfcphos1T2ADmQwBPr-scqv7DizWT0Vl1K0N-PnJwwqMW2teMilRrFjwkJvdk17bL81MujSffR3qH1JOxcc/s1600/File+Collection.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPYlgaXt2Ia98k6LKcjxUw3ND3OcnmreQaBDsyCTlHrjKBpIY27whtUEuyEfcphos1T2ADmQwBPr-scqv7DizWT0Vl1K0N-PnJwwqMW2teMilRrFjwkJvdk17bL81MujSffR3qH1JOxcc/s320/File+Collection.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for close-up</td></tr>
</tbody></table>
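<br />
The methodology walked through above, worked as an added example that is not part of the original post and is not EnCase code: a small Python triage script that applies the same checks (grouped svchost.exe start times, PIDs reassigned with no reboot, misspelled or mis-located system binaries, unfamiliar autorun images, then IOC-based scoping by hash, size, name, path or raw bytes) to snapshot data. The EXPECTED_DIRS baseline, the one-hour late-start threshold, the 0.85 name-similarity cutoff and every process, autorun and file record below are constructed assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed baseline: directories the frequently-injected binaries normally run from.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "msiexec.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str        # full image path as reported by the endpoint snapshot
    start: datetime   # process start time

def _name(image):
    return ntpath.basename(image).lower()

def _dir(image):
    return ntpath.dirname(image).lower().rstrip("\\")

def lookalike(image):
    """Well-known binary this image name imitates (svch0st.exe -> svchost.exe), else None."""
    name = _name(image)
    if name in EXPECTED_DIRS:
        return None
    for known in EXPECTED_DIRS:
        if SequenceMatcher(None, name, known).ratio() >= 0.85:   # assumed similarity cutoff
            return known
    return None

def triage_processes(snapshot, previous=None, late_start=timedelta(hours=1)):
    """(pid, reason) findings; `previous` is an earlier snapshot from the same boot session."""
    findings = []
    prev = {p.pid: p for p in (previous or [])}
    by_name = {}                                   # group the instances of each binary
    for p in snapshot:
        by_name.setdefault(_name(p.image), []).append(p)
    for name, procs in by_name.items():
        earliest = min(p.start for p in procs)
        for p in procs:
            imitated = lookalike(p.image)
            if imitated:
                findings.append((p.pid, f"{name} resembles {imitated}: misspelled name"))
            elif name in EXPECTED_DIRS and _dir(p.image) not in EXPECTED_DIRS[name]:
                findings.append((p.pid, f"{name} running from non-standard path {p.image}"))
            # A system-binary instance started long after its siblings has a strange start time.
            if name in EXPECTED_DIRS and p.start - earliest > late_start:
                findings.append((p.pid, f"{name} started {p.start - earliest} after its siblings"))
            if p.pid in prev and prev[p.pid].start != p.start:
                findings.append((p.pid, f"PID reassigned without reboot: was {prev[p.pid].image}"))
    return findings

def triage_autoruns(entries, approved_images):
    """Run-key persistence entries (key, value name, image) whose image is not in the baseline."""
    approved = {a.lower() for a in approved_images}
    return [e for e in entries if e[2].lower() not in approved]

def match_iocs(files, iocs):
    """Scope the incident: paths matching a simple indicator or a byte pattern from the hex editor."""
    hits = []
    for f in files:
        if (f["sha256"].lower() in iocs.get("sha256", set())
                or f["size"] in iocs.get("size", set())
                or _name(f["path"]) in iocs.get("name", set())
                or _dir(f["path"]) in iocs.get("dir", set())
                or any(pat in f["content"] for pat in iocs.get("hex", ()))):
            hits.append(f["path"])
    return hits

def run_demo():
    """Constructed sample host: a look-alike svchost, a reused PID, and one rogue autorun."""
    t0 = datetime(2015, 6, 1, 8, 0)                # assumed boot time
    earlier = [Proc(900, r"C:\Windows\System32\svchost.exe", t0 + timedelta(seconds=5)),
               Proc(1234, r"C:\Windows\System32\msiexec.exe", t0 + timedelta(minutes=1))]
    now = [Proc(900, r"C:\Windows\System32\svchost.exe", t0 + timedelta(seconds=5)),
           Proc(1234, r"C:\Windows\System32\msiexec.exe", t0 + timedelta(hours=5)),
           Proc(2040, r"C:\Windows\Temp\svch0st.exe", t0 + timedelta(hours=5)),
           Proc(2048, r"C:\ProgramData\svchost.exe", t0 + timedelta(hours=5))]
    autoruns = [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r"C:\Program Files\OneDrive\OneDrive.exe"),
                (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
                 r"C:\ProgramData\svchost.exe")]
    approved = [r"C:\Program Files\OneDrive\OneDrive.exe"]
    marker = b"\xde\xad\xbe\xef\x00"                # constructed byte pattern, not a real IOC
    files = [{"path": r"C:\ProgramData\svchost.exe", "size": 48640,
              "sha256": "deadbeef" * 8, "content": b"MZ" + marker},
             {"path": r"\\host2\C$\Users\Public\update.dat", "size": 1024,
              "sha256": "0" * 64, "content": b"junk" + marker},
             {"path": r"C:\Windows\System32\svchost.exe", "size": 27136,
              "sha256": "1" * 64, "content": b"MZ legit"}]
    iocs = {"sha256": {"deadbeef" * 8}, "hex": [marker]}
    return triage_processes(now, earlier), triage_autoruns(autoruns, approved), match_iocs(files, iocs)
```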
<br />
As you can see, these investigation tools allow a human investigator to quickly see zero day attacks that bypass automated detection methods. With some zero day attacks there are no shortcuts, so try to make these active investigations part of your ongoing security strategy.<br />
<br />
<b>Comments? Questions? </b>I welcome responses in the section below.<br />
<br />
<i>Paul Shomo is the Senior Technical Manager, Strategic Partnerships at Guidance Software.</i></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2731069116187316673.post-72228221550773291832015-06-04T20:59:00.001-07:002015-06-05T05:39:50.454-07:00The OPM Breach: What Went Right<author></author>Michael Harris<br />
<div class="MsoNormal">
<br />
Today the national and federal press announced a “massive” breach of federal personnel data housed at the Office of Personnel Management (OPM) within the Department of Homeland Security (DHS). Following an earlier breach discovered in March 2014, the breach is said to have exposed the personally identifiable information (PII) of up to four million federal employees. <i><a href="http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html" target="_blank">The Washington Post</a> </i>reported that U.S. officials suspect the Chinese government to be behind the attack, which represents “the second significant foreign breach into U.S. government networks in recent months.”<br />
<a name='more'></a><br />
<h4>
What the OPM is Doing Right</h4>
While this state-sponsored attack on federal employees and their agencies is an act of espionage and therefore of grave concern to the nation, I see signs in the news coverage that the OPM is taking action that is deserving of praise. As noted in the recent <i>Washington Post</i> coverage, “After the earlier breach discovered in March 2014, the OPM undertook ‘an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks,’ Seymour said. ‘As a result of adding these tools, we were able to detect this intrusion into our networks.’”<br />
<br />
This type of response to an initial breach is not only appropriate, but exemplary. Government agencies need to be proactive, because many realize that breaches like the recent Sony attack prove that the enemy may already be within their gates—and sometimes cruising the network for months before they’re detected.<br />
<br />
<h4>
Key Takeaway: Be Proactive</h4>
Many organizations--in both private and public sectors--house extremely sensitive data. High-value data is ideally confined to properly fortified servers, and tightly sealed off with aggressive whitelisting and rigorous audits. Multi-factor authentication and strong passwords are critical, and there’s a new tactic that becomes more crucial with every hack we learn about: active, ongoing anomaly hunting.<br />
<br />
Sensitive data tends to congregate on network endpoints such as laptops and servers, and it has a habit of multiplying into errant, unauthorized copies in unauthorized storage locations. For that reason, it’s essential for today’s security teams to create and regularly update baselines of normal activity for each endpoint that houses sensitive data, and to then actively watch for signs of anomalous behavior against those baselines.<br />
<br />
Today’s threat actors are deploying malware in unusual places--<a href="http://endpoint-intelligence.blogspot.com/2014/08/hiding-in-plain-sight-spotting-botnet.html" target="_blank">such as the UDP channel</a>--that are not visible with most security tools. With its exclusive ability to gain visibility of the endpoint even below the operating system, <a href="https://www.guidancesoftware.com/products/Pages/encase-endpoint-security/Introduction.aspx?cmpid=nav" target="_blank">EnCase® Endpoint Security</a> was designed to see the unseen by helping you baseline normal behavior across all your organizational endpoints, then watch for signs that something unusual is happening. After all, anomalies are the hallmark of infiltration.<br />
<br />
<b>Comments</b>? Are you proactively hunting threats in your systems? We welcome discussion in the section below, whether on this topic or on one you would like to see us write about here in the blog.<br />
<br />
<i>Michael Harris is the Chief Marketing Officer at Guidance Software.</i></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2731069116187316673.post-19926739735259964692015-05-22T15:15:00.000-07:002015-10-13T06:58:25.736-07:00CEIC 2015 Highlights: Thwarting Malware, FRCP Rules Changes, Corporate Cyberbullying, Collaborating for the Win<br />
CEIC® 2015 began with a one-day CISO/CLO Summit that gathered security and legal chiefs to collaborate on emerging best practices in defending the enterprise, as well as an energetic CEIC welcome keynote from our president and CEO Patrick Dennis and Roger Angarita, our head of product development. Patrick talked about how the legal, security, and forensic investigation communities are blending together, both to collaborate and even to expand their own professional areas of responsibility. Our data is converging—and so are our professions—which is good news, since as we collaborate, we are turning the tide in the defense of our organizations, our citizens, and our economies.<br />
<br />
<a name='more'></a><b>Federal Agencies
Tackling Cybercrime</b>
<b><br /></b>
<br />
<div class="MsoNormal">
At the CISO/CLO Summit, guest speaker Ed McAndrew of the
Department of Justice said that the Sony attack included the first example of
what he sees as an upcoming trend: the cyber bullying of corporations by
nation-state threat actors and other hacker groups. Our Assistant General
Counsel and Vice President of E-Discovery Chad McManamy led a panel that
included U.S. Cybercrime Attorney McAndrew as well as Michael Succi of the
Secret Service. Called “Tales from the Front Lines in the Fight Against
Cybercrime,” the discussion focused on how the Department of Justice, Secret
Service, and other federal agencies are tackling cyber crime, including
everything from hacking and intellectual property theft and identity theft to
any other type of crime that involves digital evidence.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Describing their work, McAndrew noted that federal law
enforcement had made 5,490 cyber crime arrests in 2014, including suspects
ranging from high-school grade hackers to some indicted for involvement in the
Home Depot and Target cyber attacks.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Different hacking
groups have varying motives, but they now include spying, theft, hacktivism,
disruption and destruction of the organization, terrorism and extortion, and
outright warfare. The good news is that the Department of Justice and other
agencies are eager to work with organizations to capture evidence and help bring
cyber criminals to justice, and have done so in recent years with notable
success.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Proposed Changes to
the Federal Rules of Civil Procedure (FRCP)</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
Daniel Lim of Shook, Hardy & Bacon led a panel, "Judicial
Roundtable on Current E-Discovery Issues," with the Honorable Andrew Peck of the
U.S. District Court of Southern New York and the Honorable Matthew Sciarrino,
Jr., of the Kings County Supreme Court. Many evolving aspects of e-discovery
were discussed. Of particular note were the proposed changes to the FRCP. One
judge noted that the change to Rule 1 is primarily about efficiency. He made
several recommendations, including gaining an organizational commitment to
information governance to ease the e-discovery workflow, to make a record of
any preservation decisions in case explanation is needed later, and to bring
information technology (IT) and legal tech staffers into preservation
discussions early to save time later in the process.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Also noted was the removal of the word “sanction” from FRCP
Rule 37(e), which the judge said can eliminate most fear of sanction by a judge
except when there is evidence that there was intent to deprive the harmed party of access to relevant ESI. He said, “The serious sanctions would then only come
when you lie to the court.” Acting in good faith, documenting decisions, and
working on a sound process that follows the latest EDRM and information
governance workflows will stand any legal team in good stead.</div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
<b>Malware Labs Aplenty</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
In addition to the tracks aimed at corporate management,
legal teams, and law-enforcement were some with highly focused sessions on
incident response. These sessions were always full, and included “Rootkits,
Exfil and APT: RAM Conquers All,” “EnCase® Cybersecurity Incident Response
Walk-Through featuring Gh0st RAT,” “APT Attacks Exposed: Network, Host, Memory
and Malware Analysis” with SANS' Rob Lee, Anuj Soni of Booz Allen Hamilton, Chad
Tilbury of CrowdStrike, and Jake Williams of Rendition InfoSec.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We’ll have more blog posts summarizing the highlights and
hot buttons of CEIC 2015, and we invite your thoughts and comments in the
section below.</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2731069116187316673.post-14045424733125518502015-04-22T13:18:00.001-07:002015-04-22T13:18:53.601-07:00Security and IR Labs at CEIC Focus on Advanced Malware and Attack AnalysisCEIC 2015 is just a few weeks away and we’re excited to meet with you face-to-face on the show floor and in the conference sessions earmarked for cybersecurity and incident response professionals. If your cybersecurity journey seems to grow more complicated with each passing <a href="http://www.ceicconference.com/" target="_blank">CEIC </a>event, this is the year you won’t want to miss.<br />
<br />
Incident response as a discipline is still largely misunderstood and under-implemented, mainly because enterprises struggle to understand the changing security landscape and the need to be prepared for the inevitable cyber attack. To help you better understand these changes, we've developed new sessions and labs for CEIC 2015 to help you take incident response to the next level.<br />
<a name='more'></a><h4>
More Advanced, Technical Labs Will Help You Understand the Root Cause of a Cyber Attack</h4>
<br />
In addition to offering topics for newcomers on incident response, CEIC will dig deep this year into advanced technical analysis of malware and attacks so you can be more confident before, during or after a cyber attack. This foresight to develop more analytical and leading-edge topics began with two critical questions we hear incident responders ask:<br />
<ul class="list">
<li>What really happened? Incident response teams are often too focused on remediation, without a deep understanding of how the cyber attack was orchestrated, what tools were used, and so on.</li>
<li>Are we still exposed? When that deep understanding is lacking, incident response teams can miss vital information when cleaning up after an attack, leaving your company vulnerable and/or compromised.</li>
</ul>
<div class="MsoNormal">
Take a look at some of the labs and lectures highlighted here that address these issues, as well as a powerful lineup of seasoned incident response professionals bringing them to you:<br />
<ul class="list">
<li>Jamie Levy from The Volatility Foundation will lead you through a fascinating hands-on technical lab on memory forensics, which is the analysis of memory images from endpoints to identify potential malware. </li>
<li>Jessica Bair from Cisco Security will teach you to leverage Cisco AMP Threat Grid’s threat intelligence service during a security investigation through a technical integration between EnCase and Threat Grid.</li>
<li>A veteran of 30+ years, Attorney Gordon Calhoun will help you to evaluate a disk for insider threats.</li>
<li>Security/Defense Research Analyst Nik Roby from KEYW Corporation will put you in the attacker’s seat as you learn to use an attack framework representative of the exploitation kits available for sale on the black market.</li>
</ul>
<div class="MsoNormal">
You’ll also get a technical preview of EnCase 8, with a completely new set of technologies designed to make enterprise-wide querying of endpoint data more accessible and useful for endpoint security.<br />
<br />
This is just a small sampling of the 11 sessions in the Cybersecurity and Incident Response track that will bring you closer to the most advanced incident response techniques—including analyzing disk-based and memory-based artifacts—so you can better understand the root cause of a cybersecurity attack. <br />
<br />
Visit our <a href="http://www.ceicconference.com/" target="_blank">CEIC event website</a> to see the agenda in detail, register, and more.<br />
<div>
<br /></div>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2731069116187316673.post-58635318662205194772015-04-09T11:06:00.000-07:002015-04-09T11:06:33.651-07:00Why Financial, Retail, and Healthcare Professionals Should Reserve a Seat at a CEIC 2015 Roundtable<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN-wFvUlxWgGWsQDFgkuSh5lwS1q-NvYln1B6vAfWVUHsmKnvLTY8IZuh84eQxOFzBr3yT0rFD46xsAqDBItgSLA7cJ5ANemz7FoAkMyew9VxzkOfLu51v1m1utbU4weNE6E8VoEnUXL8/s1600/roundtable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN-wFvUlxWgGWsQDFgkuSh5lwS1q-NvYln1B6vAfWVUHsmKnvLTY8IZuh84eQxOFzBr3yT0rFD46xsAqDBItgSLA7cJ5ANemz7FoAkMyew9VxzkOfLu51v1m1utbU4weNE6E8VoEnUXL8/s1600/roundtable.png" height="225" width="400" /></a></div>
<br />
By now, you may have heard about our new CEIC industry roundtable sessions for professionals in retail, finance, and healthcare. These focused, media-free sessions provide a forum for security and e-discovery specialists to discuss current trends and challenges that affect their work on a daily basis. First time you've heard of our roundtables? Take a look at our previous post.<br />
<br />
So why should you spend valuable CEIC time on a roundtable? Here are the three most compelling reasons.<br />
<br />
<a name='more'></a><h3>
#1 - Chilling statistics for financial, retail, and healthcare industries turn up the heat on discussions about digital investigations.</h3>
The new industry-focused roundtable discussions at CEIC put you side-by-side with your peers who are passionate about conquering the latest threats to data and e-discovery processes. We all know the stakes are rising and the challenges are becoming more complex, as shown by these recent findings:<br />
<br />
<b>Financial</b>: The <a href="http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf" target="_blank">Verizon 2014 Data Breach Investigations Report</a> says that the financial industry leads the list with the highest number of security incidents with confirmed data loss.<br />
<br />
<b>Retail</b>: A <a href="http://www.ponemon.org/library/2014-global-report-on-the-cost-of-cyber-crime" target="_blank">recent survey from the Ponemon Institute</a> showed the average cost of cyber crime for U.S. retail organizations more than doubled from 2013 to an average of $8.6 million per company in 2014.<br />
<br />
<b>Healthcare</b>: The <a href="http://www.hhs.gov/" target="_blank">U.S. Department of Health and Human Services estimates</a> that the medical records of between 27.8 and 67.7 million people have been breached since 2009.<br />
<br />
<h3>
#2 - Inquiring minds want to know, "How are others doing it?"</h3>
So many of your most pressing challenges are shared by your peers in your industry that it can be invaluable to put your heads together in a focused session. By attending the roundtable, you'll tap an unprecedented opportunity to learn from each other's successes and even mistakes.<br />
<br />
<b>Financial Pros</b>: Find out how others are managing the new wrinkles in SOX compliance, securing ATM systems, and maintaining cyber attack and data breach evidence for legal purposes.<br />
<br />
<b>Retail Pros:</b> Share new ways to grapple with PCI DSS compliance, securing POS systems, and maintaining breach evidence for legal purposes.<br />
<br />
<b>Healthcare Pros:</b> How are others mastering HIPAA compliance, information governance, and records management?<br />
<br />
<h3>
#3 - Build a peer network to choose the best tools and strengthen best practices.</h3>
Another benefit of the industry roundtables is their small size. Space is limited and media-free, which lends a more intimate, "off-the-record" tone to the discussion. Our goal is to foster a sense of trust and kinship between fellow attendees to build a long-term network within which you can confidentially discuss new tools, processes, and best practices.<br />
<br />
<b>Financial: </b>The increasing sophistication and potential damage of cyber threats as well as the always changing demands of regulatory compliance make it imperative to continually evolve your approach to data-related risk.<br />
<br />
<b>Retail: </b>All eyes are on your security and privacy practices. How have your peers optimized their infrastructures to respond to risk arising from PCI DSS 3.0, POS-systems security, data privacy, loss prevention, and the rest?<br />
<br />
<b>Healthcare Pros</b>: Attacks on healthcare providers are on the rise at the same time you're dealing with the HIPAA Final Omnibus Rule and EU privacy requirements. What are the emerging best practices?<br />
<br />
Learning how others are streamlining security and e-discovery approaches while effectively serving many masters (regulatory bodies, legal authorities, stockholders, executive management) promises to be a highly valuable experience.<br />
<br />
We hope you can add your voice to one of these focused discussions, so if you haven't already, why not <a href="http://www.ceicconference.com/" target="_blank">register today</a>? <b>Questions? </b>Drop a line to <a href="mailto:ale.espinosa@guidancesoftware.com" target="_blank">Ale Espinosa</a>.<br />
<br />
<b>New to CEIC 2015: Financial, Retail, and Healthcare Roundtable Sessions</b> (April 7, 2015)<br />
It’s not too late to sign up for the first-ever roundtable discussions to be held at CEIC 2015 for industry-specific professionals in the financial, retail, and healthcare industries. As part of the new Topics in Management track, the roundtable sessions will provide a forum to discuss pressing cybersecurity and e-discovery challenges that affect today’s organizations and present emerging best practices for addressing them.<br />
<h4>Different Markets Warrant Different Conversations around the Table</h4>
The roundtable sessions were created to address industry-specific cybersecurity and e-discovery needs, because each industry is influenced by different factors, uses different workflows, and stores different types of sensitive data, which together shape the criminal activity and data breaches it faces.<br />
<br />
Verizon’s 2014 <a href="http://www.verizonenterprise.com/DBIR/2014/" target="_blank">Data Breach Investigations Report</a> ranks the leading data breach types for each industry. As shown below, the top challenges last year for financial, healthcare, and retail industries varied in their rank and frequency:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnwPBw7Q29nnKlCqUTy4GpiIndr4aIVmVRSI12uM_-BkUwvl8DlyOk_h7y0kYD-63Ik3ulKRVcNGKtfPWlPcFUcZoF4d99z-ukrAzGe9wSzivhVb7vIii73Wyu50Rc237keZzP-XyZNM/s1600/chart.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnwPBw7Q29nnKlCqUTy4GpiIndr4aIVmVRSI12uM_-BkUwvl8DlyOk_h7y0kYD-63Ik3ulKRVcNGKtfPWlPcFUcZoF4d99z-ukrAzGe9wSzivhVb7vIii73Wyu50Rc237keZzP-XyZNM/s1600/chart.png" height="218" width="640" /></a></div>
<br />
CEIC 2015 industry roundtable discussions will bring together like-minded peers who are ready to blow open the doors to these top data breaches, latest cybersecurity threats, and e-discovery trends, bringing in new ideas and proven best practices. Participation in each roundtable will be limited, media-free, and reserved exclusively for professionals who work in that specific industry, be it financial, retail, or healthcare.<br />
<h4>Reserve a Seat at the Table</h4>
First, get <a href="http://www.ceicconference.com/" target="_blank">registered for CEIC 2015</a> here.<br />
<br />
Second, select one of these roundtable discussions within the conference agenda before you forget and before it’s full:<br />
<ul class="list">
<li>Financial Industry Roundtable: Wednesday, May 20, 11:00 a.m. – 12:30 p.m.</li>
<li>Retail Industry Roundtable: Wednesday, May 20, 2:00 p.m. – 3:30 p.m.</li>
<li>Healthcare Industry Roundtable: Wednesday, May 20, 4:30 p.m. – 6:00 p.m.</li>
</ul>
<div class="MsoNormal">
We hope to see you at CEIC and encourage you to check out the comprehensive agenda with over 140 sessions in 13 unique tracks! If you have any questions about our CEIC Industry Roundtables, please contact <a href="mailto:ale.espinosa@guidancesoftware.com" target="_blank">Ale Espinosa</a>.<br />
<div>
<br /></div>
<b>CISO/CLO Summit 2015: One Day that Generates Actionable Intelligence</b> (March 30, 2015)<br />
<author>Mark Harrington</author><br />
<div class="MsoNormal">
<br />
As legal chiefs around the world get serious about
cybersecurity as part of our mission to defend our organizations, we’re
learning fast, but it’s time to go beyond education and begin taking action.
Four years ago Guidance Software brought legal, security, and risk and
compliance chiefs together at the inaugural <a href="http://connect.guidancesoftware.com/LP=609?elq=00000000000000000000000000000000&elqCampaignId=&elqaid=613&elqat=2&elqTrackId=dab6dd44c3f3433e8ad5fe7c1c826ac4">CISO/CLO
Summit</a> to talk strategy and we’ve come a very long way since.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Last year I was privileged to lead a panel discussion on
enabling proactive risk and threat intelligence at CISO/CLO Summit 2014. The
panelists included an information security chief for a major defense
manufacturer, the CISO for a global automaker, security analyst Jon Oltsik of
the Enterprise Strategy Group (ESG), and Ed McAndrew, the Assistant U.S.
Attorney and National Cyber Security Specialist for the Department of Justice.</div>
<br />
<h4>
<b>Working with the DOJ
on Cyber Crime</b></h4>
<div class="MsoNormal">
Our discussion focused on how to respond to security
incidents in a way that minimizes damage, prevents the ultimate exfiltration of data, and
allows organizations to work productively with the appropriate law-enforcement
agency. Among the many insightful things said by panelists was this remark from
Ed McAndrew on how the Department of Justice is now approaching cyber investigations:
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 10.0pt; margin-left: .5in; margin-right: .5in; margin-top: 0in;">
<i>“While they’re still in
the network there’s a real opportunity for investigation. It’s a highly complex
and dynamic scenario in every case. Our greatest successes are happening when
victims are working with us and we can capture data and analyze it while the
persistent threat persists.”</i></div>
<div class="MsoNormal">
While discussing the sometimes complicated dynamic between
executives and security teams and the need for executives to become educated on
security, McAndrew also said:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 10.0pt; margin-left: .5in; margin-right: .5in; margin-top: 0in;">
<i>“Senior executives get
targeted [for spear phishing attacks] all the time. What would be bad is if you were the pivot point into
the system and, because of your privileged access, they were able to do the
following things. You go explain that to your board and to regulators. Explain
it to a congressional committee.”</i></div>
<h4>
<b>Join Us at CISO/CLO
Summit 2015 on May 18</b></h4>
<div class="MsoNormal">
Sessions on the state of endpoint security with 451
Research, on the FBI Cyber Squad, and on inciting industry change and
influencing national cybersecurity policy will make this year a can’t-miss
one-day learning opportunity for executives. I hope you’ll <a href="http://connect.guidancesoftware.com/LP=609?elq=00000000000000000000000000000000&elqCampaignId" target="_blank">register to join us</a>
and add your voice to the discussion.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<i><span style="color: #333333;">Mark
E. Harrington is Senior Vice President, General Counsel and Corporate Secretary
at Guidance Software and oversees worldwide legal operations for the company.</span></i>
</div>
<b>New Track at CEIC 2015 Targets Critical Executive-level Legal and Security Issues</b> (March 25, 2015)<br />
The explosion of threats in digital forensics and security is pressuring executives to anticipate, assess, and respond with greater assurance and insight than ever before. Because of this, CEIC® 2015 has developed a new “Topics in Management” conference track for business leaders responsible for legal, security, and risk and compliance initiatives.<br />
<br />
The new track expands upon the success of the annual <a href="http://connect.guidancesoftware.com/LP=609?elq=00000000000000000000000000000000&elqCampaignId=" target="_blank">CISO/CLO Summit</a> and is packed with an all-star roster of speakers and topics. We’re eager to share some of the highlights of the management track with you in this blog, but encourage you to review the complete <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-agenda-table.aspx" target="_blank">CEIC 2015 conference agenda</a> with session descriptions and speaker bios for all 12 tracks.<br />
<h4>Management Strategies to Help Mitigate Foreign Attacks</h4>
Bookending the management track are two powerful speakers you won’t want to miss. Assistant U.S. Attorney and National Cyber Security Specialist <b>Edward J. McAndrew</b> will kick off the first day by demonstrating the prevalence of borderless cyber crime and how victimized organizations can apprehend and prosecute foreign cyber criminals to help mitigate the long-term cyber threat. Expanding on the same topic, Law & Forensics General Counsel <b>Daniel Garrie</b> wraps up the last day in a session that explains how to react to attacks perpetrated by sovereign nations from the legal, business, and security viewpoints.<br />
<br />
Both of these speakers bring a significant amount of legal acclaim to the CEIC program. As the Cybercrime Coordinator and National Security Cyber Specialist in the <a href="http://www.justice.gov/usao/de/index.html" target="_blank">U.S. Attorney’s Office for the District of Delaware</a>, Mr. McAndrew authored the Supreme Court Commission’s “Leading Practices: Data Security,” the first set of data security practices published by a state bar. He will share case studies of the first U.S. convictions of China-based and other foreign cybercriminals.<br />
<br />
Mr. Garrie is the Editor-in-Chief and founder of the <a href="http://www.jlcw.org/" target="_blank">Journal of Law and Cyber Warfare</a>, and has co-authored a number of books, including “Plugged In: Guidebook to Software and the Law, Dispute Resolution and E-Discovery” and “Cyber Warfare: Understanding the Law, Policy and Technology.”<br />
<br />
<h4>
Management Panels Share Thought Leadership on IP Theft, Cloud-based Risks, and E-Discovery</h4>
CEIC has always attracted speakers who are leading practitioners and thought leaders from around the globe, and the new management track is packed with high-caliber presenters. We’ve worked hard to create three high-level panel discussions that directly address executive challenges:<br />
<ul class="list">
<li>IP Theft from In-House to Courtroom</li>
<li>Managing Business Risks in the Cloud</li>
<li>E-Discovery from Three Perspectives: Corporate, Discovery Services, and a Law Firm</li>
</ul>
<div class="MsoNormal">
These topics are balanced with a strategic mix of industry authorities to bring unbiased and unrivaled perspectives to each panel. They include:<br />
<ul class="list">
<li>451 Research’s <a href="https://451research.com/biography?eid=542" target="_blank">David Horrigan</a>, an industry analyst, attorney and award-winning journalist</li>
<li>Innovative Discovery’s <a href="http://www.id-edd.com/about-us/our-team/" target="_blank">Joseph Martinez</a>, a U.S. Army veteran who served as a Counterintelligence Special Agent tasked with neutralizing threats to U.S. Department of Defense information systems.</li>
<li>Executives from leading cloud service providers LinkedIn and DropBox and the world’s largest oilfield services company, <a href="http://www.slb.com/about.aspx" target="_blank">Schlumberger Limited</a>, to share personal, real-world case studies and best practices alongside legal pundits to shed light on counsel’s frame of reference.</li>
</ul>
<div class="MsoNormal">
This is just a snapshot of the 11 management sessions that include lectures, panels, and roundtable discussions on a variety of executive-level topics on reducing data-related risk in the enterprise. We’ll blog more about other conference topics and speakers in weeks to come.<br />
<br />
Visit the <a href="http://www.ceicconference.com/" target="_blank">CEIC event website</a> for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and register now. Also, be sure to follow us on <a href="https://www.facebook.com/CEIC.Conf" target="_blank">Facebook</a>, <a href="http://www.twitter.com/ceic_conf" target="_blank">Twitter</a>, and <a href="https://www.linkedin.com/company/guidance-software" target="_blank">LinkedIn</a> for the latest CEIC buzz and conversation. </div>
</div>
<b>The Current Cyber Crisis and the IT Security Budget</b> (March 24, 2015)<br />
<author>Barry Plaga, Interim CEO and CFO, Guidance Software</author><br />
<div class="MsoNormal">
<br />
Last summer, J.P. Morgan Chase suffered a <a href="http://www.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480" target="_blank">significant cyber breach </a>of its corporate servers that affected approximately 76 million households. Very bad news and no longer an unprecedented event for a major financial institution. Then, two things happened the following fall that are very interesting when considered together:<br />
<ol>
<li>J.P. Morgan Chairman and CEO <a href="http://www.wsj.com/articles/j-p-morgans-dimon-to-speak-at-financial-conference-1412944976" target="_blank">James Dimon told a panel discussion audience</a> at the Institute of International Finance that his bank would double its cybersecurity spending over the following five years.</li>
<li>PwC released its latest <a href="http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf" target="_blank">Global State of Information Security survey</a> that noted that spending on information security fell four percent during a period in which cyber attacks against companies increased 48 percent.</li>
</ol>
The key takeaway? It takes a hack on our own organizations and a massive media storm to get us to sit up and open our wallets.<br />
<br />
<h4>
The Challenges are Clear</h4>
As someone who wears two hats at Guidance Software—interim CEO and CFO—I understand the concern with cost management in a challenging business climate. IT costs in general are often uncomfortably large, and they seem to go up at the whim of vendors and industry analysts to very little measurable return on investment.<br />
<br />
But I have found myself wondering more than once in the past five years whether the last 20 years of curbing IT security spending has left us as executives—and our companies—exposed. The Target breach has <a href="http://thehill.com/policy/cybersecurity/233920-target-breach-has-cost-company-162-million" target="_blank">cost the company $162 million</a> so far. That’s higher than the 2014 average reported on in the latest <a href="http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis" target="_blank">Ponemon Institute report</a>, which says breaches cost companies around $3.5 million, up 15 percent from the 2013 average.<br />
<br />
As CFO, I know that we have to make smart spending choices to stay competitive—no question about it. But as CEO, I understand that the potential consequences of a data breach are dramatically higher than they were five years ago. The legal defense costs and potential awards of class-action lawsuits, the capital costs of remediation, potential regulatory fines, and the damage to corporate reputation add up in a way that should give every board of directors and C-suite dweller pause.<br />
<br />
<h4>
Smart Spending Means Adding a Line Item</h4>
Spending on information security should be one of the highest budget priorities on any executive’s list. But smart spending is key. As hacks like those in the past year have taught us, no matter how many bricks you add to your firewall, only one of us inside the firewall (the human perimeter) has to click on a phishing email link or leave a login and password sitting around and all of that perimeter security money was for nothing. Companies have to be watching their network endpoints (laptops, mail servers, point-of-sale devices) for strange activity – the behavior that is outside of normal for that endpoint—in order to see problems as they develop—and before the critical data leaves the premises.<br />
<br />
In other words, if you’re not investing equally in endpoint security as on perimeter security, you’re not fully covered. Meet with your IT and information security teams. Ask them whether they can see when something unauthorized is happening in the locations where your sensitive data is stored. Then revisit the budget and add a line item for endpoint security.
<br />
<div>
<br /></div>
</div>
<b>AMP Threat Grid Empowers Law Enforcement to Fight Cybercrime</b> (March 9, 2015)<br />
<author>Jessica Bair, Cisco</author><br />
<br />
<div class="MsoNormal">
Recognizing the critical need for state and local law enforcement agencies to have state-of-the-art technologies to effectively fight digital crime, Cisco is creating the AMP Threat Grid for Law Enforcement Program. The program is designed to empower those working to protect our communities from cybercriminals with its dynamic malware analysis and threat intelligence platform.<br />
<br />
Computers are central to modern criminal investigations, whether as instruments to commit the crime, as is the case for phishing, hacking, fraud or child exploitation; or as a storage repository for evidence of the crime, which is the case for virtually any crime. In addition, those using computers for criminal activity continue to become more sophisticated, and state and local law enforcement agencies struggle to keep up with their internal computer forensics/digital investigation capabilities. Malware analysis is also a critical part of digital investigation: to prove or disprove a "Trojan defense" for suspects, wherein the accused rightly or falsely claims a malicious software program conducted the criminal activity and not the user; and to investigate unknown software and suspicious files on the computers of the victims of cybercriminal activity for evidence of the crime.<br />
<br />
The AMP Threat Grid for Law Enforcement program is designed for state and local agencies with fewer than 1,000 sworn officers. In the United States, this encompasses more than 99.5 percent of <a href="http://www.bjs.gov/content/pub/pdf/csllea08.pdf" target="_blank">law-enforcement agencies</a>. Once empowered with AMP Threat Grid, within seconds of a threat-intelligence query or within a few minutes of submitting a suspicious file or URL for analysis, an investigator will have the ability to view and download an easy-to-read and comprehensive report detailing the actual behavior of the submitted file, including changes to the file system, registry, command-and-control communication, downloads, code injection, and other malicious activity.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In addition, AMP Threat Grid will correlate the file with the millions of samples and billions of artifacts in the threat intelligence database, providing instant global and historical context. The program also includes seamless integration with EnCase® Forensic to reduce investigators' time and effort to identify and analyze suspected malware.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The AMP Threat Grid for Law Enforcement program includes:<br />
<ul class="list">
<li>Two portal user accounts per agency</li>
<li>Up to five samples (of suspicious files or computer programs) or URLs submitted per day, per user, for analysis through the portal or via the API integration with EnCase Forensic</li>
<li>Unlimited sample queries through the portal or via the API integration with EnCase Forensic, including file hash values, IP addresses, domains, registry keys, and file paths</li>
<li>The AMP Threat Grid Malware Analysis and Intelligence for EnCase EnScript and installation guide, training manual and video, and EnCase Forensic case template</li>
<li>Access to regularly scheduled law enforcement-only WebEx sessions for training and peer discussion</li>
</ul>
<div class="MsoNormal">
Cisco will host a hands-on lab for threat intelligence and dynamic malware analysis at the <a href="http://www.ceicconference.com/" target="_blank">Computer and Enterprise Investigations Conference</a> (CEIC) to be held at Caesars Palace in Las Vegas, May 18-21, 2015.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Law-enforcement investigators can register for the program on the <a href="http://www.threatgrid.com/le/" target="_blank">Threat Grid Law Enforcement Program</a> page. The <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010126WS&k=threatgrid" target="_blank">AMP Threat Grid Malware Analysis and Intelligence for EnCase EnScript</a> is available for download at no cost to Guidance Software customers from the EnCase App Central store; it includes a 30-day pilot of the full solution for non-law enforcement incident responders, with free malware sample submissions and contextual searches of the Threat Grid threat intelligence repository. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<i>Jessica Bair, EnCE, EnCEP</i></div>
<div class="MsoNormal">
<i>jbair@cisco.com</i></div>
<div class="MsoNormal">
<i>Sr. Manager, Business Development</i></div>
<div class="MsoNormal">
<i>Advanced Threat Solutions, Cisco Security Group</i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Comments</b>? <b>Questions</b>? We welcome discussion in the section below.</div>
<div class="MsoNormal">
<br /></div>
</div>
<b>The Essential Risk of Facebook ThreatExchange</b> (March 4, 2015)<br />
<author>Duran Holycross</author><br />
<br />
<div class="MsoNormal">
Last month Facebook announced a new social network called ThreatExchange, which, according to the <a href="http://www.ibtimes.com/facebook-inc-launches-new-social-network-geared-toward-cybersecurity-1813684" target="_blank">International Business Times</a>, "is designed to help cybersecurity experts protect Internet users from malicious software and security vulnerabilities by allowing them to alert each other quickly about evolving threats." Saying that companies who participate can do so selectively to ensure that they don't "accidentally divulge private information," Facebook wants to make it "easier for an organization that may want to share data that needs to be handled with extra sensitivity."<br />
<br />
Hmm... As a long-time member of the profession being targeted by this initiative, I immediately see a number of red flags. For starters, I think we can all agree that nobody's going to share real intelligence on a real hack without being guaranteed some privacy or, ideally, full anonymity.<br />
<br />
But the big problem is that anonymity is a two-way street. It's well-known that intelligence and military units around the world specialize in the tactical sharing of disinformation. And we already have a high degree of insecurity about people being who they say they are on the internet, and about who's really wearing a black hat and who's wearing a gray one within the information security world.<br />
<br />
<h4>
My Questions about ThreatExchange</h4>
So with Facebook ThreatExchange, I may applaud the mission, but I have to ask, who vets the membership? How are their identities validated? What's the definition of success in a venture such as this? Who's to say that a member of the board hasn't run into financial troubles, taken up illicit activities, and that his or her focus hasn't changed from helping the community to profiting from it? Expert communities, including ours, tend to hear the most noise from the least experienced members and, on the whole, internet technical groups can tend to generate more heat than light on important issues.<br />
<br />
In fact, I do think that we, as security specialists, ought to share threat intelligence. I am pro-information-sharing. However, the idea of sharing my risks and concerns with an anonymous group of internet techies just doesn't fly. What I have seen work well over the past decade is to trade tips and methodologies within a trusted community of people in face-to-face settings, such as local or regional <a href="http://www.issa.org/" target="_blank">ISSA </a>(Information Systems Security Association) meetings. In a thoroughly digital world with threat actors like nation-states and organized crime groups, we have to continue to flex the old saw, "Trust no one."<br />
<br />
<b>Comments? </b>How are you collaborating with your peers on threat intel? We welcome discussion in the section below, whether on this topic or one you'd like to see covered here in the blog.<br />
<br />
<i>Duran Holycross is the vice president, information systems at Guidance Software. In this role, he leads operations and allocates resources to improve the quality and cost-effectiveness of our company's technology.</i></div>
<b>The State of the Union Address and the Call for Corporate and Armed Forces Evolution</b> (January 23, 2015)<br />
<author>Mark Harrington</author><br />
<br />
<div class="MsoNormal">
This week’s State of the Union Address was the fourth in a
row in which President Obama highlighted the critical nature of cybersecurity. Until
the most recent onslaught of headlines painted a painful picture of the
consequences of a data breach, all too many of our organizations have been
focused on passing compliance audits and dealing with a broad variety of
threats to long-term business viability. Times have changed, and the headlines
and the tough reality are all crystal clear: the bad guys are strong,
dedicated, and working productively together, and <i>they are in our networks today</i>.<br />
<br />
<div class="MsoNormal">As President Obama said, lawmakers must “finally pass the
legislation we need to better meet the evolving threat of cyber-attacks,” and,
“If we don’t act, we’ll leave our nation and our economy vulnerable.” Recently
proposed legislation would relieve some of the risk of participating in the
information-sharing for which the federal government is asking. Defending our
organizations is becoming increasingly complicated for legal and security
teams, so it’s crucial for such legislation to increase the incentives or
decrease the exposure that companies would experience in being more transparent
and collaborative with government when data breaches occur.</div>
<div class="MsoNormal" style="background: white; margin-bottom: 0.0001pt;">
<b><span style="color: #222222;">Preparing for a Cyber Pearl Harbor</span></b></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #222222;">In his first term in office, the president created a
cabinet-level cyber czar. Now the risk to our country is so severe that there
is a need to go one step further. In addition to the land, sea, and air
divisions of our U.S. armed forces, we should establish a military branch
focused on cyber warfare to consolidate our approach.</span></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #222222;">Just as our military transformed itself from horseback
riders in World War I to a mechanized and airborne fighting machine in World
War II, so should it undergo further evolution to address the front on
which our national defense is threatened in the modern age. The cyber war is
erupting all around us and, unlike foreign wars that our military has fought in
the past, this one threatens our domestic security and the foundation of our
way of life. The cyber Pearl Harbor hasn’t happened yet, but it will, and we
need to be ready with a robust cyber military branch of our armed forces.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Where Ayn Rand Meets
Rosie the Riveter</b></div>
<div class="MsoNormal">
<br />
In the same spirit in which American women flexed their industrial muscle and
showed up to work the assembly lines of munitions factories in World War II, so
do our corporations need to step up. We should first push for legislation that
protects us from serious reputational damage when reporting on hacks, and then
add steps to our internal security workflows that enable information-sharing
between our own corporations and the government.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Such information-sharing combines good corporate citizenship
and enlightened self-interest in a way that benefits our national security, our economy,
and our shareholders. The most straightforward way for an organization to do
this is to use the <a href="http://www.nist.gov/cyberframework/">NIST
Cybersecurity Framework</a> as a baseline for information-security
preparedness, then add proactive threat-hunting in all the areas inside and
outside your firewalls where intellectual property, credit-card data, and other
sensitive data is stored. <a href="http://goo.gl/qNmSfi" target="_blank">EnCase security products</a> can help your security team do that.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Crossing National Lines<o:p></o:p></b></div>
<div class="MsoNormal">
<br />
Why stop here? Until the United Nations takes up this
charge, we are well served to do it ourselves and collaborate with trusted
partners in commerce and governments around the world. The bad guys cross
borders. The good guys must do the same.<o:p></o:p></div>
<div class="MsoNormal">
<i><span style="color: #333333; mso-bidi-font-family: Helvetica;"><br /></span></i></div>
<div class="MsoNormal">
<i><span style="color: #333333; mso-bidi-font-family: Helvetica;">Mark
E. Harrington is Senior Vice President, General Counsel and Corporate Secretary
at Guidance Software and oversees worldwide legal responsibility for the
company.</span></i> <o:p></o:p></div>
<br /></div>
<b>2015: Fighting Adaptive Attacks Requires Adaptive Defense with Response Automation</b> (published 2015-01-06)<br /><author>Anthony Di Bello</author><br />
<br />
<div class="MsoNormal">
Attackers are always looking for new vulnerabilities to
exploit in widely adopted technologies, or they use, create, or modify malware that
changes just enough to avoid known detection methods as it propagates through a
corporate network. The same malware or vulnerability is rarely used after
public discovery. The identification and sale of new vulnerabilities is a high-revenue
enterprise, as is the sale of malware kits which can be customized and used as
weapons against unsuspecting organizations. Cybercrime is a high-growth
industry, and the players are only getting better organized and their attack
methods more elaborate.</div>
<br />
<div class="MsoNormal">
The defenses widely in use today are limited to technology
that is overly reliant on the known and is unable to adapt when attackers change
their patterns or find easier ways to sneak onto our networks undetected. The headline-grabbing
hacks of 2014 — Home Depot, JP Morgan Chase, eBay — only serve to highlight
this fact.<o:p></o:p></div>
<div class="MsoNormal">
As I look at these recent examples of cybercrime, and look
forward to 2015, it’s perfectly clear: deflecting <a href="https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection"><b>adaptive
attacks requires adaptive defenses</b></a>, and this basic tenet is what
guides the focus of Guidance Software EnCase security products as we continue
to build upon our <a href="http://connect.guidancesoftware.com/LP=594?cmpid=Direct-GSI-Cybersecurity_NA-Q414_GartnerCompLandscape_homepage-A-Eloqua_Landing_Page-Gartner_Competitive_Landscape-12-16-2014&utm_source=GSI&utm_medium=Direct&utm_campaign=12-16-2014-Cybersecurity_NA-Q414_GartnerCompLandscape_homepage">market-leading,
next-generation endpoint security technology</a>. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So the challenge is significant, and further compounded by
the high number of information security alerts fired off — hundreds of
thousands to millions a day — and limited staff with which to prioritize,
evaluate, and respond to the alerts that pose the greatest risk to sensitive
data. Our adversaries have time and automation on their side, enabling a single
attacker to attempt to break into the network hundreds or thousands of times in
a single day. An attacker only need be right once, while the defender must be
right every single time.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Automation: The fastest way to
arrest an attack in progress <o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Given the high volume of daily events, which can only be
assumed to increase in 2015 if the past is any indication, fending off <a href="https://www.forrester.com/Rules+Of+Engagement+A+Call+To+Action+To+Automate+Breach+Response/fulltext/-/E-RES87221"><b>adaptive
attackers requires response automation</b></a><b> </b>to validate, assess and
remediate high-priority events before damage can be done. Guidance Software
works with leading detection and event management technology such as <a href="https://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx">CEIC 2015</a> <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-sponsorship.aspx">Gold
Sponsors</a> <a href="https://www.guidancesoftware.com/about/Pages/newsroom/post/Guidance-Software-Announces-New-Bundled-Solution-between-EnCase-Cybersecurity-and-HP-ArcSight-Express.aspx">HP
ArcSight</a>, <a href="https://www.guidancesoftware.com/resources/Pages/doclib/Document-Library/Automating-Your-Incident-Response-Process-A-SOURCEFIRE-AND-ENCASE-APPROACH.aspx">Cisco
SourceFire</a>, and <a href="https://www.guidancesoftware.com/resources/Pages/doclib/Document-Library/Accelerate-Incident-Response-and-Forensics-with-McAfee-and-EnCase.aspx">Intel
Security</a> to automate the time-sensitive steps of the incident response
process — delivering real-time insights from your endpoints, and eliminating
time spent on after-the-fact data collection. We look forward to adding more
detection partners and integration points throughout 2015 to ensure that—no
matter what you have in place for detection or event aggregation—you have the
means to automate and streamline your incident response process. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I suspect in the coming year we will hear a lot more about
these two requirements and potential solutions not only from vendors, but also
from the analyst community and information security professionals who have
realized the insanity of using the same approach over and over while expecting
different or improved results. Case in point: Chris Sherman, Security and Risk
Analyst at Forrester Research shares Forrester’s views on endpoint security in
2015 in this webinar, “<a href="https://www.guidancesoftware.com/resources/Pages/webinars/2015-Endpoint-Security-Predictions-Key-Winning-Strategies.aspx">2015
Endpoint Security Predictions and Key Winning Strategies</a>,” which I invite you to check out.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I’m excited to be at
Guidance Software as we enter 2015 energized to meet the challenges posed by
today’s digital adversaries and to help our customers implement adaptive
endpoint security and automated incident response capabilities designed to
counter a persistent and adaptive adversary. <o:p></o:p></div>
<b>Hack-y Holidays: Best Practices for Retailers and Credit Card Processors</b> (published 2014-12-18)<br /><div class="MsoNormal">
The holiday season is in full swing, with security
professionals worldwide still reeling from the scope of last year’s infamous
December hack. Many response teams have taken steps to beef up data protection
processes and technology, and so far, no news is good news in the retail/credit
card processing world.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Making a List and Checking it Twice<o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We deliver technology that empowers you to respond faster
and more effectively to hacking attempts. Are the new practices you put into
place this year on our list? We’ve put together ten of the strongest steps
you can take toward a more complete security posture in our first annual
“Guidance Software Hack-y Holidays Cyber Defense Report.”</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br />
<b><a href="http://goo.gl/o5d13k" target="_blank">Download our report here</a>.</b> And let us know in
the Comment section what you’re doing to keep the bad guys from wrecking your
holiday season.</div>
<div class="MsoNormal">
<o:p></o:p></div>
<b>How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework</b> (published 2014-12-16)<br /><author>Mark Harrington</author><br />
<br />
<div class="MsoNormal">
Last week, the National Institute of Standards and
Technology (NIST) released an update to its <a href="http://www.nist.gov/cyberframework/">Framework for Improving Critical
Infrastructure Cybersecurity</a>, incorporating feedback from its October
workshop as well as responses to an August Request for Information. While
adoption of the Framework remains voluntary and not a regulatory requirement,
many large organizations in a variety of industries consider it to be an
effective benchmark for security operations. We at Guidance Software believe it
will soon be considered a “commercially reasonable” standard, but we <a href="http://endpoint-intelligence.blogspot.com/2014/02/a-legal-perspective-on-nist.html">also
recommend incorporating additional, proactive security practices</a> for a more
complete security posture.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<o:p></o:p></div>
This most recent update to the Framework reports on certain
implementation issues, including the need to expand awareness among smaller and
medium-sized businesses in the critical infrastructure sector. Some concern
exists that the Implementation tier of the Framework’s three main components—Core,
Profile, and Implementation Tiers—is being used the least frequently. Instead,
the Framework is being most commonly used simply as a basis for evaluating
security—as a yardstick, if you will.<br />
<br />
<b>Information-Sharing
Holds Real Promise for More Effective Organizational Defense</b><br />
<b><br /></b>
<div class="MsoNormal">
The aspect of the NIST Framework that I believe holds the most promise
for defending our organizations is information-sharing.
Many who have responded to NIST’s calls for feedback have expressed interest in
expanding this type of collaboration in order to build more powerful threat
intelligence feeds across American industries. While interest in participation
is high, so are the levels of concern about potential impact on corporate
reputation if data breaches were made public. Since the original Framework was
published, there has been a clear call for a means of reporting a breach and
related information anonymously.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Congress has just passed the <a href="https://www.congress.gov/bill/113th-congress/senate-bill/2519">National
Cybersecurity Protection Act</a> in order to better support cyber-threat
information exchange between the public and private sector via the <a href="https://www.us-cert.gov/nccic">National Cybersecurity and Communications
Integration Center</a>. However, a bill that incorporates liability protections
for those reporting on breaches will have to wait until early next year.</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<b>Alignment Makes Sense
for Most Corporations</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Helping your organization prepare for alignment with the
NIST Framework and participation in intelligence-sharing can put you in a
position to benefit from the most recent and deepest threat intelligence
available anywhere once the Framework becomes firmly established in American
industry. Taking steps to put your security systems and protocols in alignment
with the Framework will also help you make a case following a breach that you
took reasonable steps to protect sensitive information. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In addition, if 2015 legislation does pass that incorporates
the expected liability and privacy protections for those sharing information,
the risk of participation is far outweighed by the benefits.<o:p></o:p><br />
<br /></div>
<div class="MsoNormal">
As inside counsel, you can help influence and participate in
this organizational initiative by:<br />
<br />
<ul class="list">
<li>Calling a meeting with your CIO, Information Security, and other stakeholders to review the NIST Framework</li>
<li>Encouraging an assessment of where your organization stands today in meeting the standards in the Framework</li>
<li>Asking stakeholders to consider ramping up to participate in information-sharing within a certain timeframe</li>
<li>Asking how your legal team can help.</li>
</ul>
<div>
<div class="MsoNormal">
Whether your organization is part of the
critical-infrastructure industries or not, being in a position to positively
and proactively work with federal protection agencies can only improve your
reputation with your market, industry partners, and those agencies
themselves—something that can be invaluable following a breach.<o:p></o:p></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
<b>Are You Working with
NIST or NCCIC?</b> I encourage your comments in the section below. For more
information on the NIST Cybersecurity Framework and how to support it, consider
<a href="http://goo.gl/mgefNt" target="_blank">these resources</a>, including <a href="http://goo.gl/mgefNt" target="_blank">two webinars featuring Adam Sedgewick</a>, the NIST Senior Policy Advisor who led
the development of the Framework.<o:p></o:p></div>
<div class="MsoNormal">
<i><span style="color: #333333; mso-bidi-font-family: Helvetica;"><br /></span></i></div>
<div class="MsoNormal">
<i><span style="color: #333333; mso-bidi-font-family: Helvetica;">Mark
E. Harrington is General Counsel and Corporate Secretary at Guidance Software
and oversees worldwide legal responsibility for the company.</span></i> <o:p></o:p></div>
</div>
</div>