So it was fitting to attend the keynote by RSA Chairman Art Coviello and hear him say, “It’s past time for us to disenthrall ourselves from the reactive and perimeter-based security dogmas of the past and speed adoption of intelligence-driven security.” He described a fact that’s inescapable to all security professionals now, which is that alerting systems and point solutions for threat response aren’t sufficient to respond to modern threats. The time has come to change the way we perform incident response by using rapidly accessible, actionable intelligence to make the stakes higher for hackers, crackers, and thieves.
Guidance Software has connected EnCase® Cybersecurity version 4.3 with security information and event management (SIEM) systems to facilitate security automation. For example, when an attack or breach event is suspected, the SIEM system can now automatically trigger an EnCase® Cybersecurity forensic response, including exposing, collecting, triaging and remediating data related to threats — essentially taking action on or gathering data about a security event that might otherwise have been missed.
By automating incident response, organizations can collect actionable information about an attack, minimize data leakage and economic damage, and reduce the time needed to eliminate the threat and return an endpoint computer to a normal state.
According to a September 2011 Cost of Cyber Crime study by The Ponemon Institute, the average time to resolve a cyber attack in 2011 was 18 days. Shortening that duration could reduce the cost and impact of an attack, which the Ponemon study placed at $416,000 on average. Results of the study also showed that malicious insider attacks can take more than 45 days to contain.
"Time is of the essence when performing incident response, but today's security teams are constrained by the volume of attacks and the time it takes to initiate a response. Any delay in response means a potential for more damage and a loss of valuable data," said Victor Limongelli, president and chief executive officer, Guidance Software. "By automating forensic response, EnCase® Cybersecurity enables security teams to achieve a real-time view of what was occurring on endpoints during an attack, even if the incident occurred over a weekend or in the middle of the night."
Organizations have three ways they can automate incident response using new features in EnCase® Cybersecurity:
-- Integration with ArcSight — The integration of EnCase® Cybersecurity with HP ArcSight Enterprise Security Manager (ESM) offers four pre-programmed, automatic functions, including forensic auto-capture of system memory, scanning for Internet history and cache files, scanning for personally identifiable information, and conducting a targeted forensic data audit of a system. Security managers can run these EnCase® functions and view results from a pull-down menu inside ArcSight ESM with a few mouse clicks, or they can set them to run automatically, without manual intervention, when an incident triggers a security alert.
-- Response Automation Connector — EnCase® Cybersecurity 4.3 includes the new response automation connector, which is an application-programming interface (API) that gives organizations the ability to integrate the software with other security alerting systems. Customers using the API can integrate all of EnCase® Cybersecurity's incident response capabilities into their SIEM environment and automate those functions that are most important to their security processes.
-- Response Automation Services — Guidance Software has also launched new professional services offerings to help organizations with other security alerting tools or unique staffing needs to automate response to security incidents using EnCase® Cybersecurity.
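The pattern behind all three options is the same: a SIEM alert arrives, a playbook decides which endpoint collections it warrants, and the collections run without a human in the loop. The following is an added example of that dispatcher, written for this page rather than taken from Guidance Software or EnCase. The alert layout is the real ArcSight CEF format (pipe-separated header, space-separated key=value extension); the PLAYBOOK, the action names, the severity thresholds and fake_collector are hypothetical stand-ins for a product integration. Two things a practitioner wants from such automation and that the list above does not spell out are a throttle, so a burst of identical alerts does not re-capture the same host's memory every few seconds, and a hash of each returned artifact so the job log can later be matched against what was stored.

```python
"""Alert-driven endpoint response dispatcher (added example, not EnCase code).

Assumes SIEM alerts arrive as ArcSight CEF lines; the playbook, action names
and collector below are hypothetical stand-ins for the real integration.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# CEF extension: key=value pairs separated by spaces; a value may itself
# contain spaces, so it runs until the next " key=" or the end of the line.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
CEF_HEADER = ["version", "vendor", "product", "device_version",
              "signature_id", "name", "severity"]


def parse_cef(line):
    """Parse CEF:0|Vendor|Product|Ver|SigID|Name|Severity|extension.
    Pipes inside header fields are escaped as backslash-pipe, so split on
    unescaped pipes only, at most 7 times so the extension keeps its own."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    event["version"] = event["version"][len("CEF:"):]
    event["severity"] = int(event["severity"])          # CEF numeric severity, 0-10
    event["ext"] = dict(CEF_EXT_RE.findall(parts[7])) if len(parts) == 8 else {}
    return event


# Hypothetical playbook: alert category -> severity threshold and the endpoint
# collections to trigger. Names mirror the four ArcSight-triggered functions.
PLAYBOOK = {
    "Malware": {"min_severity": 7,
                "actions": ["memory_capture", "internet_history", "targeted_audit"]},
    "Data Leakage": {"min_severity": 5,
                     "actions": ["pii_scan", "targeted_audit"]},
}


def fake_collector(host, action, when):
    """Stand-in for the endpoint collection call; returns the artifact bytes."""
    return f"{action} on {host} at {when.isoformat()}".encode()


class ResponseDispatcher:
    """Turns SIEM alerts into endpoint collection jobs, throttled per
    (host, action), and logs a SHA-256 of every artifact collected."""

    def __init__(self, playbook, collector, throttle=timedelta(minutes=30)):
        self.playbook = playbook
        self.collector = collector
        self.throttle = throttle
        self._last_run = {}        # (host, action) -> time of last collection
        self.log = []

    def handle(self, cef_line, now):
        event = parse_cef(cef_line)
        ext = event["ext"]
        host = ext.get("shost") or ext.get("dhost")   # endpoint to act on
        rule = self.playbook.get(ext.get("cat"))
        if host is None or rule is None or event["severity"] < rule["min_severity"]:
            return []
        records = []
        for action in rule["actions"]:
            last = self._last_run.get((host, action))
            if last is not None and now - last < self.throttle:
                continue               # collected recently; do not hammer the endpoint
            artifact = self.collector(host, action, now)
            self._last_run[(host, action)] = now
            records.append({
                "host": host, "action": action,
                "signature_id": event["signature_id"], "alert": event["name"],
                "collected_at": now.isoformat(),
                "sha256": hashlib.sha256(artifact).hexdigest(),
                "size": len(artifact),
            })
        self.log.extend(records)
        return records


def demo():
    """Feed four constructed alerts through the dispatcher; one job list each."""
    t0 = datetime(2012, 3, 3, 2, 15, tzinfo=timezone.utc)   # constructed: Saturday 02:15 UTC
    beacon = ("CEF:0|ExampleVendor|ExampleIDS|1.0|100|Beacon to known C2|8|"
              "shost=ws-042 src=10.0.0.5 dst=203.0.113.7 cat=Malware")
    dlp_low = ("CEF:0|ExampleVendor|ExampleDLP|1.0|200|SSN pattern in outbound mail|3|"
               "shost=ws-042 cat=Data Leakage")
    dispatcher = ResponseDispatcher(PLAYBOOK, fake_collector)
    return [
        dispatcher.handle(beacon, t0),                           # 3 collections
        dispatcher.handle(beacon, t0 + timedelta(minutes=5)),    # throttled: 0
        dispatcher.handle(dlp_low, t0 + timedelta(minutes=10)),  # below threshold: 0
        dispatcher.handle(beacon, t0 + timedelta(minutes=40)),   # throttle expired: 3
    ]


if __name__ == "__main__":
    for i, jobs in enumerate(demo()):
        print(f"alert {i}: {[j['action'] for j in jobs]}")
```

In a real deployment the collector would call the endpoint agent's API and the log would go to write-once storage; the throttle window and thresholds are policy decisions, and the safest default is to collect memory first, since it is the artifact that decays fastest.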
Learn more about automated incident response with ArcSight ESM and EnCase® Cybersecurity.
The software tools attackers use today include exploit code, Trojans, keystroke loggers, network sniffers and bots: whatever works to infiltrate the network and then exfiltrate the desired data.
Consider this quote from an experienced penetration tester in the CIO.com story “Customized, stealthy malware growing pervasive”:
"The advanced attack is getting more pervasive. In our engagements and my conversations with peers we are dealing with more organizations that are grappling with international infiltration. Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.”
Consider that quote again for a second: “Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere.”
Obviously, the goal of the malware is to slither past anti-malware defenses, and too often the attackers are successful.
This is why the ability to quickly detect and respond to infiltrations is more crucial than ever for an effective IT security program, and that makes digital forensics software central to those efforts. Software that can quickly establish the nature and cause of an incident also provides the visibility into the network that is needed to stop the next one.
This is where EnCase® Cybersecurity shines. EnCase® Cybersecurity offers enterprises a way to obtain actionable endpoint data related to an event before that data decays or disappears from the affected endpoint altogether. EnCase® Cybersecurity can be integrated with the alerting solution or SIEM of choice (such as ArcSight ESM) to enable real-time visibility into relevant endpoint data the moment an alert or event is generated. Security teams then have immediate access to information such as the hidden processes that were running and the ports that were open when the alert fired. Seeing the whole picture of what was occurring on an endpoint at a specific moment in time allows a far more accurate incident impact analysis and a way to gain visibility into any given threat. A clear view of that moment leads to faster incident resolution instead of chasing cold trails.
Response capability of this kind is simply mandatory today, given the stealthy nature of malware and the effort attackers put into masking any traces of an attack.
Anthony Di Bello is product marketing manager at Guidance Software.