Showing posts with label Incident Response. Show all posts

2015: Fighting Adaptive Attacks Requires Adaptive Defense with Response Automation

Anthony Di Bello

Attackers are always looking for new vulnerabilities to exploit in technologies with large-scale adoption, or they use, create, or modify malware that changes just enough to avoid known detection methods as it propagates through a corporate network. The same malware or vulnerability is rarely used after public discovery. The identification and sale of new vulnerabilities is a high-revenue enterprise, as is the sale of malware kits which can be customized and used as weapons against unsuspecting organizations. Cybercrime is a high-growth industry, and the players are only getting better organized and their attack methods more elaborate.

The defenses widely in use today are limited to technology that is overly reliant on the known and is unable to adapt when attackers change their patterns or find easier ways to sneak onto our networks undetected. The headline-grabbing hacks of 2014 — Home Depot, JP Morgan Chase, eBay — only serve to highlight this fact.

HP ArcSight Express and EnCase® Cybersecurity: Cost-effective Incident Prioritization and Response

Anthony Di Bello

There is a misperception—often heard—that large companies make software solutions that try to be all things to everyone. We at Guidance Software work with some of the largest technology providers in the world, such as HP, Blue Coat Systems, and IBM, among others, to integrate our industry-leading incident response technology with best-of-breed SIEM and threat-detection solutions.

This is because we and our partners realize that whole, effective solutions to modern information security challenges cannot be delivered by any single information security vendor. Through our EnCase® Cybersecurity incident response solution, we help our customers bridge the gap between incident detection and response. We have seen time and time again that responding without an incident response solution or any degree of incident response automation (relying on human intervention alone) can lead to high response costs--up to $5.5 million per incident, per recent Ponemon Institute research.

EnCase® Cybersecurity and HP ArcSight Express Join Forces to Deliver a Powerful Post-Event Solution


When it comes to integrating with industry-leading technologies, something is always in the works at Guidance Software. This week at HP Protect in Washington, D.C., we announced a powerhouse incident-response bundle that pairs EnCase Cybersecurity with HP ArcSight Express. 

Designed for organizations that have invested in the ability to detect threats, but that are challenged in figuring out which of the alerts in the alert storm are meaningful, our combined solution is a comprehensive, best-of-breed post-event workflow that can help you automatically prioritize and respond to the most critical alerts. 

Thales Expands Critical Incident Response Capabilities in the UK with EnCase

As the threat landscape increases in complexity, large organizations everywhere are looking to recognized information security experts to help them ramp up their response capabilities. A leader in the design and delivery of resilient critical systems and security solutions for government agencies and corporations, Thales UK wanted to bolster its endpoint security and incident response offerings with EnCase products. 

Building Cyber-Talent in the National Collegiate Cyber Defense Competition

The headlines are full of stories about the growing number of job opportunities for what may be a too-small pool of young cyber-defenders and incident responders. At Guidance Software, we support universities with our EnCase Academic Program to help ensure that the up-and-coming generation of information security specialists has the tools and technology they need to work like seasoned professionals do. To that end, we are also proud to be a Gold sponsor of the National Collegiate Cyber Defense Competition (NCCDC).

Ten finalist teams from more than 180 colleges and universities will participate in this national competition, held in San Antonio, Texas from April 25-27. To support this valuable training exercise, we supplied EnCase software network-wide, some EnCase training for all contestants, and will staff the volunteer Red Team with an EnCase incident-response expert. 

Insider Threats in the Federal Agency: Endpoint Security and Human Analytics

Manning, Snowden, Wikileaks… Recent headlines have made the dangers of insider threats for federal agencies even more of a flashing red light than before. The risk of intentional data breaches is a critical problem, but certainly not the only one. The latest report from the Ponemon Institute, the 2013 Cost of Cyber Crime Study: United States, found that more than one third of all data security breaches at government agencies are caused accidentally by internal employees. Intentional or not, both are problematic.

Human error as insider threat
A study by the Privacy Rights Clearinghouse noted not long ago that government agencies have experienced a steady rise in data breaches caused by employees over the last four years. In addition, employee negligence caused over 150 breaches and the loss of more than 92.5 million records since January 2009.

Security Professionals 2.0: Inspiring the Next Generation of Cybersecurity Warriors


There is heightened awareness within the business community regarding vulnerabilities related to cyber threats and the financial repercussions of breaches, data loss and cyber attacks. In fact, according to a recent Ponemon Institute survey, a majority of respondents indicated that cybersecurity risks rank higher in terms of business risks than natural disasters. However, there is a worrisome lack of interest in the IT security profession among young adults.

The Jobs are There. Where are the Skilled Workers… and Investment in Security?

According to a recent jobs report, of 1,000 adults ages 18-26 surveyed, only 24 percent expressed interest in a cybersecurity career. In comparison, 32 percent are interested in being an app designer/developer. Additionally, 82 percent said that their high school counselor never mentioned the possibility of a career in cybersecurity.

Survey Says: Organizations Most Concerned About Length of Time to Resolve Data Breaches

During our 13th Annual Computer and Enterprise Investigations Conference (CEIC) in May, we conducted a survey of more than 150 attendees from the security, law-enforcement, and e-discovery fields to get first-hand insights on shifting priorities in enterprise and government security teams. It was not a surprise that “length of time to resolve attacks” came in as the chief cybersecurity concern. In addition, 24 percent also said they were concerned about insider threats.

Data breaches and the amount of time it takes to detect and resolve them remain a critical security issue. It takes companies an average of three months to discover a malicious breach and more than four months to resolve it, according to the 2013 Cost of Data Breach Study by the Ponemon Institute.

U.K. Announces Engagement in the War With No Front Line

Alex Andrianopoulos

On the day the mighty U.S. government shut down, the U.K. government threw down a colossal gauntlet: it revealed that it has been developing the capacity to carry out cyber attacks. The Financial Times reported today: Philip Hammond, defence secretary, said ahead of the Conservative party conference in Manchester that the UK was "developing a full-spectrum military cyber capability, including a strike capability." It was the first time any country has made such a sensitive statement in public.

Border Wars: Incident Response vs. Forensic Investigation

Josh Beckett

In my day job, we often discuss security tools and the respective processes that generate the requirements that demand the use of such tools. Lately, we have been debating incident response tools and processes as contrasted with forensic investigation tools and processes.  Obviously, both have differing benefits that they bring to the general discipline of security.  They also have differing requirements in terms of the tool sets that they require to execute those processes.

To me, the boundaries between forensic investigation and incident response have always been rather clear.  Maybe slightly fuzzy at the exact interface between them, but not a huge gaping canyon of a zone of uncertainty.  However, lately, I'm starting to believe that out there in the rest of the community it may not be so clear.  I could be wrong...it wouldn't be the first time and I'm sure it won't be the last, especially if you ask some of my close friends.

Through the looking glass...blessing or burden?

Josh Beckett

Google Glass coming out has had some interesting implications for the world of security and forensics.  I thought the QR code vulnerability was certainly unique and akin to the drive-by RFID vulnerabilities that exist.  I'm sure we haven't seen the last of such issues.  Google, of course, says this was all part of their plan to really shake out the bugs and round the rough edges that they didn't foresee.  Is that claim more marketing than truth?  Meh, probably a little of each.  It's a nice idea, but I hardly think that even one thousand hacking-oriented techies could even scratch the surface of possibilities for what this technology could potentially deliver, good and bad.  Some interesting use cases have already come about, but I think the best are still to come.

What's Your Incident Response Plan?

Ale Espinosa

We keep rainy day funds. Our cars all have a spare tire. We buy life, car, and home insurance. We organize fire drills and have earthquake emergency kits. We understand that life may go awry at times, and have made investments and plans to help us limit, escape, or better endure the damage, when things don’t go as planned.

As perimeter security technologies become insufficient for the detection of advanced threats like rootkits, polymorphic worms, insider attacks, and zero-day malware, your incident response plan will work as the “rainy day fund” or “fire drill” of your cybersecurity efforts in the event of a breach. But, despite the vast amount of data on the growing number of cyber-attacks occurring each day – Guidance Software estimates it at half a million for government agencies and Fortune 500 companies – many organizations have yet to create and put in place a formal incident response plan.

Truth is, your organization is more likely to be the victim of at least one security breach over the next year, than you are to deplete your rainy day fund, submit an insurance claim, escape a burning or collapsed building, or use your car’s spare tire during the same period of time. Your incident response plan as well as your investment in remediation software will see more use in a year than your own personal “rainy day” investments.

Medical Devices Vulnerable to Remote Cyber Tampering, FDA Warns

Ale Espinosa

This post is not suited for the faint-hearted … especially those wearing a medical device.

The U.S. Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical device manufacturers and user facilities, hospitals, health care IT and procurements staff, and biomedical engineers, following news of security issues in certain fetal monitors and software used in body fluid analysis.

According to the FDA’s safety communication issued last week, there are strong concerns regarding medical devices and hospital networks’ vulnerability to malware, as well as with the unauthorized access to their configuration settings. Among the devices and systems at greater risk are those that are network-connected or configured, hospital computers, smartphones and tablets, and password databases, among others.

Better Incident Response Is the Real Game Changer

Josh Beckett

As usual, on my very long drive to work, I was getting my daily fix of NPR and a couple of stories prompted me to write today.  First was a story that had to do with one of the interesting side effects of moneyball and how it was making baseball games longer by increasing the value of players that get walks.  More walks = longer games = less action = more fan boredom.  Their takeaway from this...you get what you ask for.  Not very security-esque, but stay with me.

The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications.  I've heard claims that all three branches of government had oversight into the process.  It struck me that there is a major problem with that claim.  They were all sworn to secrecy and operating behind closed doors.  No transparency; just a tacit statement that we only look at the facts relevant to the bad stuff.  Ok, so how are they related?

Hello? You’ve Been Breached.

Ale Espinosa

Knock, knock. Who’s there? The FBI.

The reality of the world we live and do business in has made us increasingly vulnerable to cyber threats and attacks. Perimeter security and signature-based threat detection tools can only do so much when the threat is brand new or if it morphs as it spreads out through your network, making their signature unrecognizable. Chances are, there is someone lurking in your network right now and you don’t even know it.

In fact, Verizon’s 2013 Data Breach Investigations Report revealed that approximately 70% of cyber breaches go completely undetected by organizations’ security teams, and are instead discovered by external parties like the authorities, FBI, or even the attackers themselves.

Information Security Executives Share their Perspective at the 2013 CISO/CLO Summit

Ale Espinosa

This year’s Computer and Enterprise Investigations Conference (CEIC) was referred to by many of its loyal attendees as our best one yet. Running concurrently with the show was the CISO/CLO Summit, which brought together top information security and legal technology executives for a day filled with valuable panel sessions, presentations, and networking opportunities.

One of the most talked about presentations at the CISO/CLO Summit was offered by Bryan Sartin of Verizon, who gave an in-depth review of the 2013 Data Breach Investigations Report (read more about the report on one of my earlier posts). And in the spirit of survey data, we asked Summit attendees to answer a few questions for us regarding their information security concerns and challenges.

The Best Tool in Your Kit

Josh Beckett

As security professionals, we all have to deal with real events and incidents and false positives.  Furthermore, we all need to try to minimize the impact that false positives have on our workflow so that we can focus on the real stuff. I love to use real world examples that have a parable-like quality to them in order to get interesting points about security across.

A friend recently told me of an issue with someone they knew where they were requested to show their drivers license and it happened to be expired. Now, there are obviously many situations where we know this will become a problem, but there is really only one situation where this particular bit of information is actually relevant.  What is a driver's license really? It is proof of your authorization to drive a particular class of motor vehicle. If expired, it is possible that you are no longer so authorized. That is the only use case where such information is completely relevant.

Why Are We Losing the Cyberwar? It's About the Money.

Josh Beckett

'Follow the money' is a tried and true security strategy. It will lead you to the things the bad guys may be after. It will lead you to the tools they use. It will lead you to who is committing the crimes. Money is the reason we are losing the Cyberwar.

It is simply more profitable to sell newly discovered exploits to bad guys than it is to report them to the software companies for fixing. The few companies that are willing to pay bounties for bugs are easily outbid by the bad guys as a cost of doing business. As long as that is a viable economic model, we will never have a hope of any defensive strategy that will work other than fast clean up of the mess when it happens.

Chinese government behind Chinese hack-a-thon...really?

Josh Beckett

The Pentagon has come out and stated the obvious. When listening to this story this morning on NPR, the immediate thought that came to me was, "Yeah, well, what are you going to do now?"  Of course, the interviewer asked that very question and the interviewee burbled and hemmed and hawed.  No real answer.  What can you do in a war that is not fought on a physical battlefield with physical weapons, but inside of computers?

Beware cyber-criminals, here come the Cyber Jedi

Josh Beckett

Don't be jealous, but I've recently been promoted to "Cyber Jedi" ...at least in the UK.

After reading this article, it brought me back to something that I've struggled with through many Jedi battles.  Remember that the Jedi not only fought with the bad guys, but fought with the Senate as well...


Security is hot even in this down economy, so why are security experts undervalued?

It is obvious that the field of security is heating up faster than the rest of the global economy.  The problem that I see is still one of economics and understanding.  Security, as a discipline, doesn't make money.  So when hard economic times lead to even harder spending choices, one of the first things to get cut are those folks that don't bring in money.  Namely, those (sometimes) quiet folks that talk about technical things that hardly anyone understands and while they sound like they are doing something useful, few could really explain what that stuff is.  I'm sure we could do without one or two of them, right?  The end result is that we have too few Jedi trying to fight too many bad guys.