HP ArcSight Express and EnCase® Cybersecurity: Cost-effective Incident Prioritization and Response

Anthony Di Bello

There is a misperception—often heard—that  large companies make software solutions that try to be all things to everyone. We at Guidance Software work with some of the largest technology providers in the world, such as HP, Blue Coat Systems, and IBM, among others, to integrate our industry-leading incident response technology with best-of-breed SIEM and threat-detection solutions.

This is because we and our partners realize that whole, effective solutions to modern information security challenges cannot be delivered by any single information security vendor. Through our EnCase® Cybersecurity incident response solution, we help our customers bridge the gap between incident detection and response. We have seen time and time again that without an incident response solution or any degree of incident response automation (relying on human intervention) can lead to high response costs--up to $5.5 million per incident per recent Ponemon Institute research.

SANS Survey Reveals Need for Analytics to Tackle Big Data

While organizations are still relying heavily on log management or SIEM platforms, only a small percentage are confident about their ability to analyze large data sets for security trends, according to the newly released  SANS Security Analytics Survey.

Guidance Software recently co-sponsored the survey with Hewlett-Packard, Hexis Cyber Solutions (a KeyW Company), LogRhythym, and SolarWinds on awareness and use of analytics and intelligence to augment current monitoring practices. 

Incident Response: Automation by Integration

Ale Espinosa Congratulations are in order for EnCase® Cybersecurity integration partners IBM Q1 Labs and HP ArcSight for landing the top two placements in the Leaders quadrant of the 2013 Gartner Magic Quadrant for Security Information and Event Management (SIEM), soon to be available for download from Gartner's website.

Only the most successful vendors in building an installed base and revenue stream within the SIEM market, and whose offerings provide a good functional match to the general market requirements, land in this prestigious category of the Magic Quadrant report. Similarly, when evaluating integration partners for EnCase Cybersecurity, we use the very same criteria to decide which technologies to focus on first.

By integrating with SIEM and other event detection systems, EnCase Cybersecurity allows you to automatically respond to any security incident by zeroing in on affected endpoints at the moment of alert. It also triggers an array of deep inspection and analysis techniques to expose any anomalous activity. Scoping the impact of a breach as quickly as possible by instantly capturing and analyzing live system data over your network can help you minimize the risk and effects of an attack, before damage can be done.

Our list of out-of-the-box integrations keeps growing, with new ones being added in upcoming releases of EnCase Cybersecurity. What detection systems would you like EnCase Cybersecurity to integrate with, right out of the box? Drop me a note in the comments box below. We welcome your input!

The High Costs of Manual Incident Response

Anthony Di Bello It’s widely accepted and understood in most circles – but especially in IT – that when something can be effectively automated, it should be. In fact, automation is one of the best ways to increase efficiency.

It’s widely understood, that is, except when it comes to incident response. For whatever reason, incident response at most organizations remains largely a set of manual processes. Hard drives are combed manually for incident data. So are servers. Oftentimes, as a result, evidence in volatile memory is lost. And, in manual ad hoc efforts, confusion often reigns as to who should respond and how. In large organizations, where there are complex lines over who owns what assets and processes, such decisions are anything but easy. Determining who should respond to each incident as it is already underway wastes valuable time. We would never take this approach in the physical world — imagine a bank with no armed guards, no security cameras and no clearly defined emergency processes in place.

Additionally, organizations that rely heavily on manual processes would have to dispatch an expert to the location where the affected systems reside just to be able to perform their analysis and prepare for the eventual response.

There are clear costs associated with all of those aspects of manual response. But there are additional costs, too. First, with automated response, you can immediately validate the attack and prioritize high risk assets, reduce the number of infected or breached systems, and even more quickly contain an ongoing attack. This alone can be the difference between confidential data and intellectual property being stolen, or systems being disrupted. It also can be the difference between regulated data being disclosed, triggering a mandatory breach notification, or an incident that doesn't go any further than a single end user’s endpoint being infiltrated.

There are many ways automation can help to turn this around, and help put time on your side. For instance, with an automated incident response capability, such as that provided by EnCase Cybersecurity, it’s possible to integrate existing security information and alerting systems to ensure response occurs as the alert is generated. This capability dramatically reduces mean-time-to-response and provides the right individuals’ time-sensitive information they need to accurately assess the source and scope of the problem, as well as the risk it presents your data.

This automation also includes the ability to take snapshots of all affected endpoints and servers, so that immediate analysis of the exact state of the machine at the time of the incident can be performed. This is a great way to identify what is actually going on in the system, such as uncovering unknown or hidden processes, running dynamic link libraries, and other stealth activities. As threats grow increasingly clandestine, this speed is all the more important.

There’s also a facet of our technology that’s often not considered part of response, but actually is, and that’s endpoint data discovery. This way, you can understand where sensitive data exists across your enterprise, remove from errant locations, and ensure data policies are being followed to reduce the risk of data ex-filtration. By integrating that capability with detection systems, you can be assured to quickly understand the risk a threat presents any potentially affected machine based on its’ sensitive data profile and prioritize other response activities accordingly.

Finally, to ensure that the process is efficient, it’s crucial to have solid workflow processes in place. This makes it much more straightforward to quickly assign incidents to the right analysts, or teams, as well as track investigations from open to close.

It’s impossible to detail the exact monetary return of effective, automated incident response – but it’s certain that such automation will save you significantly. It will reduce your exposure, manpower required to respond, speed time to identification and remediation of a breach, and very likely limit breach impact. This is especially the case when caught early. With a malicious breach costing more than $200 per record, and breach records running into the tens, if not hundreds, of thousands per incident – not to forget regulatory sanctions, fines, and potential lawsuits – anything reasonable that can be done to mitigate the impact of the inevitable breach should be done.

Incident Response for the Masses

Anthony Di Bello Being able to leverage the powerful capabilities of forensic incident response software no longer requires significant, specialized training for the security analyst.

When an attack strikes, or a suspected breach is underway, time is everything. Unfortunately, alerts sent from intrusion detection systems, security information and event managers (SIEM), data leak prevention tools and others aren’t always the most accurate. Yet, every time consuming false alert and lost moment is costly to the effectiveness of the IT security program.

The trouble is that historically initial forensic investigations require detailed training. And that expertise isn’t always available at notice - if you even have those skills readily available on staff.

Helping to automate incident response, without the need for extensive forensic training, is one of the strongest points of EnCase Cybersecurity. When you first suspect, or know, an attack is underway, the first thing that needs to be accomplished is to validate the alerts as well as understand the nature of the attack and the depth of its impact.

• Is the attack coming from:
• A malicious insider? 
• A knowledgeable and determined outside attacker?  
• A low-risk malware infection that’s not likely to have progressed beyond a single system? 
• How many endpoints or servers are involved? 
• How many hours, days, weeks, or months has the threat likely been present?

These are questions that can truly only be answered after a complete examination of affected systems. EnCase Cybersecurity helps security teams do just that without deep forensics expertise, through its ability to expose and automate forensic response actions in the console they are most used to working in, such as a SIEM. This provides teams what they need not only to validate, but also to have a working understanding of how the threat is affecting any given endpoint, and to identify how deep the compromise does - or doesn’t - go.

As a simple example, take an alert type that runs a high false positive rate as a result of unpatched anti-virus on the indicated system. Normally, validating this false positive requires involvement from IT, and the time it takes for IT to obtain access to the system and report back the status of the anti-virus software installed – this could take several days. If a forensic incident response solution were integrated into the alerting system, validating this false positive would be a simple matter of automating a hash value look-up based on the hash value representing an up-to-date anti-virus executable or related file – the entire process taking mere seconds. This same concept can be used to validate malware detected in-motion – that is to say, understand immediate if the attack was successful.

All of this is completed without biases or misguided assumptions that cloud the judgment of many investigator’s during an investigation. The forensic grade, disk-level visibility granted by EnCase Cybersecurity provides teams a transparent, accurate view of what’s happening and what exists on endpoints, from advanced malware to misplaced regulated data, and helps teams to quickly understand the nature of attacks.

The tools are out there to help simplify incident response and forensic analysis and in today’s threat landscape, and it's time more organizations started using them.

Before the Breach Part 2 - 6 Best Practices

Anthony Di BelloEarlier this week, we talked about the implortance of incident response. In this post, I'm going to touch on the 6 best practices presented in our webinar, and why I think these are important considerations for you to take.

Best Practice #1: Preparation. Whether you are running a sports team, a military, or incident response effort, success requires that the team be prepared. A plan of action needs to be in place. The organization needs intelligence on new threats and risks it faces. Also, anyone involved in the incident response process needs a clear understanding of what their expectations are and what they need to do to when an incident is underway.

Another part of preparation is understanding the abilities and limitations of your organization. Do you have the resources necessary to respond to outbreaks manually, or would network-enabled response help your team save time and effort? Other important aspects of preparation include having clear and up-to-date knowledge of your environment, as well as understanding where sensitive and regulated data are stored. Finally, as is true with any successful team, you need to test your incident response processes with fire drills and ongoing practice.

Best Practice #2: Identify the risk. Make sure you can identify incidents as quickly as is reasonably possible. Tune your intrusion detection systems properly and integrate security and infrastructure event logs with your SIEM (if you have one). This way, you can quickly identity the critical events that need immediate attention. And note that while SIEMs can help eliminate a lot of noise from your intrusion detection systems, as well as events from throughout your infrastructure, high risk incidents will need to be carefully vetted and handled by incident response proceedures.

Best Practice #3: Triage. Speaking of alerts, as you have them rolling in from various security platforms, you need to have a system in place that enables you to understand what threats need immediate attention and which can wait for analysis later. In one interesting example during our best practice webinar, Darrell Arms, solutions engineer, Accuvant Inc., recalls an instance when a client was on the verge of publicly disclosing what, initially appeared to be a significant breach on the company’s data. Fortunately, after a thorough forensic investigation, it came to be realized that there wasn’t any breach at all. That experience goes to show how important the power and visibility provided by capabilities driven by forensic principles can be.

Best Practice #4: Contain. To be able to contain a threat, you need to be able to collect, preserve, and understand the evidence associated with the incident. That includes any malware uncovered. And this evidence can’t be collected in a haphazard way; it needs to be handled as evidence, because it potentially will be. Malware and live system information must be collected and preserved in real-time, in order to provide accurate and timely details for a full scope assessment. This is crucial to understand potential targets of the attacker, as well as how deep the attacker may have infiltrated, or how far malware had propagated. Live system details as well as the Malware binary can be leveraged to seek out other infections throughout the network quickly. While the largest enterprises may have the expertise in-house to reverse engineer malware, it is a time consuming and expensive process when there is more readily available data that can be used to immediately perform an accurate scope assessment. Either way, have a plan in place to utilize when needed.

Best Practice #5: Recover & Audit. Before the incident can be considered closed, all offending malware and exploits have to be removed from affected systems, and any offending vulnerabilities that made the attack possible need to be closed. Systems need to be cleansed, or possibly even rebuilt. It’s important, for this stage, to have the ability to search throughout the network for other potentially infected or compromised systems. During this phase of your incident response plan, you’ll need to conduct a sensitive data audit of any affected systems that may have contained personally identifiable information, intellectual properly, data that are governed by regulatory controls, or anything that could possibly trigger a mandated breach notification.

Best Practice #6: Report & Lessons Learned. Hopefully, the breach didn’t involve regulated data. However, if it did, you’ll need to consult all relevant data breach notification regulations, and develop a plan with internal stakeholders such as IT, communications, business leaders, and legal on how you’ll move forward.

It’s important to remember that any business can be breached. In fact, most will be. And, if a company has been in business long enough, it’ll be breached more than once. That’s why it’s so important to learn from these incidents. Document, in detail, what went wrong, and suggest controls that could work better in the future. Also, document what went right and why.

Perhaps this negative incident can also be an opportunity to obtain the budget for things that have been neglected, but shouldn’t have been. Perhaps your organization needs more people dedicated to IT security and response. Maybe what’s needed is not more people but employees with perhaps different skills sets than are currently on staff. Maybe it is certain types of technology that you’re missing that would help to block such attacks more effectively, and more rapidly expose those that do manage to slither through. Take the opportunity to learn from what went wrong, so you can be stronger in the future.

Successful incident response requires a sound plan backed by accurate information

Anthony Di Bello In a number of our recent posts we discussed the importance of being able to quickly identify and respond to potential security breaches:

Incident Response: The First Step is Identifying the Breach

Beating the Hacking Latency

SIEM Turbocharger

In those articles we covered why it’s critical, for effective incident response, to have the ability to filter the noise from the various security technologies most organizations have in place. In our SIEM Turbocharger post, for instance, we talked about how EnCase’s SIEM integration capabilities enables instantaneous forensic data collection, and how (when the inevitable breach does occur) an assessment can be quickly conducted across endpoints to scope the breadth of the situation.

But what happens should the breach be significant and turns out to be a reportable incident due to regulatory mandate, SEC reporting expectations, when a considerable amount of confidential data has been stolen, or a related situation is encountered?

News headlines of companies that didn't handle their incidents, once identified, properly are all too common.

The key to success at these times is by having a well-crafted plan in place for how the incident will be handled.

Based on our discussions with customers and industry leaders there are several things that must be in place to make a successful incident response possible. While the IT security incident response team is generally a tight group of IT and security managers and analysts, having the right, and much more organizationally broad, team in place to respond to business-critical incidents is crucial. In fact, if a publicly reportable incident is going to be well managed it will most likely require input from many aspects of the business. That’s the only way to best decide how the general public, partners, suppliers, customers or anyone else affected, and who will be notified, could best be handled.

Unfortunately, this is where many organizations fall short. When they approach their customers, or announce a breach it’s not always handled as well as should be, which can cause loss of trust, loss of customers, and even increased regulatory scrutiny.

However, once it’s determined that an incident is serious enough to notify business leadership the people and the protocol for this need to be in place ahead of time. That includes informing members of the legal and compliance teams, the CIO’s office, corporate communications, and others. Once the legal, business, and regulatory implications of the breach are understood it’s time to take the incident to executive management and eventually notify the affected stakeholders.

Of course, what is required throughout the entire incident response process is accurate and trusted information. Organizations need clarity on the nature and scope of the breach as soon as possible so they can start making intelligent decisions as early in the incident as possible. Fortunately, through the integration of EnCase Cybersecurity with SIEM technology, it’s possible to automate the digital forensics data capture process and therefore quickly understand the nature and true scope of an incident. This way well informed and the more appropriate decisions can be made from the start.

Follow me on Twitter @CyberResponder

SIEM Turbocharger

Victor LimongelliWell, since no compressed air is involved, perhaps it is not technically a turbocharger, but EnCase® Cybersecurity now makes SIEM tools much more effective, by automating the digital forensics capture and analysis activity required as part of incident response.

As Martin Kuppinger has observed, the “art of SIEM is to – at best – identify exactly the critical situations which need to be handled. Not more, not less.” The problem is, no organization can do that perfectly – no SIEM is ever tuned to such a fine degree of precision so that only the “critical situations which need to be handled” are immediately presented to the incident response team. Often, there are too many “situations,” or, the critical nature of certain “situations” is not apparent until a later time, when perhaps more related data points are correlated by the SIEM. Determining what happened, whether critical data was exfiltrated from the organization, or whether the attack spread to other computing assets, is crucial. In order to do so, the data around the critical situations needs to be captured, either for immediate response, or for later analysis. As NIST has noted in its Guide to Computer Security Log Management, “data regarding a particular event could be needed weeks or months after the event occurred.” What’s more, when one of these critical situations occurs, you may want to assess a broader set of machines, even a subnet, as part of the analysis.

EnCase® Cybersecurity now facilitates this data capture and analysis in three ways. First, if an analyst sees a highly critical situation identified in the organization’s SIEM tool, he or she can now, right from the SIEM, perform an EnCase collection.  Second, an organization, in its tuning of its SIEM, can establish rules so that for critical events, forensic collection occurs automatically. Third, an assessment can be automatically run on a broad set of endpoints to determine the extent of the problem – by way of example, assessing what binaries are running that are not part of the organization’s approved builds.

The user can view the analysis results right from the SIEM console. The following video demonstrates how it works:



The result is a turbocharged SIEM – more power, more effectiveness, and a better response to critical incidents when they occur.

Victor Limongelli is president and chief executive officer of Guidance Software.

EnCase Automates Response to Security Incidents

Anthony Di BelloNew software and services from Guidance Software fill a critical gap in information security by helping organizations respond automatically to security attacks and breaches, giving businesses and government agencies the capacity to react to thousands of events daily and reduce the time between a breach and incident response.

Guidance Software has connected EnCase® Cybersecurity version 4.3 with security information and event management (SIEM) systems to facilitate security automation. For example, when an attack or breach event is suspected, the SIEM system can now automatically trigger an EnCase® Cybersecurity forensic response, including exposing, collecting, triaging and remediating data related to threats — essentially taking action on or gathering data about a security event that might otherwise have been missed.

By automating incident response, organizations can collect actionable information about an attack, minimize data leakage and economic damage, and reduce the time needed to eliminate the threat and return an endpoint computer to a normal state.

According to a September 2011 Cost of Cyber Crime study by The Ponemon Institute, the average time to resolve a cyber attack in 2011 was 18 days. Shortening that duration could reduce the cost and impact of an attack, which the Ponemon study placed at $416,000 on average. Results of the study also showed that malicious insider attacks can take more than 45 days to contain.

"Time is of the essence when performing incident response, but today's security teams are constrained by the volume of attacks and the time it takes to initiate a response. Any delay in response means a potential for more damage and a loss of valuable data," said Victor Limongelli, president and chief executive officer, Guidance Software. "By automating forensic response EnCase® Cybersecurity enables security teams to achieve a real-time view of what was occurring on endpoints during an attack, even if the incident occurred over a weekend or in the middle of the night."

Organizations have three ways they can automate incident response using new features in EnCase® Cybersecurity:

-- Integration with ArcSight — The integration of EnCase® Cybersecurity with HP ArcSight Enterprise Security Manager (ESM) offers four pre-programmed, automatic functions, including forensic auto-capture of system memory, scanning for Internet history and cache files, scanning for personally identifiable information, and conducting a targeted forensic data audit of a system. Security managers can run these EnCase® functions and view results from a pull-down menu inside ArcSight ESM with a few mouse clicks, or they can set them to run automatically, without manual intervention, when an incident triggers a security alert.

-- Response Automation Connector — EnCase® Cybersecurity 4.3 includes the new response automation connector, which is an application-programming interface (API) that gives organizations the ability to integrate the software with other security alerting systems. Customers using the API can integrate all of EnCase® Cybersecurity's incident response capabilities into their SIEM environment and automate those functions that are most important to their security processes.

-- Response Automation Services — Guidance Software has also launched new professional services offerings to help organizations with other security alerting tools or unique staffing needs to automate response to security incidents using EnCase® Cybersecurity.

Learn more about automated incident response with Arcsight ESM and EnCase® Cybersecurity. 
Read the news release.