Showing posts with label Threat Response. Show all posts

Black Hat 2014: Live Demo of Threat Detection and Intelligence for EnCase

We invited Jessica Bair, one of the ThreatGRID experts with whom we have partnered at Cisco, to write a guest blog post for us about their upcoming presentation in our booth at Black Hat 2014, and she has delivered. We welcome her and Cisco SourceFire and ThreatGRID to our Guidance Software booth #1141--and to the Endpoint Intelligence blog.

The threat landscape is rapidly evolving and organizations are having a harder time keeping up. The negative consequences of security incidents continue to be more impactful. The trends, unfortunately, are favoring the adversaries:

  • Attackers are getting better and faster than defenders. Attackers now compromise organizations in days or even hours, while it takes defenders weeks or even months to discover that they have been compromised. This gap is widening.
  • The number of incidents detected continues to grow. Organizations are detecting 25 percent more incidents than last year. While some of this may be the result of better detection, it still points to the growing number of incidents that need to be responded to and handled--not to mention the time pressure.
  • The financial costs of incidents are rising, particularly among organizations reporting high dollar-value impact.
  • There is a major shortage of skilled cybersecurity professionals, larger than for any other role within IT.
What is required is a threat-centric, integrated solution for breach detection, threat analysis, and remediation. Guidance Software, Inc. partnered with SourceFire and ThreatGRID (both now part of Cisco) for a best-in-class integrated approach:

The combined approach provides you with efficient and rapid incident response, including:

  • Proactive breach and threat detection with SourceFire NGIPS
  • Analysis of unknown threat files in ~5-30 minutes with ThreatGRID
  • Remediation across the enterprise with EnCase Cybersecurity
The business value and benefits are immediate and lasting. Our combined approach:

  • Decreases the time between detection and remediation
  • Increases the productivity and efficiency of security professionals to manage threats
  • Reduces risks and associated costs by lowering the exposure to related breaches
  • Increases the accuracy of malware analysis and threat intelligence
We invite you to come see a live demonstration of this integration in action at Black Hat 2014. The demonstration will be held at 1:50 p.m. on Thursday, August 7 in the Guidance Software theater in booth #1141. Security experts will be on hand to answer your questions and discuss how you can improve your breach detection, conduct efficient threat analysis, and complete rapid, enterprise-wide remediation. See you there!

Jessica Bair, EnCE, EnCEP
jbair@cisco.com
Sr. Manager, Business Development
Advanced Threat Solutions - Cisco Security Group

Joel Brenner Keynote at CEIC 2014: The Changing Face of Espionage


For more than a decade, a series of high-profile security breaches have brought to light the vulnerability of the security systems upon which we rely. The best known include:

  • Titan Rain: Hackers were able to gain access to U.S. defense contractor computer networks and siphon off large amounts of information.
  • New York Times: Ten years after Titan Rain, Chinese hackers broke into the New York Times network and gained access to employees' computers and passwords.
  • Target: More than 40 million credit and debit cards and 70 million records, including names, addresses, email addresses and phone numbers of customers were stolen in the attack on the retail giant.
Cybersecurity expert Joel Brenner shared deeper insights into the state of security with CEIC 2014 attendees in his keynote speech. In spite of a series of high-profile, damaging attacks dating back to 2003, public and private organizations are still under siege, and there is no end in sight.

Building Cyber-Talent in the National Collegiate Cyber Defense Competition

The headlines are full of stories about the growing number of job opportunities for what may be a too-small pool of young cyber-defenders and incident responders. At Guidance Software, we support universities with our EnCase Academic Program to help ensure that the up-and-coming generation of information security specialists has the tools and technology they need to work like seasoned professionals do. To that end, we are also proud to be a Gold sponsor of the National Collegiate Cyber Defense Competition (NCCDC).

Ten finalist teams from more than 180 colleges and universities will participate in this national competition, held in San Antonio, Texas from April 25-27. To support this valuable training exercise, we supplied EnCase software network-wide, some EnCase training for all contestants, and will staff the volunteer Red Team with an EnCase incident-response expert. 

Medical Devices Vulnerable to Remote Cyber Tampering, FDA Warns

Ale Espinosa

This post is not suited for the faint-hearted … especially those wearing a medical device.

The U.S. Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical device manufacturers and user facilities, hospitals, health care IT and procurements staff, and biomedical engineers, following news of security issues in certain fetal monitors and software used in body fluid analysis.

According to the FDA’s safety communication issued last week, there are strong concerns regarding medical devices and hospital networks’ vulnerability to malware, as well as with the unauthorized access to their configuration settings. Among the devices and systems at greater risk are those that are network-connected or configured, hospital computers, smartphones and tablets, and password databases, among others.

Hello? You’ve Been Breached.

Ale Espinosa

Knock, knock. Who’s there? The FBI.

The reality of the world we live and do business in has made us increasingly vulnerable to cyber threats and attacks. Perimeter security and signature-based threat detection tools can only do so much when the threat is brand new or if it morphs as it spreads out through your network, making their signature unrecognizable. Chances are, there is someone lurking in your network right now and you don’t even know it.

In fact, Verizon’s 2013 Data Breach Investigations Report revealed that approximately 70% of cyber breaches go completely undetected by organizations’ security teams, and are instead discovered by external parties like the authorities, FBI, or even the attackers themselves.

The Best Tool in Your Kit

Josh Beckett

As security professionals, we all have to deal with real events and incidents and false positives. Furthermore, we all need to try to minimize the impact that false positives have on our workflow so that we can focus on the real stuff. I love to use real-world examples that have a parable-like quality to them in order to get interesting points about security across.

A friend recently told me about someone they knew who was asked to show their driver's license, which happened to be expired. Now, there are obviously many situations where we know this will become a problem, but there is really only one situation where this particular bit of information is actually relevant. What is a driver's license really? It is proof of your authorization to drive a particular class of motor vehicle. If expired, it is possible that you are no longer so authorized. That is the only use case where such information is completely relevant.

Incident Response: Automation by Integration

Ale Espinosa

Congratulations are in order for EnCase® Cybersecurity integration partners IBM Q1 Labs and HP ArcSight for landing the top two placements in the Leaders quadrant of the 2013 Gartner Magic Quadrant for Security Information and Event Management (SIEM), soon to be available for download from Gartner's website.

Only the most successful vendors in building an installed base and revenue stream within the SIEM market, and whose offerings provide a good functional match to the general market requirements, land in this prestigious category of the Magic Quadrant report. Similarly, when evaluating integration partners for EnCase Cybersecurity, we use the very same criteria to decide which technologies to focus on first.

By integrating with SIEM and other event detection systems, EnCase Cybersecurity allows you to automatically respond to any security incident by zeroing in on affected endpoints at the moment of alert. It also triggers an array of deep inspection and analysis techniques to expose any anomalous activity. Scoping the impact of a breach as quickly as possible by instantly capturing and analyzing live system data over your network can help you minimize the risk and effects of an attack, before damage can be done.

Our list of out-of-the-box integrations keeps growing, with new ones being added in upcoming releases of EnCase Cybersecurity. What detection systems would you like EnCase Cybersecurity to integrate with, right out of the box? Drop me a note in the comments box below. We welcome your input!

Chinese government behind Chinese hack-a-thon...really?

Josh Beckett

The Pentagon has come out and stated the obvious. When listening to this story this morning on NPR, the immediate thought that came to me was, "Yeah, well, what are you going to do now?" Of course, the interviewer asked that very question and the interviewee burbled and hemmed and hawed. No real answer. What can you do in a war that is not fought on a physical battlefield with physical weapons, but inside of computers?

The Road to CEIC 2013: Cybersecurity 101


Jessica Bair

The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.

Are you an EnCase® Enterprise user who'd like to learn how to automate your network-enabled incident response? Or, perhaps an experienced EnCase® examiner looking for a career change or career enhancement? If a more complete approach to incident response is on your task list, you should attend Cybersecurity 101 with Josh Beckett, product manager for EnCase® Cybersecurity, at the CEIC 2013 Cybersecurity and Compliance Lab. This hands-on lab will demonstrate the basics of using EnCase Cybersecurity, as Josh walks through the major use cases of how the software will assist you in both incident response and compliance management roles, and how to implement it into your organization’s processes.

Attack Aftermath: What’s Next for South Korean Banks and Broadcasters?

Anthony Di Bello

What's next for South Korean banks and broadcasters that were paralyzed by a massive cyber attack this past week? I was talking with Rodney Smith, who directs information security and field engineering here at Guidance Software and has consulted on post-attack digital investigations with hundreds of firms around the world.

His take is that a thorough digital forensic investigation is an urgent and essential next step to getting back to normal after having hard drives and their master boot records (MBRs) wiped out. The MBR is the first sector of a disk; it holds the bootstrap code and the partition table that tells the system where each file system lives on the drive. Affected systems were given a forced reboot command, but restarts were impossible because the MBRs and file systems had been corrupted.
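When a wiper has hit sector 0, the first thing an examiner wants from a disk image is a quick read on whether anything structural survives there: is the 0x55AA boot signature still present, and does the partition table still describe plausible partitions? The script below is an added example written for this post, not Guidance Software or EnCase code; it parses a 512-byte MBR, classifies it as intact, damaged (signature lost but partition table recoverable) or wiped, and runs against constructed sample sectors (a healthy single-partition disk, an all-zero sector, and a sector overwritten with a repeating marker string). The marker string and partition layout are made up for the example.

```python
"""Sanity-check a 512-byte master boot record (MBR) read from a disk image.

Added example for the MBR-wipe discussion above; not EnCase or Guidance
Software code. Sample sectors below are constructed for illustration.
"""
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of an intact MBR
TABLE_OFFSET = 446             # four 16-byte partition entries follow the boot code
ENTRY_FORMAT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_entry(raw: bytes) -> dict:
    """Decode one 16-byte partition entry and judge whether it looks real."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, raw)
    # A real entry has status 0x00 or 0x80, a non-zero type and a non-zero length.
    plausible = status in (0x00, 0x80) and ptype != 0 and sectors != 0
    return {"status": status, "type": ptype, "lba_start": lba_start,
            "sectors": sectors, "plausible": plausible}


def assess_mbr(sector: bytes) -> dict:
    """Classify sector 0 as intact, damaged, no-partitions or wiped."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 64]
    entries = [parse_entry(table[i:i + 16]) for i in range(0, 64, 16)]
    plausible = [e for e in entries if e["plausible"]]
    if signature_ok and plausible:
        verdict = "intact"
    elif plausible:
        verdict = "damaged"        # signature clobbered but table still readable
    elif signature_ok:
        verdict = "no-partitions"  # signed but empty table (e.g. unpartitioned disk)
    else:
        verdict = "wiped"          # nothing structural survives in sector 0
    return {"verdict": verdict, "signature_ok": signature_ok,
            "partitions": plausible,
            # low diversity in the boot-code region is a hint of zero-fill or a pattern
            "distinct_bytes_in_boot_code": len(set(sector[:TABLE_OFFSET]))}


def build_sample_mbr(partitions) -> bytes:
    """Construct a synthetic intact MBR: dummy boot code + table + signature."""
    boot_code = bytes(range(256)) + bytes(range(190))  # 446 placeholder bytes
    table = b"".join(
        struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, ptype, lba, count)
        for bootable, ptype, lba, count in partitions)
    table += b"\x00" * (64 - len(table))
    return boot_code + table + BOOT_SIGNATURE


# Constructed samples (hypothetical layouts, not taken from any real image).
GOOD_MBR = build_sample_mbr([(True, 0x07, 2048, 204800)])  # one bootable NTFS partition
ZEROED_MBR = b"\x00" * MBR_SIZE                            # zero-filled by a wiper
PATTERN_MBR = (b"WIPED!!!" * 64)[:MBR_SIZE]                # overwritten with a marker string
NO_SIG_MBR = GOOD_MBR[:510] + b"\x00\x00"                  # only the signature lost


if __name__ == "__main__":
    for name, mbr in [("good", GOOD_MBR), ("zeroed", ZEROED_MBR),
                      ("pattern", PATTERN_MBR), ("no-signature", NO_SIG_MBR)]:
        result = assess_mbr(mbr)
        print(f"{name:13s} {result['verdict']:14s} "
              f"partitions={len(result['partitions'])} "
              f"distinct_boot_bytes={result['distinct_bytes_in_boot_code']}")
```

Run it against the first 512 bytes of a raw image (`dd if=image.dd bs=512 count=1`) to triage many drives quickly; a "damaged" verdict is the interesting one, since a surviving partition table gives the examiner the offsets needed to carve the file systems even though the machine can no longer boot.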

RSA Conference: Actionable Intelligence is the Missing Link in Incident Response

Anthony Di Bello

Yesterday at Moscone Center I walked by the former Gartner security analyst who famously pronounced nearly 10 years ago that “IDS is dead.”

So it was fitting to attend the keynote by RSA Chairman Art Coviello and hear him say, “It’s past time for us to disenthrall ourselves from the reactive and perimeter-based security dogmas of the past and speed adoption of intelligence-driven security.” He described a fact that’s inescapable to all security professionals now, which is that alerting systems and point solutions for threat response aren’t sufficient to respond to modern threats. The time has come to change the way we perform incident response by using rapidly accessible, actionable intelligence to make the stakes higher for hackers, crackers, and thieves.

Information Discovery and Sharing in the Wake of the Executive Order on Cybersecurity

Anthony Di Bello

It’s the wake-up call CISOs, information assurance, and risk chiefs didn’t really need – but when the White House issues an executive order on “Improving Critical Infrastructure Cybersecurity,” it’s time to up our collective game. Most Fortune 500 companies and critical-infrastructure providers are already establishing and working to best practices in cyber defense and information security, but President Obama’s executive order is a call to a higher standard of readiness for cyber defense and information sharing among agencies and companies providing or servicing critical infrastructure.

We all know cybersecurity is vitally important. However, this order came about for the simple reason that the threat landscape is constantly changing and far too many organizations are far from a state of response readiness.