EnCase Cybersecurity: Automating Incident Response (Bhagtani, 5-22-2012) [compatibility mode]
Posted 19-Oct-2014
EnCase Cybersecurity: Automating Incident Response
May 22, 2012
Ambreesh Bhagtani, Guidance Software, Inc.

Automating Incident Response
Ambreesh Bhagtani
Manager, UI Development

Page 2
Topics
1. What is incident response – use cases?
2. Comparing manual vs. automated incident response
3. Understanding Web APIs
4. Overview of ArcSight
5. Data visibility
6. Q & A
Page 3
What is Incident Response?
The ability to respond to events and alerts in a timely fashion.

Incidents:
• Malicious attack
• Unauthorized port activity
• Unauthorized URL access
• Unauthorized USB account access

Page 4
Incident Response: Manual
Page 5
Drawbacks of Manual Response
• The entire process can take from weeks to months
• Only a single machine is analyzed at a time
• Critical data may be lost
• The full extent of the breach is unknown
• High costs

Page 6
Incident Response: Automated
Page 7
Benefits of Automating Incident Response
• Analyze multiple alerts at the same time
• Reduce costs
• Multiple machines analyzed
• Faster response
• Critical data preserved
• Full extent of the breach identified

Page 8
Incident Response Flow / Architecture
SIEM / IDS / IPS / DLP etc. → Integration Code → EnCase Cybersecurity
Page 9
Web APIs
Computers need a language to communicate!
Application Programming Interfaces – APIs

Page 10
SOAP Request – Get Guidance Stock Price

```http
Host: www.stockprice.com
Content-Type: application/soap+xml; charset=utf-8

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <!-- the namespace declarations are not on the slide; the m: URI is a placeholder -->
  <soap:Body>
    <m:GetStockPrice>
      <m:StockName>GUID</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>
```
Page 11
SOAP Response – Stock Price Response

```http
HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: nnn

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <!-- the namespace declarations are not on the slide; the m: URI is a placeholder -->
  <soap:Body>
    <m:GetStockPriceResponse>
      <m:Price>800.00</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>
```

The same request body with a different stock name:

```xml
<m:GetStockPrice><m:StockName>IBM</m:StockName></m:GetStockPrice>
```

Page 12
WSDL – What is it?
Web Service Definition Language
Page 13
WSDL – Operation

```xml
<operation name="GetLastTradePrice">
  <soap:operation/>
  <input>
    <soap:body use="literal"/>
  </input>
  <output>
    <soap:body use="literal"/>
  </output>
</operation>
```

Page 14
Exercise 1 – Call a Web API
• Objective – Get all cases
• Assumption – Pre-created case
Page 15
Exercise 2 – Use SIEM to call Integration Code

Page 16 (screenshot only)
Page 17
ArcSight Integration UI
Event Configuration

Page 18 (screenshot only)
How it Works: Retrieving Results
1. /case "case 1"
2. /source "safe - source"
3. /ip "192.168.85.151"
4. /event $event[eventId] (variable that captures the eventId associated with the alert)
5. /module snapshot
6. /log true
7. /demo
Request…

Page 20 (screenshot only)
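The values on this slide reach the integration code from the SIEM alert, not from an analyst, and the integration code then turns them into a SOAP call. An added example (not Guidance's or ArcSight's code; the operation name StartScan and the service namespace are hypothetical, since the EnCase Cybersecurity WSDL is not on the slides) that parses the slash-style arguments, validates the IP, module and eventId, and serializes the request through ElementTree so the values are escaped rather than pasted into the envelope:

```python
import ipaddress
import shlex
import xml.etree.ElementTree as ET
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
# Hypothetical service namespace and operation: the EnCase WSDL is not on the slides.
SVC_NS = "urn:example:encase-integration"
OPERATION = "StartScan"
FIELDS = ("case", "source", "ip", "event", "module")
ALLOWED_MODULES = {"snapshot"}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("m", SVC_NS)

def parse_args(cmdline):
    """Parse the slash-style string into a dict; every value is untrusted SIEM-supplied data."""
    tokens, args, i = shlex.split(cmdline), {}, 0
    while i < len(tokens):
        key = tokens[i]
        if not key.startswith("/"):
            raise ValueError(f"expected /option, got {key!r}")
        # Flags such as /demo take no value; other options consume the next token.
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[key[1:]], i = tokens[i + 1], i + 2
        else:
            args[key[1:]], i = True, i + 1
    return args

def validate(args):
    """Reject values that must never reach the EnCase web service."""
    for field in FIELDS:
        if not isinstance(args.get(field), str):
            raise ValueError(f"missing /{field}")
    ipaddress.ip_address(args["ip"])         # ValueError on anything but an IP
    if args["module"] not in ALLOWED_MODULES:
        raise ValueError(f"unknown module {args['module']!r}")
    if not args["event"].isdigit():          # $event[eventId] resolves to a number
        raise ValueError("eventId must be numeric")
    return args

def build_request(args):
    """Serialize via ElementTree so each value is XML-escaped, not pasted in as a string."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}{OPERATION}")
    for field in FIELDS:
        ET.SubElement(op, f"{{{SVC_NS}}}{field}").text = args[field]
    return ET.tostring(env, encoding="unicode")

# Constructed sample of the string ArcSight hands over once $event[eventId] is substituted.
SAMPLE = ('/case "case 1" /source "safe - source" /ip "192.168.85.151" '
          '/event 4711 /module snapshot /log true /demo')
```

Run `build_request(validate(parse_args(SAMPLE)))` to see the envelope; a case name containing `<` comes out as `&lt;` instead of opening a new element.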
Page 21
Configure Response

Page 22
Status of the Scan
Page 23
Set up the Response

Page 24
Jobs are created; the examiner picks up the job.
Page 25
Forensic Analysis
Forensics Report
Type of Scan
• SPA
• Profiling
• Entropy
• Find identical files
• Personal Information Identification
  • Find SSNs, credit card numbers…
• Internet Artifacts
  • Find URLs