Talk from the event "Cybersecurity: a new era in incident response and data auditing". Sam Maccherola, VP and General Manager, Public Sector, Guidance Software Inc. Brasília, 4 August 2010
© 2010 Guidance Software, Inc. All Rights Reserved.
A New Era in Incident Response and Data Auditing
The Case for Cyberforensics
Speaker
Sam Maccherola
Vice President and General Manager, Public Sector, for Guidance Software Inc.
Contact Info: [email protected], (703) 657-7230
Bio
20+ years of government management and program development experience within the information technology and systems integration industry.
At Guidance Software, manages strategic direction, as well as operational, sales, and business development for a growing global Government practice.
Prior to Guidance Software:
— Vice President of Federal at ProSight Inc., responsible for overall strategic direction, as well as operations, sales and marketing components for the federal business unit.
— President of Tenix America and VP of Public Sector Sales for Tripwire, Inc.
— Senior positions with Tumbleweed, Entrust Technologies, Inc., PLATINUM Technologies, and Legent Corp.
Recognized as one of the 100 people in Government and Industry that made a positive difference in Government IT by a panel of Government and Industry leaders.
Active participant in many associations that promote public-private sector information sharing and partnerships: AFCEA, ACT/IAC and ITAA
Guidance Software, Inc.: The World Leader in Digital Investigations
Enterprise Ready, Market Proven Solutions
Over 150 customers of EnCase® eDiscovery
Over 650 customers of EnCase® Enterprise including:
— More than 100 of the Fortune 500 and over half of the Fortune 50
— Deployed on over 10 million desktops, laptops and servers
The Leading Court-Validated Technology
Used in thousands of cases worldwide
Authenticated in over 50 published court cases, and EnCase technology validated under Daubert/Frye
Courts have taken “judicial notice” of the validity of EnCase software
Top-ranked Software by Industry Analysts
Gartner’s highest rating for eDiscovery software
Socha-Gelbmann’s Top 5 (highest category) for eDiscovery software
Forrester calls it “The de-facto industry standard for remote desktop collection”
Committed to Support your On-going Success
World-Class Training and Certification Program
Top-Ranked Professional Services Organization
Government Agencies of All Sizes Rely on EnCase® Solutions
Evolving Threats
Perimeter defense is never enough
With new technologies come new exploits
Threats can also be internal and/or inadvertent
A determined hacker will find a way (high end)
Hacking has become “Productized” (low end)
Key Trends
Per a recent Cisco Annual Security Report, statistics found included:
The overall number of disclosed vulnerabilities grew by 11.5%.
Vulnerabilities in virtualization technology nearly tripled, from 35 to 103 year-over-year.
Attacks are becoming increasingly blended, cross-vector and targeted.
Cisco says its researchers saw 90% growth in threats originating from legitimate domains.
This year, numerous legitimate websites were infected with IFrames, malicious code injected by botnets that redirects visitors to malware-downloading sites, the company says.
2008 Intelligence Community Statistics
55% Increase in Remote Access Cyber Intrusions
52% Increase in Insider Cyber Intrusions
22% Increase in Credit Card Fraud
Verizon Data Breach Report
Analysis of over 500 e-forensics audits:
73% resulted from external sources
18% by insiders
39% implicated business partners
Blackhats: Threat Actors
Nation States
108 countries with dedicated cyber-attack organizations
Dragon Bytes: Chinese Information War Theory & Practice
Terrorists
Growing sophistication
Hamas and Al Qaeda
Ibrahim Samudra and Irhabi 007
Organized Crime
Cybercrime is big business aka RBN
FBI: #1 criminal priority is cybercrime
Trends in Attacks Against .GOV
SQL Injection and Cross-site Scripting
Island Hopping (Unisys/DHS)
Remote User Compromise: VPN Attacks, Client-Side Attacks
PKI Compromise: Private Key Theft
Zero-Day Attacks
Automated Attack Tools
Digital Insider Attacks
Data is the Lifeblood of Government
Figure: Government Data, the Epicenter of Risk: Classified Information; Vulnerabilities & Assessments; PII & Medical Records; Budgetary / Procurement; Defense Contracts; Troop Movements; Sensitive Projects & Schematics
Let the Blood Loss Begin…
25 July 2010
U.S. National Security Advisor on Wikileaks Report on Afghanistan
Says disclosure of classified information threatens U.S. national security
On a Normal Day, an Agency Gets Hit by upwards of 2.4M Attacks
How effective is your security? 99.9%?
99% effective: 12,000 - 24,000 attacks through each day
99.9% effective: 1,200 - 2,400 attacks through each day
99.99% effective: 120 - 240 attacks through each day
Multiple technologies must be layered to get near 99.9% effective
It is impossible to achieve impenetrability
Even if you pulled the plug, they can take the hard drive…
Traditional Security is for Traditional Threats
“Traditional security solutions are obsolete…the signature approach and other traditional methods of security are not keeping pace with the number of threats being created by online criminals.”
“The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.”
“It often takes up to 24 to 72 hours from the time a threat is identified, analyzed, and its signature is developed to the time it is finally delivered to the endpoint. While consumers and enterprises are playing the waiting game, their endpoints are exposed and vulnerable.”
“The degree of difficulty for identifying malware targeting data is outpacing the innovation of traditional security vendors.”
Over $40B Spent on FISMA since 2002 … not enough
More checklists and standards: Consensus Audit Guideline; CVE/OVAL; DISA GOLD/STIG; NSA/NIST NIAP (CCEVS EAL); DIACAP; FIPS; FISMA; ISO 17799; IEC 27002; GLBA; SOX; HIPAA; FDCC; SCAP; NERC’s CIP 009-2; and so on…
Compliance is not an insurance policy against the unknown threat.
Heartland Payment Systems
— Breach cost at $12.5M+
History Repeats Itself
Hannibal using the Roman Roads to cross the Alps
40% Increase in Major Intrusions (US-CERT)
The Challenge – The Starting Line
You Are Here
The Challenge – 1st Hour
You Are Here
The Challenge – 2nd Hour
You Are Here
The Challenge – 3rd Hour
You Are Here
The Challenge – Owned
You Are Here
Hosting Companies = Watering Holes
Current Challenges in Cyber Defense
Regardless of what you do…
Attacks will continue 24/7/365
Enemy at the Gates will continue to recon/infiltrate/exfiltrate
Anonymity will challenge attribution
Malware will be custom designed and used against you
They live in a 0-day environment
Polymorphic Code is on the rise
You need to be right 100% of the time
How do you learn to defend if you never learn what happened or who you’re dealing with?
Cyber Forensics is the Spear Tip of any Cybersecurity Initiative
Identify covert/undiscovered threats: dynamically adaptive patented technology gives InfoSec the advantage against new threats:
— Polymorphic Malware
— Packed files
— Other advanced hacking techniques
Attribute new attacks to older attacks, invaluable in attributing malware to an attacker
Complete visibility into endpoint risk with the ability to target static and live data to locate sensitive information
Find and remediate malware: risk mitigation by wiping sensitive information, malware and malware artifacts from hard drives, RAM and the Windows Registry
Powerful investigative capabilities allow organizations to audit for PII (e.g., credit card numbers, account numbers, etc.), and perform internal investigations such as those dealing with fraud or HR matters
2010 Cybersecurity Survey (Continued)
Endpoint was used in all of the top 3 insider theft mechanisms
44% Laptops
42% Copied information to mobile device
38% Downloaded information to home computer
2010 Cybersecurity Survey (Continued)
Incident response and internal forensics can make a difference
28% of events resulted in legal or law enforcement action
35% could not pursue legal action due to lack of evidence
29% could not identify the individuals responsible
The Endpoint Needs Comprehensive Visibility
Figure: four pillars of endpoint visibility
Endpoint Visibility: multiple OS and file systems; see through data-at-rest solutions; packed and compressed; data universe is ever expanding
Data Protection: targeted search & remediation; DLP; encryption, etc.
Speed, Mobility, Adaptability: infinite digital reach; speed of cyber, not UPS/FedEx; adaptive malware identification & recovery
Cyber Preparedness
Incident Response at the Forensic Level with Endpoint Visibility
EnCase Cybersecurity provides…
Enterprise-wide incident response
— Cyberforensic triage and in-depth analysis, attack attribution analysis, and remediation
System deviation assessments
— Expose system integrity issues caused by unknown threats
Data policy enforcement
— Identify and wipe PII/Classified data from unauthorized endpoints
The Missing Layer in Defense in Depth …
Information Security Challenges
Proactively identifying and addressing covert/unknown threats
Determining the capabilities and purpose of unknown files or running processes
Identifying and recovering from known malware and/or polymorphic malware
— Signature-based detection tools are insufficient when faced with code that morphs to evade detection
Quickly triaging and containing an identified threat
Locating and rapidly responding to data leakage (PII, IP, etc.)
Compliance with data protection and breach notification laws
Determining the “State of the Network” by comparing known profiles to data on systems
The Past
One computer at a time
Days, weeks, and months to get the data
Costly & Time Consuming
The gathered intelligence was valuable, but useless
The Past
EnCase Field Intelligence Module (FIM)
One computer over the network. (2004)
The Past
Searching only one target at a time.
EnCase Cybersecurity provides…
Network-enabled incident response
— Cyberforensic triage and analysis, attack attribution analysis, and remediation
System deviation assessments
— Expose system integrity issues caused by anomalous or unknown threats
Data policy enforcement
— Identify and wipe PII/IP/Classified data from unauthorized endpoints
A Cyber Forensics Approach
The Present
Enterprise Forensics
The Present
Automation of searching multiple targets in parallel.
Pre-defined Criteria
The Present
Automation of searching for compromises and malware.
Benefits & Features of Cyber Forensics
Benefit | Cyber Forensic Feature
Proactively identify and recover from covert network threats | Entropy near match analysis, hash analysis, memory analysis, remediation
Find similar files over the network | Entropy near match analysis
Proactively identify and recover from data leakage | Targeted search and remediation
Ensure endpoints remain in a trusted state | Hash database comparison, system profiling
Accurately triage an incident anywhere in the world from a central location | Network-enabled, security protocols, investigative capabilities
Combat insider threat by proactively identifying and investigating suspicious activity | Log file analysis, Snapshot, investigative capabilities
Endpoint situational awareness | Operates at the kernel level, sees what the OS cannot
Determine the extent of data breaches | Log file analysis, memory analysis, investigative capabilities
Questions/Thoughts
Today, how do you…
Identify unknown or covert threats?
Limit the risk exposure presented by sensitive information?
Respond to a suspected threat?
Limit the scope of a data breach?
Ensure endpoints remain in a trusted state?
Address and scale technology and processes to include file servers, email servers, and semi-structured data repositories?
Thank you