The 451 Group
451 Research is focused on the business of enterprise IT innovation. into the
competitive dynamics of innovation in emerging technology segments.
Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research.
The Uptime Institute Global Data Center and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities.
TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide.
ChangeWave Research is a research firm that identifies and quantifies in consumer spending behavior, corporate purchasing, and industry, company and technology trends.
Introductions
Andrew Hay Senior Security Analyst, The 451 Group Author, Speaker and Blogger
Coverage Areas: ESIM (SIEM & Log Management), IT-GRC, Forensics & Incident Response, Intrusion Detection/Prevention
Macro research areas: [Nation State] Cyber Security & Critical Infrastructure Protection
What is this talk about?
Forensics has traditionally been viewed as very system-specific. Only recently have external (off of the target machine) sources of
Image Source: http://infosecnewbie.blogspot.com/2010/11/open-source-forensics-fundamental.html
The idea for this talk came from Kill Bill, the two-part epic
revenge drama. In it, martial arts master Pai Mei
wherein pressure points on the victim's chest are struck, leaving them with a few footsteps before their death. This technique is referred to as
Heart
Image Source: http://inatitude.files.wordpress.com/2009/02/pai-mei.jpg
So what are the five points?
Platform Forensics
Network Forensics
Data Reduction
Orchestration
Corroborators
Point 1 Platform forensics
No one will argue that the artifacts residing on the suspect endpoint hold lots of information. Volatile memory, application
One should be cognizant, however, of the other sources of information spread throughout an enterprise environment NOT residing on the target system.
Image Source: https://cagandoregra.wordpress.com/2010/08/03/the-36th-chamber-of-shaolin-a-camara-36-de-shaolin/
Point 2 Network forensics
If a host needs to talk to the world, it needs to leverage the network. Likewise, if an attacker interacted with the machine remotely, there may be a trail. Deep packet inspection (DPI), network flow generation/collection/inspection, packet sniffers and flow analytics engines
Image Source: http://www.imdb.com/media/rm2382076160/ch0001814
Point 3 Data reduction
Feeds and sources of third party data that help analysts
Why look at what we know
from your friends. Application whitelisting, threat intelligence feeds, known compromised IP addresses/ranges, etc.
Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 4 Corroborators
additional information
Vulnerability & patch management
Perimeter detection/protection
Endpoint protection
Change, configuration and policy management
System management
DLP, NAC, etc.
Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/
Point 5 Orchestration
Tools designed to correlate, normalize and alert on enterprise information (not just security information). Central repositories of
central repositories of information!
SIEM, log management, IT GRC, compliance management, etc.
Image Source: http://celluloidamazing.blogspot.com/2009/11/when-i-woke-up-i-went-on-what-movie.html
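The joining that Points 3, 4 and 5 describe, shown as a small added example (not code from the talk or from any vendor product): one artifact recovered from the suspect endpoint is enriched with constructed flow records, a constructed application whitelist and known-bad address feed, and a constructed scanner finding, then scored by how many external sources agree. Every host name, address, timestamp and the scoring rule are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records, one per point of the model (all values made up).
# Point 1, platform: a process and its outbound peer recovered from the suspect endpoint.
HOST_ARTIFACT = {"host": "ws-17", "process": "svchost.exe", "pid": 4120,
                 "remote_ip": "203.0.113.45", "seen": datetime(2011, 6, 1, 14, 2, 10)}
# Point 2, network: flow records from a collector; only the first relates to the artifact.
FLOWS = [
    {"src": "ws-17", "dst": "203.0.113.45", "dport": 443, "bytes": 918400,
     "start": datetime(2011, 6, 1, 14, 2, 12)},
    {"src": "ws-17", "dst": "198.51.100.7", "dport": 80, "bytes": 2100,
     "start": datetime(2011, 6, 1, 9, 30, 0)},
]
# Point 3, data reduction: an application whitelist and a known-compromised address feed.
APP_WHITELIST = {"svchost.exe", "explorer.exe"}
KNOWN_BAD_IPS = {"203.0.113.45"}
# Point 4, corroborators: what vulnerability/patch management last reported per host.
VULN_RECORDS = {"ws-17": ["unpatched browser plugin (constructed scanner finding)"]}


def corroborate(artifact, flows, whitelist, bad_ips, vulns, window=timedelta(minutes=5)):
    """Point 5, orchestration: join the endpoint artifact with the external sources.

    Returns the enriched finding and counts how many independent sources back it up,
    so an analyst can rank it instead of trusting the endpoint evidence alone."""
    finding = dict(artifact)
    # Network: flows from this host to the same peer, close in time to the artifact.
    finding["flows"] = [f for f in flows
                        if f["src"] == artifact["host"] and f["dst"] == artifact["remote_ip"]
                        and abs(f["start"] - artifact["seen"]) <= window]
    # Data reduction: a whitelisted binary still matters when its peer is known bad,
    # so both facts are kept rather than one silencing the other.
    finding["process_whitelisted"] = artifact["process"] in whitelist
    finding["peer_known_bad"] = artifact["remote_ip"] in bad_ips
    # Corroborators: weakness previously reported on the host (empty if the tool is silent).
    finding["open_vulns"] = vulns.get(artifact["host"], [])
    finding["corroborating_sources"] = sum(
        [bool(finding["flows"]), finding["peer_known_bad"], bool(finding["open_vulns"])])
    return finding


if __name__ == "__main__":
    result = corroborate(HOST_ARTIFACT, FLOWS, APP_WHITELIST, KNOWN_BAD_IPS, VULN_RECORDS)
    print(f"{result['corroborating_sources']} external sources corroborate the artifact")
```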
What will it look like?
Platform Forensics
Network Forensics
Data Reduction
Orchestration
Corroborators
The result?
Many hands make light work; this is extremely true with regards to forensics. Evidence on a system can almost always be enriched by external sources of corroborating evidence. Hindsight is 20/20: deploy now to help later.
Image Source: http://totallyradicalsportz.wordpress.com/2010/10/11/smackfest/
The result?
Vendors must strive to
work. Some vendors are starting down this path, but primarily to enrich their own data. WE need to teach non-forensics vendors the value of forensic data. WE need to teach forensics vendors the value of integration.
Image Source: http://blog.lowpricelessons.com/wp-content/uploads/2011/01/kill-bill-uma-in-car.jpg