Automated response to security incidents with EnCase Cybersecurity + SIEM
EnCase Cybersecurity: Automating Incident Response
May 22, 2012
Ambreesh Bhagtani, Guidance Software, Inc. 1
Automating Incident Response
Ambreesh Bhagtani, Manager UI Development
Topics
1. What is Incident Response? Use cases
2. Comparing manual vs. automated incident response
3. Understanding Web APIs
4. Overview of ArcSight
5. Data visibility
6. Q & A
Automating Incident Response
Page 2
What is Incident Response?
The ability to respond to events and alerts in a timely fashion.
Page 3
Incidents:
• Malicious attack
• Unauthorized port activity
• Unauthorized URL access
• Unauthorized USB account access
Incident Response : Manual
Page 4
Drawbacks of Manual Response
• The entire process can take from weeks to months
• A single machine is analyzed at a time
• Critical data may be lost
• The full extent of the breach is unknown
• High costs
Page 5
Incident Response : Automated
Page 6
Benefits of Automating Incident Response
Page 7
• Analyze multiple alerts at the same time
• Reduce costs
• Multiple machines analyzed
• Faster response
• Critical data preserved
• Full extent of the breach identified
Incident Response Flow / Architecture
Page 8
SIEM / IDS / IPS / DLP, etc. -> Integration Code -> EnCase Cybersecurity
Computers need a language to communicate!
Application Programming Interfaces (APIs)
Web APIs
Page 9
SOAP Request – Get Guidance Stock Price
Page 10
POST /StockQuote HTTP/1.1
Host: www.stockprice.com
Content-Type: application/soap+xml; charset=utf-8

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <m:GetStockPrice xmlns:m="http://www.stockprice.com/stock">
      <m:StockName>GUID</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>
SOAP Response – Stock Price Response
Page 11
HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: nnn

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <m:GetStockPriceResponse xmlns:m="http://www.stockprice.com/stock">
      <m:Price>800.00</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>

The same request body for a different stock:
<m:GetStockPrice><m:StockName>IBM</m:StockName></m:GetStockPrice>
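The two slides above show a SOAP request and its response as raw text. The following Python example, added here and not part of the original deck or of any Guidance Software code, builds the same GetStockPrice envelope with a namespace-aware XML library and parses the reply. The application namespace `http://www.example.org/stock`, the sample responses and the SOAP Fault are all constructed for the example; the SOAP 1.2 envelope namespace is the real one. The point for an integration author is that the caller-controlled value (the stock name, or later a case name or host from a SIEM alert) is escaped by the serializer instead of being pasted into a string template, and that a Fault is detected rather than silently returning no price.

```python
import xml.etree.ElementTree as ET

# Namespaces: the SOAP 1.2 envelope namespace is real; the application namespace
# for GetStockPrice is an assumption, since the slide does not show one.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
APP_NS = "http://www.example.org/stock"
NS = {"soap": SOAP_NS, "m": APP_NS}


def build_stock_request(stock_name: str) -> bytes:
    """Return the GetStockPrice envelope from the slides as serialized XML.

    Building the tree with ElementTree (instead of formatting the caller's
    string into a template) guarantees that '<', '>' or '&' in the stock
    name are escaped rather than becoming markup.
    """
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("m", APP_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    operation = ET.SubElement(body, f"{{{APP_NS}}}GetStockPrice")
    ET.SubElement(operation, f"{{{APP_NS}}}StockName").text = stock_name
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def request_stock_name(raw: bytes) -> str:
    """Read the StockName back out of a serialized request (used to verify escaping)."""
    root = ET.fromstring(raw)
    return root.findtext("soap:Body/m:GetStockPrice/m:StockName", namespaces=NS)


def parse_stock_response(raw: bytes) -> float:
    """Extract Price from a GetStockPriceResponse, or raise if the body is a SOAP Fault.

    For XML received from an untrusted peer, use defusedxml.ElementTree.fromstring
    in place of ET.fromstring so entity expansion and DTD tricks are rejected.
    """
    root = ET.fromstring(raw)
    fault = root.find("soap:Body/soap:Fault", NS)
    if fault is not None:
        reason = fault.findtext("soap:Reason/soap:Text", default="unspecified", namespaces=NS)
        raise RuntimeError(f"SOAP fault from service: {reason}")
    price = root.findtext("soap:Body/m:GetStockPriceResponse/m:Price", namespaces=NS)
    if price is None:
        raise ValueError("response carries no Price element")
    return float(price)


# Constructed sample responses mirroring the 800.00 example on the slide.
SAMPLE_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <soap:Body>
    <m:GetStockPriceResponse><m:Price>800.00</m:Price></m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <soap:Fault>
      <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
      <soap:Reason><soap:Text xml:lang="en">Unknown stock symbol</soap:Text></soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_stock_request("GUID").decode())
    print(parse_stock_response(SAMPLE_OK))
```

Sending the envelope over HTTP (the `Host` and `Content-Type` headers shown on the slide) is left to whatever HTTP client the integration uses; the example stops at constructing and parsing the XML.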
WSDL – What is it ?
Page 12
Web Service Definition Language
WSDL – Operation
Page 13
<operation name="GetLastTradePrice">
  <soap:operation/>
  <input>
    <soap:body use="literal"/>
  </input>
  <output>
    <soap:body use="literal"/>
  </output>
</operation>
Exercise 1 – Call a Web API
Page 14
• Objective – Get all cases
• Assumption – A pre-created case
Exercise 2 – Use SIEM to call Integration Code
Page 15
ArcSight Integration UI
Page 17
Event Configuration
Page 18
How it Works: Retrieving Results
Parameters passed from the SIEM to the integration code:
1. /case "case 1"
2. /source "safe – source"
3. /ip "192.168.85.151"
4. /event $event[eventId] -> variable that captures the eventId associated with the alert
5. /module snapshot
6. /log true
7. /demo
Request…
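The parameter list above is what ArcSight hands to the integration code when an alert fires, with `$event[eventId]` replaced by the alert's event ID. The Python example below is added here and is not the deck's or Guidance Software's integration code; it shows the receiving side parsing that argument line and validating every field before it is used to create a job. The set of known modules (only `snapshot` appears on the slides), the event ID pattern and the sample event ID `4711` are assumptions or constructed values. Rejecting anything that is not a literal IP address, and catching an unsubstituted `$event[...]` variable, keeps a misconfigured or hostile alert field from turning into a bad scan target or a shell argument.

```python
import ipaddress
import re
import shlex

REQUIRED = ("case", "source", "ip", "event", "module")
SWITCHES = {"demo"}            # options that take no value
KNOWN_MODULES = {"snapshot"}   # only module named on the slides; assumption: extend per deployment
EVENT_ID_RE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")   # assumed conservative shape for an event id


def parse_integration_args(argv):
    """Turn ['/case', 'case 1', '/ip', '192.168.85.151', '/demo', ...] into a dict."""
    opts = {}
    i = 0
    while i < len(argv):
        token = argv[i]
        if not token.startswith("/"):
            raise ValueError(f"unexpected token {token!r}; expected /option")
        name = token[1:].lower()
        if name in SWITCHES:
            opts[name] = True
            i += 1
            continue
        if i + 1 >= len(argv) or argv[i + 1].startswith("/"):
            raise ValueError(f"option /{name} requires a value")
        if name in opts:
            raise ValueError(f"option /{name} given twice")
        opts[name] = argv[i + 1]
        i += 2
    return opts


def validate_request(opts):
    """Check every field before it reaches the EnCase side or a shell; return a clean dict."""
    missing = [k for k in REQUIRED if k not in opts]
    if missing:
        raise ValueError("missing required option(s): " + ", ".join("/" + m for m in missing))

    # Must be a literal address: ipaddress rejects hostnames, trailing junk, CIDR ranges, etc.
    ip = str(ipaddress.ip_address(opts["ip"]))

    # ArcSight substitutes $event[eventId]; if the literal variable survives, the
    # trigger was misconfigured and the job would not be tied to any alert.
    event = opts["event"]
    if event.startswith("$"):
        raise ValueError(f"SIEM variable not substituted: {event}")
    if not EVENT_ID_RE.fullmatch(event):
        raise ValueError(f"event id has unexpected form: {event!r}")

    module = opts["module"].lower()
    if module not in KNOWN_MODULES:
        raise ValueError(f"unknown module {module!r}")

    log = str(opts.get("log", "false")).lower()
    if log not in ("true", "false"):
        raise ValueError(f"/log expects true or false, got {log!r}")

    return {
        "case": opts["case"],
        "source": opts["source"],
        "ip": ip,
        "event": event,
        "module": module,
        "log": log == "true",
        "demo": bool(opts.get("demo", False)),
    }


def request_from_line(line):
    """Full pipeline for a SIEM action line written the way the slide shows it."""
    return validate_request(parse_integration_args(shlex.split(line)))


def line_is_valid(line):
    """True if the line parses and validates, False otherwise (handy for tests and logging)."""
    try:
        request_from_line(line)
        return True
    except ValueError:
        return False


# Constructed sample: the slide's parameters with $event[eventId] already replaced by 4711.
SAMPLE_LINE = ('/case "case 1" /source "safe - source" /ip "192.168.85.151" '
               '/event 4711 /module snapshot /log true /demo')

if __name__ == "__main__":
    print(request_from_line(SAMPLE_LINE))
```

The validated dict is what would then be turned into the web API call (the "Request…" step), so every value the EnCase side sees has already been checked against a known shape.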
Page 20
Configure Response
Page 21
Status of the Scan
Page 22
Set up the Response
Page 23
Jobs are created; the examiner picks up the job.
Page 24
Forensics Report
Forensic Analysis
Page 25
Type of Scan
• SPA
• Profiling
• Entropy
• Find identical files
• Personal Information Identification
  • Find SSNs, credit card numbers, …
• Internet Artifacts
  • Find URLs