Description: Automated security incident response with EnCase Cybersecurity + SIEM


EnCase Cybersecurity: Automating Incident Response

May 22, 2012

Ambreesh Bhagtani, Guidance Software, Inc.

Automating Incident Response
Ambreesh Bhagtani, Manager UI Development

Topics

1. What is Incident Response? Use cases
2. Comparing manual vs. automated incident response
3. Understanding Web APIs
4. Overview of ArcSight
5. Data visibility
6. Q & A


What is Incident Response?

The ability to respond to events and alerts in a timely fashion.

Incidents:

• Malicious attack
• Unauthorized port activity
• Unauthorized URL access
• Unauthorized USB account access

Incident Response: Manual


Drawbacks of Manual Response

• The entire process can take from weeks to months
• A single machine is analyzed at a time
• Critical data may be lost
• The full extent of the breach is unknown
• High costs

Incident Response: Automated


Benefits of Automating Incident Response

• Analyze multiple alerts at the same time
• Reduce costs
• Multiple machines analyzed
• Faster response
• Critical data preserved
• Full extent of the breach identified

Incident Response Flow / Architecture

SIEM / IDS / IPS / DLP etc.  ->  Integration Code  ->  EnCase Cybersecurity


Computers need a language to communicate!

Application Programming Interfaces (APIs)

Web APIs

SOAP Request – Get Guidance Stock Price

Host: www.stockprice.com
Content-Type: application/soap+xml; charset=utf-8

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <!-- soap:Body and the namespace declarations were missing on the slide; the m: URI is illustrative -->
  <soap:Body>
    <m:GetStockPrice>
      <m:StockName>GUID</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>


SOAP Response – Stock Price Response

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: nnn

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <soap:Body>
    <m:GetStockPriceResponse>
      <m:Price>800.00</m:Price>
    </m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>

The same operation for a different stock symbol (request body only):

<m:GetStockPrice><m:StockName>IBM</m:StockName></m:GetStockPrice>

WSDL – What is it?

Web Services Description Language
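The request/response pair above, as an added Python example that is not from the slides or from Guidance Software: it builds the GetStockPrice envelope, pulls m:Price out of the response, and rejects a SOAP Fault instead of treating it as a price. The namespace URIs are assumptions (the standard SOAP 1.2 envelope URI and an illustrative stock namespace), and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: SOAP 1.2 envelope (standard URI) and an illustrative
# stock namespace; neither is declared on the original slide.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
STOCK_NS = "http://www.example.org/stock"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("m", STOCK_NS)


def build_get_stock_price(stock_name: str) -> bytes:
    """Serialize the GetStockPrice request shown on the slide."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{STOCK_NS}}}GetStockPrice")
    ET.SubElement(op, f"{{{STOCK_NS}}}StockName").text = stock_name
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_stock_price(response_xml: bytes) -> float:
    """Return m:Price from a GetStockPriceResponse; raise on a SOAP Fault."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.2 envelope")
    # A fault comes back inside soap:Body too, so check for it before reading a price.
    fault = root.find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault")
    if fault is not None:
        reason = fault.findtext(f"{{{SOAP_NS}}}Reason/{{{SOAP_NS}}}Text", default="unknown")
        raise RuntimeError(f"SOAP fault: {reason}")
    price = root.findtext(
        f"{{{SOAP_NS}}}Body/{{{STOCK_NS}}}GetStockPriceResponse/{{{STOCK_NS}}}Price")
    if price is None:
        raise ValueError("no m:Price element in response")
    return float(price)


# Constructed sample response matching the slide's 800.00 price.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:m="http://www.example.org/stock">
  <soap:Body>
    <m:GetStockPriceResponse><m:Price>800.00</m:Price></m:GetStockPriceResponse>
  </soap:Body>
</soap:Envelope>"""
```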


WSDL – Operation

<operation name="GetLastTradePrice">
  <soap:operation/>
  <input> <soap:body use="literal"/> </input>
  <output> <soap:body use="literal"/> </output>
</operation>

Exercise 1 – Call a Web API

• Objective – Get All Cases
• Assumption – Pre-created case


Exercise 2 – Use SIEM to call Integration Code


ArcSight Integration UI

Event Configuration


How it works: retrieving results

Parameters passed to the integration code when the SIEM alert fires:

1. /case "case 1"
2. /source "safe – source"
3. /ip "192.168.85.151"
4. /event $event[eventId] (variable that captures the eventId associated with the alert)
5. /module snapshot
6. /log true
7. /demo

Request…
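The parameter list above, as an added Python example (not Guidance Software's integration code): it assembles the integration-code argv from a SIEM event, validates the alert-derived eventId and IP before use, and passes every value as a separate argument rather than through a shell string, so a crafted alert field cannot add switches to the job request. The executable name and the ArcSight field names are assumptions; the event is constructed.

```python
import ipaddress
import re
import subprocess

# Assumed name of the integration-code executable (not named on the slides).
INTEGRATION_EXE = "encase_integration.exe"

# Constructed SIEM event; the field names are assumed ArcSight names.
SAMPLE_EVENT = {"eventId": "4711", "destinationAddress": "192.168.85.151"}


def build_integration_args(event: dict, case: str = "case 1",
                           source: str = "safe – source", module: str = "snapshot",
                           log: bool = True, demo: bool = False) -> list:
    """Build argv for the integration code from a SIEM event.

    Only eventId and the target IP come from the alert; both are validated
    so that a malformed or tampered alert cannot smuggle extra switches.
    """
    event_id = str(event.get("eventId", ""))
    if not re.fullmatch(r"[0-9]{1,20}", event_id):
        raise ValueError(f"eventId is not numeric: {event_id!r}")
    # ip_address() raises ValueError on anything that is not a bare address.
    target = str(ipaddress.ip_address(str(event.get("destinationAddress", ""))))
    if not re.fullmatch(r"[A-Za-z0-9_]+", module):
        raise ValueError(f"invalid module name: {module!r}")
    args = [INTEGRATION_EXE,
            "/case", case,
            "/source", source,
            "/ip", target,
            "/event", event_id,          # substituted for $event[eventId]
            "/module", module,
            "/log", "true" if log else "false"]
    if demo:
        args.append("/demo")
    return args


def launch(event: dict, **opts) -> subprocess.CompletedProcess:
    """Run the integration code with the validated argv; shell=False by design."""
    return subprocess.run(build_integration_args(event, **opts), shell=False,
                          check=False, capture_output=True, text=True)
```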


Configure Response

Status of the Scan


Set up the Response

Jobs are created; the examiner picks up the job.


Forensics Report

Forensic Analysis


Type of Scan

• SPA
• Profiling
  • Entropy
  • Find identical files
• Personal Information Identification
  • Find SSNs, credit card numbers…
• Internet Artifacts
  • Find URLs