The Orchestration of Forensics and Incident Response with ESIM

Transcript

1. The Orchestration of Forensics and Incident Response with ESIM Andrew

   Hay, Senior Security Analyst Enterprise Security Program (ESP) The 451 Group

2. About Andrew Hay • Senior Security Analyst, The 451 Group

   • Author, Speaker and Blogger • Coverage Areas: – ESIM (SIEM & Log Management) – Forensics & Incident Response – IT-GRC – Intrusion Detection/Prevention • Macro research areas: – Cyber Security & Critical Infrastructure Protection

3. THE CURRENT STATE OF FORENSICS Before we jump into the

   presentation we should first frame…

4. The Current State of Forensics • Primarily host-centric focus –

   IR and forensic response • Ancillary network-centric helpers – Packet analysis, log inspection, IDS, etc. • Combined forensic/IR workbench? – “This is what the SIEM sales guy told me their product was for!?!” Source: http://preview.tinyurl.com/3hqfcpg

5. OK, So What’s SIEM? • Security Information & Event Management

   (SIEM) – Compliance, security and operational monitoring and reporting – Correlation and normalization of device and host logs and events in addition to network traffic related information Source: http://preview.tinyurl.com/3qage67

6. Leaning Backward NIDS/NIPS Alerts Packet Captures Network Flows Firewall Logs

   Remote Access Logs Proxy Logs Host OS Logs HIDS/HIPS Alerts Application Logs

7. Leaning Forward

8. The Forensics & IR Sweet Spot Leaning Forward Leaning Backward

9. A Traditional Forensic Exercise

10. THE FORENSICS & IR SWEET SPOT It’s an extensive process

    but we may be able to leverage…

11. The Forensics & IR Sweet Spot Leaning Forward Leaning Backward

    The Forensics and IR Sweet Spot - Where SIEM was Supposed to Help

12. We Were Promised This… Source: http://preview.tinyurl.com/3ux8bo6

13. We Got Was This… Source: http://preview.tinyurl.com/3wtpgre

14. A LOOK TOWARDS THE FUTURE It’s not all doom and

    gloom, let’s take…

15. The Future • The Future is Enterprise Security Information Management

    (ESIM) • Combines traditional SIEM with: – Vulnerability management – Patch and configuration management – DAM, WAF and more! • SIEM talks about ‘helping’ with forensics but doesn’t help enough to provide a useable forensics & IR workbench Source: http://preview.tinyurl.com/3qage67

16. The ESIM Forensic Ecosystem Collaboration All logo’s copyright of their

    respective owners

17. Let’s Revisit Our Exercise

18. Using ESIM: Murdock • Captain H.M. "Howling Mad” Murdock –

    Detect incident precursors and alert on, or potentially prevent, the breach before it occurred – Build a complete story of the incident based on logs, flows, packet captures, etc. – Inform Hannibal of similarly exploitable systems based on incident timeline, VM, deployed patches, configuration profiles, etc.

19. Using ESIM: Face • First Lieutenant Templeton "Faceman" Peck –

    Draw from centralized investigatory notes from other team members during interviews (as they make them) – Easily corroborate story on-the-fly (e.g. ‘I didn’t log into that machine on that day’) – Have a complete view into the organizational identity and access information for each suspect

20. Using ESIM: B.A. • Master Sergeant Bosco Albert ("B.A.") Baracus

    – Could right-click on asset and kick-off remote forensic image acquisition • Downside: Less driving around in the cool van – Automated analysis searching for evidence already identified by team • Reduce investigatory dataset by leveraging third- party data sources and previous investigation data

21. Using ESIM: Hannibal • Colonel John "Hannibal" Smith – Can

    easily determine value of assets and redirect team as needed – Achieves complete situational awareness of all aspects of the investigation from a central location - easy coordination of team – Able to create incident walkthrough for management team and make recommendations on on how to prevent in the future

22. What if Hannibal Worked Alone?

23. And In Proper A-Team Form… “I love it when a

    plan comes together!” Source: http://preview.tinyurl.com/3fvujww

24. Conclusions • ESIM is not yet here and SIEM just

    isn’t cutting it from a forensic and IR perspective • Vendors must strive to “play together” for ESIM to become the forensic and IR workbench that WE need it to be • Some vendors are starting down the path but the ESIM goal is still out of reach • WE need to teach SIEM vendors forensics!

25. Thank You / Questions? Andrew Hay, Senior Security Analyst Enterprise

    Security Program (ESP) The 451 Group [email protected] (403) 388-4315