Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Orchestration of Forensics and Incident Response with ESIM

Andrew Hay
May 15, 2011
Technology
0
100

The Orchestration of Forensics and Incident Response with ESIM

Andrew Hay

May 15, 2011
Tweet

More Decks by Andrew Hay

See All by Andrew Hay
“I” Before “R” Except After “IOC”
andrewsmhay
1
100
An Introduction to Graph Theory for Security People Who Can’t 'Math Good'
andrewsmhay
0
260
An Introduction to Graph Theory for OSINT
andrewsmhay
2
1.8k
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
750
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
640
Building a Security Strategy Without a Security Staff
andrewsmhay
2
120
CircleCityCon - Bootstrapping a Security Research Project
andrewsmhay
0
74
Facilitating Fluffy Forensics 2.0
andrewsmhay
0
74
15 Years Later – Data Awareness In A Post Robert Hanssen World
andrewsmhay
0
76

Other Decks in Technology

See All in Technology
本当のAWS基礎
toru_kubota
0
520
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
270
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
14k
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
310
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
ココがすごいぜ!Playwright Component Test
rakus_fe
0
130
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
210
Hands-on Gemini, the Google DeepMind LLM
meteatamel
1
110
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
310
私が trocco を推す理由
__allllllllez__
1
220

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
68
8.6k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Clear Off the Table
cherdarchuk
84
310k
Optimizing for Happiness
mojombo
370
69k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
A designer walks into a library…
pauljervisheath
200
23k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Making the Leap to Tech Lead
cromwellryan
124
8.5k
Into the Great Unknown - MozCon
thekraken
10
990
Bash Introduction
62gerente
604
210k
The Invisible Side of Design
smashingmag
294
49k

Transcript

  1. The Orchestration of Forensics and Incident Response with ESIM Andrew

    Hay, Senior Security Analyst Enterprise Security Program (ESP) The 451 Group

  2. About Andrew Hay • Senior Security Analyst, The 451 Group

    • Author, Speaker and Blogger • Coverage Areas: – ESIM (SIEM & Log Management) – Forensics & Incident Response – IT-GRC – Intrusion Detection/Prevention • Macro research areas: – Cyber Security & Critical Infrastructure Protection

  3. THE CURRENT STATE OF FORENSICS Before we jump into the

    presentation we should first frame…

  4. The Current State of Forensics • Primarily host-centric focus –

    IR and forensic response • Ancillary network-centric helpers – Packet analysis, log inspection, IDS, etc. • Combined forensic/IR workbench? – “This is what the SIEM sales guy told me their product was for!?!” Source: http://preview.tinyurl.com/3hqfcpg

  5. OK, So What’s SIEM? • Security Information & Event Management

    (SIEM) – Compliance, security and operational monitoring and reporting – Correlation and normalization of device and host logs and events in addition to network traffic related information Source: http://preview.tinyurl.com/3qage67

  6. Leaning Backward NIDS/NIPS Alerts Packet Captures Network Flows Firewall Logs

    Remote Access Logs Proxy Logs Host OS Logs HIDS/HIPS Alerts Application Logs

  7. Leaning Forward

  8. The Forensics & IR Sweet Spot Leaning Forward Leaning Backward

  9. A Traditional Forensic Exercise

  10. THE FORENSICS & IR SWEET SPOT It’s an extensive process

    but we may be able to leverage…

  11. The Forensics & IR Sweet Spot Leaning Forward Leaning Backward

    The Forensics and IR Sweet Spot - Where SIEM was Supposed to Help

  12. We Were Promised This… Source: http://preview.tinyurl.com/3ux8bo6

  13. We Got Was This… Source: http://preview.tinyurl.com/3wtpgre

  14. A LOOK TOWARDS THE FUTURE It’s not all doom and

    gloom, let’s take…

  15. The Future • The Future is Enterprise Security Information Management

    (ESIM) • Combines traditional SIEM with: – Vulnerability management – Patch and configuration management – DAM, WAF and more! • SIEM talks about ‘helping’ with forensics but doesn’t help enough to provide a useable forensics & IR workbench Source: http://preview.tinyurl.com/3qage67

  16. The ESIM Forensic Ecosystem Collaboration All logo’s copyright of their

    respective owners

  17. Let’s Revisit Our Exercise

  18. Using ESIM: Murdock • Captain H.M. "Howling Mad” Murdock –

    Detect incident precursors and alert on, or potentially prevent, the breach before it occurred – Build a complete story of the incident based on logs, flows, packet captures, etc. – Inform Hannibal of similarly exploitable systems based on incident timeline, VM, deployed patches, configuration profiles, etc.

  19. Using ESIM: Face • First Lieutenant Templeton "Faceman" Peck –

    Draw from centralized investigatory notes from other team members during interviews (as they make them) – Easily corroborate story on-the-fly (e.g. ‘I didn’t log into that machine on that day’) – Have a complete view into the organizational identity and access information for each suspect

  20. Using ESIM: B.A. • Master Sergeant Bosco Albert ("B.A.") Baracus

    – Could right-click on asset and kick-off remote forensic image acquisition • Downside: Less driving around in the cool van – Automated analysis searching for evidence already identified by team • Reduce investigatory dataset by leveraging third- party data sources and previous investigation data

  21. Using ESIM: Hannibal • Colonel John "Hannibal" Smith – Can

    easily determine value of assets and redirect team as needed – Achieves complete situational awareness of all aspects of the investigation from a central location - easy coordination of team – Able to create incident walkthrough for management team and make recommendations on on how to prevent in the future

  22. What if Hannibal Worked Alone?

  23. And In Proper A-Team Form… “I love it when a

    plan comes together!” Source: http://preview.tinyurl.com/3fvujww

  24. Conclusions • ESIM is not yet here and SIEM just

    isn’t cutting it from a forensic and IR perspective • Vendors must strive to “play together” for ESIM to become the forensic and IR workbench that WE need it to be • Some vendors are starting down the path but the ESIM goal is still out of reach • WE need to teach SIEM vendors forensics!

  25. Thank You / Questions? Andrew Hay, Senior Security Analyst Enterprise

    Security Program (ESP) The 451 Group [email protected] (403) 388-4315