Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Orchestration of Forensics and Incident Res...

Andrew Hay
May 15, 2011
Technology
0
110

The Orchestration of Forensics and Incident Response with ESIM

Andrew Hay

May 15, 2011
Tweet

More Decks by Andrew Hay

See All by Andrew Hay
“I” Before “R” Except After “IOC”
andrewsmhay
1
120
An Introduction to Graph Theory for Security People Who Can’t 'Math Good'
andrewsmhay
0
270
An Introduction to Graph Theory for OSINT
andrewsmhay
2
1.9k
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
770
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
650
Building a Security Strategy Without a Security Staff
andrewsmhay
2
130
CircleCityCon - Bootstrapping a Security Research Project
andrewsmhay
0
77
Facilitating Fluffy Forensics 2.0
andrewsmhay
0
75
15 Years Later – Data Awareness In A Post Robert Hanssen World
andrewsmhay
0
86

Other Decks in Technology

See All in Technology
OCI Data Integration技術情報 / ocidi_technical_jp
oracle4engineer
PRO
1
2.6k
音声×Copilot オンコパの世界
kasada
1
110
SREの組織類型に応じた リーダシップの考察
kenta_hi
PRO
1
620
エンジニアが一生困らない ドキュメント作成の基本
naohiro_nakata
2
140
Datadog RUM を用いた UX 指標の監視・顧客対応への活用
imamura_ko_0314
0
110
dev 補講: プロダクトセキュリティ / Product security overview
wa6sn
0
1.6k
株式会社ログラス − エンジニア向け会社説明資料 / Loglass Comapany Deck for Engineer
loglass2019
3
28k
利きプロセススケジューラ
sat
PRO
4
2.6k
LINEヤフー株式会社における音声言語情報処理AI研究開発@SP/SLP研究会 2024.10.22
lycorptech_jp
PRO
2
280
地理情報データをデータベースに格納しよう~ GPUを活用した爆速データベース PG-Stromの紹介 ~
sakaik
1
110
全社横断データ活用推進のコツと その負債とのつき合い方
masatoshi0205
0
170
Lambdaと地方とコミュニティ
miu_crescent
2
240

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Designing Experiences People Love
moore
138
23k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Building Applications with DynamoDB
mza
90
6.1k
4 Signs Your Business is Dying
shpigford
180
21k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Building a Scalable Design System with Sketch
lauravandoore
459
33k
What's new in Ruby 2.0
geeforr
343
31k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Designing for Performance
lara
604
68k

Transcript

  1. The Orchestration of Forensics and Incident Response with ESIM Andrew

    Hay, Senior Security Analyst Enterprise Security Program (ESP) The 451 Group

  2. About Andrew Hay • Senior Security Analyst, The 451 Group

    • Author, Speaker and Blogger • Coverage Areas: – ESIM (SIEM & Log Management) – Forensics & Incident Response – IT-GRC – Intrusion Detection/Prevention • Macro research areas: – Cyber Security & Critical Infrastructure Protection

  3. THE CURRENT STATE OF FORENSICS Before we jump into the

    presentation we should first frame…

  4. The Current State of Forensics • Primarily host-centric focus –

    IR and forensic response • Ancillary network-centric helpers – Packet analysis, log inspection, IDS, etc. • Combined forensic/IR workbench? – “This is what the SIEM sales guy told me their product was for!?!” Source: http://preview.tinyurl.com/3hqfcpg

  5. OK, So What’s SIEM? • Security Information & Event Management

    (SIEM) – Compliance, security and operational monitoring and reporting – Correlation and normalization of device and host logs and events in addition to network traffic related information Source: http://preview.tinyurl.com/3qage67

  6. Leaning Backward NIDS/NIPS Alerts Packet Captures Network Flows Firewall Logs

    Remote Access Logs Proxy Logs Host OS Logs HIDS/HIPS Alerts Application Logs

  7. Leaning Forward

  8. The Forensics & IR Sweet Spot Leaning Forward Leaning Backward

  9. A Traditional Forensic Exercise

  10. THE FORENSICS & IR SWEET SPOT It’s an extensive process

    but we may be able to leverage…

  11. The Forensics & IR Sweet Spot Leaning Forward Leaning Backward

    The Forensics and IR Sweet Spot - Where SIEM was Supposed to Help

  12. We Were Promised This… Source: http://preview.tinyurl.com/3ux8bo6

  13. We Got Was This… Source: http://preview.tinyurl.com/3wtpgre

  14. A LOOK TOWARDS THE FUTURE It’s not all doom and

    gloom, let’s take…

  15. The Future • The Future is Enterprise Security Information Management

    (ESIM) • Combines traditional SIEM with: – Vulnerability management – Patch and configuration management – DAM, WAF and more! • SIEM talks about ‘helping’ with forensics but doesn’t help enough to provide a useable forensics & IR workbench Source: http://preview.tinyurl.com/3qage67

  16. The ESIM Forensic Ecosystem Collaboration All logo’s copyright of their

    respective owners

  17. Let’s Revisit Our Exercise

  18. Using ESIM: Murdock • Captain H.M. "Howling Mad” Murdock –

    Detect incident precursors and alert on, or potentially prevent, the breach before it occurred – Build a complete story of the incident based on logs, flows, packet captures, etc. – Inform Hannibal of similarly exploitable systems based on incident timeline, VM, deployed patches, configuration profiles, etc.

  19. Using ESIM: Face • First Lieutenant Templeton "Faceman" Peck –

    Draw from centralized investigatory notes from other team members during interviews (as they make them) – Easily corroborate story on-the-fly (e.g. ‘I didn’t log into that machine on that day’) – Have a complete view into the organizational identity and access information for each suspect

  20. Using ESIM: B.A. • Master Sergeant Bosco Albert ("B.A.") Baracus

    – Could right-click on asset and kick-off remote forensic image acquisition • Downside: Less driving around in the cool van – Automated analysis searching for evidence already identified by team • Reduce investigatory dataset by leveraging third- party data sources and previous investigation data

  21. Using ESIM: Hannibal • Colonel John "Hannibal" Smith – Can

    easily determine value of assets and redirect team as needed – Achieves complete situational awareness of all aspects of the investigation from a central location - easy coordination of team – Able to create incident walkthrough for management team and make recommendations on on how to prevent in the future

  22. What if Hannibal Worked Alone?

  23. And In Proper A-Team Form… “I love it when a

    plan comes together!” Source: http://preview.tinyurl.com/3fvujww

  24. Conclusions • ESIM is not yet here and SIEM just

    isn’t cutting it from a forensic and IR perspective • Vendors must strive to “play together” for ESIM to become the forensic and IR workbench that WE need it to be • Some vendors are starting down the path but the ESIM goal is still out of reach • WE need to teach SIEM vendors forensics!

  25. Thank You / Questions? Andrew Hay, Senior Security Analyst Enterprise

    Security Program (ESP) The 451 Group [email protected] (403) 388-4315