The Five Point Palm Exploding Heart Technique for Forensics. Andrew Hay The 451 Group



The 451 Group
- 451 Research is focused on the business of enterprise IT innovation. The company's analysts provide critical and timely insight into the competitive dynamics of innovation in emerging technology segments.
- Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research.
- The Uptime Institute is The Global Data Center Authority and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities.
- TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide.
- ChangeWave Research is a research firm that identifies and quantifies change in consumer spending behavior, corporate purchasing, and industry, company and technology trends.

Introductions
Andrew Hay, Senior Security Analyst, The 451 Group
- Author, Speaker and Blogger
- Coverage Areas: ESIM (SIEM & Log Management), IT-GRC, Forensics & Incident Response, Intrusion Detection/Prevention
- Macro research areas: [Nation State] Cyber Security & Critical Infrastructure Protection

What is this talk about?
- Forensics has traditionally been viewed as very system-specific
- Only recently have external (off the target machine) sources of corroborating evidence been considered valuable by investigators
Image Source: http://infosecnewbie.blogspot.com/2010/11/open-source-forensics-fundamental.html

Essentially, we need less of this Image Source: http://preview.tinyurl.com/3wtpgre

And more of this Image Source: http://preview.tinyurl.com/3ux8bo6

Idea for this talk
- The idea for this talk came from Tarantino's Kill Bill two-part epic revenge drama
- In it, martial arts master Pai Mei teaches The Bride a technique wherein pressure points on the victim's chest are struck, leaving them with a few footsteps before their death
- This technique is referred to as the Five Point Palm Exploding Heart Technique
Image Source: http://inatitude.files.wordpress.com/2009/02/pai-mei.jpg

So what are the five points?
- Data Reduction
- Network Forensics
- Corroborators
- Platform Forensics
- Orchestration

Point 1: Platform forensics
- Traditional forensics
- No one will argue that the artifacts residing on the suspect endpoint hold lots of information: volatile memory, application artifacts and other footprints
- One should be cognizant, however, of the other sources of information spread throughout an enterprise environment NOT residing on the target system
Image Source: https://cagandoregra.wordpress.com/2010/08/03/the-36th-chamber-of-shaolin-a-camara-36-de-shaolin/

Point 1 Platform forensics: possible tools Platform Forensics

Point 2: Network forensics
- If a host needs to talk to the world, it needs to leverage the network
- Likewise, if an attacker interacted with the machine remotely, there may be a trail
- Deep packet inspection (DPI), network flow generation/collection/inspection, packet sniffers and flow analytics engines
Image Source: http://www.imdb.com/media/rm2382076160/ch0001814

Point 2 Network forensics: possible tools Network Forensics

Point 3: Data reduction
- Feeds and sources of third-party data that help analysts focus on the bad
- Why look at what we know we don't need to look at? Get by with a little help from your friends
- Application whitelisting, threat intelligence feeds, known compromised IP addresses/ranges, etc.
Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/

Point 3 Data reduction: possible sources Data Reduction

Point 4: Corroborators
- Helpers or sources of additional information
- Vulnerability & patch management
- Perimeter detection/protection
- Endpoint protection
- Change, configuration and policy management
- System management
- DLP, NAC, etc.
Image Source: http://1morefilmblog.com/wordpress/dis-enchanted-female-power-and-authority-in-ella-enchanted-and-kill-billvolume-2/

Point 4 Corroborators: possible sources Corroborators

Point 5: Orchestration
- Tools designed to correlate, normalize and alert on enterprise information (not just security information)
- Central repositories of information are, well, central repositories of information!
- SIEM, log management, IT GRC, compliance management, etc.
Image Source: http://celluloidamazing.blogspot.com/2009/11/when-i-woke-up-i-went-on-what-movie.html

Point 5 Orchestration: possible tools Orchestration

What will it look like?
- Data Reduction
- Network Forensics
- Corroborators
- Platform Forensics
- Orchestration
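An added illustration of how the five points fit together in one pass (this is example code written for this page, not the talk's or any vendor's tooling): constructed flow records are reduced against a known-good list (Point 3), checked against a known-compromised range, and corroborated against a constructed endpoint artifact timeline within a time window (Points 1, 2, 4), then ranked the way an orchestration layer would (Point 5). All addresses, timestamps and artifact strings are constructed sample values.

```python
import ipaddress
from datetime import datetime, timedelta

# Point 3: data reduction feeds (constructed sample ranges, documentation/RFC 5737 space)
KNOWN_GOOD = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
KNOWN_BAD = [ipaddress.ip_network("198.51.100.0/24")]

# Point 2: network flow records (constructed) as (timestamp, src, dst, dport, bytes)
FLOWS = [
    ("2011-05-01T10:00:05", "10.1.1.5", "192.0.2.10", 443, 1200),
    ("2011-05-01T10:02:30", "10.1.1.5", "198.51.100.7", 4444, 98000),
    ("2011-05-01T10:02:41", "10.1.1.9", "203.0.113.3", 80, 500),
]

# Point 1: endpoint artifacts (constructed) as (timestamp, host, description)
ARTIFACTS = [
    ("2011-05-01T10:02:28", "10.1.1.5", "new process: svch0st.exe"),
    ("2011-05-01T10:40:00", "10.1.1.9", "scheduled task created"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def reduce_flows(flows):
    """Point 3: drop flows whose destination is on the known-good list."""
    return [f for f in flows if not in_any(f[2], KNOWN_GOOD)]

def corroborate(flows, artifacts, window=timedelta(seconds=60)):
    """Points 1/2/4: pair each surviving flow with endpoint artifacts seen on the
    same host within +/- window, and tag destinations on the known-bad list."""
    findings = []
    for t, src, dst, dport, nbytes in flows:
        hits = [a[2] for a in artifacts
                if a[1] == src and abs(ts(a[0]) - ts(t)) <= window]
        findings.append({"src": src, "dst": dst, "dport": dport, "bytes": nbytes,
                         "known_bad": in_any(dst, KNOWN_BAD), "artifacts": hits})
    return findings

def triage(flows=FLOWS, artifacts=ARTIFACTS):
    """Point 5: orchestration ranks findings, known-bad and corroborated first."""
    found = corroborate(reduce_flows(flows), artifacts)
    return sorted(found, key=lambda r: (r["known_bad"], len(r["artifacts"])), reverse=True)
```

Only two of the three flows survive reduction; the flow to the known-bad range, which lands two seconds after a suspicious process appeared on the same host, ranks first.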

The result?
- Many hands make light work; this is extremely true with regards to forensics
- Evidence on a system can almost always be enriched by external sources of corroborating evidence
- Hindsight is 20/20: deploy now to help later
Image Source: http://totallyradicalsportz.wordpress.com/2010/10/11/smackfest/

The result?
- Vendors must strive to play together for this integration to work
- Some vendors are starting down this path, but primarily to enrich their own data
- WE need to teach non-forensics vendors the value of forensic data
- WE need to teach forensics vendors the value of integration
Image Source: http://blog.lowpricelessons.com/wp-content/uploads/2011/01/kill-bill-uma-in-car.jpg

The result? Image Source: http://en.wikipedia.org/wiki/file:clenched_human_fist.png

Thank You Questions? Questions? andrew.hay@the451group.com