Guidance Software | Whitepaper

Best Practices for Integration and Automation of Incident Response using EnCase® Cybersecurity

“60% [of organizations] plan to automate incident remediation within 24 months” - SANS Endpoint Survey, 2014

“40% of practitioners were concerned about improved integration of security technologies” - EMA Research Report, The Evolution of Data Driven Security, 2014

Executive Summary

Information Security (InfoSec) teams are overwhelmed by the constant deluge of attacks from a rapidly growing, increasingly complex threat landscape. These threats, combined with the vanishing perimeter, BYOD, the rising number of insider incidents and a host of other social and technological changes, have driven an exponential rise in incidents, alerts and false positives. Consequently, organizations are investing in more tools to combat threats. The modern InfoSec landscape is creating too much data with too many disparate security components. This, compounded with the scarcity of IT resources, makes these problems untenable. It is virtually impossible to respond to every alert, so InfoSec teams must decipher what is happening in organizational networks and prioritize what is important enough to take action on.

Integration and automation are the key to conquering all these problems. SANS recently concluded that “the combination of overwhelming data volumes and challenges in gathering and correlating operational and security data, [organizations] clearly need an integrated way to organize their reporting data.”[1] Only through an automated, integrated approach can organizations effectively overcome the overwhelming barrage of security threats. This paper addresses how EnCase security products provide organizations with integrated approaches that enable real-time automation and the elimination, or at least substantial reduction, of false positives.
EnCase technology facilitates the integration of Guidance Software products with other tools in an organization’s IT security arsenal to address a myriad of security challenges. A use case illustrates how a customer addresses a polymorphic malware problem and reduces false positives in an integrated, automated environment.

Introduction

The threat landscape is continually evolving. Attacks launched by perpetrators are growing increasingly complex and their tools more sophisticated. Consequently, organizations are investing in people, processes and technology designed to counteract the sophisticated threats and prevent malicious access to networks and endpoints. The volume of alerts generated from disparate point solutions, however, adversely impacts the effectiveness of information security investments. Attacks continue to compromise the sensitive data of well-defended networks while security teams are overwhelmed with a backlog of countless alerts.

EnCase Analytics and EnCase Cybersecurity can be integrated with most Security Incident Event Management (SIEM), malware prevention, and Intrusion Detection System (IDS) products, and out-of-the-box packages are available for most of the leading providers. Integrating third-party SIEM and other technology systems with EnCase products facilitates faster detection and more effective remediation of advanced malware threats against enterprise systems, but the greatest value lies in the automation strategies achieved through integration. Well-designed integration and automation strategies ease management, enable effective prioritization of and response to the deluge of alerts with limited security resources, and eliminate the false positives that plague InfoSec groups.
Ideally, InfoSec should have the ability to:

• Quickly understand which alerts are meaningful
• Initiate automatic response actions for those deemed to pose the most risk to valuable digital assets
• Address these threats without bringing down business-critical systems

[1] 2014, SANS Security Analytics Survey

Not All Integrations are Equal

Strategic Advantage in Leveraging the Endpoint

EnCase is built on the foundation of trusted, comprehensive visibility to the endpoints through its servlet technology. The servlet provides unique and powerful kernel-level access across multiple operating systems with complete visibility into the endpoint, including encrypted data, unallocated, slack and hidden data, the registry, RAM and system data. This component enables deep insight into and control over the activities of machines and viruses, exposing root vulnerabilities. The persistent agent speeds time to respond and enables response without interrupting systems, and a complete pre-configured solution makes for an easier, smoother deployment. This provides a rich and powerful environment upon which to integrate SIEM, malware protection, and incident response systems to build a robust, cohesive information security solution.

Enabling Integration and Automation with EnCase Technology

EnCase products currently include pre-built integrations with HP ArcSight ESM and ArcSight Express, IBM QRadar, RSA Netwitness, McAfee Nitrosecurity, FireEye, Damballa, Blue Coat Security Analytics, and Palo Alto Networks WildFire. These integrated environments enable InfoSec teams to:

• Immediately validate the efficacy of a dedicated information security event
• Zero in on the source and scope of threats
• Locate other instances of detected malware
• Detect and dismiss false positives
• Triage validated events based on data at risk and likeness
• Find variations of detected malicious code
• Determine impact to sensitive data

These integrations enable automation support of advanced EnCase features including:

• IP Range – Zone Mapping: This feature provides the ability to configure an IP range and assign a zone to that IP range for scans automatically created via the EnCase Cybersecurity ESB. This gives the examiner the ability to process only jobs for that IP range (based on matching zone).
• Ability to Integrate with Any External Blacklist Database: Integrate EnCase Cybersecurity with any external database of blacklisted hashes. This feature scans endpoints via the System Analysis and Profile (SPA) module to see whether any endpoint contains hashes that match any of the hashes contained in the external blacklist database.
• Internet Artifact Scans and Sensitive Data Scans: The Internet Artifact (IA) module and Personal Information module scan data in allocated space on the hard drive. Additionally, the IA module on Windows by default only searches for IA in the standard Windows folders that generally contain these artifacts. This default can be changed.
• Snapshot: This unique EnCase technology feature enables specialized criteria within an IP or IP range, such as an automatic snapshot of the target’s memory.
• CopyJob: Allows any pre-configured EnCase Cybersecurity job to be leveraged as an automated response upon receipt of the appropriate information from a third-party system. For example, a system profile and analysis job can be automated when a behavior-based alert is triggered, in order to expose any unknown processes that might be responsible for the behavior on the target host.
In addition to the continuously evolving pre-packaged integrations, custom integrations are enabled through the EnCase Cybersecurity Enterprise Service Bus (ESB).

EnCase Enterprise Service Bus

EnCase Cybersecurity provides a four-layer ESB architecture for receiving and responding to XML requests that trigger various types of EnCase Cybersecurity jobs. The diagram below shows the flow of a third-party SIEM request across the four ESB layers to EnCase Cybersecurity.

• SIEM: This is a message that comes from a third-party SIEM in its current, standardized format.
• Listener: This layer interprets the alert and normalizes it to one of several tasks from a preselected menu of tasks available from EnCase Cybersecurity.
• API: This translates the requested task into a set of instructions for EnCase Cybersecurity to perform.
• Logic: This translates the instructions to EnCase Cybersecurity Business Logic for processing.

Figure 1: ESB Architecture.

The EnCase Cybersecurity ESB is included with the various Web components during the EnCase Cybersecurity installation process.

How It Works

Functionality and sequence of events vary based on the integration, but in a typical integration a third-party SIEM request triggers an EnCase Cybersecurity job. The EnCase Cybersecurity ESB listener may respond with a simple reply, such as task complete or a SIEM ID to an EnCase Cybersecurity Web link, and other responses can be programmed. An integrated solution can automate functions as specialized as insider attacks, but focusing on malware detection, a typical scenario looks like this:

1. Previously undiagnosed polymorphic malware passes from a perpetrator through the IDS and firewall to an end user.
2. The malware triggers alerts as it passes through the IDS and firewall, which are sent to the SIEM.
3. The SIEM sends the IP addresses and hash values of recipient endpoints to EnCase Cybersecurity.
4. EnCase Cybersecurity then automatically scans the infected endpoint, checks for a host of anomalies, such as signs of packing and compile times, and collects appropriate information based on defined rules. Information includes running processes, hash entropy signature, DLLs, open ports, network connections, evidence of sensitive data and a host of other pertinent points as defined.
5. EnCase Cybersecurity compares the scan against the previous scans, detects anomalies, and then either securely contains and/or remediates all instances of the detected malware based on hash and according to integration configuration.

Figure 2: EnCase Cybersecurity automated response.

The following use case illustrates an EnCase integrated solution in action.

Use Case

Despite layers of security, a large corporation was frustrated by polymorphic malware persistently infiltrating the network and compromising endpoints. The malware was generating a high volume of false positives, drowning out legitimate alerts. Traditional scans were revealing nothing. Prior to integration, analysts would run periodic scans on groups of machines with EnCase Cybersecurity and automatically remediate malware on infected endpoints, but the high number of endpoints and persistent attacks from numerous vectors necessitated a more proactive approach.

EnCase Cybersecurity and HP ArcSight Integrated Solution

The IT group integrates their HP ArcSight ESM with EnCase Cybersecurity. False positives are reduced to actionable alerts.
A group of potentially infected machines is promptly identified. The screenshot in Figure 3 illustrates an overview of the investigations, providing an “at a glance” view of endpoint security posture. Analysts view all EnCase Cybersecurity investigations, giving them visibility into which investigations are open, closed or rejected, the machines with the highest number of incidents, and the source of the alert (i.e. SIEM or manual) which triggered the investigation. Custom reports can also be generated to provide further graphical representations of the vast volume of data collected.

Figure 3: EnCase Cybersecurity Investigations Overview provides a graphical representation of investigation status, machines with alerts, and the source of alerts in the upper pane, with a detailed list provided in the bottom pane. Users can hover over bubbles for machine-specific details.

Based on data gathered from multiple perimeter security devices, the HP ArcSight ESM triggers intelligent alerts based on rules, which are executed upon conditions that are defined down to specific endpoint behaviors, including changes to hashes. Having identified a malicious file that has traversed the network, EnCase Cybersecurity performs a function known as a “snapshot.” This is triggered when an alert is received from the HP ArcSight ESM. Immediate analysis of the source and target machines reveals details of known, unknown, and hidden processes, TCP network socket information, open files, device drivers, services and more, revealing whether machines have been compromised and virtually eliminating false positives. Subsequent automated snapshots are triggered shortly after the event to show attack results in time slices, so security analysts can confirm that the event actually occurred, and its impact and origin.
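The four-layer ESB flow and the SIEM-triggered scenario described above, as an added example in Python. This is not Guidance Software's code and it does not use the real EnCase Cybersecurity ESB request schema: the XML alert layout, the alert-type names, the zone table and the instruction field names are all assumptions made for the example (only the job-type names verifybyhash, snapshot and copyjob come from the page). It shows what the Listener and API layers have to do before any job runs: normalise the alert to one of a fixed menu of tasks, confirm the target falls inside a configured IP range/zone so that only that zone's examiner processes it, and reject requests that carry a malformed hash, an unmapped address or no correlation id.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone table for the "IP Range - Zone Mapping" feature: each
# examiner only processes jobs whose target falls inside its zone.
ZONE_MAP = {
    "HQ-Workstations": ipaddress.ip_network("10.10.0.0/16"),
    "Datacenter": ipaddress.ip_network("10.20.0.0/16"),
}

# Preselected menu of tasks the listener may normalise an alert into
# (alert-type strings on the left are invented for the example).
TASK_MENU = {
    "malware-hash-seen": "verifybyhash",
    "suspicious-behaviour": "snapshot",
    "profile-host": "copyjob",
}

# Accept only lower-case hex MD5, SHA-1 or SHA-256 digests.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


@dataclass(frozen=True)
class Task:
    job_type: str
    target_ip: str
    zone: str
    file_hash: Optional[str]
    siem_id: str


def zone_for(ip):
    """Return the zone whose IP range contains `ip`, or None if unmapped."""
    addr = ipaddress.ip_address(ip)  # ValueError on an unparsable address
    for zone, net in ZONE_MAP.items():
        if addr in net:
            return zone
    return None


def normalise_alert(xml_text):
    """Listener layer: interpret one SIEM XML alert (constructed schema) and
    normalise it to a Task from TASK_MENU; raise ValueError if the alert
    cannot be turned into a job an examiner should act on."""
    root = ET.fromstring(xml_text)
    alert_type = root.get("type", "")
    job_type = TASK_MENU.get(alert_type)
    if job_type is None:
        raise ValueError(f"unsupported alert type: {alert_type!r}")
    target_ip = (root.findtext("target") or "").strip()
    zone = zone_for(target_ip)
    if zone is None:
        raise ValueError(f"target {target_ip} is outside every configured zone")
    file_hash = root.findtext("hash")
    if job_type == "verifybyhash":
        if file_hash is None or not HASH_RE.fullmatch(file_hash.strip().lower()):
            raise ValueError("verifybyhash requires a hex MD5/SHA-1/SHA-256 hash")
        file_hash = file_hash.strip().lower()
    else:
        file_hash = None  # other jobs in this example do not carry a hash
    siem_id = root.get("id", "")
    if not siem_id:
        raise ValueError("alert has no SIEM id to correlate the reply with")
    return Task(job_type, target_ip, zone, file_hash, siem_id)


def to_instructions(task):
    """API layer: translate a Task into the instruction set handed to the
    business logic. Field names are invented for the example."""
    instr = {"job": task.job_type, "zone": task.zone,
             "targets": [task.target_ip], "reply_to": task.siem_id}
    if task.job_type == "verifybyhash":
        instr["hashes"] = [task.file_hash]
        instr["collect_copy"] = True
    elif task.job_type == "snapshot":
        instr["collect"] = ["processes", "dlls", "open_ports", "connections"]
    return instr


def process_alerts(alerts):
    """Run raw SIEM alerts through the listener and API layers; return the
    instructions to execute and the rejected alerts with their reason."""
    accepted, rejected = [], []
    for xml_text in alerts:
        try:
            accepted.append(to_instructions(normalise_alert(xml_text)))
        except (ValueError, ET.ParseError) as exc:
            rejected.append((xml_text, str(exc)))
    return accepted, rejected


# Constructed sample alerts: two valid, one with a bad hash, one from an unmapped IP.
SAMPLE_ALERTS = [
    '<alert id="A-1001" type="malware-hash-seen"><target>10.10.4.22</target>'
    '<hash>D41D8CD98F00B204E9800998ECF8427E</hash></alert>',
    '<alert id="A-1002" type="suspicious-behaviour"><target>10.20.1.5</target></alert>',
    '<alert id="A-1003" type="malware-hash-seen"><target>10.10.4.23</target>'
    '<hash>not-a-hash</hash></alert>',
    '<alert id="A-1004" type="profile-host"><target>192.168.99.1</target></alert>',
]

if __name__ == "__main__":
    ok, bad = process_alerts(SAMPLE_ALERTS)
    for instr in ok:
        print("DISPATCH", instr)
    for _, why in bad:
        print("REJECT", why)
```

Rejected alerts are returned with a reason rather than silently dropped, so the listener can send the "could not process" reply back to the SIEM under the original id; accepted ones carry the zone so the dispatcher can route them to the examiner responsible for that IP range.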
With a specific group of endpoints identified as destinations where the file may have landed, ArcSight ESM sends an intelligent alert to EnCase Cybersecurity to run the ‘verifybyhash’ job type. This confirms whether the hash value received matches the hash value of any of the files on the targets. Hash values are automatically provided and scans are conducted on the machines identified as at risk to find whether the file(s) with the particular hash are running or on disk. EnCase Cybersecurity locates the files and collects a copy for analysts to review. The integrated solution includes an automated, real-time incident response process. Upon approval, EnCase Cybersecurity automatically remediates the infected files on each endpoint. The entire incident response is reduced to minutes.

Summary / Conclusion

Information security breaches are inevitable, the threat landscape is growing more complex, and the sheer volume of alerts is growing exponentially. The speed at which breaches are identified and resolved, the progress of infectious malware halted, access to and exfiltration of sensitive data stopped, and threats remediated will make a significant difference in controlling risk, costs, and exposure during an incident. An integrated, automated solution at the endpoint is the key. The EnCase Cybersecurity integrated automated solution enables fast results. Data requests can be processed simultaneously on a large number of endpoints, which fosters efficiency. The user cited in this paper realized significant value and efficiency when they integrated their HP ArcSight investments with EnCase Cybersecurity.
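The ‘verifybyhash’ step in the use case above, together with the external-blacklist matching described among the automation features, as an added example in Python. It is not Guidance Software's code and does not reproduce how the EnCase job is implemented; it simulates the job on a constructed, throwaway file tree (built in a temporary directory, with made-up file contents, so no real hashes or indicators are involved). The job hashes every file with the algorithm implied by each supplied digest's length, reports which paths match the SIEM-supplied hash or the blacklist, and copies each match into an evidence directory, which is the "collect a copy for analysts to review" step. Two renamed copies of the same sample landing at different paths are found by their shared hash, and unreadable files are reported rather than aborting the scan.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Digest length decides which algorithm to hash files with.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digest_file(path, algo):
    """Stream a file through the named hash algorithm and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_by_hash(root, wanted_hashes, evidence_dir=None):
    """Simulated verifybyhash job: walk the endpoint's file tree under `root`
    and return ({digest: [matching paths]}, [unreadable paths]). Digests of
    unknown length are rejected up front. When `evidence_dir` is given, every
    matching file is copied there, prefixed with its digest."""
    wanted = {}
    for hx in wanted_hashes:
        hx = hx.strip().lower()
        algo = ALGO_BY_LEN.get(len(hx))
        if algo is None:
            raise ValueError(f"unrecognised digest length for {hx!r}")
        wanted.setdefault(algo, set()).add(hx)
    hits = {hx: [] for digests in wanted.values() for hx in digests}
    unreadable = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                for algo, digests in wanted.items():
                    d = digest_file(path, algo)
                    if d in digests:
                        hits[d].append(str(path))
                        if evidence_dir is not None:
                            shutil.copy2(path, Path(evidence_dir) / f"{d}_{name}")
            except OSError:
                unreadable.append(str(path))  # locked or vanished file: note, keep going
    return hits, unreadable


def build_sample_endpoint():
    """Construct a throwaway 'endpoint' tree for the demo: two copies of one
    sample under different names, a benign document, and a file that matches
    the external blacklist rather than the SIEM alert. All contents are
    made up; the hashes are computed from them, not taken from any feed."""
    root = Path(tempfile.mkdtemp(prefix="endpoint_"))
    (root / "Users" / "alice" / "Downloads").mkdir(parents=True)
    (root / "Windows" / "Temp").mkdir(parents=True)
    sample = b"MZ\x90\x00constructed dropper body, not real malware\x00" * 16
    (root / "Users/alice/Downloads/invoice.exe").write_bytes(sample)
    (root / "Windows/Temp/svch0st.exe").write_bytes(sample)
    (root / "Users/alice/Downloads/notes.txt").write_bytes(b"quarterly notes\n")
    listed = b"constructed content of a previously blacklisted file\n"
    (root / "Windows/Temp/old_dropper.dll").write_bytes(listed)
    alert_hash = hashlib.md5(sample).hexdigest()      # what the SIEM would send
    blacklist = {hashlib.sha256(listed).hexdigest()}  # hypothetical external blacklist DB
    return root, alert_hash, blacklist


def run_job(root, alert_hash, blacklist):
    """Run verifybyhash for the alert hash plus the blacklist; return the hits,
    the names of collected evidence copies, and any unreadable paths."""
    evidence = Path(tempfile.mkdtemp(prefix="evidence_"))
    hits, unreadable = verify_by_hash(root, [alert_hash, *blacklist], evidence)
    return hits, sorted(p.name for p in evidence.iterdir()), unreadable


if __name__ == "__main__":
    root, alert_hash, blacklist = build_sample_endpoint()
    hits, collected, unreadable = run_job(root, alert_hash, blacklist)
    for digest, paths in hits.items():
        print(digest, "->", paths or "no match")
    print("collected:", collected, "unreadable:", unreadable)
    shutil.rmtree(root)
```

A real job would also look at running processes, since the page notes the file may be running rather than only on disk; this example covers the on-disk half, and hashing each file once per requested algorithm keeps the scan cost proportional to the number of distinct digest types rather than the number of hashes.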
Our Customers

Guidance Software customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO, Northrop Grumman, Pfizer, SEC, UnitedHealth Group, and Viacom.

About Guidance Software (NASDAQ: GUID)

Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response and forensic analysis. Its EnCase® Enterprise platform, deployed on an estimated 20 million endpoints, is used by more than 70 percent of the Fortune 100 and more than 40 percent of the Fortune 500, and numerous government agencies, to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading cyber security and electronic discovery solutions, EnCase® Cybersecurity, EnCase® Analytics, and EnCase® eDiscovery. They empower organizations to conduct speedy and thorough security incident response, reveal previously hidden advanced persistent threats or malicious insider activity, perform sensitive data discovery for compliance purposes, and respond to litigation discovery requests. For more information about Guidance Software, visit www.encase.com.

This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon as legal counsel or advice. EnCase®, EnScript®, FastBloc®, EnCE®, EnCEP®, Guidance Software™ and Tableau™ are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.