Guidance Software reduces the time from alert to remediation: a conversation with Frank Coggrave
Guidance Software has announced EnCase Cybersecurity version 4.3. The big thing is that it includes an API to allow integration with other security products – and it’s worth looking at the implications.
It evolved, explained EMEA general manager Frank Coggrave, from “a very clunky integration between ArcSight and EnCase” that Guidance did for a couple of major customers – it is, in short, a response to genuine customer need. So let’s look at this. ArcSight is a leading SIEM. SIEM products can scan your logs in real time and look for, shall we say, anomalies: something is happening that shouldn’t be happening. By correlating anomalies, they can come to a pretty strong conclusion that there’s a serious security incident. They can even show you where bad things are happening. But they suffer from one great flaw: they look at effects; they don’t analyse causes.
EnCase is forensic software. Forensic software can go deep into a system to analyse exactly what is going on. It can explain the cause of the anomaly; and from that you can learn how to catch the criminal and prevent the breach from happening again. But it also suffers from its own great flaw. It can examine the cause; but you have to tell it where to look.
So here we have two highly sophisticated security applications that together can provide deep insight into security incidents’ cause and effect. The problem is that they do it the wrong way round: we recognise the effect before we can look at the cause. It’s like closing the stable door after the hacker has bolted. But not quite. Gaining access to your network is not the same as stealing your data. Today’s hacker likes to get in and hide himself. He thinks he can go undetected (and often can and does) while he infiltrates deeper into the network looking for the most valuable data. Hacking comes with its own latency – and you need to use that latency between infiltration by the hacker and exfiltration of your data in order to stop him.
In short, you need to combine the anomaly detection of SIEMs with the cause-of-anomaly analysis of forensics as quickly as possible. This is exactly the scenario addressed by Guidance Software’s EnCase forensics and the new, no longer ‘clunky’, API. “This new version,” explained Frank, “is about opening up our cybersecurity product to third parties, such as HP’s ArcSight. ArcSight is a classic SIEM solution that allows you to consolidate all the alerts that come from all the other security devices in your infrastructure, and to make sense of them – to say, I’m getting alerts from all these different things, therefore I can calculate that there is a problem.” This is great as far as it goes, he continued. “It gives users a consolidated view of what is happening across the enterprise network. But then the question is, what next? What do I do now that I’ve had this alert and know that there is an incident of critical importance?” SIEM products tend to tell you there’s a problem, but they don’t really let you do anything about it.
Frank gave me an example. One of the filtering systems picks up that something is happening that shouldn’t. It reports it to the SIEM. Correlation with other alerts indicates that it’s potentially a serious incident. “But what do you do if it’s 2:00am. Or it’s just part of a whole series of other alerts happening at the same time? Well, the SIEM can now trigger EnCase Cybersecurity Solution to automatically and immediately dive in and do an investigation. We can capture who is on the machine in question, what applications are running at the time, what processes are in memory; we can kill the applications if we want to, and we can clear up the incident before it becomes too serious.” Going back to our earlier metaphor, SIEM+EnCase can now close the stable door before the hacking latency expires, while the hacker is still in the stable and before too much damage is done.
But it does more. One of the biggest problems with SIEMs is getting the rules right. We err on the side of safety when our knowledge is limited; so the SIEM throws up a vast number of alerts, most of which are false positives. “EnCase can be used to capture snapshots of the systems and processes concerned at the time of the alert, so that the analysts can examine exactly what is going on in more detail when they get time. As a result of this, the analysts can fine tune their SIEM by getting rid of more and more of the false positives, allowing them to focus on the real issues.”
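A small, self-contained sketch of the alert-to-capture loop described in the last two paragraphs, added here as an illustration and not code from Guidance Software or from the EnCase API: constructed alerts from several devices are correlated per host, each flagged host immediately gets a (simulated) snapshot of the logged-on user and in-memory processes, and analyst verdicts on those snapshots are fed back to show which rules are producing the false positives. All alert values, hostnames and process lists are constructed, and `snapshot()` is a hypothetical stand-in for the agent call a real integration would make.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample alerts from several "security devices" feeding the SIEM.
ALERTS = [
    {"ts": "2013-03-12T02:01:00", "host": "ws-17", "source": "proxy", "rule": "beacon-interval"},
    {"ts": "2013-03-12T02:03:30", "host": "ws-17", "source": "ids", "rule": "smb-lateral"},
    {"ts": "2013-03-12T02:05:10", "host": "ws-17", "source": "av", "rule": "unsigned-dll"},
    {"ts": "2013-03-12T02:40:00", "host": "ws-22", "source": "proxy", "rule": "beacon-interval"},
    {"ts": "2013-03-12T02:41:20", "host": "ws-22", "source": "av", "rule": "unsigned-dll"},
]
# Constructed endpoint state; a real deployment would query the forensic agent instead.
HOST_STATE = {
    "ws-17": {"user": "jsmith", "processes": ["explorer.exe", "svchost.exe", "rundll32.exe"]},
    "ws-22": {"user": "kwong", "processes": ["explorer.exe", "outlook.exe"]},
}

def correlate(alerts, window_minutes=10, min_sources=2):
    """Flag a host when alerts from enough distinct devices land within one time window."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)
    incidents = []
    for host, items in by_host.items():
        for i, first in enumerate(items):
            start = datetime.fromisoformat(first["ts"])
            window = [a for a in items[i:] if datetime.fromisoformat(a["ts"]) - start <= timedelta(minutes=window_minutes)]
            if len({a["source"] for a in window}) >= min_sources:
                incidents.append({"host": host, "alerts": window})
                break  # one incident per host is enough to trigger a capture
    return incidents

def snapshot(host):
    """Hypothetical stand-in for the capture the SIEM triggers: logged-on user and in-memory processes."""
    state = HOST_STATE[host]
    return {"host": host, "user": state["user"], "processes": list(state["processes"])}

def alert_to_capture(alerts):
    """Correlate, then attach a snapshot to every incident at alert time, before any analyst looks."""
    return [dict(inc, snapshot=snapshot(inc["host"])) for inc in correlate(alerts)]

def rules_to_tune(incidents, verdicts):
    """Analysts review the snapshots later and mark hosts 'fp' or 'tp'; count the rules behind the FPs."""
    counts = defaultdict(int)
    for inc in incidents:
        if verdicts.get(inc["host"]) == "fp":
            for alert in inc["alerts"]:
                counts[alert["rule"]] += 1
    return dict(counts)
```

Raising `min_sources` to 3 leaves only ws-17 flagged, which is the same tuning trade-off the article describes: tighter rules mean fewer captures, and the snapshots are what tell you which rules were safe to tighten.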
SIEM plus forensics has the potential to improve the SIEM and, by reducing the time to remediation, to defeat the hacking latency.