GUIDANCE SOFTWARE (NASDAQ: GUID)
78 OF THE FORTUNE 100
#1 SOLUTION FOR GOVERNMENT AGENCIES
#1 TOOL FOR IR SERVICE PROVIDERS
FireEye, KPMG, PWC, Deloitte, CSC, AT&T
33M ENDPOINTS DEPLOYED
48% OF THE FORTUNE 500
DIGITAL RISK IS A GLOBAL PROBLEM
30 billion devices by 2020
>90 million breaches and attacks every year
90% of attacks on organizations use unique malware (signatures/hashes)
$3 trillion in lost revenue opportunity
$0.5 trillion in cyber crime related expenses
FOCUS ON FORENSIC SECURITY
“IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents”
By 2020, 60% of security budgets will be allocated for rapid detection & response…
- Gartner, January 2016
• Uncover forensic residue across every stage of the attack cycle
• Reveal data security risk, no matter how well hidden
REQUIRES 360° VISIBILITY
[Figure: Guidance ecosystem. The attack cycle begins at the endpoint; the Guidance agent feeds EnCase Endpoint Investigator, EnCase eDiscovery, EnCase Endpoint Security and EnForce Risk Manager.]
Alerting Tools (SIEM, ATP, IPS, log, network): Intel Security, HP ArcSight, IBM QRadar, Cisco FirePower, Splunk, Blue Coat, FireEye, Palo Alto
Threat Intelligence: ThreatGrid, Lastline, YARA and STIX, VirusTotal
Endpoints: Windows, Mac OS X, Linux, HP-UX, Solaris, AIX, Netware
Data and Email Repositories: Office 365, Exchange, SharePoint, Documentum, OpenText, FileNet, Amazon S3, Dropbox, Google Drive, Box, Enterprise Vault, Lotus Notes
ENCASE ENDPOINT SECURITY: THREE PRIMARY USE CASES
THREAT DETECTION AND THREAT HUNTING
• ENTERPRISE-WIDE ANALYTICS ON ENDPOINT TELEMETRY
ACTIVE RESPONSE / ALERT TRIAGE - CONFIRM AND PRIORITIZE SECURITY ALERTS
• INTEGRATES WITH SIEMS AND OTHER ALERTING TOOLS
• AUTOMATES COLLECTION FROM ENDPOINT
• REDUCES TIME TO RESPOND
INCIDENT RESPONSE SUPPORT
• INVESTIGATION - DETERMINE ROOT CAUSE AND SCOPE OF AN INCIDENT
• FORENSICS
• TARGETED REMEDIATION
ADVANCED THREAT DETECTION
• PROACTIVE ENDPOINT SCANS TO DETECT THREATS USING:
  • THREAT INTELLIGENCE – SEARCH FOR KNOWN MALICIOUS HASHES, IP ADDRESSES
  • THREAT HUNTING – SEARCH FOR UNUSUAL PROCESS BEHAVIOR (E.G. UNUSUAL FILE PATHS, LOADED DLLS, CONNECTIONS, ETC.)
  • ANALYTICS - AUTOMATED STATISTICAL ANALYSIS TO CALCULATE BASELINES AND IDENTIFY ABNORMAL USER AND SYSTEM BEHAVIOR
Detect threats that bypass the perimeter with forensic level endpoint visibility and analytics.
THREAT DETECTION – ANALYTICS ON ENTERPRISE-WIDE SNAPSHOTS
[Figure: enterprise-wide endpoint scans → data warehousing → analytics → visualization. Each snapshot records Running Processes, Open Ports, Loaded DLLs, Logged in Users, Connected Remote IPs, Storage Volume Serial #s, …]
$\mu = \frac{\sum_i X_i}{N}$
$\sigma = \sqrt{\frac{\sum_i (X_i - \mu)^2}{N}}$
$\sigma^2 = \frac{\sum_i (X_i - \mu)^2}{N}$
$\rho = \frac{1}{N} \sum_i \left[\frac{X_i - \mu_X}{\sigma_X}\right] \left[\frac{Y_i - \mu_Y}{\sigma_Y}\right]$
Scales to 100s of thousands of endpoints
Historical database of endpoint telemetry
System performs statistical analysis to compute baseline behavior and identify outliers
Results are visualized to easily spot anomalies and potential threats
ARTIFACTS COLLECTED WITH EACH SCAN
Each scan takes seconds; the payload is 0.3 – 0.5 MB and is extremely scalable.
Host Information
• Hostname
• IP address
• Operating System
• Processor
• System Type
• System version
• Service Pack
• Is64Bit [Y/N]
Accounts and Users
• Account Name
• SID
• Last Accessed (logged in)
Open Files
• Full Path
• Filename
• Process Name
• Process Path
• Process ID
DLLs
• DLL Path
• DLL Name
• Injected DLL [Y/N]
• DLL Size
• DLL Hash
• Related Process Metadata (see “Process” section)
(Network) ARP Cache
• IP Address
• MAC Address
• ARP Type Name
• Adapter Name
(Network) Network Interfaces
• Interface name
• IP address
• Net Mask
• MAC Address
(Network) Open Ports
• Local Port
• Local IP
• Remote Port
• Remote IP
• Protocol
• State
• Port Name
• Process Name
• Process ID
• Parent Process ID
• Hidden [Y/N]
• DLL Path
• DLL Name
• Injected DLL [Y/N]
• DLL Size
Processes
• Process Name
• Instance Name
• Hidden [Y/N]
• Process ID
• Parent Process ID
• Executable Size
• Executable Hash
• File Path
• Parameter
• Service DLL Path
• Process Type
• Service DLL
• Start Time
• User Name
• DLL Count
• Child Processes
• Service Type
• Is64Bit [Y/N]
• Running [Y/N]
• File Name Only [Y/N]
• Root Directory
• User ID
Anomalous Process Spread
These artifacts are used to baseline process activity on endpoints across the enterprise and detect net new processes, or processes spreading across machines at an unusual rate in a malware-like behavior.
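As an added example (not EnCase code), the baseline-and-outlier logic from the analytics slide applied to the Processes artifact: per-process host counts per daily scan, the slide's μ and σ, and a z-score flag for binaries that are net new across the fleet or spreading at an unusual rate. SCANS, the host names and the hash values are constructed sample data; the thresholds are assumptions.

```python
"""Baseline process prevalence from enterprise-wide snapshot scans and flag
anomalous spread. Added illustration, not EnCase code; SCANS is constructed."""
from collections import defaultdict
from math import sqrt

# Constructed: one scan per day for 20 hosts; record = (day, host, process, exe hash)
HOSTS = [f"host{i:02d}" for i in range(20)]
SCANS = []
for day in range(1, 8):
    for h in HOSTS:
        SCANS.append((day, h, "svchost.exe", "hash-svchost"))
    for h in HOSTS[:2 + day % 2]:            # benign updater on 2-3 hosts/day
        SCANS.append((day, h, "updater.exe", "hash-updater"))
for h in HOSTS[:12]:                          # day 7: new binary hits 12 hosts at once
    SCANS.append((7, h, "wincfg.exe", "hash-wincfg"))

def host_counts(scans):
    """{(process, hash): {day: number of distinct hosts running it}}"""
    seen = defaultdict(lambda: defaultdict(set))
    for day, host, proc, digest in scans:
        seen[(proc, digest)][day].add(host)
    return {k: {d: len(s) for d, s in v.items()} for k, v in seen.items()}

def mean_std(xs):
    """mu = sum(X)/N and sigma = sqrt(sum((X - mu)^2)/N), the slide's formulas."""
    n = len(xs)
    mu = sum(xs) / n
    return mu, sqrt(sum((x - mu) ** 2 for x in xs) / n)

def anomalous_spread(scans, today, z_threshold=3.0, min_hosts=5):
    """Return (process, hash, reason, hosts_today) for processes that are net
    new fleet-wide today, or whose host count today is a z-score outlier against
    that process's own history. min_hosts suppresses single-machine one-offs."""
    findings = []
    for (proc, digest), per_day in host_counts(scans).items():
        today_n = per_day.get(today, 0)
        history = [per_day.get(d, 0) for d in range(1, today)]
        if not any(history):                  # never seen before today
            if today_n >= min_hosts:
                findings.append((proc, digest, "net-new", today_n))
            continue
        mu, sigma = mean_std(history)
        if sigma == 0:                        # flat baseline: any growth is infinite z
            z = float("inf") if today_n > mu else 0.0
        else:
            z = (today_n - mu) / sigma
        if z > z_threshold and today_n >= min_hosts:
            findings.append((proc, digest, f"z={z:.1f}", today_n))
    return findings
```

A single new process on one machine is deliberately not reported here; that is a hunting lead for the per-endpoint views, not spread.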
ACTIVE RESPONSE / ALERT TRIAGE
AUTOMATE COLLECTION FROM ENDPOINTS IN RESPONSE TO A SECURITY ALERT
• REDUCES TIME TO RESPOND, DWELL TIME OF THREATS, PROBABILITY OF DATA EXFILTRATION/THEFT.
• PROVIDES ENDPOINT CONTEXT TO AN ALERT TO HELP SECURITY TEAM CONFIRM IF THE ALERT IS A TRUE POSITIVE OR NOT.
• AUTOMATICALLY CAPTURES ENDPOINT DATA AT THE TIME OF COMPROMISE. WITHOUT AUTOMATION, CRITICAL ARTIFACTS CAN BE MISSED.
Automation reduces man-hours required to respond to incidents and reduces likelihood of data loss/theft.
ACTIVE RESPONSE / ALERT TRIAGE: INTEGRATION AND AUTOMATION
[Figure: attacker → target; the alerting technology (IDS, firewall) raises the alert → EnCase Endpoint Security → collected forensic data.]
Provide Endpoint Context to Security Alerts
• Visibility to endpoint state at time of alert
• Snapshot module
• Baseline comparison to detect suspicious observables
• System Profile Analysis module
• Configuration Assessment module
INCIDENT RESPONSE SUPPORT
AN INCIDENT RESPONSE SUITE OF TOOLS THAT HELPS THE IR TEAM:
• DETERMINE ROOT CAUSE OF A SECURITY INCIDENT
• ASSESS AND CONFIRM SCOPE OF INFECTION
• CONTAIN MALWARE
• IDENTIFY POLYMORPHIC VARIANTS
• SCAN ENDPOINTS FOR IOCS (INDICATORS OF COMPROMISE)
• REMEDIATE MALWARE
Powerful incident response capabilities ensure threats are mitigated/remediated and completely understood to prevent future incidents.
DETERMINE ROOT CAUSE AND SCOPE OF INCIDENT
Incident Response Modules:
Host based artifacts collection
Internet artifact collection
Live RAM acquisition
Registry Search
Entropy Near Match
IOC Search using YARA rules / STIX
Forensic Endpoint Event Timeline
THREAT INTELLIGENCE AND INDICATORS OF COMPROMISE (IOCS)
• Search endpoint memory and disk for known indicators
• Broadest OS support
• Supports IOC formats STIX and YARA
• Enhance investment in threat intelligence with integrations:
  • VirusTotal
  • ThreatGrid
  • Lastline
REALTIME MONITORING TIMELINE
• Efficient root-cause analysis of incidents
• Continuous capture of volatile artifacts at the endpoint
• Visibility to off-LAN endpoint activity
• Can be automatically triggered by third party security alerting tool
• Network usage only when endpoint involved in an incident
Chronological view of process, disk, and network activity on an endpoint before and during an incident, using forensic artifacts for root cause analysis.
[Figure: the agent continuously records activity on the target. Example timeline: File Created (initial malware drop) → Process started → Connection → File Created → File Modified → Connection (alert triggered). Disk and memory artifacts are collected and correlated automatically, and the timeline of events is displayed to pinpoint the root cause of infection.]
OPEN SOURCE INTEGRATIONS
INTEGRATES OPEN SOURCE TOOLS WITH THE ENCASE PLATFORM
Volatility for Windows/Linux/Mac
MFT Parser
USNJrnl
Prefetch Parser
MWD Registry
Find Temp Executables
Malware Entropy Date Range
Known Malware Paths
RAM Dump
Strings
Disk Capture
Malware Grab
MD5
RegRipper
PDF Tool Analysis
A single GUI to drive these command-line based tools and integrate them with the EnCase collection platform
TARGETED CONTAINMENT AND REMEDIATION
Remote Process Kill
Remote File Wipe
Remote Registry Key Deletion
Alter endpoint state remotely and discreetly, without reboot, to contain threats and remediate them.
With thousands of customers, Guidance helps companies and agencies turn chaos and the unknown into order and the known. Here are just a few examples of our mission critical applications at work.
HEALTHCARE
CASE STUDY:
Problem: Protect yet-to-be-patented intellectual property (IP)
Solution: EnCase Endpoint Security, Forensic and eDiscovery
Results: Savings of over $2 million per year and a reduction of 93% in data storage needs for legal documentation.
Details: Since IP data is accessible to many in the organization, the threat of internal activity putting such data at risk is high. EnCase Endpoint Security has the ability to see where risk lies across the enterprise while also automating the incident response process by integrating the product with the company’s threat alerting technologies.
CUSTOMER: Fortune 500 Global Healthcare Organization
FINANCE
CASE STUDY:
Problem: Concerned that a possible well-publicized worm had infected their systems. Billions of dollars in daily transactions in jeopardy.
Solution: EnCase Endpoint Security for response to run a complete network-wide scan to expose any instance of the worm hiding in the environment.
Results: An automated assessment by EnCase Endpoint Security for Response revealed several machines with unknown processes which upon further inspection confirmed an instance of the worm.
Details: The bank’s InfoSec team leveraged this instance of the worm as a source for enterprise-wide similar file analysis using EnCase Endpoint Security to detect and remediate.
CUSTOMER: Fortune 500 International Bank
MINING
CASE STUDY:
Problem: Needed a solution for compliance with data privacy laws
Solution: EnCase Endpoint Security deployed at headquarters and regional operations (2,000 endpoints in the region)
Results: Derived ROI within 1 year
Details: Company deployed the EnCase agent on over 60,000 endpoints across Africa, Asia, Australia, Europe, North America, and South America
CUSTOMER: International Billion-Dollar Mining Company
MANUFACTURING
CASE STUDY:
Problem: Suffered from an average of 50 security breaches per year
Solution: EnCase Endpoint Security to prioritize, investigate, and remediate incidents
Results:
• 89% reduction in time to validate and triage threats
• 90% reduction in time to remediate security breaches
• 98% reduction in server downtime per year
• 680% return on investment with a payback period of 2.6 months
• Savings of over $2.4 million in incident-related costs
Details: Financial and productivity impact of about 100 days of server downtime per incident, including servers used to process auto loans and payments
CUSTOMER: Fortune 500 Global Automobile Manufacturer
THE FUTURE HOLDS MORE…
Hacks, breaches, data theft, crimes utilizing electronic devices, less control of your sensitive data, and privacy concerns.
YOUR SENSITIVE DATA
1. WHERE IS IT LOCATED?
2. HOW VALUABLE IS IT?
3. WHO HAS ACCESS TO IT? SHOULD THEY HAVE ACCESS TO IT?
4. WHAT TYPE OF RULES SHOULD BE ATTACHED TO IT?
5. HOW EASY IS IT TO REMOVE?
THE CHALLENGES AND COSTS OF DATA EXPOSURE
Risk of Non-compliance
Monetary fines or end of business
Expensive and time-consuming remedial actions
Greater regulatory scrutiny
Cost of non-compliance is 2.6 times the cost of compliance*
Security Risks
Financial and reputational damage
Loss of consumer confidence
Potential litigation and fines
Decline in share value
* Ponemon Institute – 2011 The True Cost of Compliance: A Benchmark Study of Multinational Organizations
Information Management and Data Knowledge
• Data continues to grow sharply, exponentially
• Increasingly complex regulatory data landscape
• Evolving cyber threats to sensitive data
• Customers’ changing attitude and behaviors regarding privacy
Need understanding of…
- What data exists (and is it sensitive)
- Where it resides
- How valuable it is to your organization
- How it is being used and who is using it
BREACH AND LOSS PREVENTION
ALTHOUGH BREACHES CANNOT FULLY BE PREVENTED, THE IMPACT IN TERMS OF $$ SAVED AND REPUTATION PRESERVED CAN BE MITIGATED WITH AN APPROPRIATE DATA RISK AND PRIVACY PROGRAM.
ENFORCE™ RISK MANAGER
Understand Data Location
• System-agnostic. Find data anywhere - on premise or in the cloud
• 360° visibility ensures the most comprehensive results
Categorize Sensitive Information
• Visualize your sensitive data landscape
• Categorize risk by data type, users, geography, and more
Reduce Risk of Loss and Non-Compliance
• Remove sensitive data from unauthorized locations
• Comply with internal and external regulations
• Produce detailed reports on risk exposure and reduction
Reduce your digital risk exposure with proactive management of sensitive information
KEY BENEFITS
Mitigate Risks
Reduce Sensitive Data Loss or Theft
Ensure Regulatory Compliance
Improve Business Intelligence
Make evidence-based business decisions
Operational Efficiency
Storage optimization
Single unified agent architecture
Increase Confidence
Minimize reputational damage
Meet customer expectations