ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
Transcript of ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
Saturday, May 17, 2014 slide 2
The problems most SOCs have today
• Many daily alerts, even after advanced aggregation and correlation.
• Investigating a server/workstation is not always possible due to lack of physical access, tools, time or knowledge.
• Just starting an investigation may take hours or even days – long after the initial alert was triggered.
• Relevant evidence is hard to collect and analyze.
What a SOC needs
• Start an investigation for every single alert within seconds.
• Get to every host in the network regardless of physical location.
• Collect and analyze relevant evidence.
• Get actionable and refined data from the investigated host ASAP.
Saturday, May 17, 2014 slide 3
The solution – automated response with ECAT
• Automatically deploy (and remove) ECAT agents across the network.
• Automatically scan hosts with multiple scan configurations.
• Automatically collect scan results from ECAT with full analysis data.
• Automatically react to the presence of a suspicious module.
Saturday, May 17, 2014 slide 4
Use Case – Host contacting malicious IP/Domain
Saturday, May 17, 2014 slide 5
Now what?
Use Case – Host contacting malicious IP/Domain
Saturday, May 17, 2014 slide 6
Install ECAT Agent On WS87771
Agent Identifies
Agent Installed Successfully
Use Case – Host contacting malicious IP/Domain
Agent Takes Scan Request
Request Scan For WS87771
Use Case – Host contacting malicious IP/Domain
Scan Complete, Sends Data
Scan For WS87771 Complete
Here’s All The Data
Use Case – Host contacting malicious IP/Domain
Module Name: 6re1fyeg1109.exe
Module Path: C:\$Recycle.Bin\S-1-5-21-1844237615-1604221776-725345543-15174\6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Host Name: WS8771
Host IP: 10.2.34.123
Bytes In: 3211
Bytes Out: 7651819
Target IP: 27.1.34.79
Target Host: superEvil.info
Target Port: 21
OPSWAT Verdict: Clean
YARA Verdict: Infected - super_evil_malware_group
Certificate Status: Not Signed
HASH Lookup: Unknown
S.L: 49
Comment: Found Infected on 19/05/2014 by: super_evil_malware_group
Use Case – Host contacting malicious IP/Domain
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Where else is this MD5 located?
Use Case – Host contacting malicious IP/Domain
On WS8771, WS8291, WS8101, WS2151
Kill Process by MD5, add ‘_’ to file extension
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
WS8291
WS8101
WS2151
iexplore.exe
svchost.exe
tempp.exe
Use Case – Host contacting malicious IP/Domain
Process is down, file extension changed
WS8291
WS8101
WS2151
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Use Case – Host contacting malicious IP/Domain
Give Me the infected file
Send sample To AV Vendor
AV Vendor
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
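As an added example (not code from the deck, ECAT or ArcSight), the Python below parses a scan record in the key/value layout shown in the use case, lists the indicators in it that justify an automated response, and builds the kill-by-MD5 list across hosts. The per-host module inventory and the pairing of hosts with process names are constructed assumptions; the hash, host and module values come from the slides.

```python
# Constructed sample in the "Key: Value" layout the slide shows; not real ECAT output.
SAMPLE_RECORD = r"""Module Name: 6re1fyeg1109.exe
Module Path: C:\$Recycle.Bin\S-1-5-21-1844237615-1604221776-725345543-15174\6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Host Name: WS8771
Bytes In: 3211
Bytes Out: 7651819
Target Host: superEvil.info
Target Port: 21
OPSWAT Verdict: Clean
YARA Verdict: Infected - super_evil_malware_group
Certificate Status: Not Signed
HASH Lookup: Unknown"""
EVIL_MD5 = "A87480D346E943491EE107CDB90D2860"
# Constructed per-host inventory (process name -> MD5); host/process pairing is assumed.
SAMPLE_INVENTORY = {
    "WS8771": {"6re1fyeg1109.exe": EVIL_MD5},
    "WS8291": {"iexplore.exe": EVIL_MD5, "explorer.exe": "0" * 32},
    "WS8101": {"svchost.exe": EVIL_MD5},
    "WS2151": {"tempp.exe": EVIL_MD5},
    "WS4420": {"svchost.exe": "0" * 32},  # clean host, must not appear in the plan
}
def parse_record(text):
    """Split 'Key: Value' lines into a dict, splitting only on the first colon."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record
def triage_reasons(record):
    """Collect the indicators in one record that justify an automated response."""
    reasons = []
    if record.get("YARA Verdict", "").lower().startswith("infected"):
        reasons.append("yara:" + record["YARA Verdict"].split("-", 1)[-1].strip())
    if record.get("Certificate Status", "").lower() == "not signed":
        reasons.append("unsigned-binary")
    if record.get("HASH Lookup", "").lower() == "unknown":
        reasons.append("hash-unknown")
    if "$recycle.bin" in record.get("Module Path", "").lower():
        reasons.append("runs-from-recycle-bin")
    if int(record.get("Bytes Out", 0)) > 10 * int(record.get("Bytes In", 0)):
        reasons.append("outbound-heavy-connection")  # upload-shaped traffic to the target
    return reasons
def containment_plan(md5, inventory):
    """(host, process) pairs to kill and quarantine: match on hash, not on file name."""
    return [(host, proc) for host, mods in inventory.items()
            for proc, h in mods.items() if h.upper() == md5.upper()]
```

The plan deliberately ignores the process name, since the same hash shows up under different names on each host in the slides.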
Questions?
Or Cohen – We Ankor 2014