WHITE PAPER Introduction UNIFIED - Federal News Radio

WHITE PAPER

EXECUTIVE SUMMARYThe accelerating use of communication devices, networks, and information processing technologies improves an agency’s ability to meet its mission requirements more efficiently; however, it also increases the risk of accidental data loss, insider threats, and sophisticated cyber-attacks. According to the Annual Symantec Internet Security Threat Report issued April 30, 2012, “Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year. In addition, the number of unique malware variants increased to 403 million, and the number of Web attacks blocked per day increased by 36 percent.” Legacy security technologies, such as intrusion detection systems and network forensics tools, have provided agencies with some of the necessary capabili-ties to understand specific types of security events on their networks. However, these technologies do not provide enough insight to completely recreate events to fully under-stand what has occurred and, more importantly, how it occurred.

Unified Cyber Forensics (UCF) is an innovative approach to understanding and reconstruct-ing security events. It provides IT security organizations with easy-to-use tools to recreate and investigate any and all threats being perpetrated on their enterprise networks. Instead of just capturing basic packet information like source and destination addresses, UCF captures entire communication flows. Once captured, data is stored, enriched, and made readily accessible through intuitive and powerful tools that encourage and enable unrestricted investigation. This provides agency analysts with the critical ability to com-pletely recreate full communication sessions including e-mail, chat messages, documents, and web pages to fully understand what has transpired. UCF makes it possible for agencies to quickly and accurately ascertain the impact of a cyber-incident, understand how to prevent future incursions, or rapidly identify and mitigate insider threats.

Merlin is a federal systems integrator bringing together best-of-breed cyber solutions to provide unparalleled insight into the information passing across Enterprise networks in real time. Our innovative solutions give agencies the ability to view, search, and correlate “data of interest” at any level: from network addresses, to reconstructed application files (and their attributes) in native formats (e.g., html, doc, ppt, pdf…), to metadata generated by forensic analysts. In order to provide agencies with total network situational awareness, Merlin combines industry-leading packet capture capabilities with the secure and reliable storage products from NetApp and the forensic processing and analytical power of Cyber-tap. UCF solutions are deployed on servers specially designed and engineered by Merlin to ensure seamless integration and optimal performance.

UNIFIED CYBER FORENSICS

IntroductionNetwork forensics tools have matured considerably over the last decade. While useful to address specific issues, even modern tools typically only support a single function such as malware detection, insider threats, fraud, or compliance. Use and management of the tools also require significant manual effort. The tools are usually only implemented as a reaction to a predefined event, and then data surround-ing that event is handed to an analyst who must parse through it line by line. These tools typically do not provide a high level of meaningful insight into network transactions that occurred before or after an incident. Knowing what happened immediately before or after an event is valuable intelli-gence that can better illustrate how an attack was perpetrated. Use of forensics tools, due largely to their cryptic character-based views, often require highly skilled analysts to operate and interpret the data. This greatly limits their usability and capacity for building a holistic view of a threat situation.

As the world becomes more “cyber-sophisticated”, agencies need new tools that speed forensic analyses of rapidly growing data sets in the ongoing investiga-tion of evolving threats. Analysts can leverage search engine technology to find clues that warrant further investigation and provide the means for “deep dive” analysis and the ability to explore related event branches and information.

Unified Cyber ForensicsInternet users have become accustomed to easily searching vast amounts of data everywhere at any time. Unified Cyber Forensics makes the same true for cyber analysis; all data from network packets and documents that were sent over the network are now easily searchable on demand.

Employing a search engine as the underly-ing data repository (rather than a traditional database) makes this possible. UCF allows you to capture (get the packets); reassemble them (into sessions or flow); reconstitute the original documents (e-mails, web pages, chats, documents); enrich the data (content, attributes, protocol data, entities); index all of that; and make it available through a powerful, yet intuitive, tool. Processing data, reconsti-tuting original documents, and indexing them while maintaining all original network relationships, and storing this data in a searchable repository can be done constantly. This advanced processing delivers an easy-to-use, powerful, and scalable network forensics capability.

UCF offers highly flexible deployment options allowing an enterprise to store a day of traffic, a week, a month or more depending upon your needs. This process would normally be long and time consum-ing requiring parsing through large amount of network data, but UCF makes this a simple search because all of the network traffic has already been reconstituted and indexed by the tool.

Unified Cyber Forensics enables:

• The investigation of all data that crosses the network,

• Investigators to understand users’ actions on (and to) the network,

• Content-oriented investigations that go beyond network traffic, headers, and IP Addresses and focus on individuals, e-mails, chats, Facebook, web pages, and documents,

• The creation of a suspect’s ePersona allowing an investigator to see and track a suspect’s online activities and online identity.

• Flexibility to investigate any event and hypothesis

The Merlin Unified Cyber Forensics SolutionThe Merlin Unified Cyber Forensics solution is a new integrated technology that utilizes open standards to enable packet-level processing along with fully reconstructed data and a robust storage solution to retain a full copy of the network packet data and reconstituted files. The processing engine extracts and converts packet-level network transactions (from stored or real-time PCAPS) into reconstituted files. The files are saved in their native format (i.e. .wav, .jpg, http, .doc etc.) and further processing is accomplished to index and correlate all of the information. This advanced processing results in an easy-to-use, powerful, and scalable network forensics and cyber analysis capability.

Preprocessing data allows an investigator to parse through mountains of network traffic with ease, instantly extracting relevant

data, and substantially reducing the amount of traffic requiring manual inspec-tion. Relevant data can be anything the investigator defines it to be—all traffic for a given individual, all images, all chats between two people about a given subject, anything that happened during a particular timeframe, or other parameters germane to the investigation. Correlating and assessing related data and events becomes a simple task that can be accomplished quickly. Further, event research can be conducted by investiga-tors without highly specialized skillsets, freeing up forensic experts to spend more time on analysis rather than legwork.

Merlin’s UCF solution employs an intuitive user interface that makes it easy for users without specialized skills or training to find the information they need. It is designed to be used quickly and efficiently by a broad range of investigators such as corporate

and government officials, human resources, IG investigators, regulators, lawyers, cyber security forensic analysts, law enforcement officers, and intelligence analysts. These investigators are able to investigate and monitor network-based activities in support of any type of analysis including insider threat, waste, fraud, abuse, compliance & compliance monitor-ing, network and infrastructure security, lawful intercept, and intelligence gathering.

Investigators will be able to use Merlin’s UCF capabilities to find, visualize and follow the online actions of their suspects to gather evidence and make their cases. Analysts will be able to see and reenact what their suspects saw and did on the network by taking network traffic and turning it back into its original form including web pages, chats, e-mails, attachments, phone calls, etc.

The Merlin Unified Cyber Forensics solution provides a familiar search engine-style user interface that dramatically reduces the learning curve for users. It offers a robust query engine with full word, protocol, meta-data, entity, and Boolean search functions. These features can be combined to support complex queries with sub-second response from very large data sets including reconstructions of file trans-fers, emails, websites, chat, and http creation of ePersona. Merlin’s UCF solutions are built on a platform utilizing open standards. The open standard API-driven nature of this solution supports access to the data repository by many common COTS/GOTS applications customers rely on.

PartnersMerlin’s UCF solution harnesses the incred-ible forensics power of Cybertap Recon and NetApp’s world class enterprise storage capabilities to provide agencies

with an unparalleled forensic investigation solution that is fast, user friendly, reliable, and agile. It has been engineered to quickly and easily scale to meet each customer’s unique business requirements and budget. Agencies can begin with a deployment that meets their immediate needs, then add processing and storage capacity incrementally as their require-ments change.

As shown in the figure below, NetApp’s storage solutions are the critical enabler of UCF solutions. The entire system relies upon the secure, high speed and highly-available storage every step of the way. NetApp’s storage solution provides:

• Secure Encrypted Storage: Maintaining a secure copy of all network traffic and of the reconstituted network data.

• High Speed Access: Allowing for efficient preprocess of the data and improving the performance and user experience of the Forensic investigation.

• High Availability and Reliability: Ensuring availability of data for essential forensics and analysis capabilities.

• Flexible Expansion Options: Permitting additional capacity to be added gracefully as demand grows.

• Efficient Storage Features: Allowing for a reduction in the overall storage require-ments, thus, making the solution more cost effective.

Cybertap Recon provides the intelligence that makes this Unified Cyber Forensics solution possible by performing the pre-processing functions necessary to reconstitute, tag, and index all of the network traffic. Cybertap Recon then presents actionable information to the forensic analyst who initiates an investiga-tional search. Recon provides:

• Data Enrichment: Including network flow reassembly, document reconstitution, content extraction, tagging, and meta-data generation.

• Open Standards: All reconstructed files are output in their original format and all files, indexes, and API calls are in industry standard formats which provide the option to use third party tools.

• Complete Indexing and Searching: Allows for fast searching based on network data, reconstructed content,

tags, generic search terms, and relation-ships with Boolean combinations.

• ePersona: The personification of an individual’s online electronic presence and includes identification and tagging of all electronic identities, linking of relationships, and insight into a user’s network habits.

• Comprehensive Repository: Data includes timestamps, IP & MAC addresses, ports, protocols used, related flow data, certificates, tokens, user IDs,

etc., all in chronological order and with entity relationships (ePersona).

• Ease-of-Use: Usable by all investigators, it presents the data exactly as it was originally viewed by the suspect, and allows you to query the data any way you like through a graphical web-based user interface.

• Universal Applicability: Useful for all enterprise network investigations.

Use CasesMerlin’s Unified Cyber Forensic solution provides a robust capability to meet the traditional and non-traditional forensics needs of agencies. The 100% packet capture and storage capability provides

agencies with a centralized tool for all of their forensics analysis requirements. Analysts will have access to the entire network transaction (including documents and application data) so they will not have to spend time accessing other computers or servers. This also means one tool can be used for every organization, from opera-tions and security to legal and HR.

The pre-processing and user-friendly GUI interface provide real-time results in an intuitive format. With all of the information already categorized and indexed, this means results will be instantaneous and more investigating can occur in a shorter period of time. The GUI interface requires little training and leverages common search engine commands. This means

non-technical users in groups such as HR and legal will be able to reconstruct a Microsoft Word document or PowerPoint file and actually review the content, see data accessed relative to the time it was accessed in a link analysis fashion, or successively follow links.

The powerful analytics tools allows an agency to constantly monitor for predefined data sets that can be viewed as threats, as well as search historical events to look for patterns of behaviors or investigate specific instances thoroughly. A few of the many

potential use cases for Merlin’s integrated solution are shown in Figure 4.

ExampleScenario: A federal agency that accepts credit card payments for citizen service has been notified by their credit card clearing house that credit card information from multiple customers appears to have been stolen.

STEPS: A forensic analyst working for the agency investigated this situation and

employed the Merlin UCF tool and took the following steps:

1. Performed a search for all of the stolen credit card numbers – no results were found.

2. Performed a search for last names associated the stolen credit card numbers – multiple results were found

3. The files and communications associated with the results were reconstituted and the analyst was able to review multiple Microsoft Word documents, Excel File and Instant Messenger streams that revealed illegal transmission of credit card data.

4. The analyst then identified the source of the communications stream and performed an in-depth search on this individual communications streams for the past six months and found additional sensitive information that was being sent out on a regular basis.

RESULTS: The agency was able to quickly analyze and collect evidence against an employee who was passing sensitive customer information to criminal organiza-tions. The initial investigation began with a tip from the credit card clearing house and with the use of the Merlin UCF tool suite, the agency was able to uncover the extent and methods of the breach and stop them.

ConclusionEnterprise security is crucial for any size agency. UCF offers innovative capabilities that greatly enhance security and compli-ance monitoring while also providing efficiencies that allow limited resources to accomplish more. Merlin provides the capability to do in-depth cyber forensics, in real-time, across all of the information traversing its network, and it provides the means for anyone who needs access to the data to easily search it. Built on open standards, Merlin’s solution allows quick and easy access by third party applications requiring use of the same information, thus removing the need for additional storage. Investigators from many backgrounds and skill levels can use the tool to gain a greater understanding of what is happening on the Enterprise.

The Merlin UCF solution is highly flexible and agile for various deployment scenarios. Agencies can deploy all or part of the tool’s capabilities and scale the processing power based on the level of traffic on their network. Storage of network traffic and the reconstituted data is no trivial concern, but thanks to scalable, secure, and cost effective storage solutions from NetApp, agencies can leverage best-in-class storage products to ensure consistent and optimized results are obtained every time.















COMPUTER INTRUSIONS BY HACKERS, CRIMINALS AND NATIONS AGAINST U.S. INFRASTRUCTURE INCREASED SEVENTEEN FOLD FROM 2009 TO 2011

-- GEN. KEITH ALEXANDER, U.S. CYBER COMMAND

MERLIN INTERNATIONAL | UNIFIED CYBER FORENSICS2









































































FIGURE 1: UNIFIED CYBER FORENSICS DATA CAPTURE, ENRICHMENT, AND INDEXING PROCESS

FIRST: captured PCAP data is reassembled into flows and furthermore into actual content (i.e., webpages, emails, attachments, downloaded/ uploaded files, etc.). All of the PCAPs and Native Files are stored in a single repository.

SECOND: the resulting reconstituted files are enriched (content, attributes, metadata, protocols, tags, relationships) to enable powerful searches

THIRD: files and their enriched data are indexed and made easily and powerfully searchable on both specific string matches and general entity (Name, Phone, SSN, Credit Card Number) searches, individually or in complex combinations.

ePERSONA ALLOWS YOU TO IDENTIFY EVERYTHING AND EVERYONE INVOLVED IN AN ACTIVITY.








































MERLIN INTERNATIONAL | UNIFIED CYBER FORENSICS 4





UNIFIED CYBER FORENSICS PROVIDES USERS ACROSS AN AGENCY A METHOD TO QUICKLY AND EASILY SEARCH, ANALYZE AND RECONSTRUCT EVENTS UNIQUE TO THE INVESTIGATION OF ANY TYPE OF THREAT.






































FIGURE 2: UNIFIED CYBER FORENSICS IMPROVES SPEED, SCALABILITY, INTEGRATION, AND INFORMATION CLARITY FOR INVESTIGATORS

























































Utilizes pre-processing for tagging and indexing of information in conjunction with an easy-to-use search interface.

BENEFIT: Enables faster analysis than parsing the data manually and returns useful results the first time.

Fast & Efficient Forensic Scenario Investigation

Nothing is missed and all potential data is accounted for.

BENEFIT: Any analysis done on the traffic is complete and accurate.Zero Packet Loss

Information is categorized and tagged.

BENEFIT: This allows investigators the flexibility to search any and all criteria quickly and easily without having to learn a specific format, language, or style.

Index Everything

Ability to expand from a single collection point to multiple collection points across the enterprise and act as a single storage agent for all Enterprise forensics tools.

BENEFIT: Simple and cost effective ability to expand and meet future needsScalability

Based on non-proprietary industry standards

BENEFIT: Quickly integrate with other enterprise forensics tools, collectors and other related technologies.

Open Standards

Provides a clear copy of all files sent over the network including webpages, attachments, emails, VoIP calls, etc.

BENEFIT: Investigators can open actual files reconstructed from network packets.Full Traffic

Reconstruction















MERLIN INTERNATIONAL | UNIFIED CYBER FORENSICS 6

















CYBERTAP

Network Operations

IG/Legal

Security Operations

Compliance

HR

Law Enforcement

DoD/Intelligence

CASE MATERIAL

METADATA

ePERSONA

RECONSTRUCTION

ATTRIBUTES

DOCUMENTS

FLOW

PACKETS

BITS

NETAPP

MERLIN

PRE-PROCESSING ENGINE

GUI INTERFACESEARCH ENGINE &

CASE ANALYSIS TOOLS

REAL-TIME NETWORK PACKETS

PCAPs







FIGURE 3: MERLIN'S UNIFIED CYBER FORENSICS SOLUTION HARNESSES ADVANCED CAPABILITIES FROM NETAPP AND CYBERTAP




















Merlin Unified Cyber Forensics Solution

FIGURE 4: THE ABILITY TO QUICKLY AND EASILY SEARCH ANY KIND OF NETWORK DATA MAKES MERLIN'S UNIFIED CYBER FORENSICS SOLUTION USEFUL FOR A WIDE RANGE OF APPLICATIONS

























































• Network Security• Application PerformanceNetwork Operations

IG/Legal• eDiscovery• Waste, Fraud and Abuse• Internal Investigations

Security Operations• Insider Threat• Theft Prevention• Data Loss• Malicous Actions• Malware Impact

Compliance• IPII/SPII• HIPAA• PCI• Financial• eFOIA

HR• Acceptable Use• Employee Productivity

Law Enforcement• Survellience• Child Protection• Net-Based Crimes

DoD/Intelligence• Enemy Intent• Active Monitoring• Computer Attacks

MERLIN UNIFIED CYBER FORENSICS
























































SALES REPRESENTATIVE [email protected] 1.877.430.3021

MERLIN GOVERNMENTCONTRACTSSEWP# NNG07DA23BGSA# GS35F0783M

CORPORATE OFfiCE4B Inverness Court East | Suite 100Englewood, CO 80112T 303.221.0797 | F 303.496.1420

FEDERAL OPERATIONS8381 Old Courthouse Rd | Suite 200 Vienna, VA 22182T 703.752.2928 | F 703.752.2935

Merlin International, Inc. Copyright © 2012 Merlin International, Inc. All rights reserved. October 2012

ABOUT MERLINMerlin International® is one of

the fastest growing information

technology solutions providers

in the country. Founded in

1997, the veteran-owned,

privately held business has

consistently grown both its

revenue and its staff since

the company’s inception.

Merlin is approximately 100

employees strong, with its

seasoned professionals

possessing decades of

experience – working in the

public and private sectors –

as well as top-secret security

clearances.

Working alongside its system

integrator and vendor

partners, Merlin provides

turn-key IT solutions that solve

complex and critical problems

while fulfilling mission objec-

tives for federal government

agencies and organizations

involved in civilian services,

defense, intelligence, health

care and a variety of other

areas.

WHITE PAPER Introduction UNIFIED - Federal News Radio

Documents

Transcript of WHITE PAPER Introduction UNIFIED - Federal News Radio