Beyond Perimeter Defence: Delivering Unprecedented Visibility and Security
Graham Hughes – EMEA Channel Manager, Guidance Software

February 2007

Session Agenda

- Session objectives
- Threats: what are they and where do they come from?
- Business challenges and drivers
- The Guidance Software proposition
- Fraud detection
- Incident response
- Session summary & close

Session objectives

To provide a high-level overview of, and insight into, identifying, managing and controlling computer fraud and security threats through innovative techniques and legally accepted process. This session covers some of the challenges faced by HR, Legal and Information Technology Security teams within corporate organisations today, with a focus on how Guidance Software helps its customers address, manage and add value to these challenges, working alongside industry best practices and regulatory requirements such as ISO 17799, the Basel Accord and Sarbanes-Oxley.

But first: why do cars have brakes?

(Three title-only slides.)

Where do the threats originate from?

Sources of threat surrounding your business (slide diagram):

- Foreign governments
- Fraud, internal and external
- Competitors
- Human error
- Internal threats
- Organised crime
- Hackers
- Viruses
- Deliberate attack
- Natural disasters
- Accidents

Business challenges & drivers

Intellectual property
- Corporate policy
- Corporate espionage
- Internal use
- Organised crime / planted employees / sabotage
- Inappropriate conduct
- Control of quarterly financials and marketing plans
- Unauthorised software and/or rootkits
- Mergers and acquisitions
- Document or data leakage to competitors / intellectual property rights (IPR) theft

Employees
- Harassing co-workers
- Not doing their job (performance issues)
- Violent acts
- Inappropriate content
- Contractor employment controls

Regulatory compliance
- SOX
- ISO 17799
- Basel II

Identifying and locating the risks to the organisation

Interdepartmental knowledge and information sharing, policies & process

Reducing risk / increasing efficiencies
- Reliance upon contractors and individuals with required expertise
- Leveraging regional initiatives and knowledge share between key national infrastructure organisations

Sarbanes-Oxley, ISO 17799, Basel II: why enterprise computer forensics?

Enterprise computer forensics required for effective internal investigations

Congress enacted the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) to protect investors by combating corporate crime and improving corporate governance. Sarbanes-Oxley requires companies to implement extensive corporate governance policies to prevent and respond to fraudulent activity within the company, including vigilant self-policing to deter and quickly investigate and contain internal financial fraud. For example, Sarbanes-Oxley expressly requires publicly traded companies to create anonymous hotlines for the reporting of fraud, to investigate those instances of fraud, and to certify that they have disclosed any instances of fraud involving management and other key employees to the Board of Directors.

Well before the enactment of Sarbanes-Oxley, courts recognized the importance of preserving electronic data in connection with litigation, including securities fraud investigations. For example, in In re Bristol-Myers Squibb Securities Litigation, the court determined that the discovery of computer evidence was critical to ensure a proper investigation of alleged corporate fraud. The court noted that as the vast majority of documentation now exists in electronic form, electronic evidence discovery should be considered a standard and routine practice going forward. The provisions of Sarbanes-Oxley will certainly induce courts and auditors to look closely at a company’s ability to forensically preserve and analyze electronic data.

Other agencies and groups have also adopted standards regarding computer forensics. The leading international information security best practices standard, ISO 17799, calls on enterprises to use computer forensics to preserve the admissibility of evidence.

Enterprise Products

Data at rest. Forensic concurrent connections let you:
- Discreetly investigate and analyze many machines simultaneously at a disk level
- Acquire and preserve data in a forensically sound (court-accepted) manner
- Proactively audit groups of machines for sensitive information

Volatile data. Snapshot concurrent connections let you:
- Scan more than 10,000 machines in 30 minutes
- Rapidly identify all trusted, untrusted and unknown data
- Integrate with IDS/SIM tools to provide actionable real-time incident response capabilities

The Guidance Software Proposition

“We provide an Investigative Infrastructure that lowers the cost and response time while increasing the breadth and depth of computer related investigations and incident response…with the overall goal of reducing operational risk”

Enterprise Investigative Infrastructure (slide diagram):
- Fraud Detection and Mitigation: Fraud/HR Investigations; Policy & Regulatory Compliance
- Incident Response: Automated Response; Compromise Assessment
- eDiscovery/Audit: Litigation Support; Info Assurance
- Underpinned by Software, Services, Partners & Best Practices

Fraud Detection and Mitigation

Fraud/HR Investigations; Policy & Regulatory Compliance; Classified Data Spillage & Recovery

Intellectual property issues such as:
- Corporate policy
- Corporate espionage
- Internal use
- Quarterly financials and marketing plans
- Inappropriate conduct
- Mergers and acquisitions
- Organizational deterrent
- Drug research

Employee integrity
- Harassing co-workers
- Not doing their job (performance issues)
- Violent acts
- Inappropriate content

Regulatory compliance
- SOX
- ISO 17799

Detection and Prevention: Perception

Sources of threat: Outsiders, Employees, Partners, Executives
Assets: Intellectual property, $$$, Reputation

- Blocking (physical and virtual barriers): barriers prevent access to all but the most skilled
- Deterrents (policy and laws): deterrents prevent access to all but the most determined
- Detection (audits): detection prevents access to all but the most stealthy

Detection and Prevention: Reality

Sources of threat: Outsiders, Employees, Partners, Subcontractors
Assets: Intellectual property, $$$, Reputation

- Blocking (physical and virtual barriers): most sources of fraud are on the wrong side of the barrier.
- Deterrents (policy and laws): inside sources are not deterred by policies and laws.
- Detection (sampling audits): based on sampling audits, detection is Swiss cheese, further undermining deterrents.

As the likelihood of detection decreases, so does the power to deter by using punishments.
Case Study: Synopsys (IP Theft)

Issue:
Synopsys believed that a former employee removed files containing corporate secrets from its network and used these secrets to establish ‘Nassda’ and create a competitive product.
Problem:
Synopsys needed to prove that the former employees had in fact removed the sensitive data from its network and then used it to build Nassda’s business.
Size of the challenge:
Nassda was, for obvious reasons, less than cooperative, and by the time Guidance Software got involved the case was more than two years old and a lot of computer evidence had been lost or erased.
Our solution:
Using EnCase Enterprise and a court order, Guidance Software was able to search through Nassda’s systems and locate documents identical to those on Synopsys’ network.
Result:
“The terms of the deal call for Synopsys to acquire Nassda (including its $100 million cash reserves) for $192 million, and for Nassda's co-founders – all of whom were one-time Synopsys employees – to pay Synopsys a $61 million settlement. The net purchase price of $30 million compares favorably to Nassda's earlier market cap of $500 million”
— CBS MarketWatch

Case Study: Network Associates (M&A)

Customer:
Network Associates
Issue:
Contracted to sell its Sniffer Technologies unit for $275 million.
Problem:
The contractual terms required Network Associates to ensure that none of Sniffer’s source code remained on Network Associates’ computer systems.
Size of the challenge:
5,000 computers in 20 different locations worldwide (100 TB).
Our solution:
Guidance Software Professional Services used the eDiscovery suite containing all the relevant search terms.
Result:
Guidance Software completed the engagement in 4 weeks and significantly under budget. 105 dirty machines were found.
"EnCase Enterprise saved us more than $1 million in the first six months of its use. It also allowed us to complete a critical M&A discovery issue that would have been impossible with any other software or services options in the market today."
- Ted Barlow, CSO & VP, Risk Management, Network Associates

Computer Related Incident Response

Computer Network Defense: Incident Response & Remediation; Automated Incident Response; Compromise Assessment

Automated Incident Response
- Single machine incident response (confirm/deny an event took place)
- Automatically responding to events from IDS and SIMs
- Documentation / closing the response loop (future controls and best practices)
- Automatically responding to events from content management systems

Compromise Assessment
- Breadth of the compromise
- Remediation
- Enables complete remediation

IR process — Broken

(Diagram-only slide.)

IR process — Best Practice

Stages shown on the slide's cycle:
- Trigger: hacker, rogue employee, zero-day event
- IDS/SIM
- Incident response
- Investigate infected machines
- Enterprise-wide cleanup
- Clean network: scan entire network for similar exploits
- Write/rewrite response policy
- Monitor

Automated Incident Response

AIRS Architecture (diagram-only slide.)

Incident Response

Where EnCase Enterprise fits into the security landscape:

Vulnerability Assessment
- Vulnerability scanners
- Threat/risk assessments

Perimeter Defense and Detection/Correlation
- Firewalls
- IDS
- IPS
- SIM
- Access control
- Content management systems
- Authentication

Incident Response and Forensics
- People and process
- Solutions & techniques

Case Study: The Hartford (Incident Response)

Issue:
Conducting efficient incident response on a large distributed network without disrupting operations.
Problem:
During a zero-day incident The Hartford needed to locate and remediate a worm prior to getting the signature from their anti-virus company.
Size of the challenge:
30,000 node network.
Our solution:
EnCase Enterprise with servlets deployed throughout their network.
Result:
During a worm outbreak The Hartford was able to scan 30,000 nodes to identify compromised machines and establish a timeline of the machine that introduced the worm into their environment. After identifying compromised machines they were able to remediate the malicious worm quickly without disrupting business operations or quarantining workstations/servers.
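As an added illustration (not Guidance Software's or EnCase's own code) of the hash-set triage the product slide describes ("trusted, untrusted and unknown data") and the sweep-and-timeline result in the Hartford case above: a constructed file snapshot from three hosts is bucketed against placeholder known-good and known-bad hash sets, hosts holding a known-bad file are listed, and the earliest creation time of that file per host orders the candidates for the machine that introduced it. All hashes, host names, paths and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed hash sets: placeholder values, not real file hashes.
TRUSTED = {"0a1b" * 8, "2c3d" * 8}    # known-good, e.g. vendor OS binaries
UNTRUSTED = {"dead" * 8}              # known-bad, e.g. the worm dropper

# Constructed snapshot rows: (host, path, sha1, file-created timestamp).
SNAPSHOT = [
    ("WS-0042", r"C:\Windows\System32\kernel32.dll", "0a1b" * 8, "2007-02-01T08:00:00"),
    ("WS-0042", r"C:\Windows\Temp\svch0st.exe", "dead" * 8, "2007-02-12T09:14:00"),
    ("WS-0017", r"C:\Windows\explorer.exe", "2c3d" * 8, "2007-02-01T08:00:00"),
    ("WS-0017", r"C:\Windows\Temp\svch0st.exe", "dead" * 8, "2007-02-12T07:58:00"),
    ("WS-0017", r"C:\Users\a\tool.exe", "ffee" * 8, "2007-02-05T12:00:00"),
    ("SRV-DB01", r"C:\Windows\System32\kernel32.dll", "0a1b" * 8, "2007-02-01T08:00:00"),
]

def classify(sha1):
    """Bucket one hash: known-bad wins, then known-good, else unknown (needs a human)."""
    if sha1 in UNTRUSTED:
        return "untrusted"
    return "trusted" if sha1 in TRUSTED else "unknown"

def sweep(snapshot):
    """Return {host: {bucket: [(path, created), ...]}} across every host scanned."""
    report = defaultdict(lambda: defaultdict(list))
    for host, path, sha1, created in snapshot:
        report[host][classify(sha1)].append((path, created))
    return report

def compromised_hosts(report):
    """Hosts holding at least one known-bad file, sorted by name."""
    return sorted(h for h, buckets in report.items() if buckets["untrusted"])

def unknown_files(report):
    """Files in neither hash set: the triage queue for the analyst."""
    return [(h, p) for h, b in sorted(report.items()) for p, _ in b["unknown"]]

def timeline(report):
    """Earliest creation time of a known-bad file per host, oldest first;
    the first row is the best candidate for the machine that introduced it."""
    first_seen = {}
    for host, buckets in report.items():
        stamps = [datetime.fromisoformat(c) for _, c in buckets["untrusted"]]
        if stamps:
            first_seen[host] = min(stamps)
    return [(h, t.isoformat()) for h, t in sorted(first_seen.items(), key=lambda kv: kv[1])]
```

Creation timestamps on a live host can be backdated, so in practice the ordering is a lead to confirm against other sources (network logs, the worm's own propagation records), not a verdict.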


The Enterprise Investigative Infrastructure

Processes: Standalone Forensics; Network Forensic Investigations; Compromise Assessment; Automated IR; eDiscovery; Information Assurance

Implementation options:

Un-integrated
- Point solutions
- Multiple deployments
- Error prone
- High maintenance
- Reliance upon technical contractors
- Result: wasted revenue, time and no intelligence across solutions; risk

Integrated
- Process minded, modular, integrated solutions
- Result: complete, integrated and business focused

The power of One – a collective approach

- Human Resources
- Information Security Team
- Legal Team
- Incident Response/Forensics Team (CIRT)
- Fraud Team
- Network Team
- Procurement Team

Session Summary

- Identify and mitigate risks
  - Conduct network-enabled forensic investigations for anything, anywhere, anytime
  - Disqualify unnecessary investigations
  - Conduct network-enabled HR investigations
  - Contain and reduce corporate fraud
- Employ a proactive approach to enterprise investigations
  - Conduct network-enabled document discovery
  - Discover documentation related to legal issues
  - Support information assurance efforts in a much more cost-effective manner with no business disruption
- Compliance
  - Meet regulatory mandates to demonstrate due care and limit loss
  - Effectively and efficiently validate and enforce corporate computer use policies
  - Utilise regional directives and initiatives; knowledge share to address common threats
- Automate inefficient processes
  - Respond immediately to zero-day events
  - Perform a complete compromise assessment after a security intrusion
  - Reduce business disruption and losses due to security breaches
  - Respond to more security incidents with less manpower

Thank you

[email protected]
www.guidancesoftware.com

February 2007

Document Path: ["183-200702-iss-guidance.pdf"]
