As businesses face increasing regulatory-compliance pressure from Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, many companies
are finding themselves deploying intrusion detection systems, log analyzers, and other security tools to help determine
when an incident has occurred. But once an alarm has been triggered, every security analyst faces the problem of what to do
next.

EnCase Enterprise 5
Guidance Software, guidancesoftware.com
Very Good 8.0

| Criteria    | Score | Weight |
|-------------|-------|--------|
| Features    | 8     | 25%    |
| Management  | 8     | 20%    |
| Performance | 9     | 20%    |
| Integration | 8     | 15%    |
| Ease-of-use | 7     | 10%    |
| Value       | 7     | 10%    |

Cost: $85,000 as tested: SAFE, Examiner, three concurrent connections to Servlets, and Snapshot Incident Response capability
Platforms: Windows, Linux 2.4 and later, Solaris 8, Solaris 9
Bottom Line: EnCase Enterprise offers a solid set of tools and processes to empower the trained investigator. Coupled with intrusion detection,
EnCase will yield accurate investigations to help any company ensure that it is within regulatory requirements and is protecting
its intellectual capital.
Should your IT security group or forensics team seize the affected machine for analysis, even if it means that an employee
may be sitting idle for some time? Assuming you even have a dedicated security or forensics team (wouldn’t that be nice?),
launching a full search and seizure typically isn’t the best use of company resources, considering that the vast majority
of alarms turn out to be false ones.
Instead of the conventional forensics process, Guidance Software suggests an alternative that it calls automated incident
response. Incorporating the same investigative tools as Guidance’s well-known Forensic software for law enforcement, and the
ability to reach out to virtually any operating system and file system over the network, EnCase Enterprise makes a compelling
argument as an incident-response solution.
EnCase opens the door
EnCase Enterprise is built around three components: Examiner, the SAFE (Secure Authentication For EnCase) authentication server,
and EnCase Enterprise Servlets. In addition to installing and configuring these pieces, you must also configure EnCase to
receive alerts from your IDS.
SAFE ensures that Examiner and Servlets not only communicate securely but also handle the evidence in a way that will subsequently
stand up in court. SAFE also manages the granting of discretionary access to examiners. Examiner rights can be limited to
viewing snapshots, acquiring data from hard drives, killing running processes, and so on. In addition to granting the privileges,
SAFE logs the events to track all reads or writes to evidence.
The Servlet component, which is installed on network hosts, facilitates communication between the Examiner and the host being
analyzed. SAFE and Servlet communication is secured with certificate-based 128-bit AES encryption. New Servlet features in
Enterprise 5.0 include the ability to change the default listening port and rename the process or hide the process from the
user. The Servlet can run on Windows, Linux 2.4 and later, and Solaris 8 and 9, but not on BSD Unix platforms.
As soon as EnCase Enterprise receives an alarm from your IDS, it takes a snapshot of the target computer’s processes, loaded
drivers, registry, network connections, and other information to be stored in a secured database. You can then analyze the
captured data using EnScripts -- EnCase’s scripting language -- or SQL database queries.
For example, during our testing, our IDS detected that a command prompt was returned to a remote host from an internal host
over 8080/tcp. EnCase received the alarm and took a snapshot of the host, allowing us to quickly determine the process that
was sending the 8080/tcp traffic.
Furthermore, we could compare the current snapshot with a historical one to see whether any new network services or processes
were running. Then we built a query to search snapshots of other hosts on the network for the hash sum of the malicious process,
to see how far the infection may have spread. Finally, we conducted forensics on the affected machines to determine how much
data was compromised and potentially to prepare for legal proceedings. All of this can be done without disturbing the work
of employees using the compromised computers.
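The three-step triage the review walks through (find the process behind the flagged 8080/tcp traffic, diff the alert snapshot against a historical one, then search every host's snapshot for the same hash) is what the "SQL database queries" option amounts to in practice. The following is an added example written for this review, not EnCase's own schema or EnScript code: it models a snapshot store as two SQLite tables, `processes` and `connections`, populated with constructed sample data (hosts `ws-01` to `ws-03`, a look-alike `svch0st.exe` binary, a connection to `203.0.113.7`), all hypothetical. Comparing snapshots on file hash rather than process name is deliberate, since a name can be chosen to blend in but the hash cannot.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data. The schema and values are hypothetical; they model the
# per-host process and connection inventory the review describes, not EnCase's
# actual database layout.
PROCESSES = [
    # (host, snapshot, pid, name, sha1)
    ("ws-01", "baseline", 4, "System", "a" * 40),
    ("ws-01", "baseline", 612, "svchost.exe", "b" * 40),
    ("ws-01", "baseline", 1488, "outlook.exe", "c" * 40),
    ("ws-01", "alert", 4, "System", "a" * 40),
    ("ws-01", "alert", 612, "svchost.exe", "b" * 40),
    ("ws-01", "alert", 1488, "outlook.exe", "c" * 40),
    ("ws-01", "alert", 2044, "svch0st.exe", "d" * 40),   # absent from the baseline
    ("ws-02", "alert", 4, "System", "a" * 40),
    ("ws-02", "alert", 3100, "svch0st.exe", "d" * 40),   # same binary on another host
    ("ws-03", "alert", 4, "System", "a" * 40),
]

CONNECTIONS = [
    # (host, snapshot, pid, remote_addr, remote_port)
    ("ws-01", "baseline", 1488, "10.0.0.5", 443),
    ("ws-01", "alert", 1488, "10.0.0.5", 443),
    ("ws-01", "alert", 2044, "203.0.113.7", 8080),   # the traffic the IDS flagged
]


def build_sample_db() -> sqlite3.Connection:
    """Load the constructed snapshots into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE processes (host TEXT, snapshot TEXT, pid INTEGER,
                                name TEXT, sha1 TEXT);
        CREATE TABLE connections (host TEXT, snapshot TEXT, pid INTEGER,
                                  remote_addr TEXT, remote_port INTEGER);
        """
    )
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?, ?)", CONNECTIONS)
    return db


def processes_on_port(db, host: str, snapshot: str,
                      remote_port: int) -> List[Tuple[int, str, str]]:
    """Step 1: which process in this snapshot owns the traffic to remote_port?"""
    return db.execute(
        """
        SELECT p.pid, p.name, p.sha1
        FROM processes p JOIN connections c
          ON c.host = p.host AND c.snapshot = p.snapshot AND c.pid = p.pid
        WHERE p.host = ? AND p.snapshot = ? AND c.remote_port = ?
        ORDER BY p.pid
        """,
        (host, snapshot, remote_port),
    ).fetchall()


def new_since_baseline(db, host: str, baseline: str,
                       current: str) -> List[Tuple[str, str]]:
    """Step 2: processes in `current` whose hash does not appear in `baseline`.
    Matching on sha1 rather than name catches look-alike process names."""
    return db.execute(
        """
        SELECT DISTINCT name, sha1 FROM processes
        WHERE host = ? AND snapshot = ?
          AND sha1 NOT IN (SELECT sha1 FROM processes WHERE host = ? AND snapshot = ?)
        ORDER BY name
        """,
        (host, current, host, baseline),
    ).fetchall()


def hosts_with_hash(db, sha1: str) -> List[str]:
    """Step 3: every host whose snapshots contain a process with this hash."""
    rows = db.execute(
        "SELECT DISTINCT host FROM processes WHERE sha1 = ? ORDER BY host", (sha1,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    suspects = processes_on_port(db, "ws-01", "alert", 8080)
    print("process behind 8080/tcp:", suspects)
    print("new on ws-01 since baseline:",
          new_since_baseline(db, "ws-01", "baseline", "alert"))
    for _pid, _name, sha1 in suspects:
        print("hosts carrying", sha1[:8], "...:", hosts_with_hash(db, sha1))
```

Run stand-alone, the script identifies pid 2044 as the owner of the 8080/tcp connection, reports that its hash is new relative to the baseline, and shows the same hash present on `ws-02` but not `ws-03`, which is the spread assessment the review describes. A real deployment would run the third query across the snapshot store for every host, not just those in the sample.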
Needles and haystacks
Examiner is where the investigator can load the EnCase GUI and analyze the snapshots, or connect directly to the Servlet running
on a network host. Being able to undelete files from host hard disks, search slack space for hidden data, and discover running
processes is a short list of Examiner’s useful capabilities.