

ID#11SS0037 Last Modified 09.20.2011

© 2011 FishNet Security. All rights reserved. Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406

Securely Enabling Business

FishNet Security Incident Management Powered by EnCase® Cybersecurity

Overview

Banking Trojans, Spear Phishing, SQL Injection Attacks, Polymorphic Malware … threats that were relatively rare or unknown a few years ago are causing security teams across the globe to rethink their security strategies as the traditional security approach of “putting up more walls” has been proven to be less effective against a determined adversary. One security discipline rising to meet these challenges is Incident Management and Response. Organizations are moving to what is being referred to as a “zero trust” or “lean forward” model of implementing policy and procedures around the assumption that they may have already been compromised and just don’t know it yet.

Incident Management refers not only to ensuring policies are in place to expose potential threats that may have evaded perimeter defenses, but also to ensuring that an organization is able to move quickly when a data breach does occur, to minimize the impact, cost, recovery time and recurrence of each incident.

Solution

FishNet Security and Guidance Software have partnered to provide a complete incident management solution designed to address the gaps left by traditional layered security through a combination of skilled resources, proven methodology and cutting-edge technology. The approach is designed to enable organizations to adopt a “lean forward” posture, exposing potential risks to a network before those vulnerabilities are fully exploited and used to exfiltrate data, and to ensure an organization is completely prepared in the event of a data breach.

IMF Key Domains

• Communication
  - Internal
  - External
• Collection of Information
  - Acquisition
  - Chain of Custody
  - Data Retention
• Analysis
  - Technical
  - Operational
• Containment
  - Emergency Action Plans (EAP)
• Mitigation
  - Remediation
  - Prevention
  - Testing
• Legal Counsel
  - Litigation Hold
  - Request for Discovery
  - Liability
• Immediate Response
  - Active
  - Passive
• Documentation
  - Procedures
  - Formal IR Plan
  - Operational


FishNet Security Program

FishNet Security facilitates an approach tailored to the unique aspects of your organization and network architecture. Our consultants recognize business drivers and goals, and tailor solutions to meet the specific initiatives of each organization. The end result is an effective Incident Management Framework (IMF) tailored to a customer’s environment and based on industry-accepted standards of best practice.

FishNet Security provides services to help organizations respond quickly to incidents, develop overall incident management programs, and test their incident response capabilities. Our consultants use industry-best practices to assist clients in the growth and maturity of their incident management programs.

FishNet Security also provides skilled consultants certified in incident response and forensic best practices to respond quickly to any urgent need. Our rapid response team can be in motion anywhere in the world within 24 hours to coordinate a response and conduct a full investigation of the incident. The team will also take the proper steps to mitigate risk and potential fallout.

Today’s Threat Landscape

Today, cyber crime is a for-profit industry with huge financial motivation to break into your network and steal your valuable data. As such, the attackers have spent time and resources to learn about your defenses and create highly specialized malware designed to evade those very defenses. Examples of these types of advanced threats include:

• Custom Malicious Code
• Polymorphic Malware
• Hacktivism
• 0-day Attack Vectors
• Exfiltration of Sensitive Data
• Memory Resident Malware
• Anti-virus Targeted Malware
• Encrypted Malicious Code Execution


Adaptive Defense

FishNet Security investigators use the advanced capabilities of EnCase Cybersecurity to give organizations the tools and resources necessary to expose and respond to the types of advanced threats that may have already penetrated your layered defenses. Experienced examiners work with internal resources to identify, contain, profile and eradicate the malicious code. This is achieved through EnCase Cybersecurity by exposing unknowns, analyzing anomalous behavior and determining the true scope of infection or breach.

A unique aspect of this approach lies in the patent-pending similar-file analysis capability of EnCase Cybersecurity, which allows a single instance of the offending malicious code to be used to find all similar instances across the enterprise. This matters when attackers change the signature of a piece of malware each time it copies itself to another device on the network. Because this approach does not rely on a static signature or behavioral trait like traditional solutions, it provides a truly adaptive defense against emerging threats.

Guidance Software - EnCase® Cybersecurity

EnCase Cybersecurity is an all-in-one software solution that provides information security and incident response teams with the ability to dynamically expose covert malicious code, including polymorphic code, and proactively identify unknown threats to endpoints in any networked environment. With EnCase Cybersecurity, organizations can shift from a reactive to a proactive approach by zeroing in on potential threats, completely recovering computers from malicious code infiltration and drastically reducing the cost and time associated with response and recovery.

And if an incident does occur, the EnCase Cybersecurity solution provides everything an organization needs to quickly and effectively respond and answer critical questions essential to mitigate the risk of an incident, such as:

• Where in the network did the threat originate?
• How did the threat spread across the network?
• What is the full scope of the intrusion?
• How has the threat evolved?
• And more …

EnCase Cybersecurity includes unique capabilities that put organizations one step ahead of those who wish to compromise corporate networks. With the ability to triage for covert threats, perform detailed memory analysis, and leverage advanced algorithms to determine code similarity, EnCase Cybersecurity allows organizations to recover from the most evasive threats.


About FishNet Security

We Focus on the Threat so You can Focus on the Opportunity.

Committed to security excellence, FishNet Security is the #1 provider of information security solutions that combine technology, services, support and training. FishNet Security solutions have enabled more than 5,000 clients to better manage risk, meet compliance requirements and reduce cost while maximizing security effectiveness and operational efficiency. For more information about FishNet Security, visit www.fishnetsecurity.com.


Comprehensive Containment

During a security incident, one of the primary concerns is containment of the event and ensuring sensitive data is accounted for and has not been compromised. With the ever-increasing speed and complexity of information technology infrastructures, fully quantifying an event can be very time-consuming. Environments span continents, contain thousands upon thousands of nodes, and each endpoint can hold terabytes of data. Ensuring proper containment and validation of data can prove infeasible without enterprise-grade tools such as EnCase Cybersecurity.

FishNet Security investigators understand the complexities of today’s environments as well as the attack profiles used by malicious individuals. Combined with the power of EnCase Cybersecurity, they can help work toward comprehensive containment of an event. Each endpoint can be scanned for malicious code, unauthorized sensitive data, insecure operating configurations, and various other known security weaknesses, independently of known signatures or behaviors. Identified endpoints can then be remediated to bring the device back into a secure state that meets internal compliance requirements.

Finally, certain elements of the newly exposed malware can be retained and scanned against on an ongoing basis to ensure the threat, or similar threats, are not reintroduced into your environment. Information gleaned through a proper incident management framework gives your security team the intelligence they need to better tailor defenses against subsequent attacks and to move away from the never-ending game of “malware whack-a-mole.”
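As an added illustration of the two ideas above, the similar-file matching described under Adaptive Defense and the retention of a known sample to scan against on an ongoing basis: this is example code, not EnCase or FishNet code, and byte n-gram Jaccard similarity is an assumed stand-in for whatever algorithm EnCase actually uses. The file contents and host paths are constructed.

```python
"""Similarity-based matching of one retained known-bad sample against files
collected from several endpoints. An exact hash misses the altered copy;
a content-similarity score still flags it (added example, assumed method)."""
import hashlib
import random

def sha256(data: bytes) -> str:
    """Exact-match hash: the kind of static signature a varied copy defeats."""
    return hashlib.sha256(data).hexdigest()

def ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows, an order-insensitive content fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets: 0.0 (disjoint) to 1.0 (identical)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)

def find_similar(known_bad: bytes, collected: dict, threshold: float = 0.6) -> list:
    """Return (path, score) for each collected file scoring at or above the
    threshold, best match first. An exact copy scores 1.0, an altered copy
    scores lower but still above the threshold, unrelated files fall well below."""
    hits = [(path, round(similarity(known_bad, data), 2))
            for path, data in collected.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample data (not real malware): a 2000-byte pseudo-random blob,
# a copy with one byte altered every 100 bytes, and an unrelated text file.
_rng = random.Random(7)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(2000))
_v = bytearray(ORIGINAL)
for _i in range(0, len(_v), 100):
    _v[_i] ^= 0x5A          # each flipped byte changes the hash, not the structure
VARIANT = bytes(_v)
BENIGN = b"The quick brown fox jumps over the lazy dog. " * 40

# Constructed endpoint collection keyed by hypothetical host and path.
COLLECTED = {
    "host-a:/tmp/svc.bin": ORIGINAL,
    "host-b:/tmp/svc2.bin": VARIANT,
    "host-c:/home/user/notes.txt": BENIGN,
}

if __name__ == "__main__":
    print("exact hashes differ:", sha256(ORIGINAL) != sha256(VARIANT))
    for path, score in find_similar(ORIGINAL, COLLECTED):
        print(f"{score:.2f}  {path}")
```

Re-running find_similar against a later collection with the same retained ORIGINAL is the ongoing scan the text describes; the threshold is a tuning knob, and too low a value will start flagging unrelated files.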