Last week I attended the ‘Cyber Intelligence and Response Technology roadshow’ from vendor AccessData.
Fresh from taking the roadshow around the world, the digital investigation and forensics vendor's director of network forensics, Jason Mical, said that ‘forensics are the core of our business’ and that the company had ‘launched into information security to change the landscape of security as we know it today’.
He claimed that there is a gap in the way that current solutions work, with no cohesion between what the individual technologies do, and that there is ‘no full view of the landscape for a 350 degree view of your assets’.
Mical said: “It is not just about looking at logs, it is about juggling solutions and teams and their toolboxes. They have the tools but they are not collaborating or communicating with each other. For CERT teams, they are trying to pull the needle out of the haystack; they look at the landscape and decide how to change their approach and provide a different visibility that they have not seen before.”
The company launched the second version of its Cyber Intelligence and Response Technology (CIRT) at Black Hat earlier this year, before this first showing in the UK.
The company said it is designed to pull together data for information assurance, compliance, anti-malware and network security professionals so that they can correlate information on different threats.
According to the company, this looks at both data which is in motion and at rest on the network, and can scan information that is being stored to removable devices.
Mical said when it comes to a large scale data audit, you can often only report on what you have, and this technology is designed to help with that process.
“With removable media monitoring, you want to know what is moved to USBs and CDs and see it as it happens,” he said.
“You may say ‘I have DLP' for that, but this will show where it came from. We are not in the DLP space but we can identify what was moved.”
CIRT 2.0 will also tell IT teams precisely which computers and removable devices were compromised, so that forensics teams know which data was affected. For intrusion detection, CIRT 2.0 will alert IT teams to unauthorised port 433 traffic and let them drill down into suspect hosts, while for DLP it allows IT managers to see if an employee is posting pictures, files or video to Facebook.
The malware analysis component of CIRT 2.0 is named ‘Cerberus’ and runs in two stages: scoring the threat, and then disassembling the code of suspected malware and running elements of the code, without running the actual executable, to see what the binary is capable of.
Mical said that this is a first step towards reverse engineering and lets ‘respondents’ get to the characteristics of a sample as quickly as possible. It allows IT managers to look at malware packets and see which files they try to copy, what they attempt to delete and which hosts they call out to.
Mical said: “You don't have to sift through raw packet data, it's there for you. You can see on the dashboard if someone has uploaded a post, or picture or file. You also have full visibility of SMTP and can also drill into FTP.
“IT teams can search for stolen documents and also search for .pst files and drill down into emails from the dashboard, using it to look for file types or file sizes. You can also use CIRT 2.0 to undertake software inventory, to check that different departments are using the latest patches, for example, or to manage licences. Previously this would have required multiple tools. Everything that you would traditionally need twenty point solutions to complete, you have right here.”
As detailed by Assuria's Terry Pudwell last week, as more is demanded from users there will be more need for forensic technologies combined with the standard needs of IT managers to know what employees are doing and what is happening on the network. AccessData may have walked into the UK market at just the right time.