Despite adding layers of security to its infrastructure, a large corporation was still seeing a great deal of polymorphic malware get inside its network and compromise its endpoints. Its security stack was generating a high volume of alerts, most of them false positives, which drowned out the legitimate ones. Yet traditional scans revealed nothing that would give the team a clue where to hunt for the source.
So the company's IT team concluded it needed a new approach and integrated HPE ArcSight ESM with Guidance Software's EnCase Endpoint Security. The result? An immediate, dramatic reduction in false positives, leaving only actionable alerts, and much faster identification of potentially infected machines.
Integrated Solution: EnCase Endpoint Security and HPE ArcSight
Here is how it worked. HPE ArcSight ESM correlates data gathered from multiple perimeter security devices and raises alerts according to pre-defined policies. An alert identifies a malicious file that has traversed the network and the endpoints it reached. EnCase Endpoint Security picks up that alert and performs a "volatile data snapshot" of the target machines, capturing known, unknown and hidden processes; TCP network socket information; open files; device drivers; services and more.
Analysing the snapshot reveals whether an endpoint has actually been compromised, which is what removes most of the false positives. Because the snapshots are taken automatically, the team can compare the current one against earlier or later snapshots of the same host, viewing the attack as a series of time slices and confirming whether an event really occurred, what it affected and where it came from.
With a specific group of endpoints identified as targets where a specific file may have landed, HPE ArcSight ESM sends an alert to EnCase Endpoint Security to run the "VerifybyHash" job. This checks whether the hash value of the file in the HPE ArcSight ESM alert matches the hash of any file on the targets. Note that a hash match only confirms an exact copy of the reported file; a polymorphic variant with different bytes has a different hash, which is why the snapshot comparison above is still needed to see what the file did. Where the hash matches, the EnCase software confirms the existence of the file in question and forensically collects a copy for security analysts to review.
This integrated solution also includes an automated, real-time incident response process: upon approval, EnCase Endpoint Security remediates the identified files and all variants on each endpoint. The entire incident response process has been reduced from days or hours to just minutes.
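The following Python sketch is an added illustration of the two checks the workflow above relies on, the hash verification across a set of targeted hosts and the comparison of two volatile data snapshots taken at different times; it is not EnCase or ArcSight code. The hostnames, file paths, file bytes, process lists and the 203.0.113.7 address are constructed for the example, and an in-memory dictionary stands in for walking a real disk. The cross-view check for hidden processes (kernel-walked PIDs that the user-mode API does not report) is one common way such a check is done and is assumed here, not taken from the whitepaper.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data standing in for what an endpoint agent would collect.
# Each host maps file paths to file contents (a real job would read the disk).
ENDPOINT_FILES = {
    "HR-PC-01": {
        r"C:\Users\alice\AppData\Local\Temp\invoice.exe": b"MZ\x90\x00dropper-v1",
        r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00notepad",
    },
    "HR-PC-02": {
        r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00notepad",
        # A polymorphic variant: same purpose, different bytes, so a different hash.
        r"C:\Users\bob\AppData\Local\Temp\invoice.exe": b"MZ\x90\x00dropper-v2",
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_by_hash(alert_hash: str, files: dict) -> list:
    """Paths on one endpoint whose SHA-256 equals the hash carried in the alert."""
    wanted = alert_hash.lower()
    return sorted(path for path, blob in files.items() if sha256_hex(blob) == wanted)


def triage_hosts(alert_hash: str, endpoints: dict) -> dict:
    """Run the hash check on every targeted host and keep only hosts with a match.
    Hosts holding a variant with different bytes (HR-PC-02) are NOT matched;
    that gap is what the snapshot comparison below is for."""
    hits = {host: verify_by_hash(alert_hash, files) for host, files in endpoints.items()}
    return {host: paths for host, paths in hits.items() if paths}


@dataclass(frozen=True)
class Snapshot:
    """One volatile-data time slice from a host."""
    processes: frozenset  # entries are (pid, image_path)
    sockets: frozenset    # entries are (pid, remote_ip, remote_port)


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """What appeared or disappeared between two time slices on the same host."""
    return {
        "new_processes": sorted(after.processes - before.processes),
        "gone_processes": sorted(before.processes - after.processes),
        "new_sockets": sorted(after.sockets - before.sockets),
    }


def hidden_processes(api_view: frozenset, kernel_view: frozenset) -> list:
    """Cross-view check (assumed technique): PIDs found by walking kernel
    structures but missing from the user-mode API listing are candidates
    for a process something is trying to hide."""
    return sorted(kernel_view - api_view)


# Constructed snapshots of HR-PC-01 before and after the file was executed.
BEFORE = Snapshot(
    processes=frozenset({(4, "System"), (1204, r"C:\Windows\explorer.exe")}),
    sockets=frozenset(),
)
AFTER = Snapshot(
    processes=frozenset({
        (4, "System"),
        (1204, r"C:\Windows\explorer.exe"),
        (4120, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    }),
    sockets=frozenset({(4120, "203.0.113.7", 443)}),
)


if __name__ == "__main__":
    alert_hash = sha256_hex(b"MZ\x90\x00dropper-v1")  # hash an ESM alert would carry
    print("hash hits:", triage_hosts(alert_hash, ENDPOINT_FILES))
    print("time-slice diff:", diff_snapshots(BEFORE, AFTER))
    print("hidden PIDs:", hidden_processes(frozenset({4, 1204}), frozenset({4, 1204, 4120})))
```

Only HR-PC-01 is returned by the hash check, while the snapshot diff is what surfaces the new process and its outbound socket; on a host carrying a variant, the diff would be the only signal, so the two checks are complementary rather than redundant.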
To learn more, download Guidance Software’s whitepaper, Best Practices for Integration and Automation of Incident Response Using EnCase Endpoint Security.
Last modified: March 9, 2017