EnCase integration with SIEM-class systems


Well, since no compressed air is involved, perhaps it is not technically a turbocharger, but EnCase Cybersecurity now makes SIEM tools much more effective, by automating the digital forensics capture and analysis activity required as part of incident response. 

As Martin Kuppinger has observed, the “art of SIEM is to – at best – identify exactly the critical situations which need to be handled. Not more, not less.” The problem is that no organization can do that perfectly: no SIEM is ever tuned so precisely that only the “critical situations which need to be handled” are presented to the incident response team. Often there are too many “situations,” or the critical nature of a “situation” only becomes apparent later, once the SIEM has correlated more related data points. Determining what happened, whether critical data was exfiltrated from the organization, and whether the attack spread to other computing assets is crucial, and that requires capturing the data around those situations, either for immediate response or for later analysis. As NIST notes in its Guide to Computer Security Log Management, “data regarding a particular event could be needed weeks or months after the event occurred.” What’s more, when one of these critical situations occurs, you may want to assess a broader set of machines, even an entire subnet, as part of the analysis.

EnCase Cybersecurity now facilitates this data capture and analysis in three ways. First, when an analyst sees a highly critical situation flagged in the organization’s SIEM, he or she can launch an EnCase collection directly from the SIEM console. Second, while tuning the SIEM, an organization can define rules so that forensic collection runs automatically for critical events. Third, an assessment can be run automatically across a broad set of endpoints to determine the extent of the problem, for example identifying which running binaries are not part of the organization’s approved builds.
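The second and third paths are the ones worth thinking through in code: a SIEM rule that decides when an alert should trigger a collection, and a fleet-wide comparison of what is running against an approved build. The Python below is an added illustration written for this page; it is not EnCase or ArcSight code and does not call either product. The alert fields, the 0-10 severity scale, the one-hour suppression window, the hash-based approved-build manifest and every hostname, path and hash are constructed assumptions.

```python
"""Added illustration of the automated paths in the text: a SIEM rule that
queues a forensic collection for critical events, and a fleet-wide check for
running binaries that are outside the approved build. All events, hashes and
hostnames are constructed; nothing here talks to EnCase or ArcSight."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts, shaped like what a SIEM emits after correlation.
ALERTS = [
    {"ts": "2013-05-01T09:00:00", "host": "ws-101", "category": "malware", "severity": 9},
    {"ts": "2013-05-01T09:03:00", "host": "ws-101", "category": "malware", "severity": 9},
    {"ts": "2013-05-01T09:10:00", "host": "ws-102", "category": "policy", "severity": 3},
    {"ts": "2013-05-01T09:15:00", "host": "srv-07", "category": "exfiltration", "severity": 8},
    {"ts": "2013-05-01T11:30:00", "host": "ws-101", "category": "lateral", "severity": 7},
]

# Assumed rule: collect automatically for these categories at or above this
# severity, but do not re-collect a host while a recent snapshot already covers it.
COLLECT_CATEGORIES = {"malware", "exfiltration", "lateral"}
COLLECT_MIN_SEVERITY = 7
DEDUP_WINDOW = timedelta(hours=1)


def plan_collections(alerts, categories=COLLECT_CATEGORIES,
                     min_severity=COLLECT_MIN_SEVERITY, window=DEDUP_WINDOW):
    """Return the collection jobs the rule would fire, in time order."""
    last_collected = {}
    jobs = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["category"] not in categories or a["severity"] < min_severity:
            continue
        ts = datetime.fromisoformat(a["ts"])
        prev = last_collected.get(a["host"])
        if prev is not None and ts - prev < window:
            continue  # a collection from within the window already captures this host
        last_collected[a["host"]] = ts
        jobs.append({"host": a["host"], "trigger": a["category"], "ts": a["ts"]})
    return jobs


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed approved-build manifest: the hash of every binary in the gold image.
APPROVED = {_sha256(b"svchost build 7601"), _sha256(b"explorer build 7601"),
            _sha256(b"endpoint agent 2.1")}

# Constructed process snapshots per endpoint: (image path, SHA-256 of the file).
RUNNING = {
    "ws-101": [(r"C:\Windows\System32\svchost.exe", _sha256(b"svchost build 7601")),
               (r"C:\Users\bob\AppData\Local\Temp\update.exe", _sha256(b"unknown dropper"))],
    "ws-102": [(r"C:\Windows\explorer.exe", _sha256(b"explorer build 7601")),
               (r"C:\Program Files\Agent\agent.exe", _sha256(b"endpoint agent 2.1"))],
    "srv-07": [(r"C:\Windows\System32\svchost.exe", _sha256(b"svchost build 7601")),
               (r"C:\Windows\Temp\update.exe", _sha256(b"unknown dropper"))],
}


def assess_unapproved(running, approved):
    """Map each running hash that is not in the approved build to the hosts
    running it, most widespread first, so the analyst sees the spread at once."""
    spread = defaultdict(set)
    for host, procs in running.items():
        for _path, digest in procs:
            if digest not in approved:
                spread[digest].add(host)
    return {d: sorted(h) for d, h in sorted(spread.items(), key=lambda kv: -len(kv[1]))}


if __name__ == "__main__":
    for job in plan_collections(ALERTS):
        print("collect", job)
    for digest, hosts in assess_unapproved(RUNNING, APPROVED).items():
        print("unapproved", digest[:12], "on", ", ".join(hosts))
```

Two caveats a practitioner would keep in mind. The suppression window is a trade-off: it stops a noisy host from queueing a dozen identical collections, but a later alert of a different category on the same host (here, the lateral-movement alert two and a half hours on) must still get its own snapshot, which is why the window is short. And the hash comparison flags every binary that is off the gold image, legitimate updates included, so its output is a triage list that tells you where an unknown binary has spread, not a verdict that it is malicious.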

Example of EnCase working together with ArcSight