Find out how ELMO can assist with a live incident response situation
In most incident response situations, it is necessary to collect some form of volatile data. While disk forensics continues to play a role in incident response, we know that the tactics of today's adversaries require different methods from incident responders. One of those methods is live forensics to capture volatile data.
Much like traditional “dead box” forensics, most investigators will agree that no single tool can meet the needs of every investigation. Instead, investigators commonly use multiple tools to gather information based on the needs of the investigation. Some examples are memory acquisition, running processes, network connections and open file handles.
Running these tools in a Windows environment is most often achieved by scripting multiple tools through the use of a batch file. This achieves several goals. First, it allows the investigator to execute a single file, which will run multiple tools. Second, it ensures that all tools are... read more >
Working from a strong foundation is the key to a successful security program
When a major security vulnerability is disclosed, everyone stops what they are doing and takes notice, especially when that vulnerability comes with its own logo. Now don't get me wrong, newly disclosed vulnerabilities are important. They provide exciting opportunities for researchers and they do, if only temporarily, focus management's attention on the often overlooked subject of information security.
Don’t worry, this isn’t another blog about the pros and cons of vulnerability hype. Instead, I’d like to focus on the importance of keeping one eye on the basics, while the other is scrolling through the Twitter feed for the next upcoming disclosure. Because all too often, it is not the latest security vulnerability, but a failure to properly secure and deploy systems that is the root cause of a costly network breach.
Below are several recommendations to help keep your network more secure, and your company safe from new vulnerabilities (or old... read more >
How to Use ELK to Solve Your One-off Log Analysis Problems
Performing log analysis with divergent data sets can be the stuff nightmares are made of. If you are lucky, your organization may have only a few dozen different log types throughout your environment. If you perform log analysis as a service, forget about it. There are many fantastic log management solutions on the market today, including our own ActiveGuard service. These solutions have robust log collection, analysis, and search capability. For a comprehensive, enterprise log analysis solution they are ideal; however, they require substantial implementation and tuning for your specific environment and are intended for long-term log aggregation and monitoring.
It is not always feasible to stand up one of these solutions on short notice or for a one-off project.
So where does that leave you? Manual log normalization and analysis? Manual techniques do have their... read more >
Understanding the Importance of Checklists
Whether required by industry regulations or simply implemented as part of a solid incident response program, most organizations have at least a rudimentary incident response policy in place. A carefully crafted policy lays a foundation for the entire program. This policy, however, should be viewed as the jumping-off point, not the end game. A successful incident response program needs to be supported, and not just by a few policies, but by procedures, checklists, people, training and tools.
An essential part of every incident response program is a checklist. Using procedures as a guide, checklists should provide direction for those who will be carrying out the tasks. Perhaps because they are the last step in the process, or perhaps because of their need for frequent updates, incident response checklists are often overlooked, underutilized, or at best, outdated.
Responding to a security incident can be stressful and chaotic. Well-designed checklists can supplement a... read more >