The Road to CEIC 2013: Tuesdays at CEIC

Jessica Bair

The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.

Tuesday @CEIC_Conf is a day we all look forward to enjoying. By Tuesday morning, essentially all of the lab and session rooms are running smoothly; everyone is familiar with the hotel layout and knows where they are going; you have connected with most of your friends, former colleagues, co-workers and partners you wanted to see at the conference; the excellent keynotes are in the annals of CEIC history, etc. In other words, all of the anxiety and issues around producing or attending such a large event have largely been experienced and worked through, and you can enjoy a full day of learning and networking.

Breakfast was sponsored by HBGary and immixGroup, two of the conference’s Gold Sponsors. The fresh fruit here in Florida has been absolutely amazing! I had the opportunity to connect with my peers in “The War Room” before departing to check on the Cybersecurity and Compliance lab room. These are the Guidance Software team members behind the lab machine and network setup and many of the excellent sessions.

My first session was Incident Response Tools Integration: Creation of Encase Incident Response Toolkit (EIRT) with Mark Morgan, Guidance Software principal consultant, and Laura Johnson, NuWave Solutions cyber engineer. Mark and Laura demonstrated how they integrated the EnCase® Cybersecurity modules, as well as third-party incident response tools (such as volatility, Regripper, PDF Parser, etc.) into the ArcSight console. They explained how these tools can be launched from the ArcSight console as alerts are identified, in order to immediately respond to possible attacks. Mark and Laura shared a graphical user interface they created, which allows new investigators to learn what tools to use and when to use them.

The one-hour morning refreshment break at the Exhibit Hall really helped energize the attendees. Earlier in the conference, I had some one-on-one time with Shawn McCreight, founder and CTO of Guidance Software, where he shared the vision of EnCase® Analytics and beyond. I am grateful I made the right decision in 2001 to join this team, and it is always exciting to catch a glimpse of where we are going as a company and an industry. I saw Shawn sharing some of those thoughts with Sharren Redmond, our veteran technical services manager in the United Kingdom, who has helped hundreds of customers in her career.

After the break, it was time for Compliance Auditing with EnCase® Cybersecurity with Josh Beckett, product manager for EnCase® Cybersecurity. Auditing and compliance personnel are trying to answer two critical questions:
  • Are my systems in compliance with my framework?
  • What is the difference between our policy and reality?
Josh took the attendees through a hands-on lab, creating a job for reporting on potential personal identifying information on the network, including international credit cards; and then how to take action with file remediation on the endpoints. Josh also led the lab attendees in searching for live registry keys, to determine if required registry keys are missing and/or if unauthorized keys are present. He then showed how to enforce acceptable use policies with the Internet History search module. Finally, I assisted him in leading the attendees through creating a whitelist of known good files, for comparison with running processes and executables on host systems.

The final lunch of CEIC was sponsored by Paraben Corporation and Katana Forensics in the Exhibit Hall; with 90 minutes to network and enjoy an excellent meal of steak, mashed potatoes, grilled vegetables, savory rolls, fresh fruit, and amazing dark and white chocolate cakes. The CEIC Lounge has been a popular relaxation oasis in the Exhibit Hall for some private conversations.

After lunch, I returned to the lab for the last sessions of the day. I was surprised with chocolates from Argentina, a hand-carried gift from Gustavo Presman.

Next was Building an Integrated Response Capability with EnCase Cybersecurity, again with Josh Beckett. Josh introduced EnCase Cybersecurity’s Enterprise Service Bus (ESB) architecture and capabilities. He provided an overview on how to use this powerful communication channel into the EnCase Cybersecurity application, to enhance your incident response capability using the built-in integration with FireEye. Attendees were able to configure their own XML file for loading into the ESB, and watch FireEye trigger an EnCase Cybersecurity Snapshot module when test malware was downloaded. Josh also showed examples of integration with Sourcefire, and discussed the latest integration with ArcSight and Q1 Radar.

I stopped by the Exhibit Hall for the final session break before the hall closed for 2013. It was incredible to see the depth and breadth of the sponsors and exhibitors this year! I had the chance to speak with several partners, students, and former colleagues. I love CEIC!

My final lab for the day was Network Forensic Investigation of Hacking Incidents with Ondrej Krehel, Lifars, and Jan Valkovic, Expedia. Investigation of hacking incidents often requires combining the capabilities of different technologies. Network forensics is one of the components in the process of finding compromised hosts, and capturing and reconstructing malicious sessions. This lab provided hand-on experience with open source tools used for network forensics. They used a case study of traffic captured from a hacked web server; and together we analyzed and reconstructed the traffic, discussing the artifacts found in the investigation.

The Guidance Software staff was thrilled to be finished with all responsibilities by 6:00 PM tonight, and can now enjoy the evening. Goodness, do we enjoy Tuesdays at CEIC!

Before departing tomorrow, don’t forget to download your favorite presentations and tools at one of the many kiosks throughout the conference.

Enjoy your last night at CEIC!

Jessica Bair
Senior Director, Curriculum Development

No comments :

Post a Comment