ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Transcript of ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Page 1: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

ArcSight & ECAT Integration

Or Cohen – We Ankor 2014

[email protected]

Page 2: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Saturday, May 17, 2014 slide 2

The problems most SOCs have today

• Many daily alerts, even after advanced aggregation and correlation.

• Investigating a server/workstation is not always possible due to lack of physical access, tools, time or knowledge.

• Just starting an investigation may take hours or even days – long after the initial alert was triggered.

• Relevant evidence is hard to collect and analyze.

Page 3: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

What a SOC needs

• Start an investigation for every single alert within seconds.

• Get to every host in the network regardless of physical location.

• Collect and analyze relevant evidence.

• Get actionable and refined data from the investigated host ASAP.


Page 4: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

The solution – automated response with ECAT

• Automatically deploy (and remove) ECAT agents across the network.

• Automatically scan hosts with multiple scan configurations.

• Automatically collect scan results from ECAT with full analysis data.

• Automatically react to the presence of a suspicious module.


Page 5: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Use Case – Host contacting malicious IP/Domain


Now what?

Page 6: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Use Case – Host contacting malicious IP/Domain


Install ECAT Agent On WS87771

Agent Identifies

Agent Installed Successfully

Page 7: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

Request Scan For WS87771

Agent Takes Scan Request

Page 8: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

Scan Complete, Sends Data

Scan For WS87771 Complete

Here’s All The Data

Page 9: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

Module Name: 6re1fyeg1109.exe
Module Path: C:\$Recycle.Bin\S-1-5-21-1844237615-1604221776-725345543-15174\6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Host Name: WS8771
Host IP: 10.2.34.123
Bytes In: 3211
Bytes Out: 7651819
Target IP: 27.1.34.79
Target Host: superEvil.info
Target Port: 21
OPSWAT Verdict: Clean
YARA Verdict: Infected - super_evil_malware_group
Certificate Status: Not Signed
HASH Lookup: Unknown
S.L: 49
Comment: Found Infected on 19/05/2014 by: super_evil_malware_group

Page 10: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860

Where else is this MD5 located?

Page 11: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

On WS8771, WS8291, WS8101, WS2151

Kill Process by MD5, add ‘_’ to file Extension

Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860

WS8291

WS8101

WS2151

iexplore.exe

svchost.exe

tempp.exe

Page 12: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

Process is down, file extension changed

WS8291

WS8101

WS2151

Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860

Page 13: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen


Use Case – Host contacting malicious IP/Domain

Give Me the infected file

Send sample To AV Vendor

AV Vendor

Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
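The response logic that slides 9 through 13 walk through (triage the scan result, find every host carrying the same MD5, kill by MD5 and rename the file on each, then pull a sample for the AV vendor), written out as an added example. This is not code from the presentation, from We-Ankor or from RSA, and it does not model the real ArcSight or ECAT interfaces, which the slides do not describe: the scan record and module inventory are constructed to mirror the slide values, and the triage rule (a YARA hit alone, or three stacked weak indicators) is an assumption chosen for illustration.

```python
# Added example: orchestration logic for the ArcSight -> ECAT use case in the slides.
# All data is constructed to mirror the slide values; no ArcSight or RSA ECAT API is
# called, since their real interfaces are not assumed here.
from typing import Dict, List, Tuple

# Constructed ECAT scan result for the alerting host (fields as listed on slide 9).
SCAN_RESULT: Dict[str, object] = {
    "Module Name": "6re1fyeg1109.exe",
    "Module Path": r"C:\$Recycle.Bin\S-1-5-21-1844237615-1604221776-725345543-15174\6re1fyeg1109.exe",
    "MD5": "A87480D346E943491EE107CDB90D2860",
    "Host Name": "WS8771",
    "Host IP": "10.2.34.123",
    "Target IP": "27.1.34.79",
    "Target Host": "superEvil.info",
    "Target Port": 21,
    "OPSWAT Verdict": "Clean",
    "YARA Verdict": "Infected - super_evil_malware_group",
    "Certificate Status": "Not Signed",
    "HASH Lookup": "Unknown",
}

# Constructed module inventory: MD5 -> {host: file name the module carries there}.
# The host/name pairing is an assumption; slide 11 lists the hosts and names separately.
INVENTORY: Dict[str, Dict[str, str]] = {
    "A87480D346E943491EE107CDB90D2860": {
        "WS8771": "6re1fyeg1109.exe",
        "WS8291": "iexplore.exe",
        "WS8101": "svchost.exe",
        "WS2151": "tempp.exe",
    },
    # An unrelated benign module so the lookup has something to ignore.
    "D41D8CD98F00B204E9800998ECF8427E": {"WS8771": "notepad.exe"},
}


def triage(result: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Decide whether a scan result warrants automated response, and list why.

    Assumed rule: a YARA hit alone is enough (OPSWAT saying "Clean" does not
    override it); otherwise respond only when at least three weak indicators stack
    up, e.g. unsigned + unknown hash + executing from $Recycle.Bin.
    """
    reasons: List[str] = []
    if str(result.get("YARA Verdict", "")).startswith("Infected"):
        reasons.append("YARA verdict: " + str(result["YARA Verdict"]))
    if result.get("Certificate Status") == "Not Signed":
        reasons.append("module is unsigned")
    if result.get("HASH Lookup") == "Unknown":
        reasons.append("hash unknown to reputation lookup")
    if "$recycle.bin" in str(result.get("Module Path", "")).lower():
        reasons.append("executing from $Recycle.Bin")
    yara_hit = any(r.startswith("YARA verdict") for r in reasons)
    return yara_hit or len(reasons) >= 3, reasons


def hosts_with_md5(md5: str, inventory: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Slide 10's question: where else is this MD5 located? Hash match is case-insensitive."""
    for known, hosts in inventory.items():
        if known.lower() == md5.lower():
            return dict(hosts)
    return {}


def quarantine_name(filename: str) -> str:
    """Slide 11's containment step: append '_' to the extension so the file no longer
    runs from its original path but stays on disk as evidence (x.exe -> x.exe_)."""
    return filename + "_"


def plan_response(result: Dict[str, object],
                  inventory: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Ordered (host, action, argument) list: kill by MD5 and rename on every host
    carrying the hash, then collect a sample from the alerting host (slide 13)."""
    respond, _ = triage(result)
    if not respond:
        return []
    md5 = str(result["MD5"])
    actions: List[Tuple[str, str, str]] = []
    for host, name in sorted(hosts_with_md5(md5, inventory).items()):
        actions.append((host, "kill_process_by_md5", md5))
        actions.append((host, "rename_file", quarantine_name(name)))
    actions.append((str(result["Host Name"]), "collect_sample", md5))
    return actions


if __name__ == "__main__":
    ok, why = triage(SCAN_RESULT)
    print("respond:", ok, "|", "; ".join(why))
    for host, action, arg in plan_response(SCAN_RESULT, INVENTORY):
        print(f"{host:8} {action:20} {arg}")
```

Run stand-alone it prints the triage reasons and the per-host action plan. Keying the kill and rename on the MD5 rather than the file name is what makes the plan hold up against the renamed copies (iexplore.exe, svchost.exe, tempp.exe) on the other hosts; in a deployment the action tuples would be handed to whatever executes them on the ECAT side, which the slides do not detail.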

Page 14: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Questions?

Or Cohen – We Ankor 2014