![Page 2: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen](https://reader035.vdocuments.net/reader035/viewer/2022062706/5575d278d8b42a917e8b4948/html5/thumbnails/2.jpg)
Saturday, May 17, 2014 slide 2
The problems most SOCs have today
• Many daily alerts, even after advanced aggregation and correlation.
• Investigating a server/workstation is not always possible due to lack of physical access, tools, time or knowledge.
• Just starting an investigation may take hours or even days – long after the initial alert was triggered.
• Relevant evidence is hard to collect and analyze.
What a SOC needs
• Start an investigation for every single alert within seconds.
• Get to every host in the network regardless of physical location.
• Collect and analyze relevant evidence.
• Get actionable and refined data from the investigated host ASAP.
The solution – automated response with ECAT
• Automatically deploy (and remove) ECAT agents across the network.
• Automatically scan hosts with multiple scan configurations.
• Automatically collect scan results from ECAT with full analysis data.
• Automatically react to the presence of a suspicious module.
Use Case – Host contacting malicious IP/Domain
Now what?
Use Case – Host contacting malicious IP/Domain
Install ECAT Agent On WS87771
Agent Identifies
Agent Installed Successfully
Use Case – Host contacting malicious IP/Domain
Agent Takes Scan Request
Request Scan For WS87771
Use Case – Host contacting malicious IP/Domain
Scan Complete, Sends Data
Scan For WS87771 Complete
Here’s All The Data
Use Case – Host contacting malicious IP/Domain
Module Name: 6re1fyeg1109.exe
Module Path: C:\$Recycle.Bin\S-1-5-21-1844237615-1604221776-725345543-15174\6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Host Name: WS8771
Host IP: 10.2.34.123
Bytes In: 3211
Bytes Out: 7651819
Target IP: 27.1.34.79
Target Host: superEvil.info
Target Port: 21
OPSWAT Verdict: Clean
YARA Verdict: Infected - super_evil_malware_group
Certificate Status: Not Signed
HASH Lookup: Unknown
S.L: 49
Comment: Found Infected on 19/05/2014 by: super_evil_malware_group
Use Case – Host contacting malicious IP/Domain
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Where else is this MD5 located?
Use Case – Host contacting malicious IP/Domain
On WS8771, WS8291, WS8101, WS2151
Kill Process by MD5, add ‘_’ to file Extension
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
WS8291, WS8101, WS2151
iexplore.exe, svchost.exe, tempp.exe
Use Case – Host contacting malicious IP/Domain
Process is down, file extension changed
WS8291, WS8101, WS2151
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
Use Case – Host contacting malicious IP/Domain
Give Me The Infected File
Send Sample To AV Vendor
AV Vendor
Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
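The loop the use-case slides walk through (scan result in, verdict, kill by MD5 on every host that carries the hash, rename the file), as an added Python example that is not part of the deck or of any ArcSight or ECAT product code. The record layout, the host inventory, the suspect-level threshold and the containment rule are all constructed assumptions, and the ECAT actions are simulated in memory rather than issued to agents.

```python
# Constructed ECAT-style scan result, one field per line as on the slides.
SCAN_RESULT = r"""Module Name: 6re1fyeg1109.exe
MD5: A87480D346E943491EE107CDB90D2860
YARA Verdict: Infected - super_evil_malware_group
Certificate Status: Not Signed
HASH Lookup: Unknown
S.L: 49"""
EVIL = "A87480D346E943491EE107CDB90D2860"

# Constructed inventory: (host, module name, path, md5). The one MD5 runs under
# different names on four hosts; WS1000's svchost.exe is genuine and stays untouched.
RAW = [("WS8771", "6re1fyeg1109.exe", r"C:\$Recycle.Bin\6re1fyeg1109.exe", EVIL),
       ("WS8291", "iexplore.exe", r"C:\Users\Public\iexplore.exe", EVIL),
       ("WS8101", "svchost.exe", r"C:\Temp\svchost.exe", EVIL),
       ("WS2151", "tempp.exe", r"C:\Temp\tempp.exe", EVIL),
       ("WS1000", "svchost.exe", r"C:\Windows\System32\svchost.exe", "0" * 32)]
INVENTORY = {h: [{"name": n, "path": p, "md5": m, "running": True}] for h, n, p, m in RAW}

def parse_scan_result(text):
    """Parse 'Key: Value' lines into a dict; S.L (suspect level) becomes an int."""
    rec = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        rec[key.strip()] = value.strip()
    rec["S.L"] = int(rec.get("S.L", 0))
    return rec

def is_suspicious(rec, sl_threshold=40):
    """Assumed rule: a YARA hit alone is enough; otherwise an unsigned module
    with an unknown hash is escalated only at or above the suspect level."""
    yara_hit = rec["YARA Verdict"].startswith("Infected")
    unsigned_unknown = rec["Certificate Status"] != "Signed" and rec["HASH Lookup"] == "Unknown"
    return yara_hit or (unsigned_unknown and rec["S.L"] >= sl_threshold)

def contain(inventory, md5):
    """Pivot on the hash, not the file name: kill the process on every host
    where it runs and add '_' to the file extension (simulated in memory)."""
    actions = []
    for host, mods in inventory.items():
        for m in mods:
            if m["md5"] == md5 and m["running"]:
                m["running"] = False
                m["path"] += "_"
                actions.append((host, m["name"], m["path"]))
    return actions

def respond(scan_text, inventory):
    rec = parse_scan_result(scan_text)
    return contain(inventory, rec["MD5"]) if is_suspicious(rec) else []
```

Running `respond(SCAN_RESULT, INVENTORY)` returns one action per infected host and leaves WS1000's legitimate svchost.exe alone, because the match is on the hash rather than on the process name.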
Questions?
Or Cohen – We Ankor 2014