Patrick Dennis, President & CEO Twitter: @_patrick_dennis



GUIDANCE SOFTWARE (NASDAQ: GUID)

78 OF THE FORTUNE 100

#1 SOLUTION FOR GOVERNMENT AGENCIES

#1 TOOL FOR IR SERVICE PROVIDERS

FireEye, KPMG, PWC, Deloitte, CSC, AT&T

33M ENDPOINTS DEPLOYED

48% OF THE FORTUNE 500

DIGITAL RISK IS A GLOBAL PROBLEM

30 Billion Devices by 2020

>90 Million Breaches and attacks every year

90% of Attacks on organizations use unique malware (signatures/hashes)

$3 Trillion Lost revenue opportunity

$0.5 Trillion Cyber crime related expenses

FOCUS ON FORENSIC SECURITY

“IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents”

By 2020, 60% of security budgets will be allocated for rapid detection & response…

- Gartner, January 2016

• Uncover forensic residue across every stage of the attack cycle

• Reveal data security risk, no matter how well hidden

REQUIRES 360° VISIBILITY

ATTACK CYCLE BEGINS

GUIDANCE ECOSYSTEM (architecture diagram)

Guidance Agent: EnCase Endpoint Investigator, EnCase eDiscovery, EnCase Endpoint Security, EnForce Risk Manager

Alerting Tools (SIEM, ATP, IPS, log, network): Intel Security, HP ArcSight, IBM QRadar, Cisco FirePower, Splunk, Blue Coat, FireEye, Palo Alto

Threat Intelligence: ThreatGrid, LastLine, YARA and STIX, VirusTotal

Endpoints: Windows, Mac OSX, Linux, HP-UX, Solaris, AIX, Netware

Data and Email Repositories: Office 365, Exchange, SharePoint, Documentum, OpenText, FileNet, Amazon S3, Dropbox, Google Drive, Box, Enterprise Vault, Lotus Notes

2016 CIO SURVEY (Source: Piper Jaffray 2016 CIO Survey)

ENCASE ENDPOINT SECURITY: THREE PRIMARY USE CASES

THREAT DETECTION AND THREAT HUNTING

• ENTERPRISE-WIDE ANALYTICS ON ENDPOINT TELEMETRY

ACTIVE RESPONSE / ALERT TRIAGE - CONFIRM AND PRIORITIZE SECURITY ALERTS

• INTEGRATES WITH SIEMS AND OTHER ALERTING TOOLS

• AUTOMATES COLLECTION FROM ENDPOINT

• REDUCES TIME TO RESPOND

INCIDENT RESPONSE SUPPORT

• INVESTIGATION - DETERMINE ROOT CAUSE AND SCOPE OF AN INCIDENT

• FORENSICS

• TARGETED REMEDIATION

USE CASE: ADVANCED THREAT DETECTION

• PROACTIVE ENDPOINT SCANS TO DETECT THREATS USING

  • THREAT INTELLIGENCE – SEARCH FOR KNOWN MALICIOUS HASHES, IP ADDRESSES

  • THREAT HUNTING – SEARCH FOR UNUSUAL PROCESS BEHAVIOR (E.G. UNUSUAL FILE PATHS, LOADED DLLS, CONNECTIONS, ETC.)

  • ANALYTICS - AUTOMATED STATISTICAL ANALYSIS TO CALCULATE BASELINES AND IDENTIFY ABNORMAL USER AND SYSTEM BEHAVIOR

Detect threats that bypass the perimeter with forensic level endpoint visibility and analytics.

THREAT DETECTION – ANALYTICS ON ENTERPRISE-WIDE SNAPSHOTS

(Pipeline diagram) Enterprise-wide endpoint scans → Data warehousing → Analytics → Visualization

Snapshot artifacts collected from each endpoint: Running Processes, Open Ports, Loaded DLLs, Logged in Users, Connected Remote IPs, Storage Volume Serial #s

Baseline statistics (mean, standard deviation, variance, correlation between two observables X and Y):

$\mu = \frac{\sum_i X_i}{N}$

$\sigma = \sqrt{\frac{\sum_i (X_i - \mu)^2}{N}}$

$\sigma^2 = \frac{\sum_i (X_i - \mu)^2}{N}$

$\rho = \frac{1}{N} \sum_i \frac{X_i - \mu_X}{\sigma_X} \cdot \frac{Y_i - \mu_Y}{\sigma_Y}$

Scales to 100s of thousands of endpoints

Historical database of endpoint telemetry

System performs statistical analysis to compute baseline behavior and identify outliers

Results are visualized to easily spot anomalies and potential threats

ARTIFACTS COLLECTED WITH EACH SCAN

Each scan takes seconds, payload is 0.3 – 0.5 MB and is extremely scalable

Host Information

• Hostname

• IP address

• Operating System

• Processor

• System Type

• System version

• Service Pack

• Is64Bit [Y/N]

Accounts and Users

• Account Name

• SID

• Last Accessed (logged in)

Open Files

• Full Path

• Filename

• Process Name

• Process Path

• Process ID

DLLs

• DLL Path

• DLL Name

• Injected DLL [Y/N]

• DLL Size

• DLL Hash

• Related Process Metadata (see “Process” section)

(Network) ARP Cache

• IP Address

• MAC Address

• ARP Type Name

• Adapter Name

(Network) Network Interfaces

• Interface name

• IP address

• Net Mask

• MAC Address

(Network) Open Ports

• Local Port

• Local IP

• Remote Port

• Remote IP

• Protocol

• State

• Port Name

• Process Name

• Process ID

• Parent Process ID

• Hidden [Y/N]

• DLL Path

• DLL Name

• Injected DLL [Y/N]

• DLL Size

Processes

• Process Name

• Instance Name

• Hidden [Y/N]

• Process ID

• Parent Process ID

• Executable Size

• Executable Hash

• File Path

• Parameter

• Service DLL Path

• Process Type

• Service DLL

• Start Time

• User Name

• DLL Count

• Child Processes

• Service Type

• Is64Bit [Y/N]

• Running [Y/N]

• File Name Only [Y/N]

• Root Directory

• User ID

Anomalous Process Spread

These artifacts are used to baseline process activity on endpoints across the enterprise and to detect net new processes, or processes spreading across machines at an unusual, malware-like rate.
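The baseline-and-outlier idea from the analytics slide and the "Anomalous Process Spread" note above, as an added example (not Guidance code): two rounds of snapshots are reduced to per-executable host counts, the slide's μ and σ are computed over how every known executable's host count changed, and a z-score picks out the one spreading abnormally; executables never seen before but already on several hosts are reported separately. Host names and hash strings are constructed placeholders.

```python
"""Baseline process prevalence across two rounds of enterprise-wide endpoint
snapshots; flag net-new executables on several hosts and known executables whose
host count grew at an outlier rate. Hosts and hashes are constructed placeholders."""
from collections import Counter
from math import sqrt

HOSTS = [f"host{i:02d}" for i in range(20)]
STABLE = {f"sha256:stable{i:02d}" for i in range(10)}  # ubiquitous, unchanged software

def build_round(spreader_hosts, extra=None):
    """One snapshot round: hostname -> set of executable hashes seen running."""
    snap = {h: set(STABLE) for h in HOSTS}
    for h in HOSTS[:spreader_hosts]:
        snap[h].add("sha256:updater")            # known binary that spreads later
    for hsh, n in (extra or {}).items():
        for h in HOSTS[:n]:
            snap[h].add(hsh)
    return snap

BASELINE = build_round(2)                                # earlier round
CURRENT = build_round(12, {"sha256:dropper": 6, "sha256:onehost": 1})  # latest round

def prevalence(snapshots):
    """Number of endpoints on which each executable hash was seen running."""
    counts = Counter()
    for procs in snapshots.values():
        counts.update(procs)
    return counts

def mean_std(values):
    """Population mean and standard deviation: the mu and sigma from the slide."""
    n = len(values)
    mu = sum(values) / n
    return mu, sqrt(sum((x - mu) ** 2 for x in values) / n)

def anomalous_spread(baseline, current, z_threshold=3.0):
    """Return (net_new, fast_spreading) executable hashes.
    net_new: absent from the baseline round but now on more than one host (one new
    install is normal; the same unknown binary on many hosts is not).
    fast_spreading: known hashes whose host-count growth is a z-score outlier
    against how all other known executables grew between the rounds."""
    before, after = prevalence(baseline), prevalence(current)
    net_new = sorted(h for h in after if h not in before and after[h] > 1)
    growth = {h: after[h] - before[h] for h in after if h in before}
    mu, sigma = mean_std(list(growth.values()))
    fast = sorted(h for h, g in growth.items()
                  if sigma > 0 and (g - mu) / sigma > z_threshold)
    return net_new, fast
```

With ten stable executables and one that jumped from 2 to 12 hosts, the z-score of the jump is √10 ≈ 3.16, so it clears the threshold, while the single-host newcomer is ignored.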

USE CASE: ACTIVE RESPONSE / ALERT TRIAGE – CONFIRM AND PRIORITIZE SECURITY ALERTS

AUTOMATE COLLECTION FROM ENDPOINTS IN RESPONSE TO A SECURITY ALERT

• REDUCES TIME TO RESPOND, DWELL TIME OF THREATS, PROBABILITY OF DATA EXFILTRATION/THEFT.

• PROVIDES ENDPOINT CONTEXT TO AN ALERT TO HELP SECURITY TEAM CONFIRM IF THE ALERT IS A TRUE POSITIVE OR NOT.

• AUTOMATICALLY CAPTURES ENDPOINT DATA AT THE TIME OF COMPROMISE. WITHOUT AUTOMATION, CRITICAL ARTIFACTS CAN BE MISSED.

Automation reduces man-hours required to respond to incidents and reduces likelihood of data loss/theft.

ACTIVE RESPONSE / ALERT TRIAGE: INTEGRATION AND AUTOMATION

(Integration diagram) Attacker → Target; alerting technology (IDS, firewall) raises an alert → EnCase Endpoint Security → collected forensic data

Provide Endpoint Context to Security Alerts

• Visibility to endpoint state at time of alert

  • Snapshot module

• Baseline comparison to detect suspicious observables

  • System Profile Analysis module

  • Configuration Assessment module
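The triage step the two slides above describe (alert arrives, snapshot is collected, endpoint context confirms or disputes the alert), as an added example that is not EnCase code: the alerted remote address is joined to the snapshot's Open Ports rows, the owning process is looked up in the Processes rows, and its hash, path and hidden flag are compared with an enterprise baseline. The alert format, snapshot rows and baseline set are constructed placeholders.

```python
"""Alert triage: join an IDS/SIEM alert to the endpoint snapshot collected at alert
time and report whether the endpoint corroborates it. The alert, snapshot rows and
baseline hash set are constructed placeholders, not EnCase output."""

ALERT = {"host": "host07", "remote_ip": "203.0.113.10", "remote_port": 443}

# Snapshot rows keyed by the artifact fields from the Open Ports / Processes lists.
OPEN_PORTS = [
    {"Local Port": 49712, "Remote IP": "203.0.113.10", "Remote Port": 443,
     "Protocol": "TCP", "State": "ESTABLISHED", "Process ID": 4412},
    {"Local Port": 49713, "Remote IP": "198.51.100.5", "Remote Port": 443,
     "Protocol": "TCP", "State": "ESTABLISHED", "Process ID": 2200},
]
PROCESSES = {
    4412: {"Process Name": "updater.exe", "Parent Process ID": 3100, "Hidden [Y/N]": "N",
           "File Path": r"C:\Users\Public\updater.exe", "Executable Hash": "sha256:unknown-placeholder"},
    2200: {"Process Name": "mail.exe", "Parent Process ID": 800, "Hidden [Y/N]": "N",
           "File Path": r"C:\Program Files\Mail\mail.exe", "Executable Hash": "sha256:known-placeholder"},
}
BASELINE_HASHES = {"sha256:known-placeholder"}   # hashes common across the enterprise

def triage(alert, open_ports, processes, baseline_hashes):
    """Return a verdict and the per-process context behind it."""
    matches = [p for p in open_ports if p["Remote IP"] == alert["remote_ip"]
               and p["Remote Port"] == alert["remote_port"]]
    if not matches:
        return {"verdict": "unconfirmed", "findings": []}   # snapshot shows no such connection
    findings = []
    for port in matches:
        proc = processes.get(port["Process ID"], {})
        flags = []
        if proc.get("Executable Hash") not in baseline_hashes:
            flags.append("hash not in enterprise baseline")
        if proc.get("Hidden [Y/N]") == "Y":
            flags.append("hidden process")
        if proc.get("File Path", "").lower().startswith("c:\\users\\"):
            flags.append("executable under a user-writable path")
        findings.append({"pid": port["Process ID"], "process": proc.get("Process Name"),
                         "path": proc.get("File Path"), "flags": flags})
    verdict = "likely true positive" if any(f["flags"] for f in findings) else "benign-looking match"
    return {"verdict": verdict, "findings": findings}
```

An alert whose connection is absent from the snapshot comes back "unconfirmed", which is itself useful context: either the connection ended before collection or the alert fired on another host.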

KEY INTEGRATIONS

USE CASE: INCIDENT RESPONSE – INVESTIGATION TO REMEDIATION

AN INCIDENT RESPONSE SUITE OF TOOLS TO ASSIST THE IR TEAM IN

• DETERMINING ROOT CAUSE OF A SECURITY INCIDENT

• ASSESSING AND CONFIRMING SCOPE OF INFECTION

• CONTAINING MALWARE

• IDENTIFYING POLYMORPHIC VARIANTS

• SCANNING ENDPOINTS FOR IOCS (INDICATORS OF COMPROMISE)

• REMEDIATING MALWARE

Powerful incident response capabilities ensure threats are mitigated/remediated and completely understood to prevent future incidents.

DETERMINE ROOT CAUSE AND SCOPE OF INCIDENT

Incident Response Modules:

• Host based artifacts collection

• Internet artifact collection

• Live RAM acquisition

• Registry Search

• Entropy Near Match

• IOC Search using YARA rules / STIX

• Forensic Endpoint Event Timeline

THREAT INTELLIGENCE AND INDICATORS OF COMPROMISE (IOCS)


• Search endpoint memory and disk for known indicators

• Broadest OS support

• Supports IOC formats STIX and YARA

• Enhance investment in threat intelligence with integrations

• VirusTotal

• ThreatGrid

• Lastline

REALTIME MONITORING TIMELINE

• Efficient root-cause analysis of incidents

• Continuous capture of volatile artifacts at the endpoint

• Visibility to off-LAN endpoint activity

• Can be automatically triggered by third party security alerting tool

• Network usage only when endpoint involved in an incident

Chronological view of process, disk, and network activity on an endpoint before and during an incident, using forensic artifacts for root cause analysis.

(Timeline diagram) File Created (Initial malware drop) → Process started → Connection → File Created → File Modified → Connection (Alert triggered)

Agent continuously records activity on target

Automatic collection and correlation of disk and memory artifacts

Display timeline of events, pinpoint root cause of infection
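The root-cause walk the timeline slide illustrates, as an added example that is not EnCase code: starting from the connection that triggered the alert, the chain follows the owning process to the event that wrote its executable, then to the process that wrote it, until the recording runs out, and returns the chain in chronological order. The event records mirror the slide's sequence; paths, PIDs and the remote address are constructed placeholders.

```python
"""Walk an endpoint event timeline back from the alerting connection to the initial
malware drop, following process -> executable file -> the process that wrote it.
Events are constructed to mirror the slide's sequence; paths, PIDs and the remote
address are placeholders, not real indicators."""

EVENTS = [  # (timestamp, event type, fields) as recorded by the agent
    ("09:58:00", "process_started", {"pid": 3100, "ppid": 900, "image": r"C:\Program Files\Mail\mail.exe"}),
    ("10:00:00", "file_created", {"pid": 3100, "path": r"C:\Users\Public\stage.exe"}),   # initial drop
    ("10:00:05", "process_started", {"pid": 4412, "ppid": 3100, "image": r"C:\Users\Public\stage.exe"}),
    ("10:00:07", "connection", {"pid": 4412, "remote": "203.0.113.10:443"}),
    ("10:00:09", "file_created", {"pid": 4412, "path": r"C:\Users\Public\cfg.dat"}),
    ("10:00:12", "file_modified", {"pid": 4412, "path": r"C:\Users\Public\cfg.dat"}),
    ("10:04:30", "connection", {"pid": 4412, "remote": "203.0.113.10:443"}),          # alert triggered
]
ALERT_INDEX = 6

def root_cause_chain(events, alert_index):
    """Return, in chronological order, the events that causally lead to the alert."""
    starts = {e[2]["pid"]: e for e in events if e[1] == "process_started"}
    drops = {e[2]["path"]: e for e in events if e[1] == "file_created"}
    chain = [events[alert_index]]
    pid, seen = events[alert_index][2]["pid"], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        start = starts.get(pid)
        if start is None:
            break                                  # process predates the recording
        chain.append(start)
        drop = drops.get(start[2]["image"])        # which recorded event wrote this image?
        if drop is not None:
            chain.append(drop)
            pid = drop[2]["pid"]                   # continue with the process that dropped it
        else:
            pid = start[2].get("ppid")             # image not dropped on record: follow parent
    chain.sort(key=lambda e: e[0])
    return chain

def initial_drop(chain):
    """First file-creation event in the chain: the initial malware drop, if recorded."""
    return next((e for e in chain if e[1] == "file_created"), None)
```

The two config-file events are left out of the chain on purpose: they are consequences of the implant, not causes of it, which is the distinction the analyst needs when deciding what to remediate.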

OPEN SOURCE INTEGRATIONS

INTEGRATES OPEN SOURCE TOOLS WITH THE ENCASE PLATFORM

Volatility for Windows/Linux/Mac

MFT Parser

USNJrnl

Prefetch Parser

MWD Registry

Find Temp Executables

Malware Entropy Date Range

Known Malware Paths

RAM Dump

Strings

Disk Capture

Malware Grab

MD5

RegRipper

PDF Tool Analysis

A single GUI to drive these command-line based tools and integrate them with the EnCase collection platform

TARGETED CONTAINMENT AND REMEDIATION

Remote Process Kill

Remote File Wipe

Remote Registry Key Deletion

Alter endpoint state remotely and discreetly, without reboot, to contain threats and remediate them.

With thousands of customers, Guidance helps companies and agencies turn chaos and unknown into order and the known. Here are just a few examples of our mission critical applications at work.

HEALTHCARE

CASE STUDY:

Problem: Protect yet-to-be-patented intellectual property (IP)

Solution: EnCase Endpoint Security, Forensic and eDiscovery

Results: Savings of over $2 million per year and a reduction of 93% in data storage needs for legal documentation.

Details: Since IP data is accessible to many in the organization, the threat of internal activity putting such data at risk is high. EnCase Endpoint Security has the ability to see where risk lies across the enterprise while also automating the incident response process by integrating the product with the company’s threat alerting technologies.

CUSTOMER: Fortune 500 Global Healthcare Organization

FINANCE

CASE STUDY:

Problem: Concerned that a possible well-publicized worm had infected their systems. Billions of dollars in daily transactions in jeopardy.

Solution: EnCase Endpoint Security for Response to run a complete network-wide scan to expose any instance of the worm hiding in the environment.

Results: An automated assessment by EnCase Endpoint Security for Response revealed several machines with unknown processes which upon further inspection confirmed an instance of the worm.

Details: The bank’s InfoSec team leveraged this instance of the worm as a source for enterprise-wide similar file analysis using EnCase Endpoint Security to detect and remediate

CUSTOMER: Fortune 500 International Bank

MINING

CASE STUDY:

Problem: Needed a solution for compliance with data privacy laws

Solution: EnCase Endpoint Security deployed at headquarters and regional operations (2,000 endpoints in the region)

Results: Derived ROI within 1 year

Details: Company deployed the EnCase agent in over 60,000 endpoints across Africa, Asia, Australia, Europe, North America, and South America

CUSTOMER: International Billion-Dollar Mining Company

MANUFACTURING

CASE STUDY:

Problem: Suffered from an average of 50 security breaches per year

Solution: EnCase Endpoint Security to prioritize, investigate, and remediate incidents

Results:

• 89% reduction in time to validate and triage threats

• 90% reduction in time to remediate security breaches

• 98% reduction in server downtime per year

• 680% return on investment with a payback period of 2.6 months

• Savings of over $2.4 million in incident-related costs

Details: Financial and productivity impact of about 100 days of server downtime per incident, including servers used to process auto loans and payments

CUSTOMER: Fortune 500 Global Automobile Manufacturer

THE FUTURE HOLDS MORE…

HACKS, BREACHES, DATA THEFT, CRIMES UTILIZING ELECTRONIC DEVICES & LESS CONTROL OF YOUR SENSITIVE DATA, PRIVACY CONCERNS

Where is your Sensitive Data?

YOUR SENSITIVE DATA

1. WHERE IS IT LOCATED?

2. HOW VALUABLE IS IT?

3. WHO HAS ACCESS TO IT? SHOULD THEY HAVE ACCESS TO IT?

4. WHAT TYPE OF RULES SHOULD BE ATTACHED TO IT?

5. HOW EASY IS IT TO REMOVE?

THE CHALLENGES AND COSTS OF DATA EXPOSURE

Risk of Non-compliance

Monetary fines or end of business

Expensive and time-consuming remedial actions

Greater regulatory scrutiny

Cost of non-compliance is 2.6 times the cost of compliance*

Security Risks

Financial and reputational damage

Loss of consumer confidence

Potential litigation and fines

Decline in share value

* Ponemon Institute – 2011 The True Cost of Compliance: A Benchmark Study of Multinational Organizations

Information Management and Data Knowledge

• Data continues to grow sharply, exponentially

• Increasingly complex regulatory data landscape

• Evolving cyber threats to sensitive data

• Customers’ changing attitude and behaviors regarding privacy

Need understanding of…

- What data exists (and is it sensitive)

- Where it resides

- How valuable it is to your organization

- How it is being used and who is using it

BREACH AND LOSS PREVENTION

ALTHOUGH BREACHES CANNOT FULLY BE PREVENTED, THE IMPACT IN TERMS OF $$ SAVED AND REPUTATION PRESERVED CAN BE MITIGATED WITH AN APPROPRIATE DATA RISK AND PRIVACY PROGRAM.

ENFORCE™ RISK MANAGER

Understand Data Location

• System-agnostic. Find data anywhere - on premise or in the cloud

• 360° Visibility ensures the most comprehensive results

Categorize Sensitive Information

• Visualize your sensitive data landscape

• Categorize risk by data type, users, geography, and more

Reduce Risk of Loss and Non-Compliance

• Remove sensitive data from unauthorized locations

• Comply with internal and external regulations

• Produce detailed reports on risk exposure and reduction

Reduce your digital risk exposure with proactive management of sensitive information

KEY BENEFITS

Mitigate Risks

Reduce Sensitive Data Loss or Theft

Ensure Regulatory Compliance

Improve Business Intelligence

Make evidence-based business decisions

Operational Efficiency

Storage optimization

Single unified agent architecture

Increase Confidence

Minimize reputational damage

Meet customer expectations

THANK YOU

Patrick Dennis, President & CEO

Twitter: @_patrick_dennis