ESP - Forensic Analysis
Elemental Forensic Analysis
By combining automatically collected and consolidated traffic statistics, host and network configuration information as well as various commands output data, the ESP solution provides precious artifacts and evidence for targeted forensic analysis after or during a potential breach or for some threat hunting activities.
ESP continuously monitors each host’s hardware and software inventory, configuration, OS configuration and processes, installed or missing security updates, trust relationships, risk and compliance scores, application parameters, net shares, communication ports, and many other critical attributes. In addition, ESP continuously gathers and aggregates results from various command outputs (netstat, arp, ipconfig, net statistics, nfsstat, df, ifconfig, lsmod, and others).
Narrowing the scope of the analysis
Any of these attributes can be used to group target hosts together in order to narrow the scope of the forensic analysis for quicker and more reliable results.
ESP can be used to quickly identify any endpoints on the network that are sending or receiving data to/from any IP, or using a specific port. These hosts can then be grouped together, so more detailed analysis of their traffic activities or application activities can be performed. In the meantime, customized notifications can be created to continue alerting the security team of any new endpoints that start to exhibit that specific potentially malicious behavior.
ESP can continuously collect in promiscuous mode traffic statistics on any of the managed endpoints’ network interface controllers (NIC). Resulting information is recorded and aggregated to create network flow patterns statistics. This information can be gathered for a specific host, for a group of hosts, for several groups of hosts, or for all the managed hosts on the network. Although ESP is not a dedicated network packet analyzer, it can supplement other tools on the network by providing distributed capabilities not only to gather data, but also to take proactive or reactive response actions quickly.
Speed, accuracy, granularity
When in the midst of a potential breach, quick access to detailed, accurate data is one of the most precious capabilities the security team can have. ESP puts the security team in control from minute one. ESP Management Console is designed for quick, effortless action. For example, if your team needs to gather traffic data statistics, then activating (or deactivating) traffic flow tracking on any all interfaces for any number of devices is done from the ESP Management Console and it takes only a few mouse clicks, so the traffic statistics start to be recorded by the ESP agents and aggregated by the ESP server within minutes.
The result is immediate, granular and reliable data, ready to be transformed into an investigation or remediation action. This data is automatically stored in the ESP database, where it can serve as immediate or historic evidence for the forensic research of indicators of attack or compromise. It can also provide insights on the patterns of activity and links between potential sources of concern.
Traffic statistics recording and monitoring can be turned on and off without making any changes to the network itself, so there would be no contamination or loss of evidence that could slow down the investigation.