16 Mar, 2021

Bird's Eye View Incident Response with Binalyze DRONE

Binalyze AIR is one step ahead in the global competition with the updated version 1.7.35. At the same time, in addition to KVKK and ISO 27001, it offers important conveniences in terms of compliance with ISO 27035, ISO 27701 and Presidential Information and Communication Security Guide.

What's new with this version:

  • Binalyze AIR now runs on all common Linux distributions.
  • With Binalyze Drone it is possible to get a quick and proactive view of incident response. In the default flight mode, Binalyze Drone makes it easier for you to catch trouble spots and perform compromise assessment.
  • As we also saw in the recent Sunburst case, when hunting with YARA the next stage, endpoint isolation, needs to be automated as well. With AIR Endpoint Isolation, adding a lockdown tag to any YARA rule allows immediate action; for alerts we are 100% sure of, it is now possible to acquire first, then lock down, and send an email notification to the administrator.
  • Support for the installation policies needed in large environments has been activated.
  • The evidence compression feature has started to deliver significant savings in storage space.
  • Collected evidence can now be stored encrypted with AES-256.
  • Added an option to upload collected evidence to an SFTP server, in addition to local storage and the evidence repository.

In terms of compliance, Binalyze AIR:

  • Presidential Information and Communication Security Guide: The Circular covers all public institutions and organizations and critical infrastructure sectors such as "Electronic Communication", "Energy", "Water Management", "Transportation", "Banking and Finance" and "Health". Binalyze AIR is a domestic technology that successfully carries out the collection, monitoring, analysis and reporting of evidence of all events at endpoints. In these respects, it is a solution in accordance with the requirements of the Guide.
  • ISO 27701 Personal Data Management System: A standard created by ISO to manage privacy controls in order to reduce the risk to the privacy rights of individuals. Binalyze AIR complies with the ISO 27701 personal data management system (KVYS) standard in terms of managing personal data and ensuring confidentiality.
  • ISO 27035: The activities ISO/IEC 27035 calls for, effective management of incidents, recognizing and responding to them, minimizing adverse effects, collecting forensic evidence and establishing corrective and preventive controls, are time-consuming and costly for analysts. With Binalyze AIR this process becomes faster and cheaper. Its remote evidence collection feature provides great convenience to analysts and, when appropriate, reports can be submitted to encourage improvements and to learn lessons after the cyber incident.

QUESTION & ANSWER

What standard or regulation is the scoring of evidence based on?

There is no specific standard or regulation. It is possible to integrate Binalyze AIR with other security devices in networks and systems such as SIEM, SOAR and EDR. The MITRE ATT&CK Framework is used, which indicates the points to be focused on during incident response.


Can we also collect evidence from a ransomware-infected computer?

Yes. Ransomware is just one of the threats in the cyber world. It is important to find the root cause of a ransomware case that has infiltrated through a vulnerability in the system and is advancing towards its target. Binalyze AIR is the only global product used to illuminate ransomware cases. With the Shield feature, it is possible to collect evidence from a ransomware-infected computer within minutes.

In some solutions, it is stated that they also provide Incident Response in addition to their existing features such as 'Phishing Simulation'. At what points do these features differ from Binalyze's incident response?

Incident response is a process that begins with the collection of evidence from the sources that need to be investigated after a cyber incident has occurred. During incident response, phishing simulation products offer some features such as which users opened the mail and who downloaded the executable files. One of the strengths of the product is that Binalyze AIR obtains all evidence findings from the incident response point of view, beyond the features of phishing simulation solutions.


What is the difference between having Binalyze AIR installed before exposure to Cryptolocker and intervening after being hit?

Although Cryptolocker seems to harm devices in a different dimension, it is actually a type of cyber attack. It should be noted that attackers may have stayed in the system for a certain period of time before the systems were exposed to Cryptolocker. Collecting all the findings with Binalyze AIR during the attacker's progress in the system is of great importance in preventing possible risks.


Is it possible to integrate with SIEM?

Yes. Offering a fast and proactive solution to cyber incidents, Binalyze AIR integrates with products such as SIEM, SOAR and EDR running on your systems in a very short time. Binalyze AIR, whose initial purpose was integration with SIEM, integrates with SIEM systems easily and quickly through its "Trigger" feature. After this process is completed, it is possible to respond instantly to the alerts that may come from those systems.


How do we prove the legal dimension of the evidence collected by the drone?

Binalyze examines in detail, with its drone, all evidence obtained as a result of incident response. In this way, it gives analysts the opportunity to analyze and report in detail how the evidence was obtained from the areas where it was found. Since the evidence obtained is stored with a timestamp, its legal basis is provided.


Can it extract detailed information from registry files such as SYSTEM, SOFTWARE, SAM, SECURITY?

Yes. Binalyze Drone collects evidence from areas such as memory (RAM + pagefile), event logs and browsing history at endpoints, and presents the collected evidence to the analyst without the need to parse it. All the evidence collected from the registry files can be accessed in the resulting Binalyze report.


You said that experience is very important in cyber incident response. How can we learn from incident response, and if there are any examples of cyber incident response that you follow regularly, where do you follow them?

With Binalyze AIR, the root cause of the incident can be found thanks to the detailed and fast evidence obtained as a result of the incident response. In this way, similar events can be prevented with the right actions.


How can we be sure that it did not miss any evidence while collecting evidence so quickly?

Binalyze Drone evaluates each transaction as a finding while collecting evidence from the devices. For this reason, in accordance with its working mechanism, it easily determines the criticality level of the event and presents it to the analyst quickly. With predefined automatic evidence collection, nothing is overlooked in the collection of evidence.


SPEAKERS


Erdem Eriş
CyberArts
Founder & General Manager

Emre Tınaztepe
Binalyze
Managing Director

For support and offers on KVKK, ISO 270001, Information and Communication Security Guide, ISO 27701, Information Security, Cyber Security and Information Technologies, please
