In today's technology world, information security incidents can pose risks that can cause serious harm to an organization. Security measures are taken before/after any possible risk. The technologies used; While it is expected to be fit for purpose, fast, effective and to alleviate the workload of analysts, its compliance with certain standards and its legal dimension should also be considered.
The global cyber threat has become one of the top three topics on CEOs' agendas, with data breaches increasing in number and changing nature every year. A malware is produced every 15 milliseconds around the world, and a cyber attack occurs every 39 seconds. This number continues to increase by more than doubling every year. The cost of cyber attacks to economies reaches 6 trillion dollars. There are 3 million malware attacks per minute and 1.6 million per year in our country. Corporate networks, on the other hand, receive 200,000 attacks per year. Among the targets of attack, Turkey has been in the top 5 for the last 5 years. In 2020, it is the country most exposed to cyber attacks.
In today's technology world, information security incidents continue to pose risks that can cause serious harm to organizations, while institutions continue to take many different security measures for all kinds of risk before/after processes. Technologies used in these processes; While providing the opportunity to intervene in cyber incidents effectively and quickly, it is of strategic importance for institutions that analysts access and report cyber incidents by accessing fast interpretable incident reports.
QUESTION-ANSWER
What does Binalyze Air do that SIEM cannot?
It is not possible to compare the product with SIEM because the purpose and use cases are quite different. Here, in addition to SIEM, we have 156 different proofs and searches on them, but if we talk only for logs, Sigma rules can be written on Binalyze side. can be used to be made. Most SIEM brands do not offer sigma support directly, it is necessary to translate the rule into their own language structure. Second, a retrospective search in SIEM can take hours in large log directories. In Binalyze, on the other hand, since each agent will run the sigma rule on its own machine, the load is distributed and the searched item becomes faster. Finally, SIEM cannot receive real time logs from machines. Even the best SIEMs work near-real time. One of the first moves an attacker will make after breaking into the machine is to kill the outgoing log service. At this point, as long as it keeps logs on the machine, Binalyze works in a way that it can go and receive them. (Some SIEMs can also work this way, that doesn't mean it's different from all of them)
Can Binalyze Air's reports be used when reporting a data breach within the scope of KVKK?
Available. Since Binalyze's counting of evidence is more valuable than a simple log, almost everything that can be counted as evidence with a log is also evidence with Binalyze.
After the attacker is done, he prefers to erase the traces he left inside, in this case, what visibility can Binalyze Air provide?
There is no possibility of an attacker destroying all the evidence inside. Surely there will be evidence in some places. Of course, it may not be possible to detect all the movements of an attacker who deletes/hides his evidence, but it is possible to extract many parts of the big picture by examining the evidence remaining inside.
Can we collect evidence with Binalyze Air from the moment of infection such as ransomware? Is there a feature about it?
Ransomeware shield feature is available. Binalyze process runs with system level rights (higher than Admin rights) and the process is protected against interupt by any process. Retrieves all unencrypted evidence on a ransomeware infected machine. This includes the RAM image.
Is it possible to use Binalyze Air and find a solution after the attacker encrypts the disk?
If the entire disk is encrypted, it is not possible for the operating system to work properly. This question may differ depending on the case and the type of ransomeware encountered.
What is the difference between Air product and its competitors? Why FTK, Thor etc. Should I not use the Air product?
First of all, Binalyze is ahead of its competitors in the number of evidence it collects against all its other competitors and parsing it and presenting it in the report. In order to compare Binalyze, it is currently necessary to compare 3 different product groups. In addition, these products require 3 different management, 3 different interfaces and 3 different controls, and then these data need to be combined and interpreted. In addition, even with these 3 products, it may be necessary to include a 4th product here due to its live-response capabilities. These are evidence collection, comprimise assessment and basic auto-discovery products. Third, the Binalyze product is superior to its competitors in terms of speed. Some of the named competitors can take an incredible 3 days to do their job. If we only have to wait for one vehicle for a period of 3 days in an emergency or during an incident response, the situation is far from an incident response or urgency situation. Finally, Binalyze has brought a different and innovative approach to forensic and incident response. Instead of classical methods, the product is progressing with the philosophy of racing against time, easy use and progress with what is needed. Availability is very important in 2022 and institutions should not experience interruptions. In such cases, both low resource consumption and being able to work without any interruption provide a great advantage to the institutions. Some competitor products require impossible resources for institutions such as 200GB of ram even for simple scans. (If 200 gb of free ram can be given on the currently running server, it means the system is configured incorrectly)
Can we use the Air product on the IoT and mobile side? If not, will such a feature be added?
No. In the future, it may be able to run on different devices running Thin client or Linux/Windows operating systems, but it will not be Android or IOS.
As forensic lovers, what are the first places or evidences he looks at while he is intervening in an incident while he is ready to catch Emre Bey?
The first place to look depends on the story. In our country, some of the incident response experts start by looking at the evidence they feel comfortable with, but the truth is, you should prioritize the evidence according to the case you come across and choose your beginning. Shellbags or shimcache can be called favorites here.
SPEAKERS
Erdem Eriş
CyberArts
Founder & CEO
Emre Tınaztepe
Binalyze
Founder & CEO
Nurettin Erginöz
SabancıDX
Cyber Security Director
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.