WEBVTT

1
00:00:13.716 --> 00:00:15.056
My name is Elliot Greenlee,

2
00:00:15.056 --> 00:00:16.546
and I'm a security researcher

3
00:00:16.546 --> 00:00:18.076
at Oak Ridge National Laboratory,

4
00:00:18.356 --> 00:00:20.286
and I work with Jared Smith on Akatosh.

5
00:00:20.576 --> 00:00:23.306
Akatosh enables automated real-time

6
00:00:23.306 --> 00:00:24.406
forensic analysis

7
00:00:24.406 --> 00:00:26.156
after cyber security incidents,

8
00:00:26.496 --> 00:00:27.196
and it does this

9
00:00:27.196 --> 00:00:29.456
by combining intrusion detection systems

10
00:00:29.956 --> 00:00:31.556
with forensic analysis tools,

11
00:00:31.556 --> 00:00:33.716
and that combination allows us to track,

12
00:00:34.266 --> 00:00:36.006
verify, and deal

13
00:00:36.006 --> 00:00:37.426
with cyber security incidents

14
00:00:37.426 --> 00:00:37.966
after the fact.

15
00:00:38.366 --> 00:00:40.666
Akatosh works by installing a host

16
00:00:40.666 --> 00:00:42.626
client on Mac, Linux,

17
00:00:42.856 --> 00:00:44.406
and Windows machines,

18
00:00:44.836 --> 00:00:46.526
and that client communicates

19
00:00:46.526 --> 00:00:48.306
with an overall server.

20
00:00:48.796 --> 00:00:52.356
That server will send any IDS alerts

21
00:00:52.356 --> 00:00:53.776
that are received on the network

22
00:00:54.036 --> 00:00:56.496
to those computers, and any IDS alerts

23
00:00:56.496 --> 00:00:58.816
that occur on the computer will trigger

24
00:00:58.866 --> 00:01:00.606
a snapshot to be taken,

25
00:01:00.606 --> 00:01:01.286
which will be sent

26
00:01:01.286 --> 00:01:02.556
to the overall server.

27
00:01:03.106 --> 00:01:05.416
That after-incident snapshot will be

28
00:01:05.416 --> 00:01:07.326
compared to a baseline image

29
00:01:07.416 --> 00:01:08.496
from each host machine,

30
00:01:08.876 --> 00:01:10.546
and the differences will be extracted

31
00:01:10.546 --> 00:01:12.126
to find out which components were

32
00:01:12.156 --> 00:01:13.326
affected by the incident.

33
00:01:13.856 --> 00:01:16.476
That difference in state can be sent

34
00:01:16.476 --> 00:01:18.616
to a dashboard which security analysts

35
00:01:18.616 --> 00:01:19.816
and IT professionals can look

36
00:01:19.816 --> 00:01:21.296
at to figure out what exactly is

37
00:01:21.296 --> 00:01:21.726
going on.

38
00:01:21.996 --> 00:01:24.956
We reduce the overall cost and time

39
00:01:25.006 --> 00:01:26.306
after an incident occurs,

40
00:01:26.876 --> 00:01:27.766
and we do this

41
00:01:27.766 --> 00:01:29.996
by maintaining a complete endpoint

42
00:01:29.996 --> 00:01:31.816
history for all of your hosts,

43
00:01:32.266 --> 00:01:34.256
which allows differences in state

44
00:01:34.256 --> 00:01:36.966
to be extracted from post-incident

45
00:01:37.286 --> 00:01:39.116
and pre-incident snapshots.

46
00:01:39.426 --> 00:01:41.266
Akatosh saves time and money

47
00:01:41.266 --> 00:01:42.636
by being the first of its kind

48
00:01:42.636 --> 00:01:43.906
to combine detection systems

49
00:01:44.146 --> 00:01:45.646
with automated forensic analysis.