Far too often, security teams spend their time manually researching a detected security threat using a variety of disconnected tools. Threat Response provides a single pane of glass designed from the ground up for the incident response process. By bringing all the relevant threat information together in one place and helping analysts identify important relationships, Threat Response streamlines the workflow required to rapidly respond to a detected security threat. The system includes a number of key components:
- Dashboard – see all your critical threats, open incidents and more all at a glance
- Incident Scoring – scores are automatically adjusted as new details are discovered
- Incident Workflow – assign incidents to analysts and collaborate in an incident
- Incident Details – view all the collected data about an incident in one place
- List Management – add and remove identities and hosts to/from quarantine and containment lists
- Event Sources – view threat detection systems that will be generating alerts
- Device Updates – view devices and update schedules for your existing infrastructure
- Reporting – view real-time trends about malware, infected users, CNC IPs and much more
All of these components are seamlessly integrated to ensure that security teams are able to quickly analyze the collected data so that they can prioritize and respond to security threats as soon as they are detected.
Situational Awareness
Many security alerts lack critical information required to determine the context of a threat and appropriate next steps. Threat Response automatically collects important context data to help security teams quickly understand and respond to detected security threats.
Full situational awareness requires that security teams be able to quickly determine the answers to questions such as:
- Who is the user, or users, that are under attack?
- What department or group do these users belong to?
- Do any of the user's systems contain indicators of a successful attack?
- Has this attack been seen before either in our environment or elsewhere?
- Where is the attack coming from and where are the CNC nodes located?
Through our integration with both internal and external sources of data, Threat Response provides the necessary information to answer these questions, and more, quickly and comprehensively.
Standard Application Programming Interfaces (APIs) are used to pull data from internal sources like Active Directory to provide rich details about the user(s) involved in an attack. External data sources like VirusTotal and Webroot provide threat details and reputation data for the specific malware and resources used in an attack.
By having all the necessary information at their fingertips, and through the intelligent data linking in Threat Response, security teams report reductions in investigation times of at least 50%.
One of the most time-consuming parts of investigating a new threat report is determining whether or not the user was actually infected (i.e., weeding out “false positives”). Threat Response automatically confirms infections using its built-in IOC Verification Agent.
No matter how elusive the malware, infections often leave behind telltale signs known as Indicators of Compromise (IOC). These IOCs can include things like:
- File system changes
- Registry changes
- And more…
If a user’s system is suspected of being infected with malware, Threat Response automatically deploys a lightweight IOC Verification Agent to collect digital forensics from the user’s system. The collected data is then compared to a database of known IOCs to help security teams quickly confirm whether a system is infected.
The result of Infection Verification is a significant reduction in the number of false positives that security teams have to chase in their environment. And, best of all, there is no need to pre-install an agent on all your users’ systems; with Threat Response the agent only gets installed on systems that are suspected of being infected.
Threat Containment
The speed at which malware can damage an organization has continued to get progressively faster, so organizations need a way to instantly contain threats once they have been confirmed. Threat Response integrates with existing security infrastructure to block verified threats, quarantine infected users and protect additional users from being infected.
Organizations have made significant investments in their security infrastructure, such as firewalls and web proxies. These devices already inspect user traffic, but Threat Response helps make them more effective by updating the devices with information from detected threats.
Once a threat has been researched in Threat Response, the objects in that threat (MD5 hashes, CNC IP addresses, malicious URLs, etc.) can be “pushed” to existing security devices for use in their security policies. For example, a list of known CNC IP addresses can be pushed to a perimeter firewall, where connections to those IP addresses can be blocked. Another example would be pushing a set of malicious URLs to a web proxy to ensure no other users are able to visit an infected website.
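The two steps described above, confirming an infection by matching collected host artifacts against known IOCs and then routing the confirmed objects to the device class that can enforce them, as an added illustration in Python. This is example code, not Threat Response's own agent or device-update logic; every IOC value and host artifact below is constructed (the MD5 is the EICAR test-file hash, the IP is from the TEST-NET-3 documentation range).

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed known-IOC database keyed by indicator type (stand-in for a real IOC feed).
KNOWN_IOCS = {
    "md5": {"44d88612fea8a8f36de82e1278abb02f"},           # EICAR test-file MD5
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"},  # constructed
    "cnc_ip": {"203.0.113.45"},                             # TEST-NET-3, documentation range
    "url": {"http://malicious.example/payload.bin"},        # constructed
}

@dataclass
class HostArtifacts:
    """What a verification agent might collect from a suspect system."""
    file_md5s: set = field(default_factory=set)     # file system changes (hashes of new/modified files)
    registry_keys: set = field(default_factory=set) # registry changes (autorun keys etc.)
    connections: set = field(default_factory=set)   # remote IPs the host talked to
    urls: set = field(default_factory=set)          # URLs fetched by the host

def verify_infection(artifacts, iocs=KNOWN_IOCS):
    """Return matched indicators per type; an empty dict means the alert is not confirmed."""
    hits = {
        "md5": artifacts.file_md5s & iocs["md5"],
        "registry": artifacts.registry_keys & iocs["registry"],
        "cnc_ip": artifacts.connections & iocs["cnc_ip"],
        "url": artifacts.urls & iocs["url"],
    }
    return {kind: sorted(values) for kind, values in hits.items() if values}

def build_device_updates(hits):
    """Route confirmed indicators to the device that can block them: IPs to the
    perimeter firewall, URLs (and their hosts) to the web proxy."""
    updates = {"firewall_block_ips": set(), "proxy_block_urls": set(), "proxy_block_hosts": set()}
    updates["firewall_block_ips"].update(hits.get("cnc_ip", []))
    for url in hits.get("url", []):
        updates["proxy_block_urls"].add(url)
        updates["proxy_block_hosts"].add(urlsplit(url).hostname)
    return {kind: sorted(values) for kind, values in updates.items()}

# Constructed sample: one suspect host with several IOC matches, one clean host that only
# triggered an alert. Only the confirmed host produces device updates.
SUSPECT_HOST = HostArtifacts(
    file_md5s={"44d88612fea8a8f36de82e1278abb02f", "d41d8cd98f00b204e9800998ecf8427e"},
    registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"},
    connections={"203.0.113.45", "192.0.2.10"},
    urls={"http://malicious.example/payload.bin"},
)
CLEAN_HOST = HostArtifacts(connections={"192.0.2.10"})

if __name__ == "__main__":
    confirmed = verify_infection(SUSPECT_HOST)
    print("suspect:", confirmed, build_device_updates(confirmed))
    print("clean:", verify_infection(CLEAN_HOST))      # {} -> false positive, nothing pushed
```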
Our device update approach has been developed in conjunction with hundreds of security teams out in the “real world”, so you can be sure that your network will continue running smoothly with the added benefit of real-time threat information.
Organizations using Threat Response have reported up to 20X improvements in containment times.
Sometimes organizations want to review detailed information prior to responding to a detected security threat, and other times they need to contain threats instantly, the moment they are detected. Threat Response provides the ability to customize the automation of critical workflows so that organizations get the appropriate level of response for their needs.
The incident response process can be time-consuming and often involves multiple members of the security team researching and confirming detected threats. Threat Response provides a workflow that was designed from the start for the incident response process.