www.sec.do

6 Ways to Slash Incident Investigation Time by 80%

Every few days, we read about a new cyber security technology that promises to detect or prevent advanced threats. Yet the fact is that the number of breaches continues to grow, and more importantly, the “dwell time”, or total time to detection and remediation, is getting longer. According to Ponemon’s Cost of the Data Breach Report 2015, malicious attacks now take an average of 256 days to identify and 82 days to contain. Another worrisome trend is the rising cost of detection, investigation and remediation, which has climbed over the past 3 years by nearly 30%. And as these activities become more complex, the highly skilled experts who can perform them are in short supply.

It’s time to look at the problem another way. While vendors continue to look for the silver bullet in threat detection, Security Operations teams can take active steps right now to accelerate incident investigation, containment and remediation, while reducing the total dwell time of threats. New investigation and response solutions use automation and analytics to reduce complexity and provide the visibility to ensure that threats are identified quickly and eradicated completely.

Let’s look at 6 ways that new technology is changing the way Security Operations teams work at both enterprises and service providers:

1. Proactive collection of endpoint and server activity

Today it’s clear that despite the massive amount of log information that IT systems are generating, Security Operations teams simply do not have enough information about endpoint and server activity to understand the significance of SIEM alerts. The challenge grows by several orders of magnitude when a breach is verified and it’s time for forensic analysis and cleanup. To prevent this knowledge gap, SECDO proactively records all endpoint events necessary to recreate the attack chain, down to thread-level (sub-process) resolution and over time.
More than 70% of advanced malware injects code multiple times, so granular resolution is essential. SECDO includes a lightweight agent/driver and data harvesting technology that processes, transfers and stores the information efficiently for up to 100 days. The technology is architected to scale up to tens of thousands of agents.

2. Validation of alerts from SIEM and third-party detection systems

Today SOC analysts are only validating a small percentage of alerts. Each new security solution promises to be the magic bullet that blocks or detects intruders and malware with total accuracy. But the reality is that most of the time, these solutions pass the buck in the form of alerts that must be investigated by a trained expert. Since so many alerts are false positives, analysts are spending a large part of their time on validation. And still, many alerts are never investigated, early warning signs are missed, and breach dwell time continues to increase every year.

SECDO validates alerts from the SIEM and third-party detection systems using thread-level endpoint and server activity data from the past hundred days. It helps you eliminate false positives and identify definite signs of compromise. It enables you to rapidly prioritize suspicious activity that requires further investigation, and provides a powerful, visual investigation platform so you can get to the bottom of any incident.

3. Endpoint visibility and causality analytics

Collecting endpoint and server activity for forensic analysis is important, but it’s not enough. In a short time, a massive amount of data accumulates. Unless you want to spend a lot of time searching for the needle in the haystack, you need analytics that can turn the data into useful intelligence. SECDO’s Causality Engine analyzes millions of events from the past 100 days and connects the dots to reveal the behavioral timeline for short-term incidents and persistent threats.
It works on the level of a single endpoint, and on cross-enterprise incidents involving multiple endpoints and servers. The Causality Engine flags suspicious behaviors by monitoring the events from each process/DLL/user over time and determining whether they fit behavioral models. Each suspicious behavior is ranked and aggregated with related data, including threat intelligence sources, to create a score for each process under investigation.

4. Automated forensic timeline analysis

Investigating an alert requires a great deal of skill, experience and time. After data collection, hunters and investigators work long and hard to figure out what it all means, to identify the root cause, to prepare a detailed forensic analysis of the incident, and to put it right. And all of this must be done over, and over, and over again. The headache is exponentially larger for MSSPs and other service providers with multiple customers and tough SLAs for response time.

SECDO automatically generates a forensic timeline for every alert by synthesizing and analyzing 100 days of endpoint activity data along with relevant alerts from other detection systems. It shows the root cause, along with every process, endpoint, and behavior associated with the alert. At a glance, even a novice analyst can understand the full narrative behind the alert and determine whether to escalate, investigate further, or remediate.

5. Visual query language for investigation

Gathering information for investigation and forensic analysis is only the start. Finding what you need can be like locating the proverbial needle in the haystack. SECDO’s visual query platform replaces hundreds of manual, text-based searches with a visual, object-oriented search process that instantly reveals connections across the enterprise. It lets you rapidly perform forensic analysis on all affected endpoints and report on the scope and impact of the incident.
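The causality analysis and automated forensic timeline described in points 3 and 4 can be illustrated with a toy reconstruction over recorded process, file and network events: walk the parent links from the alerted process back to the top of the tree, weight each process by the behavioural rules its events trigger, and emit the ordered timeline. This is an added example, not SECDO’s code or its Causality Engine; the event schema, rules, weights and sample telemetry (including the 203.0.113.7 address, which is from a documentation range) are all constructed for illustration.

```python
from collections import namedtuple
# ts: seconds into the recording; kind: "process"/"file"/"network"; ppid: parent pid
# for process events (0 if none); detail: command line, written path or remote endpoint.
Event = namedtuple("Event", "ts kind pid ppid image detail")
# Constructed telemetry: a document opens, spawns a script host that drops and runs
# a binary, which then connects out. The address is from a documentation range.
EVENTS = [
    Event(0, "process", 100, 1, "explorer.exe", "explorer.exe"),
    Event(10, "process", 200, 100, "winword.exe", "winword.exe invoice.docm"),
    Event(12, "process", 300, 200, "wscript.exe", "wscript.exe stage1.js"),
    Event(13, "file", 300, 0, "wscript.exe", r"C:\Users\Public\upd.exe"),
    Event(14, "process", 400, 300, "upd.exe", r"C:\Users\Public\upd.exe"),
    Event(15, "network", 400, 0, "upd.exe", "203.0.113.7:443"),
]
OFFICE, SCRIPT_HOSTS = {"winword.exe", "excel.exe"}, {"wscript.exe", "cscript.exe"}
INDICATORS = {"203.0.113.7"}  # constructed threat-intel match list, not a real IoC

def causality_chain(events, alert_pid):
    """Follow ppid links from the alerted process up the tree; returns root first."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    chain, pid = [], alert_pid
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain[::-1]

def score_process(proc, events):
    """Weight the hypothetical behavioural rules a process (and its children) trigger."""
    mine = [e for e in events if e.pid == proc.pid]
    kids = [e for e in events if e.kind == "process" and e.ppid == proc.pid]
    hits = []
    if proc.image in OFFICE and any(k.image in SCRIPT_HOSTS for k in kids):
        hits.append((40, "office application spawned a script host"))
    if any(k.detail in {e.detail for e in mine if e.kind == "file"} for k in kids):
        hits.append((35, "dropped a file and then launched it"))
    for e in (e for e in mine if e.kind == "network"):
        hits.append((20, f"outbound connection to {e.detail}"))
        if e.detail.rsplit(":", 1)[0] in INDICATORS:
            hits.append((50, "destination matches threat intelligence"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def forensic_timeline(events, alert_pid):
    """Chain, per-pid scores, earliest flagged process as root cause, events in time order."""
    chain = causality_chain(events, alert_pid)
    scores = {p.pid: score_process(p, events) for p in chain}
    flagged = [p for p in chain if scores[p.pid][0] > 0]
    pids = {p.pid for p in chain}
    return {"root_cause": (flagged or chain)[0].detail,
            "chain": [p.image for p in chain], "scores": scores,
            "timeline": sorted((e.ts, e.image, e.kind, e.detail) for e in events if e.pid in pids)}
```

Calling `forensic_timeline(EVENTS, 400)` on an alert for the outbound connection attributes the root cause to the document that was opened, not to the process that tripped the alert.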
6. Surgical remediation

During the automated investigation process, the SECDO platform also creates a specific remediation plan which removes the traces of the breach from affected endpoints and servers and closes potential attack vectors with as little user impact as possible. The plan can be submitted to a ticketing system or launched automatically, directly from the platform. IceBlock™ remediation can suspend processes in memory, quarantine files and even roll back OS changes, automatically or on demand.

Try a Different Approach to Incident Response

With SECDO, Security Operations teams can take active steps right now to accelerate incident investigation, containment and remediation, while reducing the total dwell time of threats. The SECDO platform uses advanced analytics to reduce complexity for the SOC and ensure that threats are identified quickly and eradicated completely. Sign up for a demo today.

© 2016 Cyber Secdo Ltd. All rights reserved. SECDO is a trademark of Cyber Secdo Ltd.