Automated Context and Incident Response


Technical Brief Automated Context and Incident Response www.proofpoint.com

Incident response requires situational awareness of the target, his or her environment, and the attacker. However, security alerts from most existing security systems provide high-level, normalised, generic, or unverified information that is not actionable. In addition, incident responders may not want to block every threat reported, since many modern attackers use evasive techniques that include attempted connections to destinations like Microsoft update sites, Adobe update sites, Google searches, and Google DNS to mislead automatic systems. These and other evasive tactics complicate the incident response process and force security analysts to do more work.

Incident responders need context. Context provides the who, the what, and the where. Adding deeper threat context enables the assignment of priority and accelerates decision making for efficient incident response.

Who

Who is involved in the incident? Is the person in the finance department? Is the person an executive? Is this person working in the mailroom? Context tells you if key personnel such as the CFO or source code manager are involved in an incident, because if so, the threat should be taken more seriously. (In contrast, if the incident involves a mailroom employee who does not have any special login credential privileges to sensitive database information, then the threat may be less serious.) If you don't have context, you might prioritise each threat or security alert equally, when you should be focusing on the users or systems with the biggest impact on revenue, operations, or reputation.

Additional context of who in this case can include actionable information such as the phone number, physical location, reporting structure, and even the past incidents related to the user and their system. Using this information, analysts can act more quickly to alert, train, schedule a forensics review, quarantine, or otherwise rapidly take action on the system or user.

What

What type of attack is this? Is it a Trojan, click fraud, or spam attack? Is it a credential phish? What type of malware was used? Is it a key logger, source code stealer, bank account screen sharer, or other? Context of the what tells you what tools or methods an attacker is using to compromise your organisation. Certain malware and exploit kits target known vulnerabilities and include specific actions, such as trying to gain administrative privileges, inserting content on bank pages to steal credentials, clicking on ads, logging keystrokes, or taking other criminal actions. Understanding the what context also helps prepare the security team for potential fraudulent action, data loss, downtime, or system disconnects.

Where

What sites, domains, or geo-locations are involved in the attack or incident? Do those sites have a reputation? Context of the where helps identify connections to sites, domains, and locations that you or people from your organisation may make due to a possible malware infection or attack. In this context, a new or short-lived domain could be suspicious, just as accessing a site in North Korea or in Tunisia might seem suspicious. In addition, third-party reputation and threat intelligence feeds can be used to identify the sites, domains, and URLs of already known bad actors.

Caution should be applied here: security analysts need to be especially careful due to the recent trends in strategic web compromises and watering holes. In these cases, known good sites are temporarily infected, and the security analysts cannot or should not block the sites permanently. For example, some malware will attempt to connect to 8.8.8.8, which is a Google public DNS resolver. If an incident response analyst does not know that a particular IP has an important function, they might block it and negatively impact many corporate users or other devices that depend on that Google DNS.

Automated Context Collection and Threat Scores

Proofpoint Threat Response goes several steps beyond collection of basic context. First, Threat Response collects the context of the who, what, and where in a consistent, reliable, and automated process. Next, Threat Response also collects indicators of compromise from targeted systems and confirms whether a threat has compromised an endpoint. The collected context and indicators of compromise are then analysed in a regular and consistent manner to extract singular incidents out of multiple events. For example, if an incident is comprised of 15 related events, the net benefit is that instead of 15 independent analyses for those 15 events, only one analysis is done on a single incident, with all the supporting event information provided at a glance. In addition, all the events that comprise an incident are analysed, weighted, and then combined to create a threat score. This threat score, also calculated automatically, can enable organisations to assign analysts to the highest scoring and riskiest incidents first.

Note: All of these steps are completed by Threat Response even before a security analyst begins to work on an incident analysis.

Applied Automated Context

Context is critical for incident response; automated context and analysis, however, provide an even faster, more reliable, and more consistent method to deliver situational awareness. This sets the stage for correlating incidents from a number of related events, and enables a reliable and consistent scoring method to prioritise incident response assignments and workflow for analysts. The result is accelerated response decision making, which lowers risk and exposure for an organisation.
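The following is an added example, not Proofpoint's code and not a description of how Threat Response is implemented. It shows, in plain Python, the pipeline the brief describes: raw alert events are enriched with who context (a directory lookup), what context (a threat-type weight) and where context (a reputation feed, domain age, and a list of shared infrastructure such as Google's public DNS that must not be auto-blocked), grouped into one incident per user and host, and combined into a weighted threat score so that the riskiest incident sorts first. The directory, reputation feed, domain first-seen dates, weights, and events are all constructed sample data; the example.com and .invalid names are placeholders.

```python
"""Added example: who/what/where enrichment, event-to-incident correlation,
and weighted threat scoring. All data below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
import ipaddress

# "Who": constructed directory lookup for a hypothetical organisation.
DIRECTORY = {
    "cfo@example.com":  {"dept": "finance", "role": "executive", "phone": "+1-555-0100", "site": "HQ"},
    "dev1@example.com": {"dept": "engineering", "role": "source-code-manager", "phone": "+1-555-0101", "site": "HQ"},
    "mail1@example.com": {"dept": "mailroom", "role": "staff", "phone": "+1-555-0102", "site": "Annex"},
}
ROLE_WEIGHT = {"executive": 3.0, "source-code-manager": 3.0, "staff": 1.0}

# "What": constructed severity weights per threat type.
THREAT_WEIGHT = {"credential-phish": 3.0, "keylogger": 3.0, "banking-trojan": 3.0,
                 "click-fraud": 1.0, "spam": 0.5}

# "Where": constructed reputation feed, domain first-seen dates, and shared
# infrastructure that is never a block candidate (the 8.8.8.8 case in the brief).
BAD_REPUTATION = {"evil-example.invalid"}
DOMAIN_FIRST_SEEN = {"new-host.invalid": date(2018, 3, 1), "evil-example.invalid": date(2015, 1, 1)}
KNOWN_GOOD_NETS = [ipaddress.ip_network("8.8.8.8/32"), ipaddress.ip_network("8.8.4.4/32")]
KNOWN_GOOD_DOMAINS = {"update.microsoft.com", "www.google.com"}
TODAY = date(2018, 3, 15)  # fixed "now" so domain age is deterministic


@dataclass
class Event:
    user: str
    host: str
    threat_type: str
    dest: str  # destination domain or IP address


@dataclass
class Incident:
    key: tuple                                  # (user, host) the events were grouped on
    context: dict = field(default_factory=dict)  # who context pulled from the directory
    events: list = field(default_factory=list)
    score: float = 0.0
    block_candidates: set = field(default_factory=set)
    do_not_block: set = field(default_factory=set)  # shared infrastructure seen in the incident


def is_known_good(dest: str) -> bool:
    """True for shared infrastructure that must never be blocked automatically."""
    if dest in KNOWN_GOOD_DOMAINS:
        return True
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False  # a domain name, not an IP
    return any(ip in net for net in KNOWN_GOOD_NETS)


def where_weight(dest: str, today: date = TODAY) -> float:
    """Where context: 0 for known-good, 3 for known-bad, 2 for a domain under 30 days old, else 1."""
    if is_known_good(dest):
        return 0.0
    if dest in BAD_REPUTATION:
        return 3.0
    first_seen = DOMAIN_FIRST_SEEN.get(dest)
    if first_seen is not None and (today - first_seen).days < 30:
        return 2.0
    return 1.0


def score_event(ev: Event, today: date = TODAY) -> float:
    """Impact of the target (who) scales the severity of the threat (what); where adds on top."""
    who = ROLE_WEIGHT.get(DIRECTORY.get(ev.user, {}).get("role"), 1.0)
    what = THREAT_WEIGHT.get(ev.threat_type, 1.0)
    return who * what + where_weight(ev.dest, today)


def correlate(events, today: date = TODAY):
    """Group events into one incident per (user, host), sum weighted scores, sort riskiest first."""
    incidents = {}
    for ev in events:
        key = (ev.user, ev.host)
        inc = incidents.setdefault(key, Incident(key=key, context=DIRECTORY.get(ev.user, {})))
        inc.events.append(ev)
        inc.score += score_event(ev, today)
        (inc.do_not_block if is_known_good(ev.dest) else inc.block_candidates).add(ev.dest)
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


# Constructed sample alerts: three related events on the CFO's laptop, one on a mailroom PC.
SAMPLE_EVENTS = [
    Event("cfo@example.com", "cfo-laptop", "credential-phish", "evil-example.invalid"),
    Event("cfo@example.com", "cfo-laptop", "banking-trojan", "8.8.8.8"),
    Event("cfo@example.com", "cfo-laptop", "banking-trojan", "new-host.invalid"),
    Event("mail1@example.com", "mail-pc", "spam", "ads.example.net"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.key, round(inc.score, 1), "block:", sorted(inc.block_candidates),
              "keep:", sorted(inc.do_not_block), "phone:", inc.context.get("phone"))
```

Run as a script, the four sample events collapse into two incidents: the CFO's laptop (three events, score 32.0, with 8.8.8.8 listed under "keep" rather than as a block candidate, and the directory phone number attached for the analyst) sorts ahead of the mailroom PC (one event, score 1.5). The who weight multiplies the what weight so that the same malware on an executive's machine outranks it on a low-privilege one, which is the prioritisation the brief argues for.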

ABOUT PROOFPOINT

Proofpoint, Inc. (NASDAQ:PFPT), a next-generation cybersecurity company, enables organizations to protect the way their people work today from advanced threats and compliance risks. Proofpoint helps cybersecurity professionals protect their users from the advanced attacks that target them (via email, mobile apps, and social media), protect the critical information people create, and equip their teams with the right intelligence and tools to respond quickly when things go wrong. Leading organizations of all sizes, including over 50 percent of the Fortune 100, rely on Proofpoint solutions, which are built for today's mobile and social-enabled IT environments and leverage both the power of the cloud and a big-data-driven analytics platform to combat modern advanced threats.

www.proofpoint.com

Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.