By: Carolyn Crandall, CMO
This week we announced that ThreatOps™ had been added to the Attivo ThreatMatrix™ Deception and Response Platform. The new ThreatOps solution is designed to accelerate incident response by automatically collecting disparate attack information, correlating it, and displaying it in one dashboard where attacks can be scored and playbooks created. The playbooks can then be used to create repeatable processes, simplifying incident response. Through third-party integration with prevention systems (firewall, NAC, endpoint, SIEM), attacks will automatically be blocked and quarantined, expediting response actions and preventing the attack from spreading further through the network. Additionally, through an Attivo endpoint agent or through integration with endpoint companies like Carbon Black and ForeScout, information is shared so that customers can threat hunt for forensic artifacts in other parts of the network and confirm that they have eradicated the attack.
With the Attivo Networks ThreatMatrix Platform, organizations have access to:
Investigation Automation: The ThreatOps Platform works hand-in-hand with the ThreatMatrix BOTsink engagement server for in-network threat detection, attack analysis, and acceleration of incident response. Through automation, the ThreatOps Platform ingests information on threats detected by the BOTsink engagement server, SIEMs, and other devices, correlating attack data, logs, endpoint memory forensics, and use of deception credentials (tracked through failed log-ins with those credentials). Additionally, through the Attivo solution or through integrations with endpoint vendors like ForeScout and McAfee (ePO), threat hunting can be activated to find the root cause of the infection. This approach provides a more complete picture of the attack and ultimately reduces false positives and investigation time, thereby simplifying overall incident response.
Adaptive Deception: The ThreatOps Platform uses advanced analytics to profile attackers, dynamically deploy deception of a quality indistinguishable from real assets, and redirect attackers to decoys where their specific activities can be tracked to the level of detail needed by other security solutions in the network for detection and remediation. This severely impacts attackers by making them spend cycles in a deception maze that yields them nothing.
Collaboration: The ThreatOps Platform is designed to provide a single source for the security team to review correlated attack information and to collaborate on incident response. Collaboration allows teams to see real threats they might have missed on their own from a partial view of threat activity throughout the network. Additionally, it creates a consolidated environment for InfoSec teams to post IR activities and comments so that data can be easily shared and not lost in transition or over time.
Scoring and Playbook Automation: Once the attack has been analyzed, the threat is scored and playbooks are created based on the security policies of the organization. This helps customers prioritize threat response and creates playbooks for repeatable processes when the same attack is seen in the future. Automated playbooks reduce not only incident response time but also the skill level required to respond to future attacks.
Automated Incident Response Handling: Based on the security organization’s policies and playbooks, and through third-party integration, the correlated attack information can be automatically shared with prevention and detection systems to block and isolate an attack for quick handling and remediation.
Remediation: ThreatOps generates a trouble ticket containing the complete picture needed for swift and effective incident response. The ticket can be integrated with applications such as ServiceNow or Jira to give the IT help desk exactly what it needs for immediate remediation of an infected system or unit.
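The correlation, scoring and playbook steps described above, as an added example that is not part of the original post and is not Attivo code: it reads a handful of constructed log lines (two authentication sources plus a decoy engagement event, in an assumed key=value format), flags any log-in attempt that uses a planted deception credential or any contact with a decoy host, groups the evidence by source address, scores each source, and maps the score to a playbook action and a ticket. The credential names, decoy addresses, weights and thresholds are all assumed policy values chosen for the example.

```python
"""Added example (not Attivo's code): deception-credential correlation, scoring and playbooks."""
import re
from dataclasses import dataclass, field

# Assumed: accounts planted on endpoints purely as bait; any use of them is suspect.
DECEPTION_CREDENTIALS = {"svc_backup_admin", "oracle_dba"}
# Assumed: addresses of decoy systems standing in for a BOTsink-style engagement server.
DECOY_HOSTS = {"10.0.5.50", "10.0.5.51"}

# Constructed sample log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = """\
2016-04-12T10:01:02Z auth host=fs01 event=logon_failed user=svc_backup_admin src=10.0.2.17
2016-04-12T10:01:05Z auth host=fs01 event=logon_failed user=jsmith src=10.0.2.40
2016-04-12T10:01:09Z auth host=fs01 event=logon_failed user=jsmith src=10.0.2.40
2016-04-12T10:02:11Z decoy host=10.0.5.50 event=smb_connect src=10.0.2.17 share=finance
2016-04-12T10:02:40Z auth host=db02 event=logon_failed user=oracle_dba src=10.0.2.17
2016-04-12T10:03:01Z decoy host=10.0.5.51 event=rdp_connect src=10.0.2.17
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Incident:
    """Everything observed from one source address, kept as evidence for the ticket."""
    src: str
    deception_logins: list = field(default_factory=list)  # (host, user, event)
    decoy_contacts: list = field(default_factory=list)    # (decoy host, event)
    other_failures: int = 0                               # ordinary failed logons


def parse_line(line):
    """Split one log line into a dict of fields; return None for lines that do not fit."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    fields = dict(KV_RE.findall(parts[2]))
    fields["ts"], fields["source"] = parts[0], parts[1]
    return fields


def correlate(log_text):
    """Group deception-relevant events by source address so one attacker shows up once."""
    incidents = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "src" not in ev:
            continue
        inc = incidents.setdefault(ev["src"], Incident(ev["src"]))
        user, host = ev.get("user", ""), ev.get("host", "")
        if user in DECEPTION_CREDENTIALS:
            # A bait credential has no legitimate use, so failure or success is a signal.
            inc.deception_logins.append((host, user, ev.get("event", "")))
        elif ev["source"] == "decoy" or host in DECOY_HOSTS:
            inc.decoy_contacts.append((host, ev.get("event", "")))
        elif ev.get("event") == "logon_failed":
            inc.other_failures += 1
    return incidents


def score(inc):
    """Assumed weights: deception signals dominate; plain failures add little. Capped at 100."""
    raw = 40 * len(inc.deception_logins) + 30 * len(inc.decoy_contacts) + min(inc.other_failures, 10)
    return min(raw, 100)


# Assumed policy: (minimum score, action, steps handed to integrated systems).
PLAYBOOKS = [
    (70, "quarantine", ["nac: isolate source port", "firewall: block src",
                        "edr: collect memory image from src", "ticket: open P1"]),
    (40, "investigate", ["edr: hunt for deception-credential use on other endpoints",
                         "ticket: open P2"]),
    (0, "monitor", ["siem: keep watching src"]),
]


def playbook_for(s):
    """Pick the first playbook whose threshold the score meets."""
    for threshold, action, steps in PLAYBOOKS:
        if s >= threshold:
            return action, steps
    return "monitor", []


def build_ticket(inc):
    """Assemble what a help-desk or SOC ticket would carry: score, action, evidence."""
    s = score(inc)
    action, steps = playbook_for(s)
    return {"src": inc.src, "score": s, "action": action, "steps": steps,
            "evidence": {"deception_logins": inc.deception_logins,
                         "decoy_contacts": inc.decoy_contacts,
                         "other_failures": inc.other_failures}}


def triage(log_text=SAMPLE_LOGS):
    """Return tickets highest score first, the order a response dashboard would show."""
    tickets = [build_ticket(i) for i in correlate(log_text).values()]
    return sorted(tickets, key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    for t in triage():
        print(f'{t["src"]}: score={t["score"]} action={t["action"]}')
        for step in t["steps"]:
            print("   -", step)
```

On the sample, 10.0.2.17 uses two planted credentials and touches two decoys, so it saturates the score and gets the quarantine playbook, while 10.0.2.40 (two ordinary failed logons) is only monitored. The point of the weighting is that deception credentials and decoy hosts have no legitimate users, so a single hit on them is worth far more than a pile of generic authentication failures, which is what keeps the false-positive rate low.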
In their “Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update”, published last March, Gartner analysts Lawrence Pingree, Neil MacDonald and Peter Firstbrook recommended “when possible, consider automating your IR investigation triage efforts with integration between forensic analysis tools and other security monitoring software to more rapidly respond to potential suspicious security events when they occur.” They also noted as a best practice, considering “utilizing deceptions across endpoint, application, data, identity (fake credentials) and network infrastructure to enhance your advanced-threat and insider-threat detection goals.”
The Attivo vision for the ThreatMatrix Deception and Response Platform is to provide our customers with the most efficient and comprehensive solution for continuous threat management. The addition of the ThreatOps Incident Response solution now expands the value of the ThreatMatrix solution to achieve dramatic acceleration of investigations and incident response, in addition to real-time deception-based detection. Our customers are excited about the opportunity to create repeatable processes through playbooks and to be able to optimize their current infrastructure to simplify and automate their incident response.
For more information on deception technology for incident response automation, see: Distributed Deception Platforms for Automating Incident Response