Attivo ThreatDefend™ Platform Accelerates Investigation and Improves Incident Response Operations with Automated Attack Data Correlation, Threat Scoring, and Repeatable Playbooks
Attivo Networks®, the award-winning leader in deception for cybersecurity defense, today announced that ThreatOps™, which has been added to the Attivo ThreatDefend™ Deception and Response Platform, will be launched at next week’s RSA Conference. The new ThreatOps solution is designed to accelerate incident response by automatically collecting disparate attack information, correlating it, and displaying it within one dashboard where attacks can be scored and playbooks created. The playbooks can then be used to create repeatable processes, simplifying incident response. Through third-party integration with prevention systems (firewall, NAC, endpoint, SIEM), attacks will automatically be blocked and quarantined, expediting response actions and preventing the attack from continuing to spread through the network. Additionally, the solution empowers customers to threat hunt for forensic artifacts in other parts of the network and confirm that they have eradicated the attack.
Investigation Automation: The ThreatOps Platform works hand-in-hand with the ThreatDefend BOTsink engagement server for in-network threat detection, attack analysis, and acceleration of incident response. The ThreatOps Platform, through automation, ingests information on threats detected by the BOTsink engagement server, SIEMs, and other devices, correlating attack data, logs, endpoint memory forensics, and use of deception credentials by tracking failed log-ins. Additionally, through the Attivo solution or through integrations with endpoint vendors such as ForeScout and McAfee (ePO), threat hunting can be activated to find the root cause of the infection. This approach provides a more complete picture of the attack and ultimately reduces false positives and investigation time, thereby simplifying overall incident response.
Adaptive Deception: The ThreatOps Platform uses advanced analytics to profile the attackers, dynamically deploy deception of indistinguishable quality, and redirect attackers to decoys where specific activities can be tracked to the level of detail needed by other security solutions in the network for detection and remediation. This severely impacts attackers by making them spin meaningless cycles in a deception maze.
Collaboration: The ThreatOps Platform is designed to provide a single source for the security team to review correlated attack information and to collaborate on incident response. Collaboration allows teams to see real threats they might have missed on their own from a partial view of threat activity throughout the network. Additionally, it creates a consolidated environment for InfoSec teams to post IR activities and comments so that data can be easily shared and not lost in transition or over time.
Scoring and Playbook Automation: Once the attack has been analyzed, the threat is scored and playbooks are created based on the security policies of an organization. This helps customers prioritize threat response and creates playbooks for repeatable processes when the same attack is seen in the future. Automated playbooks not only reduce incident response time, but also the skill set required to respond to future attacks.
Automated Incident Response Handling: Based on the security organization’s policies and playbooks, and through third-party integration, the correlated attack information can be automatically shared with prevention and detection systems to block and isolate an attack for quick handling and remediation.
Remediation: To provide the complete picture needed for swift and effective incident response, ThreatOps generates a trouble ticket. It can then be integrated with applications such as ServiceNow or Jira to give the IT Help Desk exactly the information needed for immediate remediation of an infected system or unit.
“The Attivo vision for the ThreatDefend Deception and Response Platform is to provide our customers with the most efficient and comprehensive solution for continuous threat management. The addition of the ThreatOps Incident Response solution now expands the value of the ThreatDefend solution to achieve dramatic acceleration of investigations and incident response, in addition to real-time deception-based detection,” comments Tushar Kothari, CEO of Attivo Networks. “Our customers are excited about the opportunity to create repeatable processes through playbooks and to be able to optimize their current infrastructure to simplify and automate their incident response.”
In their “Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update,” published last March, Gartner analysts Lawrence Pingree, Neil MacDonald and Peter Firstbrook recommended “when possible, consider automating your IR investigation triage efforts with integration between forensic analysis tools and other security monitoring software to more rapidly respond to potential suspicious security events when they occur.” They also noted as a best practice, considering “utilizing deceptions across endpoint, application, data, identity (fake credentials) and network infrastructure to enhance your advanced-threat and insider-threat detection goals.”
The ThreatOps Incident Response Solution joins the BOTsink engagement servers and decoys, the Threat Strike End-point Suite, and ThreatPath attack path visualization software, in the portfolio that makes up the Attivo ThreatDefend Deception and Response Platform.
Attivo will have two booths at this year’s RSA Conference: S323 in the South Expo and N2906 in the North Expo. Information on the Attivo ThreatDefend Deception and Response Platform will be presented at both booths, and a magician will be featured at booth N2906 demonstrating the power of deception.
Read more on Deception Technology for Incident Response Automation here: https://attivonetworks.com/documentation/Attivo_Networks-ThreatOps.pdf
About Attivo Networks
Attivo Networks® is the leader in deception technology for real-time detection, analysis, and accelerated response to advanced, credential, insider, and ransomware cyber-attacks. The Attivo ThreatDefend™ Deception and Response Platform accurately detects advanced in-network threats and provides scalable continuous threat management for user networks, data centers, cloud, IoT, ICS-SCADA, and POS environments. Attivo Camouflage dynamic deception techniques and decoys set high-interaction traps to efficiently lure attackers into revealing themselves. Advanced attack analysis and lateral movement tracking are auto-correlated for evidence-based alerts, forensic reporting, and automatic blocking and quarantine of attacks. For more information visit www.attivonetworks.com.