Devo and SIRP - Fusion of Data Analytics and Automated Incident Response

Devo and SIRP - Fusion of Data Analytics and Automated Incident Response

Devo and SIRP - Fusion of Data Analytics and Automated Incident Response

 

When we talk about what is most important for an organization to protect? Usually the answer is the critical assets i.e. systems, applications, databases, and services that keep the business running. But are these assets really important? Or is there something else that makes them important? It is business data and informational assets that are of paramount importance. After all, a database is merely a tool holding the data. For example, your financial data would have a different value than your SAP ERP holding that data. Similarly, servers are hardware that is processing or storing certain data. These informational assets are at the heart of every aspect of an organization. Now with the advancements in technology, coupled with cheaper storage options, more and diverse kinds of data is being generated and stored every day than ever before. More data is analyzed in various ways to identify unique patterns.

With cybersecurity, organizations are using data analytics platforms to capture security and privacy data from multiple sources and then identifying patterns to fight with complex and targeted cyber attacks. The power to collect data from a wide variety of sources and the ability to query historical data and apply machine learning algorithms, allows security analysts to hunt threats proactively. 

If this proactive approach to collect and correlate alerts and events data is combined with security automation, orchestration and response, the result is:

  • Unified view
  • Quicker detection
  • Faster response 
  • Richer use cases 
  • Events triage
  • Streamlined collaboration and workflows

Devo is a data analytics platform that unlocks the full value of machine data for the world's most instrumented enterprises. On the cybersecurity front, Devo helps organizations in consolidating virtually any type of data required for end-to-end visibility, investigation, and reporting. Some of the useful sources from where Devo collects the data are:

  • NDR (Network Detection and Response)
  • EDR (Endpoint Detection and Response)
  • Business applications
  • Cloud infrastructure
  • Threat Intelligence
  • DLP (Data Leakage Prevention)
  • Email security
  • Firewalls, and more

Now Devo customers can use SIRP’s security orchestration and automation capabilities with Devo to get the best of both worlds. This integration allows analysts to use Devo to monitor and detect advanced threats and use SIRP to automate their triage, response, and collaboration.



Integration Features

  • Run an effective incident response cycle using Devo alerting combined with SIRP risk-based SOAR capabilities.
  • Proactively hunt for threats by running Devo’s custom search queries through SIRP either in real-time or as a playbook action. 
  • Leverage several other SIRP integrations to enrich Devo’s alerts data and coordinate response across security functions.
  • Acquire on-demand or automatic triage of machines for further investigation and forensic analysis.

Challenge

The cybersecurity landscape is constantly challenged by the ongoing development of advanced attack tactics and techniques. Attackers are making use of machine learning to evade defenses. And things are not slowing down because the continuous innovation in technology is opening up new sources of data that needs to be stored, monitored, and evaluated. Therefore, it’s not practical to say that an organization can prevent all the threats. The security solutions work in silos and an experienced security team is hard to build and even harder to retain.


Solution

Cybersecurity data analytics coupled with security orchestration, automation, and response addresses these challenges. Security teams can feed all their security data to Devo and from there, define custom queries and send alerts to SIRP to automate response. Analysts can use SIRP playbooks to automate their artifact triage and response. These playbooks help analysts enrich their investigative data, perform threat hunting activities, gather threat intelligence, and execute endpoint remedial actions.

Use Case 1: Unauthorized User Creation

Consider an example in which SIRP received an alert from Devo about an unauthorized user creation, containing details of the actions and created username. Based on the predefined rules, SIRP automatically executes a playbook. The playbook is set to perform the following actions:

  • Get user details from Microsoft Active Directory
  • Get user’s group details from Active Directory
  • Send email notification to the asset custodians to ask them about the legitimacy of the action
  • Check the response of the asset custodian. If custodian says that the action is not legitimate, then:
    • Change disposition to “Incident”
    • Change severity to “High”
    • Assign incident to L2 analyst 
    • Disable the user
    • Send email notification to the relevant teams
  • Else (if the action is legitimate):
    • Change alert priority to “Low”
    • Change disposition to “False positive”

The entire execution and decision flow of the playbook looks something like this:



The actual playbook in SIRP is shown below:



Use Case 2: Unauthorized User Added to Privileged Security Group

Let’s take our example (of Use Case 1) one step further. Consider an example in which SIRP received an alert from Devo about an unauthorized user being added to a privileged security group in Microsoft Active Directory. Based on the predefined rules, SIRP automatically executes a playbook. The playbook is set to perform the following actions:

  • Get user details from Microsoft Active Directory
  • Get user’s group details from Microsoft Active Directory
  • Send email notification to the asset custodians to ask them about the legitimacy of the action
  • Check the response of the asset custodian. If custodian says that the action is NOT legitimate, then:
    • Remove user from the Privileged Security Group
    • Disable the newly created  user
    • Change Disposition to “Incident”
    • Change Severity to “High”
    • Send email notification to the relevant teams and personnel
  • Else (if the action is legitimate):
    • Change alert Priority to “Low”
    • Change Disposition to “False positive”
    • Change alert Status to “Close”

The entire execution and decision flow of the playbook looks something like this:





The actual playbook in SIRP is shown below:



Use Case 3: Suspicious Powershell Execution at Endpoint

When an unauthorized Powershell script is executed on an endpoint or a critical server, it is potentially malicious and needs to be detected and remediated immediately. As seen in the Petya/NotPetya campaigns, PowerShell is the most attractive internal tool to be exploited by attackers, facilitating fileless malware delivery within the target environment. Therefore, all PowerShell scripts being executed on critical assets need real time monitoring. Such activities are detected by the Event ID 4688 generated by Microsoft Windows machines.

Consider an example in which SIRP received an alert from Devo about a powershell execution activity. Based on the predefined rules, SIRP automatically executes a playbook. The playbook is set to perform the following actions:

  • Get user details from Microsoft Active Directory
  • Send email notification to the asset custodians to ask them about the legitimacy of the action
  • Check the response of the asset custodian. If custodian says that the action is not legitimate, then:
    • Change priority to “Medium”
    • Get Asset Details from SIRP database
    • Check if the type of Asset. If Asset is an Endpoint, then:
      • Isolate the machine using an EDR
      • Acquire triage of the machine
      • Assign further investigation task to an L2 analyst
      • Change Category to “Malware”
      • Change Disposition to “Incident”
    • Else (if the the Asset is a Server)
      • Acquire Triage of the machine
      • Assign further investigation task to an L2 analyst
      • Change Category to “Malware”
      • Change Disposition to “Incident”
  • Else (if the action is legitimate):
    • Change alert severity to “Medium”
    • Change disposition to “Investigation”

The entire execution and decision flow of the playbook looks something like this:




The actual playbook in SIRP is shown below:



Benefits

The key benefits that can be realized out of this integration are:

  • Proactive monitoring and response by leveraging best of both products i.e. data analytics of Devo and automation capabilities of SIRP.
  • Utilization of Devo’s machine learning capabilities
  • Reduced MTTD and MTTR
  • Unified view
  • Automatic execution of response actions
  • Correlate the data ingested from different security technologies as well as organizational risks, asset importance, threat intelligence, and vulnerabilities.
 
Get a Demo