An XDR is an improved alternative to the commonly deployed security solutions, each of which has its limitations. It builds on existing EDR and NTA with integrated threat intelligence, deeper analysis of internal and external traffic, correlation and orchestration techniques, and a scalable solution that improves over time. The integration of Carbon Black (CB) and SIRP delivers the XDR capabilities listed above, combining CB's unparalleled visibility and threat detection with rapid alert remediation and containment.
With SIRP’s XDR and CB, Security Operations Centers (SOCs) improve their response time through faster triage and stronger threat hunting. SOC analysts are less fatigued because SIRP enables partial or full automation through our automation playbooks. A single-pane-of-glass view reduces tool switching, since the information appears in one easily readable format, and case management is simplified because process details and alert enrichment are ingested directly from CB.
Without an integrated solution, a SOC analyst runs multiple tools to keep their environment secure: an EDR, a WAF, a SIEM, or an anti-virus product. Once they receive a threat or notice malicious activity, they first look up behaviors related to the threat online, investigate it, and then take remediation steps to keep their environment safe. Now multiply this threat by a thousand. That is the ballpark figure for how many threats an analyst has to analyze to do their job (excluding the false positives, of course).
It is easy to imagine how many screen switches analyzing that many threats requires. Not only does this limit the investigative abilities of the analyst, it also hinders their alert management and triage capabilities.
With SIRP’s XDR, the multiple steps taken to mitigate a threat are all performed from a single dashboard. Since an XDR aggregates multiple platforms and tools, the threat can be investigated, enriched, and mitigated directly from SIRP. Process details, endpoint details, available IOCs, and the history of the incident are all made available to SIRP through CB. Automated playbooks then escalate the issue, so the analysts' redundant tasks are reduced.
In this scenario, an alert containing a malicious hash is inserted through the threat intelligence feeds using automated playbooks. In this playbook, the parsed hash is analyzed, enriched, and then blocked if found malicious, all using SIRP and CB. The playbook is set to perform the following actions.
IF the hash is found to be malicious:
SIRP can leverage Carbon Black for automated investigation of behavior anomalies. In this scenario, an asset performs a task, or a repetition of tasks, that is unusual for it (for instance, drive-by downloads). Behavior-based alerts are generated in Carbon Black and ingested into SIRP through the “get_alerts” action. Below is the playbook that will be executed from SIRP.
IF the process information indicates that the actions are malicious:
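To make the two playbook flows described above concrete (the hash-based flow, where a hash from a threat intelligence feed is parsed, enriched and blocked if malicious, and the behavior-based flow, where alerts pulled via get_alerts are evaluated on their process information), here is an added Python illustration. It is not SIRP's or Carbon Black's code, and it does not reproduce the page's own playbook steps: the ThreatIntel dictionary, the CarbonBlackStub class and its methods, the alert field names, and the hashes are all hypothetical, constructed stand-ins for the real integration.

```python
"""Toy playbook runner for the two flows described above.
Added example, not SIRP's or Carbon Black's code. THREAT_INTEL,
CarbonBlackStub, the alert field names and the hashes are constructed
stand-ins; the real SIRP/CB integration uses its own API and data model."""
import re
from dataclasses import dataclass, field

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed threat-intelligence feed standing in for SIRP's enrichment.
# The hashes are synthetic, not real malware indicators.
THREAT_INTEL = {
    "a" * 64: {"verdict": "malicious", "family": "example-dropper"},
    "b" * 64: {"verdict": "benign", "family": None},
}


@dataclass
class CarbonBlackStub:
    """Hypothetical CB client: records the response actions a playbook requests."""
    actions: list = field(default_factory=list)

    def block_hash(self, sha256):
        self.actions.append(("block_hash", sha256))

    def isolate_device(self, device_id):
        self.actions.append(("isolate_device", device_id))

    def get_alerts(self):
        # Constructed behaviour-based alerts, shaped loosely like what an EDR surfaces.
        return [
            {"id": "alert-1", "device_id": 101,
             "process": {"name": "powershell.exe", "parent": "winword.exe",
                         "reputation": "NOT_LISTED", "cmdline_encoded": True}},
            {"id": "alert-2", "device_id": 102,
             "process": {"name": "svchost.exe", "parent": "services.exe",
                         "reputation": "TRUSTED_WHITE_LIST", "cmdline_encoded": False}},
        ]


def hash_playbook(raw_hash, cb, intel=THREAT_INTEL):
    """Flow 1: parse the hash, enrich it, block if malicious. Returns a case summary."""
    sha256 = raw_hash.strip().lower()
    if not SHA256_RE.match(sha256):
        # Malformed indicators never reach the blocking step.
        return {"hash": raw_hash, "status": "rejected", "reason": "not a SHA-256"}
    enrichment = intel.get(sha256, {"verdict": "unknown", "family": None})
    if enrichment["verdict"] == "malicious":
        cb.block_hash(sha256)
        return {"hash": sha256, "status": "blocked", **enrichment}
    if enrichment["verdict"] == "benign":
        return {"hash": sha256, "status": "closed", **enrichment}
    # Unknown hashes are not auto-blocked; they are escalated to an analyst.
    return {"hash": sha256, "status": "escalated", **enrichment}


def process_looks_malicious(proc):
    """Flow 2 decision rule (constructed): an unlisted binary spawned by an
    Office application with an encoded command line is treated as malicious."""
    office_parents = {"winword.exe", "excel.exe", "outlook.exe"}
    return (proc["parent"].lower() in office_parents
            and proc["reputation"] != "TRUSTED_WHITE_LIST"
            and proc["cmdline_encoded"])


def behaviour_playbook(cb):
    """Flow 2: ingest CB behaviour alerts; contain confirmed-malicious ones,
    close trusted ones, escalate everything else for analyst review."""
    outcomes = {}
    for alert in cb.get_alerts():
        proc = alert["process"]
        if process_looks_malicious(proc):
            cb.isolate_device(alert["device_id"])
            outcomes[alert["id"]] = "contained"
        elif proc["reputation"] == "TRUSTED_WHITE_LIST":
            outcomes[alert["id"]] = "closed"
        else:
            outcomes[alert["id"]] = "escalated"
    return outcomes


if __name__ == "__main__":
    cb = CarbonBlackStub()
    print(hash_playbook("A" * 64, cb))
    print(behaviour_playbook(cb))
    print(cb.actions)
```

The point of the three-way outcome (blocked, closed, escalated) is that automation only takes a containment action on a confirmed verdict; unknown or ambiguous cases still land in front of an analyst, which is what keeps an automated playbook from becoming a source of self-inflicted outages.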