It is a common saying that the question is not whether you will be hacked, but when you will find out that you were. Traditional reactive approaches to security, which rely primarily on blocking known attacks, are no longer sufficient. Organizations are now moving to proactive detection and response. We have already seen this shift on the endpoint side in the form of EDR (Endpoint Detection & Response).
On the network side, the same proactive approach is provided by NDR (Network Detection & Response). NDR adds detection and response mechanisms such as anomaly detection, machine learning and event correlation. Some NDR solutions also provide sandbox analysis and integrations that support forensic investigation and threat hunting. This lets security teams search for active attacks rather than waiting for predefined alerts to fire.
Data from these network detection tools complements the data security teams already capture from endpoints. This combined visibility is key to detection, threat hunting, forensic investigation and containment.
Lastline Defender is an AI powered Network Detection and Response platform that detects and contains sophisticated threats before they disrupt your business.
Now Lastline customers can use SIRP’s security orchestration and automation capabilities with Lastline Defender to monitor and respond to threats from a unified console.
Consider an employee laptop in the finance department that has been compromised. The compromise could result from the employee opening a malicious email or clicking a link, or because the host-based detection and response solution failed to prevent an advanced targeted attack. Either way, the laptop becomes the attacker's foothold for reaching the internal network and other machines.
The Network Detection and Response (NDR) platform continuously monitors network traffic to identify potential attacks. In our example, NDR may pick up the attack that EDR missed: if the attacker has bypassed host-based detection and logging, the real-time network visibility provided by NDR can be decisive in detecting the intrusion.
With the SIRP and Lastline integration, security teams can create SIRP playbooks that automate their response to network alerts by leveraging Lastline Defender's response functions. These playbooks help analysts enrich investigative data, perform threat hunting, gather threat intelligence and carry out forensic investigation through sandboxing.
Consider an example in which SIRP receives a malicious email alert from Lastline containing a potentially malicious SHA-1 hash and URLs. Based on predefined rules, SIRP automatically executes a playbook that fetches the hash and URL reputation from sources such as VirusTotal, AlienVault OTX and IBM X-Force.
After ingesting the Artifacts, the playbook is set to perform the following actions:
IF the Artifacts contain URL(s):
IF the Artifacts contain Hash(es):
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
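The artifact-triage flow above, as an added example written for this page rather than SIRP's or Lastline's own playbook code. It ingests an alert's artifacts, validates and classifies each one (SHA-1 or URL, with defanged URLs refanged), aggregates a verdict across several reputation sources, and then branches on artifact type. The reputation tables, the sample alert, the action names (`block_url`, `analyst_review`, `hunt_hash_via_edr`) and the two-source threshold are constructed assumptions, not real VirusTotal, OTX or X-Force responses; `push_hash_to_edr` is the one action the page itself describes.

```python
"""Artifact-triage playbook mirroring the SIRP/Lastline flow described above.
Example code written for this page; the reputation tables and action names are
constructed stand-ins, not VirusTotal / OTX / X-Force API responses."""
import re
from urllib.parse import urlparse

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed reputation data keyed by SHA-1 or hostname. A real playbook would
# query each source's API and normalise the response to a single label.
REPUTATION = {
    "virustotal": {
        "3395856ce81f2b7382dee72602f798b642f14140": "malicious",
        "evil.example": "malicious",
        "cdn.example": "clean",
    },
    "alienvault_otx": {
        "3395856ce81f2b7382dee72602f798b642f14140": "malicious",
        "evil.example": "clean",
    },
    "ibm_xforce": {
        "evil.example": "malicious",
        "cdn.example": "clean",
    },
}


def refang(value):
    """Undo the usual defanging applied to indicators in mail alerts."""
    return value.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")


def classify(raw):
    """Return ('sha1', hash) or ('url', hostname); None if the artifact is unusable."""
    value = raw.strip()
    if SHA1_RE.match(value):
        return "sha1", value.lower()
    parsed = urlparse(refang(value))
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return "url", parsed.hostname.lower()
    return None


def reputation(key):
    """Aggregate per-source labels. A source with no record is not a 'clean' vote,
    and an indicator no source knows is 'unknown', never 'clean'."""
    checked = [src for src, table in REPUTATION.items() if key in table]
    flagged = [src for src in checked if REPUTATION[src][key] == "malicious"]
    if not checked:
        verdict = "unknown"
    elif len(flagged) >= 2:       # assumed threshold: two independent sources
        verdict = "malicious"
    elif flagged:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"checked": checked, "flagged": flagged, "verdict": verdict}


def run_playbook(alert):
    """Enrich every artifact, then branch on artifact type as the page's playbook does."""
    hashes, hosts, dropped = set(), set(), []
    for raw in alert["artifacts"]:
        kind = classify(raw)
        if kind is None:
            dropped.append(raw)          # keep, do not silently lose, unusable input
        elif kind[0] == "sha1":
            hashes.add(kind[1])
        else:
            hosts.add(kind[1])

    result = {"enrichment": {}, "actions": [], "dropped": dropped}
    if hosts:  # IF the Artifacts contain URL(s)
        for host in sorted(hosts):
            rep = reputation(host)
            result["enrichment"][host] = rep
            if rep["verdict"] == "malicious":
                result["actions"].append(("block_url", host))       # assumed action
            elif rep["verdict"] in ("suspicious", "unknown"):
                result["actions"].append(("analyst_review", host))  # assumed action
    if hashes:  # IF the Artifacts contain Hash(es)
        for h in sorted(hashes):
            rep = reputation(h)
            result["enrichment"][h] = rep
            if rep["verdict"] == "malicious":
                result["actions"].append(("push_hash_to_edr", h))
                result["actions"].append(("hunt_hash_via_edr", h))  # assumed action
            elif rep["verdict"] in ("suspicious", "unknown"):
                result["actions"].append(("analyst_review", h))
    blocking = any(a[0] in ("block_url", "push_hash_to_edr") for a in result["actions"])
    result["severity"] = "high" if blocking else ("medium" if result["actions"] else "low")
    return result


# Constructed alert resembling what Lastline would hand to SIRP for a malicious e-mail.
SAMPLE_ALERT = {
    "source": "lastline",
    "artifacts": [
        "hxxp://evil[.]example/invoice.exe",
        "https://cdn.example/jquery.min.js",
        "3395856CE81F2B7382DEE72602F798B642F14140",
        "not-an-indicator",
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(run_playbook(SAMPLE_ALERT), indent=2))
```

Two design points worth keeping in a real playbook: an indicator that no source has seen must route to an analyst rather than be treated as clean, and artifacts that fail validation are reported back rather than dropped, since a mangled hash in an alert is itself worth a look.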
Let’s consider another example in which a security analyst has found a malicious file that they want to investigate and remediate. The analyst attaches the file to the Evidence of an alert and then executes the “Lastline Malicious File investigation” playbook.
Let’s review how this SIRP playbook is set to function:
The purpose of this simple playbook is twofold:
Once the playbook is executed either manually or automatically, it is set to perform following actions:
Apart from pushing the hash to EDR, analysts can also proactively hunt for the hash across the estate by initiating scans through EDR. If the hash is found, the file can be deleted or the affected system isolated. For example, security analysts can use the FireEye and SIRP integration for Automated Threat Intelligence and Incident Response for Endpoint Security.
The entire execution and decision flow of the playbook looks something like this:
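The file-investigation and EDR-hunt steps above, as an added example written for this page and not the playbook's own code. It hashes the attached evidence in a streaming fashion (so a large sample is never read into memory), records the digests to push to EDR, and turns the hunt results into per-host containment actions. The hunt records, the `isolate_host`/`delete_file` action names and the rule that an executing copy warrants isolation while a dormant copy is merely deleted are assumptions for illustration, not SIRP, Lastline or any EDR vendor's documented behaviour.

```python
"""Evidence-file triage mirroring the 'Lastline Malicious File investigation' flow.
Example code written for this page; the EDR hunt records and the isolate-vs-delete
rule are assumptions, not SIRP, Lastline or any EDR vendor's behaviour."""
import hashlib
import sys


def hash_chunks(chunks):
    """Digest a byte stream chunk by chunk so large evidence is never fully in memory."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    for block in chunks:
        sha1.update(block)
        sha256.update(block)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def hash_evidence(path, chunk_size=1 << 20):
    """Hash the file the analyst attached as Evidence. Both digests are recorded
    because sandboxes, threat-intel feeds and EDRs do not all index the same one."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))


# Constructed EDR hunt output: one record per host where the hash was found.
HUNT_RESULTS = [
    {"host": "FIN-LT-042", "path": r"C:\Users\jdoe\Downloads\invoice.exe", "running": True},
    {"host": "FIN-FS-01", "path": r"\\fileshare\drop\invoice.exe", "running": False},
]


def plan_containment(hunt):
    """Assumed rule: a copy that is executing means the host is live-compromised,
    so isolate it; a dormant copy on disk is deleted and the host stays online."""
    plan = []
    for record in hunt:
        if record.get("running"):
            plan.append({"host": record["host"], "action": "isolate_host"})
        else:
            plan.append({"host": record["host"], "action": "delete_file",
                         "path": record["path"]})
    return plan


def investigate(path, hunt):
    """Order of operations from the page: hash, push to EDR, hunt, then contain."""
    digests = hash_evidence(path)
    return {
        "digests": digests,
        "edr_blocklist": digests,                 # what gets pushed to EDR
        "hunt_query": {"sha256": digests["sha256"]},
        "containment": plan_containment(hunt),
    }


if __name__ == "__main__":
    # Usage: python triage.py <evidence-file>; hunt results are the constructed ones above.
    print(investigate(sys.argv[1], HUNT_RESULTS))
```

The isolate-versus-delete decision is the part a team should tune to its own environment; the example keys it on whether the file is executing because that is the cheapest signal an EDR hunt normally returns, but a file server holding a dormant copy may still deserve a wider hunt for who wrote it there.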
The key benefits that can be realized out of this integration are: