Devo and SIRP – Fusion of Data Analytics and Automated Incident Response
August 26, 2020Automate and Orchestrate Investigation and Response of Phishing Attacks
December 30, 2020INTEGRATION
Lastline and SIRP - Automated Threat Intelligence and Network Detection and Response
It’s a common notion that it’s not about when you will be hacked, rather, it’s a matter of when you will find out that you were hacked. The traditional reactive approaches to security approaches, which primarily rely on blocking known attacks, are no longer sufficient. Organizations are now going for proactive detection and response approaches. We have already seen this shift in the endpoint detection and response technologies in the form of EDR (Endpoint Detection & Response).
On the network-side, a similar proactive approach is achieved through NDR (Network Detection & Response). NDR offers advanced detection and response mechanisms including anomaly detection, machine learning capabilities, and correlation. Some NDR solutions also provide sandbox analysis and integration capabilities to support forensic investigation and threat hunting use cases. This allows security teams to proactively search for active attacks rather than just relying on predefined alerts.
The data from these advanced network detection tools allows security teams to build on the data they capture from endpoints. This enhanced visibility is the key for detection, threat hunting, forensic investigation, and containment.
Lastline Defender is an AI powered Network Detection and Response platform that detects and contains sophisticated threats before they disrupt your business.
Now Lastline customers can use SIRP’s security orchestration and automation capabilities with Lastline Defender to monitor and respond to threats from a unified console.
Integration Features
- Run an effective incident response cycle using Lastline Defender incident and breach alerting combined with SIRP risk-based SOAR capabilities.
- Lookup malicious files and indicators across your endpoints using Lastline Defender and SIRP integration, either in real-time or as a playbook action.
- Upload files and URLs from Threat Intelligence to Lastline Defender for sandbox analysis using SIRP playbooks.
- Leverage several other SIRP integrations to enrich Lastline incidents and breaches alerts data and coordinate response across security functions.
Challenge
Consider a laptop of an employee in the finance department has been compromised. The compromise could be the result of an employee not being vigilant enough while opening emails or clicking the links. Or for some reason the host-based detection and response solution failed to prevent an advanced targeted attack. In this case, the laptop becomes the gateway for the attacker to reach the internal network and other machines.
Solution
The Network Detection and Response (NDR) platform continuously monitors network traffic to identify potential attacks. In our example, the NDR technology may pick up the attack that EDR missed. If the attacker has bypassed host-based detection and logging capabilities, the real time network data visibility provided by NDR can be of tremendous help in detecting such attacks.
With SIRP and Lastline integration, security teams can create SIRP playbooks to automate their response to network alerts by leveraging Lastline Defender’s response functions. These playbooks help analysts enrich their investigative data, perform threat hunting activities, gather threat intelligence, and execute forensic investigations through sandboxing.
Use Case 1: Malicious Email Investigation and Response
Consider an example in which SIRP received a malicious email alert from Lastline containing potentially malicious SHA-1 hash and URLs. Based on the predefined rules, SIRP automatically executes a playbook. The playbook fetches the hash and URL reputation from various sources including VirusTotal, AlienVault OTX, and IBM Xforce, etc.
After ingesting the Artifacts, the playbook is set to perform the following actions:
IF the Artifacts contain URL(s):
- Get the URL Reputation from VirusTotal
- IF URL’s reported score is greater than 7 then:
- Change Severity to “High
- Change Disposition to “Incident”
- Block the malicious URL on Firewall
- Send Email notifications
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
IF the Artifacts contain Hash(es):
- Get the Hash Reputation from VirusTotal
- IF URL’s reported score is greater than 7 then:
- Change Severity to “High
- Change Disposition to “Incident”
- Assign investigative tasks to L2 analyst
- Push malicious Hash to the EDR
- Send Email notifications
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
Use Case 2: Malicious File Investigation and Response
Let’s consider another example in which the security analyst found a maliciou file that he wants to investigate and perform remedial actions. The analyst would attach the malicious file in the Evidence of an alert and then execute the “Lastline Malicious File investigation” playbook.
Let’s review how this SIRP playbook is set to function:
The purpose of this simple playbook is twofold:
- Check if the file is malicious
- If it is malicious then Initiate response actions
Once the playbook is executed either manually or automatically, it is set to perform following actions:
- Submit File for analysis to Lastline
- Check the file scan results returned from Lastline. IF the reported “score” is greater than 5, then:
- Push the file Hash to EDR
- Send email notifications to relevant parties
- ELSE IF the reported “score” from Lastline is less than or equal to 5, then
- Get Hash reputation from VirusTotal
- Check IF the reported score is greater than or equal to 5. If Yes, then:
- Push the file Hash to EDR
- Send email notifications to relevant parties
- ELSE:
- Change Priority to “Low”
- Change alert Status to “Close”
Apart from just pushing the Hash to EDR, analysts can also proactively hunt for the hash in the network by initiating scans through EDR. And if that hash is found, then it can be either deleted or the system itself can be isolated. For example, security analysts can utilize FireEye and SIRP integration for Automated Threat Intelligence and Incident Response for Endpoint Security.
The entire execution and decision flow of the playbook looks something like this:
Benefits
The key benefits that can be realized out of this integration are:
- Proactive monitoring and response by leveraging best of both products i.e. NDR capabilities of Lastline Defender and automation capabilities of SIRP.
- Reduced MTTD and MTTR
- One window operation
- Automatic execution of response actions
- Automatic updates to the EDR threat library for future monitoring
- Correlate the data ingested from Lastline Defender and other security technologies as well as organizational risks, asset importance, threat intelligence, and vulnerabilities.
