Powerful Threat Detection and Response with a Combination of XDR and SOAR
September 19, 2021Behind the Rise of the Million Dollar Zero-Day Market
December 13, 2021SIRP and ThreatQuotient - Extended Detection and Response with Contextualized Intelligence
An XDR (Extended Detection and Response) platform is currently the most sought-after cybersecurity solution since Gartner called it the Number 1 Security and Risk Trend for 2021. It is defined as a solution that “automatically collects and correlates data from multiple security products into a single incident for increased detection and response efficiency and accuracy.”
SIRP XDR improves upon this definition by integrating with disparate solutions, tools, and systems and unifying them to put forth a single risk-based detection and response ecosystem. SIRP integrates with various threat intelligence platforms and feeds for enhanced detection, investigation, and response — that much we know. But to stand apart from the rest, we must go beyond, and this is where ThreatQuotient comes into play.
ThreatQ enhances SIRP XDR's capability to effectively automate playbooks and provides actionable intelligence that boosts the speed, relevance, and breadth of detections. What does this entail? It means that SIRP, with ThreatQ, integrates with both internal and external data and sources for faster response and automation of manual tasks. By aggregating, prioritizing, and scoring threat intel through SIRP Security Score (S3) and ThreatQ, SIRP is able to provide relevant and prioritized data and automate processes to take the right next steps in your threat intelligence lifecycle.
Integration between SIRP and ThreatQuotient ensures that the automated playbooks don’t automate noise - as the noise gets amplified with continuous repetition. It means that the threat intel from ThreatQ is contextual, relevant, and high priority, and in turn, reduces the redundant playbook runs so that fewer resources are utilized, and the efficiency and effectiveness of SIRP improves.
Integration Features
Challenge
Organizations use at least 10 to 15 external and internal feeds in their environment. These include various government, financial sector, security vendors, open and commercial feeds, and sources. It is critical to take advantage of these multiple threat feeds and map it to the organization's risk to construct a well-structured defense and response strategy. Therein lies the issue; security solutions work in silos and are unable to connect and combine the data from disparate sources into one single platform. The processes and playbooks are also run redundantly without any enhancement.
Solution
SIRP and ThreatQ aggregate internal and external data, normalize it from multiple sources, languages, and formats to a single entity, enrich the data with related and linked intel, prioritize them for relevance and to filter out unnecessary data, and translate it into an intelligible and unified source. Not only does this improve the detection and response capabilities of the XDR, but it also allows the team and analysts to collaborate and correspond to threats. A single incident becomes easier to investigate when its history and similar attacks are clearly visible to an analyst.
Use Case 1: Incident Enrichment
In the following instance, SIRP ingests malicious indicators of compromise (hashes and URL) from ThreatQ. The automatic playbooks are executed where the reputation of the hashes are checked from various sources including VirusTotal, AlienVault OTX, and IBM Xforce, etc. After ingesting the Artifacts, the playbook is set to perform the following actions:
The following Artifacts are ingested:
- Email Address
- IP information
- Domain Information
- URL Information
- Malicious Files
- IF email’s reported score is greater than 7 then:
- Change Severity to “High”
- Change Disposition to “Incident”
- Block the malicious URL on Firewall
- Send Email notifications to Analysts
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
- IF IP’s reported score is greater than 7 then:
- Change Severity to “High”
- Change Disposition to “Incident”
- Block the malicious URL on Firewall
- Send Email notifications to Analysts
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
- IF domain’s reported score is greater than 7 then:
- Change Severity to “High”
- Change Disposition to “Incident”
- Block the malicious URL on Firewall
- Send Email notifications to Analysts
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
- IF URL’s reported score is greater than 7 then:
- Change Severity to “High”
- Change Disposition to “Incident”
- Block the malicious URL on Firewall
- Send Email notifications to Analysts
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
- IF File’s reported score is greater than 7 then:
- Change Severity to “High”
- Change Disposition to “Incident”
- Block the malicious URL on Firewall
- Send Email notifications to Analysts
- ELSE:
- Change Alert Priority to “Low”
- Change Status to “Closed”
The actual playbook in SIRP is shown below:
Use Case 2: Sharing Real-time Threat Intel Across Security Controls
In this next example, threat feeds are ingested to SIRP from ThreatQ. These actionable Indicators of Compromise (IoCs) are added to a security platform, like SIEM, EDR, Firewall, etc. If the reported score is higher than 5, then the hashes are blocked at the EDR. If the analyst detects a score higher than 7, then the indicators and hashes are blocked at the firewall. The threat intelligence summary and information on the hashes is also shared inside the organization.
Here’s how the SIRP playbook plays out:
Once the playbook is executed either manually or automatically, it is set to perform following actions:
- The threat feeds are ingested from ThreatQ:
- IF the reported “score” is greater than 5, then:
- Push the file Hashes to EDR.
- Send email notifications to relevant parties.
- ELSE IF the reported score greater than 7, then
- Push the file Hashes to the Firewall.
- Send email notifications to relevant parties.
Benefits
- Consolidated view of threats, indicators, and vulnerabilities in extensive detail with related incidents.
- Immense offloading of resources with a reduction in repetitive tasks.
- Access to multiple security platforms and services under one umbrella.
- Facilitation in collaboration with easy view and management within the team.
- Reduced MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond).
- Playbook automation with reduced noise.
