Trend Micro and SIRP - Automated Incident Response for Endpoint Security
With the alarming volume of security alerts raised on endpoints, security teams need orchestration and automation tooling to keep up with the large number of repetitive alerts. Manually responding to endpoint protection alerts and remediating the affected endpoints, in coordination with asset owners and helpdesk teams, is no easy feat.
Trend Micro Apex One™ addresses this by providing, through Apex Central, a web-based console to manage endpoints and keep protection up to date across the infrastructure. Trend Micro customers can now use SIRP's security orchestration and automation capabilities together with Apex Central to respond from a single console.
- Run an effective incident response cycle using Apex Central alerting combined with SIRP's risk-based SOAR capabilities.
- Look up malicious files and indicators on your endpoints through the Trend Micro Apex Central and SIRP integration, either in real time or as a playbook action.
- Push YARA rules and IOCs from threat intelligence to Apex Central using SIRP playbooks, and use SIRP's other integrations to enrich Trend Micro alert data and coordinate response across security functions.
Endpoints, being a major part of any corporate infrastructure, need to be protected vigilantly. A compromised endpoint, if not handled in time, can become the entry point for an attack on the entire organization. It is therefore critical to orchestrate endpoint protection using the multiple security controls and processes that make up the overall security posture.
Security teams can automate their response to endpoint alerts received from Trend Micro Apex Central by creating playbooks in SIRP. These playbooks help analysts enrich investigative data, hunt for threats, and take remedial actions on endpoints.
Consider an example in which the alert ingested from Trend Micro Apex Central contains a SHA-1 hash. SIRP automatically parses all the artifacts received in the alert and then executes a playbook. The playbook fetches the hash's reputation from VirusTotal, as shown in the following screenshot.
Once the hash analysis report is back, the playbook changes the disposition of the alert to incident and raises its severity to High if the hash is flagged as malicious by 10 or more antivirus engines (a threshold defined in the playbook). The playbook then supports the following actions to contain the malicious activity:
- Isolate an agent (endpoint)
- Restore an agent (endpoint)
- Get specific agent (endpoint) details
- Create and run scan
- Add a Hash, IP or URL to blacklist
Finally, after the containment actions complete, an email notification is sent to all relevant users defined in the playbook.
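As an added example (not SIRP or Trend Micro code), the decision flow of the playbook above written out in plain Python. The SIRP artifact parser, the VirusTotal connector and the Apex Central actions are stand-ins: the VirusTotal response shape follows the public v3 /files/{hash} API, the detection counts and alert text are constructed for the example, and the ApexRecorder class only records which Apex Central action would have been called. One caveat the flow handles that the prose leaves implicit: a hash VirusTotal has never seen is not treated as clean, it is kept aside for triage rather than silently dropping below the threshold.

```python
import re
from dataclasses import dataclass

# Added example, not SIRP or Trend Micro code. Connector calls are injected so
# the decision logic runs offline; all sample data below is constructed.

ENGINE_THRESHOLD = 10  # the post's rule: 10 or more engines => incident, severity High

HASH_PATTERNS = {  # \b boundaries stop a SHA-256 from also matching as a SHA-1 or MD5
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha1":   re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "md5":    re.compile(r"\b[0-9a-fA-F]{32}\b"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_artifacts(text: str) -> dict:
    """Pull file hashes and IPv4 addresses out of free-text alert content."""
    found = {"sha256": set(), "sha1": set(), "md5": set(), "ipv4": set()}
    for kind, pat in HASH_PATTERNS.items():
        found[kind].update(h.lower() for h in pat.findall(text))
    found["ipv4"].update(IPV4.findall(text))
    return found


def vt_malicious_count(vt_response: dict):
    """Engines flagging the file in a VirusTotal v3 /files/{hash} response.
    Returns None when VT has never seen the hash (the API answers with an error object)."""
    try:
        return vt_response["data"]["attributes"]["last_analysis_stats"]["malicious"]
    except KeyError:
        return None


@dataclass
class Alert:
    alert_id: str
    agent_guid: str
    text: str
    disposition: str = "alert"
    severity: str = "Medium"


class ApexRecorder:
    """Stand-in for the Apex Central connector: records calls instead of making them."""
    def __init__(self):
        self.calls = []
    def blacklist_hash(self, sha1): self.calls.append(("blacklist", sha1))
    def isolate_agent(self, guid):  self.calls.append(("isolate", guid))
    def run_scan(self, guid):       self.calls.append(("scan", guid))


def run_playbook(alert: Alert, vt_lookup, apex, notify) -> list:
    """Decision flow from the post. vt_lookup(sha1) -> VT-style dict.
    Returns the ordered list of playbook steps taken."""
    steps = []
    arts = parse_artifacts(alert.text)
    if not arts["sha1"]:
        steps.append(("skip", "no SHA-1 in alert"))
        return steps
    hits, unknown = {}, []
    for h in sorted(arts["sha1"]):
        n = vt_malicious_count(vt_lookup(h))
        if n is None:
            unknown.append(h)            # never seen by VT: not evidence of benign
        elif n >= ENGINE_THRESHOLD:
            hits[h] = n
    if not hits:
        steps.append(("triage", "below threshold; unknown=%s" % unknown))
        return steps
    alert.disposition, alert.severity = "incident", "High"
    steps.append(("escalate", alert.alert_id, "High"))
    for h, n in hits.items():            # block the file first, then contain the host
        apex.blacklist_hash(h)
        steps.append(("blacklist", h, n))
    apex.isolate_agent(alert.agent_guid)
    steps.append(("isolate", alert.agent_guid))
    apex.run_scan(alert.agent_guid)
    steps.append(("scan", alert.agent_guid))
    steps.append(("notify", tuple(notify)))
    return steps


EICAR_SHA1 = "3395856ce81f2b7382dee72602f798b642f14140"  # EICAR test file
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # SHA-1 of empty input

# Constructed VT responses: v3 API shape, detection counts invented for the example
FAKE_VT = {
    EICAR_SHA1: {"data": {"attributes": {"last_analysis_stats": {"malicious": 58, "undetected": 12}}}},
    EMPTY_SHA1: {"data": {"attributes": {"last_analysis_stats": {"malicious": 0, "undetected": 70}}}},
}


def fake_vt_lookup(sha1: str) -> dict:
    return FAKE_VT.get(sha1, {"error": {"code": "NotFoundError"}})


if __name__ == "__main__":
    apex = ApexRecorder()
    alert = Alert("ALT-1", "agent-0001",  # constructed alert text
                  "Apex One detected invoice.exe sha1=" + EICAR_SHA1 + " contacting 203.0.113.45")
    for step in run_playbook(alert, fake_vt_lookup, apex, ["soc@example.com"]):
        print(step)
```

Running the block prints the escalate, blacklist, isolate, scan and notify steps for the constructed EICAR alert. The ordering is deliberate: the hash goes to the blacklist before the agent is isolated, so the file is blocked on the other endpoints even if the isolation call fails.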
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
Analysts can gain a holistic view of their organization's security posture by leveraging the Trend Micro Apex Central actions and the hundreds of other integrations available in SIRP. Beyond orchestrating and automating enrichment and endpoint protection processes, analysts can also correlate the data ingested from other security technologies with organizational risks, asset importance, threat intelligence, and vulnerabilities.