Trend Micro and SIRP - Automated Incident Response for Endpoint Security

With the alarming number of security alerts being reported on endpoints, it has become pertinent for the security teams to utilize orchestration and automation tools to respond to large volume of repetitive alerts. Manually responding to endpoint protection solution alerts and remediating the issues on the endpoints with the coordination of asset owners and helpdesk teams is no easy feat.

Trend Micro Apex One™ solves this problem for users by providing a web-based console to manage endpoints and ensure up-to-date protection throughout the infrastructure. Now Trend Micro customers can use SIRP’s security orchestration and automation capabilities with Apex Central to respond from a unified console.

Integration Features

Run an effective incident response cycle using Apex Central alerting combined with SIRP risk-based SOAR capabilities.
Lookup malicious files and indicators in your endpoints using Trend Micro Apex Central and SIRP integration, either in real-time or as a playbook action.
Upload Yara rules and IOCs from Threat Intelligence to Apex Central using SIRP playbooks. Leverage several other SIRP integrations to enrich Trend Micro alerts data and coordinate response across security functions.

Challenge

Endpoints being one of the major part of a corporate infrastructure need to be protected vigilantly. Any malicious endpoint, if not handled timely, can be a potential entry point for a cyber attack on the entire organization. Thus, it is critical to orchestrate endpoint protection by utilizing multiple security controls and processes vital to the overall security posture.

Solution

Security teams can automate their response to endpoint alerts received from Trend Micro Apex Central by creating playbooks in SIRP. These playbooks help analysts with enriching their investigative data, threat hunting, and endpoint remedial actions.

Consider an example in which the alert ingested from Trend Micro Apex Central has a SHA-1 hash. SIRP automatically parses all the artifacts received in an alert and then executes a playbook. The playbook fetches the hash reputation from VirusTotal as can be seen in the following screenshot.

After getting the Hash Analysis Report, the playbook is set to change the disposition of alert to incident and increase the severity of the incident to High if the hash is reported by 10 or more malware engines. Furthermore, the playbook supports following actions to ensure that the malicious activity is contained:

Isolate an agent (endpoint)
Restore an agent (endpoint)
Get specific agent (endpoint) details
Create and run scan
Add a Hash, IP or URL to blacklist

Further, after completing the containment actions, an email notification is sent to all the relevant users (defined in the playbook).

The entire execution and decision flow of the playbook looks something like this:

The actual playbook in SIRP is shown below:

Benefit

Analysts can gain a holistic view of their organization’s security posture by leveraging Trend Micro Apex actions and 100s of other integrations available in SIRP. Other than orchestrating and automating comprehensive enrichment and endpoint protection processes, analysts can also correlate the data ingested from other security technologies as well as organizational risks, asset importance, threat intelligence, and vulnerabilities.