Seamless Orchestration and Workflow
Threat Response orchestrates several key phases of the incident response process.
It ingests security alerts from multiple security tools; collects context, target history and threat intelligence from internal and external sources; and collects and analyzes endpoint forensics.
Using all of this information, it automates workflows and response actions: it builds lists and objects for enforcement and activates quarantine and containment actions. You can measure the effectiveness of your incident response with auto-generated reports detailing key performance indicators at every stage.
All orchestration is performed through an integrated central console that connects to security alert sources, as well as built-in enforcement and quarantine tools. The integrated design provides an at-a-glance view of the incident response process for real-time visibility.
All collection, comparisons, and analysis by the platform are performed automatically. This means increased efficiency, enabling incident responders to quickly and accurately review key details, make a decision, and take action. Quarantine and containment actions operate at an automation level you choose. You might set workflows to automatically trigger firewall updates in some cases while building a simple block list for change control in other cases.
Forensic Collection and IOC Verification
No matter how elusive the malware, infections often leave behind telltale signs on endpoints. These are known as indicators of compromise (IOC). Threat Response automatically confirms malware infections with built-in IOC verification.
These IOCs can include:
File system changes
Web page history
When a security alert reports that a system has been targeted with malware, Threat Response automatically deploys an endpoint collector to pull forensics from the targeted system. This data is compared against a database of known IOCs to quickly confirm whether the system shows IOCs related to the current attack. Teams also gain visibility into IOCs from previous attacks that were never completely resolved. This built-in infection verification can save hours per incident and dramatically reduces the false positives that lead to needless reimaging and backup-restoration cycles. The endpoint forensic collectors deploy on demand to systems suspected of being infected, run temporarily in memory, and uninstall themselves when finished.
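The verification step above, as an added illustration in Python (this is not Proofpoint's code and does not reflect how the product stores or matches IOCs): collected endpoint artifacts are flattened into observables and looked up in a known-IOC database keyed by campaign, so the responder can distinguish an infection from the current attack, leftovers of an earlier one that was never fully remediated, and a host with no matches at all (the false-positive case that would otherwise trigger a reimage). The campaign names, hashes, paths, domains and addresses are all constructed for the example; the hashes are digests of made-up strings, not real samples.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed IOC database: (indicator type, value) -> campaign the indicator
# is attributed to. Domains use the reserved .example TLD; the IP is from a
# documentation range; hashes are digests of made-up strings.
IOC_DB = {
    ("file_sha256", sha256_hex(b"constructed dropper, campaign A")): "CAMPAIGN-A",
    ("domain", "update-check.example"): "CAMPAIGN-A",
    ("ip", "198.51.100.23"): "CAMPAIGN-A",
    ("file_path", r"C:\Users\Public\svch0st.exe"): "CAMPAIGN-B",
    ("domain", "cdn-static.example"): "CAMPAIGN-B",
}


@dataclass
class Forensics:
    """Artifacts a temporary endpoint collector would bring back (constructed shape)."""
    file_hashes: dict = field(default_factory=dict)      # path -> sha256 hex
    browser_history: list = field(default_factory=list)  # URLs visited
    connections: list = field(default_factory=list)      # (remote_ip, remote_port, state)


def normalize(forensics: Forensics) -> set:
    """Flatten raw artifacts into (type, value) observables for lookup."""
    observables = set()
    for path, digest in forensics.file_hashes.items():
        observables.add(("file_sha256", digest.lower()))
        observables.add(("file_path", path))
    for url in forensics.browser_history:
        host = urlparse(url).hostname  # urlparse lowercases the host
        if host:
            observables.add(("domain", host))
    for remote_ip, _port, _state in forensics.connections:
        observables.add(("ip", remote_ip))
    return observables


def verify_infection(forensics: Forensics, alert_campaign: str):
    """Return (verdict, hits); hits maps campaign -> list of matched observables.

    confirmed        : IOCs of the campaign named in the alert are present
    prior_unresolved : only IOCs from some other (earlier) campaign are present
    not_confirmed    : nothing matched; the alert is likely a false positive
    """
    hits = {}
    for observable in normalize(forensics):
        campaign = IOC_DB.get(observable)
        if campaign:
            hits.setdefault(campaign, []).append(observable)
    if alert_campaign in hits:
        verdict = "confirmed"
    elif hits:
        verdict = "prior_unresolved"
    else:
        verdict = "not_confirmed"
    return verdict, hits


# Constructed collector output for three hosts named in a CAMPAIGN-A alert.
HOST_TARGETED = Forensics(
    file_hashes={r"C:\Users\bob\AppData\Local\Temp\inv.exe":
                 sha256_hex(b"constructed dropper, campaign A")},
    browser_history=["https://update-check.example/v2/ping"],
    connections=[("198.51.100.23", 443, "ESTABLISHED")],
)
HOST_LEFTOVER = Forensics(
    file_hashes={r"C:\Users\Public\svch0st.exe": sha256_hex(b"unrelated binary")},
    browser_history=["https://intranet.corp.example/"],
)
HOST_CLEAN = Forensics(
    file_hashes={r"C:\Windows\notepad.exe": sha256_hex(b"benign")},
    browser_history=["https://intranet.corp.example/"],
    connections=[("10.0.0.5", 445, "ESTABLISHED")],
)

if __name__ == "__main__":
    for name, host in [("targeted", HOST_TARGETED), ("leftover", HOST_LEFTOVER), ("clean", HOST_CLEAN)]:
        verdict, hits = verify_infection(host, "CAMPAIGN-A")
        print(f"{name}: {verdict} {sorted(hits)}")
```

The point of keying the database by campaign is the second verdict: a host that only carries CAMPAIGN-B artifacts should not be counted as confirming today's alert, but it is exactly the "previous attack not completely resolved" case that deserves its own ticket rather than being lumped in or ignored.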
Context and Situational Awareness
Many security alerts lack the critical information required to determine the context of a threat and the steps to follow. Threat Response automatically enriches security alerts by collecting important internal and external context, intelligence, and data to create an actionable view for each alert. With this insight, security teams can quickly understand, prioritize, and respond to security threats.
With Threat Response, security teams can quickly answer questions such as:
Which users are under attack?
Have the affected users been infected before?
To what department or group do the affected users report?
Do any of the affected systems contain indicators of a successful attack?
Has this attack been seen before in our environment or elsewhere?
Where is the attack coming from, and where are the command-and-control (C&C) nodes located?
Does the browser or connection history contain anything unusual, such as visits to a suspect website, or open connections to C&C servers?
Easy Quarantine and Containment
Threat Response integrates with your current security infrastructure tools to block verified threats, quarantine infected users, and protect other users by stopping the infection’s spread.
For example, Threat Response can update targeted users’ Active Directory group memberships to:
Restrict access to file-sharing websites
Control VPN access
Update network access control (NAC) and application control systems
The ability to update block lists on enforcement tools protects you by restricting access to web pages and URLs through web filters. You can allow or deny network connections to compromised "watering-hole" sites and to criminal domains and hosts.
Emails that have malicious attachments can be moved to a safe area at any time, even after they have been delivered. This removes the risk of your people clicking the attachments again.
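Turning verified indicators into enforcement objects, and applying the automation level you choose per action type (firewall and web-filter updates applied automatically, Active Directory quarantine staged for change control), as an added Python example that is not Proofpoint's code. It also shows the check a practitioner wants in front of any automated blocking: indicators that fall inside internal ranges or under the organisation's own domains are skipped rather than pushed to the firewall, because an IOC feed that carries a shared CDN host or an internal relay would otherwise let the automation cut off your own users. The policy table, the allowlist, the quarantine group name and all indicator values are assumptions constructed for the example.

```python
import ipaddress

# Hypothetical automation policy: "auto" actions are pushed to the enforcement
# tool immediately, "review" actions are only written to a change-control queue.
POLICY = {
    "firewall_block_ip": "auto",
    "webfilter_block_domain": "auto",
    "ad_group_quarantine": "review",
}

# Constructed never-block lists for the example environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWLISTED_DOMAINS = {"corp.example"}  # the organisation's own domain (constructed)


def classify(indicator: str):
    """Return ("ip", ip_address) or ("domain", normalized_name)."""
    try:
        return "ip", ipaddress.ip_address(indicator)
    except ValueError:
        return "domain", indicator.lower().rstrip(".")


def safe_to_block(kind, value) -> bool:
    """Refuse to block internal addresses or anything at/under an allowlisted domain."""
    if kind == "ip":
        return not any(value in net for net in INTERNAL_NETS)
    labels = value.split(".")
    return not any(".".join(labels[i:]) in ALLOWLISTED_DOMAINS for i in range(len(labels)))


def build_actions(verified_indicators, targeted_users):
    """Turn verified IOCs and targeted users into enforcement objects."""
    actions = []
    for indicator in verified_indicators:
        kind, value = classify(indicator)
        if not safe_to_block(kind, value):
            actions.append({"type": "skipped", "target": str(value),
                            "reason": "internal or allowlisted"})
            continue
        action_type = "firewall_block_ip" if kind == "ip" else "webfilter_block_domain"
        actions.append({"type": action_type, "target": str(value)})
    for user in targeted_users:
        # Hypothetical AD group whose membership removes VPN and file-share access.
        actions.append({"type": "ad_group_quarantine", "target": user,
                        "group": "Quarantine-NoVPN-NoFileShare"})
    return actions


def route(actions):
    """Split actions into (auto-applied, staged for change control, skipped)."""
    auto, review, skipped = [], [], []
    for action in actions:
        if action["type"] == "skipped":
            skipped.append(action)
        elif POLICY[action["type"]] == "auto":
            auto.append(action)
        else:
            review.append(action)
    return auto, review, skipped


if __name__ == "__main__":
    # Constructed verified indicators from a confirmed incident, plus one
    # internal address and one corporate host that must not be blocked.
    indicators = ["198.51.100.23", "Update-Check.example.", "10.20.30.40", "files.corp.example"]
    auto, review, skipped = route(build_actions(indicators, ["bob@corp.example"]))
    for label, bucket in (("apply now", auto), ("change control", review), ("skipped", skipped)):
        print(label, [a["target"] for a in bucket])
```

The suffix walk in safe_to_block is deliberate: matching only the exact allowlisted name would still let "files.corp.example" through to the web filter.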