Secdo automates alert investigation with preemptive incident response  

The company says its platform cuts incident response by correlating alerts with endpoint forensic data, revealing the attack chain, root cause and damage assessment

alert hacking threat detected
Thinkstock

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

“We don’t receive enough alerts in our security operations center,” said no security analyst ever. The fact is, most SOC teams are overwhelmed with security alerts and they must prioritize which ones to investigate. Many alerts are simply ignored for lack of resources, yet quite often after a data breach it turns out there was an alert pointing at the breach early on.

In the case of one prominent breach at a major retailer a few years ago, many sources report that a FireEye tool generated an alert confirming that malicious software showed up on a company system. Because so many of those particular alerts were false positives, it was ignored, which subsequently led to one of the largest and most costly retail data breaches in history.

Enterprise organizations generate many thousands and sometimes millions of alerts every day, and many of them point at network endpoints. However, security analysts don’t have continuous visibility into endpoints; they don’t know what is happening on every device at any given time. If an incident happens and the enterprise SIEM generates an alert, there is little context about the event to help the analyst conduct an investigation. In this environment, it can take days, weeks or even months to determine what happened.

The founders of Secdo are experienced SOC analysts, having been responsible for investigating incidents for major companies and government agencies. Dissatisfied with the investigation and response tools available to help them do their jobs, they set out to create a new kind of tool that automates much of what a security analyst has to do. The result is the Secdo Platform.

Most cybersecurity solutions focus on the prevention and/or detection phases of incidents. These stages are certainly important for generating alerts, but once the SOC has those alerts, these tools typically offer little in terms of automating the incident validation and response. Consequently, this is where analysts devote most of their time and effort. The Secdo Platform aims to fill the need in the final phase, the incident response phase.

Secdo says its solution starts by recording everything that takes place on all of an organization’s servers and endpoints all the time, similar to a video surveillance camera that never shuts off. By virtue of an agent on each device, every action is recorded, regardless of whether there is a threat. This preemptive forensic evidence is sent to a centralized server where it is retained for hundreds of days. The data provides context around events that are detected by other security solutions, like a SIEM.

The Secdo Platform connects to the organization’s SIEM and other detection devices to continuously receive alerts, where they are correlated with the forensic evidence via a patented analysis technology developed by Secdo called a “causality engine.” This engine builds the story around alerts using the data recordings from the endpoints and servers. Secdo says this is best explained with an example.

A SIEM generates an alert that indicates a computer assigned to an admin attempted to communicate with a blacklisted Chinese IP address. Fortunately, the organization’s Check Point firewall detected this communication and blocked it from going through.

In the Secdo Platform, the analyst can search on the Chinese IP address and ask questions about it. For example, by asking who or what communicated with that IP, he discovers an application called CALC.EXE did. It doesn’t make sense that a calculator program would communicate with China.

Going deeper, the analyst pivots the data to see what files on the network were accessed by this program CALC.EXE. It turns out the program read all the files on the administrator’s desktop. Now it is known there is this process called CALC.EXE impersonating the Windows calculator, communicating with China and reading internal files. This is bad.

The analyst can continue to investigate manually using the information in the Secdo Platform, or choose a more automated approach (see graphic). This is known as the forensic timeline. Some of the data came from other vendors (i.e., Check Point, Microsoft) and the rest of the data was collected by Secdo from the endpoints or servers. It’s worth noting that the only information the SIEM would provide is the alert about the failed outreach to the Chinese server.

secdo SECDO

The forensic timeline of an alert

With the Secdo Platform, the analyst has access to all recorded activity correlated to this alert, including activity that took place prior to the outreach to the Chinese IP address. The graphic display reveals the attack chain, root cause, entities involved and damage assessment.

In this story, a user called SECDO-SUPPORT\admin browsed a website called pr-news.cn, and downloaded a presentation called rsa conference 2016 ticket.ppsx, which is probably infected because that presentation installed CALC.EXE on the user’s computer. Next the program CALC.EXE tried to communicate with the Chinese IP, hence triggering the Check Point alert.

The first thing the malicious CALC.EXE did was kill the antivirus to prevent being detected. Then the malware created persistency to make sure it survives the computer being restarted. After the blocked outreach to the Chinese IP, the malware kept working. It read the documents on the admin’s computer and sent those documents to a U.S.-based IP that was not blocked by any proxy or firewall. This action managed to evade the Check Point firewall rules. Then the malware started port scanning to do lateral movements and infect other hosts.

Everything shown here is how the Secdo Platform automatically does the investigation. The next step is rapid response enabled by a variety of responder features that function like a virtual tier 3 or tier 4 analyst.

The company says the platform provides for remote containment and remediation of actual threats on any host without the expensive and time-consuming reimaging that is prevalent today. Security analysts and IT can remotely view, retrieve, assess, isolate, contain and delete individual processes and threads on any host from a single pane of glass.

The Secdo Platform enables organizations to attend to more alerts than humans alone can get to because it does the investigation, validation and response work for them, and in less time. SOCs can operate with fewer analysts and less skill and expertise in the remediation process. This helps organizations scale their SOCs and reduce risk by responding to and resolving alerts much more quickly.  

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT