SECDO Investigation and
Response Platform
While today’s security teams are inundated with alerts, they lack the intelligence and automation
that are necessary for a rapid investigation and response. The SECDO Platform instantly visualizes
the forensic timeline for any alert or suspicious behavior, and provides unique investigation tools
that enable hunters and first responders to drill-down on 100 days of endpoint and server events
in seconds. SECDO provides unmatched, thread-level visibility into every endpoint on the network
along with patented causality analysis so you can accurately validate alerts, investigate threats, and
remediate with precision.
www.sec.do
Too Much Noise, Not Enough Information
The growing number of prevention and detection systems deployed at a typical enterprise has
created a flood of alerts, events and logs. Each new system that we deploy promises to be the
magic bullet that blocks or detects intruders and malware with total accuracy. But the reality is
that most of the time, these solutions pass the buck in the form of alerts that must be
investigated by a trained expert.
Since so many alerts are false positive, analysts are spending a large part of their time on validation.
The irony is that despite the overflow of alerts and events in the SIEM, once you have identified a
genuinely suspicious behavior and want to get to the bottom of the incident, you often lack the
information you need for a thorough investigation.
Investigating alerts and suspicious behaviors has become a complex, time-consuming process
that often involves hours or even days of data retrieval and analysis. Much time is wasted on false
alarms, and even worse – real breaches go undetected. The breaches at Target and at the US OPM
are just two headline-grabbing examples of breaches that were flagged by detection systems, but
not investigated on time.
To stop breaches as quickly as possible and slash the time wasted on false positives, security
operations teams need a better solution for validating alerts, investigating incidents across the
enterprise, and remediating quickly. The SECDO Investigation and Response platform is
designed to:
Simplify security investigations and increase productivity for the entire SOC team
Improve the quality and accuracy of investigations with forensic analysis of suspicious
behaviors based on complete data
Reduce alert fatigue with automatic validation of alerts to identify false positives
Accelerate remediation with an accurate impact analysis that indicates exactly what steps
need to be taken to block a threat and remove its trail
Provide long-term visibility into all activity on every endpoint and server so there is never
a blind spot in your investigation
www.sec.do
1
Automating Alert Investigation and Validation
The SECDO platform plays an integral role in the Security Operations Center by automating
validation and investigation of SIEM alerts. The SECDO platform enriches alerts from other systems
with detailed endpoint and server data to provide the full context. Using a patented Causality
Engine, SECDO elicits the connections between alerts and endpoint OS-level events and
automatically determines whether it is a suspicious behavior or a false positive.
For example, consider the Suspicious Query alerts in the illustration below. They involve the same
suspicious query to a CC table and appear to be identical. In each case, SECDO enriched the alert
with OS-level events from the affected endpoints and performed causality analysis to determine
the cause and effect timeline. In the first example, SECDO detected human use of a computer
and both the SAP Web GUI and standard DB Query Module, so this alert is a false positive.
Physical Activity
SAP Application
DB Query Module
Database
Suspicious query from CC Table
Visible GUI
In the second example, SECDO determined that there was no human using the endpoint, which
immediately suggests malware. That suspicion is confirmed by additional events: the SAP
Application isn’t invoked, the query does not come through the standard module, and an external
connection is invoked without a human user. So this alert is automatically flagged as a
suspicious behavior.
No Physical Activity
Explorer.EXE
Unknown Module
Database
Suspicious query from CC Table
No GUI
External Connection
The SECDO platform is integrated with several leading SIEM platforms and accepts any third-party alert as a
lead and for automatic validation.
www.sec.do
2
Deep Endpoint and Server Visibility
Today it’s clear that despite the massive amount of log information that IT systems are generating,
Security Operations teams simply do not have enough information about endpoint and server
activity. The only way to understand the full context of an alert like the suspicious query above is to
see the chain of events that both preceded and followed it. The challenge is increased by several
orders of magnitude when a breach is verified and it’s time for forensic analysis and cleanup.
SECDO’s OS Mirroring™ technology proactively records all endpoint events necessary to recreate
the attack chain, down to thread-level (sub-process) resolution and over time. More than 70% of
advanced malware injects code multiple times, so this resolution is essential. For example, if
malware injects code into Internet Explorer, OS Mirroring will capture all of the threads and all of
the actions they execute, over time. Using this detailed breakdown the Causality Engine can then
determine which threads and actions are malicious, and which ones are not.
www.sec.do
3
OS Mirroring is optimized for performance with a very lightweight agent/driver and data harvesting
technology that processes, transfers and stores the information efficiently for up to 100 days. The
technology is architected to scale up to tens of thousands of agents.
Some of the many events that SECDO collects include:
File system activity
Registry activity
Network activity
Memory activity
Thread (sub-process)
resolution
Hardware activity
User activity
www.sec.do
4
3-Dimensional Incident Investigation
Investigation has become the bottleneck in the incident response lifecycle. While focusing on
detection, security vendors have neglected the process that is taking up the lion’s share of
analysts’ time.
SECDO has developed several unique technologies to automate and accelerate the investigation
process while improving overall accuracy. SECDO synthesizes SIEM alerts with thread-level
endpoint events to provide a 3-dimensional forensic timeline of any suspicious behavior. Analysts
can drill down on 100-days of endpoint and server data and use visual query tools to pivot on any
piece of data in order to understand the true scope of the incident.
For example, in this case, the SIEM is showing a group of alerts from Check Point about a
suspicious IP address for a site in China.
www.sec.do
5
When we click on the alert in the SIEM, SECDO's alert history opens and shows the chain of events
that that were involved in making this connection. The alert history on the left shows that Michelle
simply opened a browser and accessed the Chinese news site. It's a false positive.
The alert history on the right shows that the incident started with John. He opened an email
attachment that infected the computer with malware that contacted the Chinese server. Over
100MB of data was exfiltrated. SECDO gave the alert a risk score of 100 since it is clearly a threat.
False Positive
www.sec.do
Real Threat
6
Accurate Remediation Based on Proactive Forensics
Gathering information for forensic analysis is so time-consuming and labor intensive that it
inevitably delays the remediation of a breach. Because the SECDO platform continuously collects
detailed endpoint and server activity and typically saves it for 100 days (the actual number is
configurable), all of the information that is usually needed is already on hand and easily navigated
with the 3-dimensional visualization and query tools.
During the investigation process, the SECDO platform automatically derives the forensic timeline of
any suspicious behavior or cross-enterprise incident, and uses that intelligence to create a very
specific remediation plan which removes the traces of the breach on affected endpoints and
servers and closes potential attacks vectors with as little user impact as possible. The plan can be
submitted to a ticketing system or launched automatically from the SECDO platform. SECDO’s
IceBlock remediation capabilities can suspend processes in memory, quarantine files and
revert OS changes.
www.sec.do
7
The SECDO Advantage
The SECDO platform combines alert validation, interactive visual investigation, and automated
remediation to transform the way security operations centers work. With SECDO, SOC teams at
both enterprises and service providers can finally visualize the attack chain timeline and drill down
to immediately understand the “who, what, where, when and how” behind the incident. Based on
an analysis of exactly how endpoints were compromised, SECDO slashes the time spent on forensic
analysis and enables surgical remediation with minimum user impact.
See for yourself
Contact us to schedule a demo of the SECDO Platform.
www.sec.do/get-a-demo
+972 9 894 4904
|
support@sec.do |
+1 917 338 227
www.sec.do
© 2016 Cyber Secdo Ltd. All rights reserved. SECDO is a trademark of Cyber Secdo Ltd.
www.sec.do
8