SECDO Investigation and Response Platform

While today's security teams are inundated with alerts, they lack the intelligence and automation necessary for rapid investigation and response. The SECDO Platform instantly visualizes the forensic timeline for any alert or suspicious behavior, and provides investigation tools that let hunters and first responders drill down into 100 days of endpoint and server events in seconds. SECDO provides thread-level visibility into every endpoint on the network, along with patented causality analysis, so you can accurately validate alerts, investigate threats, and remediate with precision.

www.sec.do

Too Much Noise, Not Enough Information

The growing number of prevention and detection systems deployed at a typical enterprise has created a flood of alerts, events and logs. Each new system promises to be the magic bullet that blocks or detects intruders and malware with total accuracy. In reality, most of the time these solutions pass the buck in the form of alerts that must be investigated by a trained expert. Because so many alerts are false positives, analysts spend a large part of their time on validation.

The irony is that, despite the overflow of alerts and events in the SIEM, once you have identified a genuinely suspicious behavior and want to get to the bottom of the incident, you often lack the information needed for a thorough investigation. Investigating alerts and suspicious behaviors has become a complex, time-consuming process that often involves hours or even days of data retrieval and analysis. Much time is wasted on false alarms and, worse, real breaches go undetected. The breaches at Target and at the US Office of Personnel Management (OPM) are two headline-grabbing examples of intrusions that were flagged by detection systems but not investigated in time.
To stop breaches as quickly as possible and slash the time wasted on false positives, security operations teams need a better way to validate alerts, investigate incidents across the enterprise, and remediate quickly. The SECDO Investigation and Response platform is designed to:

- Simplify security investigations and increase productivity for the entire SOC team
- Improve the quality and accuracy of investigations with forensic analysis of suspicious behaviors based on complete data
- Reduce alert fatigue by automatically validating alerts and identifying false positives
- Accelerate remediation with an accurate impact analysis that indicates exactly which steps are needed to block a threat and remove its traces
- Provide long-term visibility into all activity on every endpoint and server, so there is never a blind spot in an investigation

Automating Alert Investigation and Validation

The SECDO platform plays an integral role in the Security Operations Center by automating the validation and investigation of SIEM alerts. It enriches alerts from other systems with detailed endpoint and server data to provide full context. Using a patented Causality Engine, SECDO identifies the connections between an alert and OS-level events on the endpoint, and automatically determines whether the alert represents suspicious behavior or a false positive.

For example, consider the two Suspicious Query alerts in the illustration below. Both involve the same suspicious query against a CC table and appear identical. In each case, SECDO enriched the alert with OS-level events from the affected endpoint and performed causality analysis to establish the cause-and-effect timeline. In the first example, SECDO detected a human user at the endpoint and saw the query issued through both the SAP Web GUI and the standard DB Query Module, so the alert is a false positive.
[Figure: causal chain for the first alert: Physical Activity -> SAP Application -> DB Query Module -> Database (Suspicious query from CC Table), with a visible GUI]

In the second example, SECDO determined that no human was using the endpoint, which immediately suggests malware. That suspicion is confirmed by additional events: the SAP Application is not invoked, the query does not come through the standard module, and an external connection is opened without a human user. This alert is therefore automatically flagged as suspicious behavior.

[Figure: causal chain for the second alert: No Physical Activity -> Explorer.EXE -> Unknown Module -> Database (Suspicious query from CC Table), no GUI, plus an External Connection]

The SECDO platform is integrated with several leading SIEM platforms and accepts any third-party alert as a lead for automatic validation.

Deep Endpoint and Server Visibility

Today it is clear that, despite the massive amount of log data IT systems generate, Security Operations teams simply do not have enough information about endpoint and server activity. The only way to understand the full context of an alert like the suspicious query above is to see the chain of events that both preceded and followed it. The challenge grows by orders of magnitude once a breach is confirmed and it is time for forensic analysis and cleanup.

SECDO's OS Mirroring™ technology proactively records all endpoint events needed to recreate the attack chain, down to thread-level (sub-process) resolution and over time. More than 70% of advanced malware injects code multiple times, so this resolution is essential: if malware injects code into Internet Explorer, OS Mirroring captures all of the injected threads and every action they execute over time. Using this detailed breakdown, the Causality Engine can determine which threads and actions are malicious and which are not.
OS Mirroring is optimized for performance, with a very lightweight agent/driver and data harvesting technology that processes, transfers and stores the information efficiently for up to 100 days. The technology is architected to scale to tens of thousands of agents. Events collected by SECDO include:

- File system activity
- Registry activity
- Network activity
- Memory activity
- Thread (sub-process) resolution
- Hardware activity
- User activity

3-Dimensional Incident Investigation

Investigation has become the bottleneck in the incident response lifecycle. While focusing on detection, security vendors have neglected the process that takes up the lion's share of analysts' time. SECDO has developed several technologies to automate and accelerate the investigation process while improving overall accuracy.

SECDO synthesizes SIEM alerts with thread-level endpoint events to provide a 3-dimensional forensic timeline of any suspicious behavior. Analysts can drill down into 100 days of endpoint and server data and use visual query tools to pivot on any piece of data in order to understand the true scope of the incident.

For example, in this case the SIEM is showing a group of alerts from Check Point about a suspicious IP address for a site in China. When we click on the alert in the SIEM, SECDO's alert history opens and shows the chain of events involved in making this connection. The alert history on the left shows that Michelle simply opened a browser and accessed the Chinese news site: a false positive. The alert history on the right shows that the incident started with John. He opened an email attachment that infected his computer with malware, which then contacted the Chinese server; over 100 MB of data was exfiltrated. SECDO gave this alert a risk score of 100 since it is clearly a threat.
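The two validation walkthroughs above (the SAP CC-table query alerts, and the Check Point alerts traced to Michelle and John) both reduce to the same procedure: walk back from the process that triggered the alert through its parents, check whether a person was at the keyboard at the time, check whether the chain passes through the application expected to generate that kind of activity, and look at what the chain did afterwards. The Python below is an added illustration of that procedure written for this page; it is not SECDO's code and does not reproduce its patented Causality Engine. The event record format, the four indicators and their weights, the 60-point threshold, the 120-second interactivity window, the allowlisted applications and all four scenarios are constructed assumptions, and causality is modelled at process level rather than the thread level the brochure describes.

```python
"""Causality-based alert validation over recorded endpoint events: an added
illustration for this page, not SECDO's code or engine. The event format,
indicators, weights, thresholds, allowlists and scenarios are all assumed."""
import ipaddress
from dataclasses import dataclass

INTERACTIVE_WINDOW = 120        # seconds without keyboard/mouse before an endpoint counts as unattended
EXFIL_BYTES = 50 * 1024 * 1024  # outbound volume from one causal chain treated as exfiltration-sized
SUSPICIOUS_AT = 60              # risk score at or above which the alert is not a false positive
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist: applications expected somewhere in the causal chain of each alert type.
EXPECTED_ORIGIN = {"db_query": {"saplogon.exe"},
                   "external_connection": {"chrome.exe", "firefox.exe", "msedge.exe"}}

@dataclass(frozen=True)
class Event:
    kind: str            # "proc" (process start), "input" (keyboard/mouse), "net", "db_query"
    t: int               # seconds since the recording started
    pid: int = 0
    ppid: int = 0        # parent pid ("proc" only)
    image: str = ""      # executable name ("proc" only)
    dst: str = ""        # destination address ("net" only)
    bytes_out: int = 0   # bytes sent ("net" only)

@dataclass(frozen=True)
class Alert:
    kind: str            # a key of EXPECTED_ORIGIN
    pid: int             # process the alert was attributed to
    t: int

def ancestry(events, pid):
    """Process records from the alerting process up to the root, following ppid links."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen-set guards against pid-reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain

def user_present(events, t, window=INTERACTIVE_WINDOW):
    """True if any keyboard/mouse event fell within `window` seconds before time t."""
    return any(e.kind == "input" and t - window <= e.t <= t for e in events)

def is_external(dst):
    return not any(ipaddress.ip_address(dst) in net for net in RFC1918)

def validate(events, alert):
    """Return (verdict, score, reasons) by walking the alert's causal chain."""
    chain = ancestry(events, alert.pid)
    chain_pids = {p.pid for p in chain}
    outbound = [e for e in events if e.kind == "net" and e.pid in chain_pids and is_external(e.dst)]
    reasons = []  # (explanation, weight)
    if not user_present(events, alert.t):
        reasons.append((f"no interactive user within {INTERACTIVE_WINDOW}s of the alert", 40))
    if not {p.image for p in chain} & EXPECTED_ORIGIN[alert.kind]:
        path = " <- ".join(p.image for p in chain) or f"pid {alert.pid} (no process record)"
        reasons.append((f"causal chain bypasses the expected application: {path}", 30))
    if outbound:
        reasons.append(("outbound connection to " + ", ".join(sorted({e.dst for e in outbound})), 20))
    if sum(e.bytes_out for e in outbound) >= EXFIL_BYTES:
        reasons.append((f"outbound volume exceeds {EXFIL_BYTES >> 20} MiB", 10))
    score = min(100, sum(w for _, w in reasons))
    verdict = "suspicious behavior" if score >= SUSPICIOUS_AT else "false positive"
    return verdict, score, [r for r, _ in reasons]

# Constructed scenarios mirroring the brochure's walkthroughs (not real telemetry).
EXPLORER = Event("proc", 0, pid=4, ppid=1, image="explorer.exe")
SCENARIOS = {
    "sap_query_human": ([EXPLORER, Event("proc", 1, pid=10, ppid=4, image="saplogon.exe"),
                         Event("input", 95), Event("input", 99), Event("db_query", 100, pid=10)],
                        Alert("db_query", 10, 100)),
    "sap_query_unattended": ([EXPLORER, Event("proc", 1, pid=20, ppid=4, image="unknown.exe"),
                              Event("db_query", 100, pid=20),
                              Event("net", 101, pid=20, dst="203.0.113.5", bytes_out=2048)],
                             Alert("db_query", 20, 100)),
    "michelle_browsing": ([EXPLORER, Event("proc", 1, pid=30, ppid=4, image="chrome.exe"),
                           Event("input", 298),
                           Event("net", 300, pid=30, dst="203.0.113.9", bytes_out=4096)],
                          Alert("external_connection", 30, 300)),
    "john_attachment": ([EXPLORER, Event("input", 10),
                         Event("proc", 10, pid=40, ppid=4, image="outlook.exe"),
                         Event("proc", 11, pid=41, ppid=40, image="winword.exe"),
                         Event("proc", 12, pid=42, ppid=41, image="payload.exe"),
                         Event("net", 7300, pid=42, dst="203.0.113.9", bytes_out=110_000_000)],
                        Alert("external_connection", 42, 7300)),
}

def run_scenarios(scenarios=SCENARIOS):
    """Validate every scenario; returns {name: (verdict, score, reasons)}."""
    return {name: validate(events, alert) for name, (events, alert) in scenarios.items()}

if __name__ == "__main__":
    for name, (verdict, score, reasons) in run_scenarios().items():
        print(f"{name}: {verdict} (risk {score})")
        for reason in reasons:
            print("   -", reason)
```

Each verdict is returned together with the indicators that produced it, which is the part an analyst actually needs: a score alone says "suspicious", while the reasons say "unattended endpoint, chain unknown.exe <- explorer.exe bypasses saplogon.exe, connection to 203.0.113.5". Note that the connection indicator fires for Michelle as well; it is the absence of the other three (a person present, a browser in the chain, a small transfer) that makes her alert a false positive, and the presence of all four that pushes John's to 100. Private-address detection is deliberately limited to the RFC 1918 ranges so that documentation addresses such as 203.0.113.x are treated as external.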
[Figure: the two alert histories side by side; left: False Positive, right: Real Threat]

Accurate Remediation Based on Proactive Forensics

Gathering information for forensic analysis is so time-consuming and labor-intensive that it inevitably delays the remediation of a breach. Because the SECDO platform continuously collects detailed endpoint and server activity and typically retains it for 100 days (the retention period is configurable), all of the information usually needed is already on hand and easily navigated with the 3-dimensional visualization and query tools.

During the investigation, the SECDO platform automatically derives the forensic timeline of any suspicious behavior or cross-enterprise incident, and uses that intelligence to create a specific remediation plan that removes the traces of the breach from affected endpoints and servers and closes potential attack vectors with as little user impact as possible. The plan can be submitted to a ticketing system or launched directly from the SECDO platform. SECDO's IceBlock remediation capabilities can suspend processes in memory, quarantine files and revert OS changes.

The SECDO Advantage

The SECDO platform combines alert validation, interactive visual investigation, and automated remediation to transform the way security operations centers work. With SECDO, SOC teams at both enterprises and service providers can visualize the attack chain timeline and drill down to immediately understand the "who, what, where, when and how" behind an incident. Based on an analysis of exactly how endpoints were compromised, SECDO slashes the time spent on forensic analysis and enables surgical remediation with minimum user impact.

See for yourself

Contact us to schedule a demo of the SECDO Platform.
www.sec.do/get-a-demo
+972 9 894 4904 | support@sec.do | +1 917 338 227

© 2016 Cyber Secdo Ltd. All rights reserved. SECDO is a trademark of Cyber Secdo Ltd.