Protecting our sensitive networks and data is a critical aspect of our day-to-day lives as security professionals. We deploy tools, create processes, and hire talented personnel to protect the organization as best we can: proactively detecting threats and breach attempts, and mitigating or reacting to them as quickly as possible. Protecting the business.
One of the aspects of this work is managing security incidents. The analysts in the SOC receive hundreds (or even thousands) of alerts and reports per day, proactively seek suspicious activities, etc., to detect and stop the next breach.
One way to do this effectively, and one that is increasing in popularity, is to use a SOAR solution: a system that facilitates the efficient handling of security incidents by leveraging multiple sources of information and automation. IBM Resilient is a leading solution in that space, widely used by enterprises worldwide.
When we, at AlgoSec, looked at the typical flow of a security incident, we found that there were several ways in which we could significantly help, making sure incidents are properly prioritized and handled.
First and foremost – the most important part in this game is understanding the business impact. The urgency and nature of handling an incident may greatly vary if the same attack is launched on our sensitive credit card database in the PCI zone, or on some demo lab server in the DMZ. Not only would we want to address it much faster if the incident may have significant business impact, but we may also need to report it to different people, decide whether we can shut down or isolate the compromised server, and more.
Understanding the network context is also important. Let’s say a server was compromised. Is this server connected to the internet? Can data be exfiltrated from it, or can attackers connect to it for command and control? Does it have access to our sensitive internal networks, so that it could serve as a stepping stone? This information is crucial for deciding on the urgency, as well as the potential remediation plan (e.g. isolating it from that sensitive network).
Last, but not least, time is of the essence. If we decide to act – it should be easy, quick, and error-free. If we can have the SOC analysts click on a single button to isolate compromised servers from the network, as opposed to calling the firewall guys or opening change requests in yet another system – that would be ideal.
The AlgoSec extension for IBM Resilient does just that. Once deployed, it connects to the AlgoSec server and automatically starts enriching new incidents with business and network context, to make sure that the analysts know everything about the suspected incident immediately, from their familiar Resilient interface. It’s just there.
And if server isolation is required, it’s a single click away: AlgoSec will automatically find the best way to block the traffic to or from the compromised server, minimizing the incident’s business impact while still allowing forensics to be done.
The extension itself can be downloaded, free of charge, from the IBM Security App Exchange.
Check out a short demo video showing what it can do!