Time is not on your side when managing security for a global enterprise and facing down a relentless barrage of cyber attacks. So when confronted with multiple suspect alerts flagged by your SIEM solution, you need a way to easily sift through and identify the attacks that will most likely impact key business processes and quickly take action – before they impact your business and its reputation.
Tie Incident Response to Business Processes, Prioritize and Automate Remediation
Through a seamless integration with the leading SIEM solutions, the AlgoSec Security Policy Management solution ties security incidents directly to the actual business processes that are or potentially will be impacted, including the applications, servers, network and traffic flows, and security devices. Once identified, AlgoSec can neutralize the attack by automatically isolating any compromised or vulnerable servers from the network.
With AlgoSec you can:
- Automatically associate security incidents with applications, servers and network connectivity flows
- Highlight the criticality of business applications impacted by the threat
- Automatically isolate compromised servers from the network
- Identify network connectivity to/from a compromised server on a visual, interactive map
- Plot the lateral movement of the threat across the network
- Notify stakeholders to coordinate threat remediation efforts
- Get a full audit trail to assist with cyber threat forensics and compliance reporting
The Business Impact:
- Augment threat analysis with critical business context to assess the severity, risk and potential business impact of an attack
- Prioritize incident remediation efforts based on business risk
- Immediately neutralize impacted systems through zero-touch automation
- Limit the lateral movement of an attacker in, out and across your network
- Reduce the time and cost of mitigating a threat by orders or magnitude
- Keep all stakeholders involved in the remediation process to reduce disruption to the business
Bringing reachability analysis into incident response
In this lesson Professor Wool discusses the need for reachability analysis in order to assess the severity of the threat and potential impact of an incident. Professor Wool explains how to use traffic simulations to map connectivity paths to/from compromised servers and to/from the internet. By mapping the potential lateral movement paths of an attacker across the network, the SOC team can, for example, proactively take action to prevent data exfiltration or block incoming communications with Command and Control servers.
How to bring business context into incident response
SIEM solutions collect and analyze logs generated by the technology infrastructure, security systems and business applications. The Security Operations Center (SOC) team uses this information to identify and flag suspicious activity for further investigation. In this lesson, Professor Wool explains why it’s important to connect the information collected by the SIEM with other databases that provide information on application connectivity, in order to make informed decisions on the level of risk to the business, and the steps the SOC needs to take to neutralize the attack.
AlgoSec Splunk App for Incident Response
Splunk can detect and analyze potential breaches while AlgoSec manages security policies and augments them with business context. The new AlgoSec Splunk App enhances and automates incident response by highlighting the potential impact on business applications and business processes; adding information regarding the infected server's exposure to the internet, or access to sensitive internal networks; and automating the action needed to contain the incident.