Page 120 - Cyber Defense eMagazine for September 2020
assets, the account criticality, the vulnerability status and much more, it gathered the information, regardless of whether or not it was escalated as an event.

Two hours later, traffic was seen from both of these servers out to malicious domains and endpoints external to the company environment. So, the software investigated, gathered information, reasoned, scoped, prioritized and escalated this into an incident. This may have been missed by a human analyst because the data that came in said there was a low-severity infection that had been cleaned. But this is all part of the same big attack story, and the software understood that. It had the deep memory to remember a past incident and to tie it to additional data that was gathered, and to create an incident.
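To make the correlation described above concrete, here is an added illustration (not the vendor's software or the magazine's own code) of the "deep memory" idea: a stateful correlator that remembers a low-severity, already-cleaned antivirus event and raises the severity when the same host later contacts a known-malicious domain. The log format, the domain list and the sample events are constructed for the example.

```python
"""Stateful correlation: a 'cleaned' low-severity AV event plus later outbound
traffic to a malicious domain from the same host becomes one high-severity
incident. Constructed log format: 'timestamp|source|host|detail'."""
from datetime import datetime, timedelta

# Constructed threat-intel list; placeholders, not real indicators.
MALICIOUS_DOMAINS = {"bad-c2.example", "dropper.example"}
MEMORY_WINDOW = timedelta(hours=24)  # how long prior AV events stay relevant


def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, source, host, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "detail": detail}


class Correlator:
    def __init__(self):
        self.memory = {}    # host -> prior AV events, kept even if 'cleaned'
        self.incidents = []

    def ingest(self, event):
        """Return an incident dict when this event warrants one, else None."""
        if event["source"] == "av":
            # A cleaned infection is not escalated by itself, but remembered.
            self.memory.setdefault(event["host"], []).append(event)
            return None
        if event["source"] == "proxy" and event["detail"] in MALICIOUS_DOMAINS:
            prior = [e for e in self.memory.get(event["host"], [])
                     if event["ts"] - e["ts"] <= MEMORY_WINDOW]
            # Standalone IOC hit is medium; with a remembered infection, high.
            incident = {"host": event["host"],
                        "severity": "high" if prior else "medium",
                        "evidence": prior + [event]}
            self.incidents.append(incident)
            return incident
        return None


def run(lines):
    """Feed log lines through one correlator and return the incidents raised."""
    c = Correlator()
    for line in lines:
        c.ingest(parse(line))
    return c.incidents


SAMPLE_LOG = [  # constructed sample events
    "2020-09-01T08:00:00|av|srv-01|Trojan.Generic quarantined (cleaned)",
    "2020-09-01T08:01:00|av|srv-02|Trojan.Generic quarantined (cleaned)",
    "2020-09-01T09:30:00|proxy|srv-03|cdn.example",
    "2020-09-01T10:00:00|proxy|srv-01|bad-c2.example",
    "2020-09-01T10:02:00|proxy|srv-02|dropper.example",
    "2020-09-01T10:05:00|proxy|srv-03|bad-c2.example",
]
```

Running `run(SAMPLE_LOG)` yields three incidents: srv-01 and srv-02 at high severity with the earlier cleaned AV event attached as evidence, and srv-03 at medium because nothing was remembered about it.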

This is done without the need for rules and playbooks. A SIEM by itself, for instance, needs playbook programming in order to operate and function normally. It also lacks the consistent depth of analysis, speed and scale of a machine that scopes all relevant malicious activity into one incident, activity which may consist of disparate pieces that are otherwise never assembled into the big-picture view.


A hybrid security partnership

The MITRE ATT&CK framework is a practical and useful knowledge base, and it underscores just how complex and vast the attack landscape has become. It is not realistic to expect human security analysts to cover even a small number of attack methods, let alone all of them.

As a result, decision automation is a modern necessity for organizations that want full coverage against all attack types. It makes deeply analytical decisions about what is likely to be worthy of further investigation, which then get passed on to the human analysts in a hybrid partnership that covers all the bases.


About the Author

Chris Calvert, vice president of product strategy and co-founder, Respond Software. Chris has over 30 years of experience in defensive information security: 14 years in the defense and intelligence community and 17 years in the commercial industry. He has worked on the Defense Department Joint Staff and held leadership positions in both large and small companies, including IBM and HPE. He has designed, built and managed global security operations centers and incident response teams for six of the global Fortune 50. As he often says, if you have complaints about today's security operations model, you can partially blame him. It is from his firsthand experience in learning the limitations of the man vs. data SecOps model that Chris leads product design and strategy for Respond Software.

Chris can be reached on Twitter at @respondsoftware and at our company website https://respond-software.com/




Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.