“Saving the Security Operations Center…” with CyFIR Enterprise
An excellent article in InformationWeek’s Dark Reading entitled “Saving the Security Operations Center With Endpoint Detection and Response” cogently lays out the ways in which Endpoint Detection and Response (EDR) can bring tremendous benefit to your organization’s digital security posture.
Far beyond traditional virus scanning, EDR encompasses a new category of tools that not only look at running processes, but also give security professionals greater visibility into a computer and its users. The article offers a short test for your security team’s capabilities, and CyFIR Enterprise shows itself to be well-positioned to meet the challenge.
Dark Reading asks, and CyFIR responds:
When an inbound exploit is identified targeting a random IP address, can you rapidly validate whether the exploit is targeting the right OS and application?
CyFIR Enterprise offers full visibility within seconds into any of its connected endpoints, including the rapid identification of a computer’s operating system and its installed programs.
When a successful network exploit is identified, can you identify the detailed next steps taken by the attacker?
CyFIR’s advanced monitoring functions can track every process launched on a system and observe file accesses and modifications. Unlike competing tools that might stop there, CyFIR has the power of a forensic-grade analysis engine behind it that allows security personnel to do a “deep dive” forensic analysis—immediately, live, and in real-time.
If an outbound connection is identified with a known command and control (C2), can you identify the process that initiated the connection and trace the action back to its source?
With CyFIR’s concept of Total Dynamic Visibility™, security personnel can quickly identify the process that initiated the connection and identify the source. CyFIR has the unique ability to see every socket opened by every running program (for both malware and legitimate applications, to guard against insider threat) and to provide metrics on the data flowing between your organization’s computer and an external endpoint, identified by IP address. This data-rich content is available to our clients to feed and interact with their other tools (e.g. Splunk) to rapidly produce a Cyber360 approach to detection, investigation, isolation, and remediation of threats in our clients’ environments and to maximize the Speed to Resolution (S2R)™ of a given situation.
When an encrypted inbound communication is identified with a known C2, can you identify what was in the communication or payload?
CyFIR provides security personnel with the tools to identify running processes on any connected CyFIR endpoint within seconds, and identifying a process’s open files, accessed files, or child processes takes only a single click. Many tools take hours to complete this process—engage local IT resources or prepare for “boots on the ground” travel, forensically image the target computer’s RAM, load the (now outdated) RAM dump into a third-party analysis tool, verify the results, and only then begin analysis—but CyFIR handles this all for you live, and it usually does it in less than ten seconds for any of your connected computers, worldwide. Capability is useless without the speed necessary to make intelligence actionable; it’s precisely that moment when a tool either helps you get back to normal or becomes an exercise in futility.
When malware is found, can you identify the dwell time, how the file arrived, and the endpoints or servers that are infected or impacted?
Through CyFIR’s advanced, truly forensic-grade capabilities, you can not only identify when and how a piece of malware hit your network, but also track it down across all of your CyFIR-connected endpoints—usually in less than a minute. CyFIR’s parallel processing engine allows each endpoint to investigate itself in real time without “concurrent connection” licensing restrictions or complicated scripting. CyFIR returns search results to the security practitioner as they are found so that remediation can begin immediately.
What actions took place when an end user opened an email attachment?
CyFIR’s advanced process and file monitoring presents a security operator with a full list of activities following activation of an illicit program. Because of CyFIR’s truly enterprise-wide visibility, those activities can be followed even if they jump to other computers in your network, move across user accounts, and escalate privileges. CyFIR’s rich historical data can be used to locate, trace, and remediate malware infections throughout your network, worldwide, all from a single point of presence.
What actions took place when an end user clicked on a URL within their email?
CyFIR’s process monitoring functions, combined with its ability to record and log events, provide a wealth of information to a security professional when tracking down a potential infection. Within a few clicks, the security operations team can review processes executed on a local box or network-wide, quickly exposing unapproved utilities. Not only can CyFIR accomplish this mission, but it can fully investigate non-malware related security incidents before they become full-blown data breaches. CyFIR is a force-multiplier in today’s digital warfare theater.
What were the step-by-step actions of an identified attack, from start to finish?
Because of CyFIR’s full forensic investigation capability, attacks can be investigated from initial breach, through discovery, to remediation in a fraction of the time that a cobbled-together collection of competing tools can support. With CyFIR’s tremendous level of analytical capability on the endpoint—both in active RAM and at the file system level—attacks can be identified, and often resolved, before they’ve had a chance to take hold or expand their reach inside your organization. CyFIR truly represents the next generation of EDR by offering multiple capabilities under one pane of glass.
In addition to these questions, security personnel realize that endpoint processing power is limited, and ten different agents running from ten different tools can slow your network, reduce productivity, and cause conflicts. When faced with today’s vendor challenges, it is wise to consider packages that offer multiple benefits, including incident response, insider threat detection and mitigation, eDiscovery collection, and internal investigations. An incident response can quickly pivot into an internal investigation, and security professionals need a tool that pivots just as quickly with them. CyFIR Enterprise is the platform that organizations can use daily to perform active incident response, hunt malcode, gain visibility into all of the processes running on connected endpoints, rapidly identify unknown processes, respond to legal discovery requests, and more—with one agent, utilizing one person, for one price.
As the author states, “EDR is the beginning of our return to control in the fight against cybercrime,” and CyFIR Enterprise is the comprehensive capability that a security team needs to effectively work in today’s large scale infrastructures.