By now, security incident response is a mature process that most, if not all, SOC (Security Operation Center) teams will have established inside their organizations. The approach will inevitably vary from one team to another, but the stages are broadly the same: Preparation, Detection and Reporting, Triage and Analysis, Contain and Neutralize, and Post-incident Follow-up.
Non-Corvil users may be surprised at how network analytics has an impact on every stage of incident response, reducing the mean time from identifying an incident to remediation. Let’s look at each stage and see what Corvil brings to it.
At the Preparation stage (1), when drawing up plans for your incident response strategy, it becomes clear very quickly that network visibility fills a lot of gaps. Whatever form the cyber attack takes – malware, ransomware, phishing – it’s going to come at you over the network, so being better prepared means having packet-level visibility of all network traffic.
A sweet spot for Corvil is in Detection and Reporting (2). Traditional monitoring tools send their logs or events to a SIEM solution that will identify suspicious activity. An Intrusion Detection System, for example, might find a connection between Workstation A and the IP address of a known suspect website.
Correlate this with Corvil-sourced network data and you add context by identifying the user accessing the site. It’s likely that a high score on our Suspicious Entities dashboard will have already drawn attention to the person, providing a vital new component to the detection phase. In large organizations with thousands of desktops it’s quicker to find a person than a machine, so you have already begun to reduce the time to incident resolution.
Corvil’s added context means you will have already started the Triage and Analysis (3) stage. Analyzing threats on endpoints will also benefit from our network approach. The standard process at this stage is to shut down the machine, take a forensic image and capture the RAM. All are valid steps for gathering evidence, but the machine was communicating over the network the whole time before you shut it down, and Corvil’s record of that traffic lets you obtain valuable information about the incident while waiting for your forensic image to complete.
Corvil can show how far the scope of the compromise has gone by tracking the activity of Workstation A – if data was sent off to FTP sites, for example, or personal data was offloaded to a Dropbox account. All such activity will have gone over the network and show up in packets collected and analyzed by Corvil.
Using our Host Connectivity dashboard you can click into an interactive map of all Workstation A’s connections. In a matter of seconds, you can identify what the endpoint has been doing. The result is a big-picture view of the incident in a lot less time than it takes to capture a forensic image and gather artifacts from the machine.
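The triage described above, as an added example that is not Corvil code: an IDS alert naming Workstation A is enriched with the user logged on at the time, a summary of every destination the workstation talked to, and the destinations that look like bulk uploads to FTP or a file-sharing service. The alert, user-session table, flow records and the cloud-storage address are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not Corvil output): one IDS alert, a user-to-host session
# table (e.g. from authentication logs) and flow records for the alerting workstation.
IDS_ALERT = {"ts": "2024-05-01T10:15:00", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9"}
USER_SESSIONS = [  # who was logged on to which host, and when
    {"user": "alice", "host_ip": "10.1.2.3", "start": "2024-05-01T08:00:00", "end": "2024-05-01T12:00:00"},
    {"user": "bob", "host_ip": "10.1.2.4", "start": "2024-05-01T08:30:00", "end": "2024-05-01T17:00:00"},
]
FLOWS = [  # (timestamp, src_ip, dst_ip, dst_port, bytes_out)
    ("2024-05-01T10:14:50", "10.1.2.3", "203.0.113.9", 443, 1_200),         # the alerted connection
    ("2024-05-01T10:20:10", "10.1.2.3", "198.51.100.7", 21, 52_000_000),    # bulk upload over FTP
    ("2024-05-01T10:25:00", "10.1.2.3", "192.0.2.40", 443, 8_000_000),      # upload to file sharing
    ("2024-05-01T10:26:00", "10.1.2.4", "192.0.2.40", 443, 3_000),          # a different workstation
]
CLOUD_STORAGE_IPS = {"192.0.2.40"}  # constructed: resolved address of a file-sharing service

def user_for_host(host_ip, ts, sessions=USER_SESSIONS):
    """Return the user logged on to host_ip at time ts, or None if nobody was."""
    t = datetime.fromisoformat(ts)
    for s in sessions:
        start, end = map(datetime.fromisoformat, (s["start"], s["end"]))
        if s["host_ip"] == host_ip and start <= t <= end:
            return s["user"]
    return None

def host_connectivity(host_ip, flows=FLOWS):
    """Map every destination host_ip talked to -> total bytes sent and ports used."""
    summary = defaultdict(lambda: {"bytes_out": 0, "ports": set()})
    for _ts, src, dst, port, nbytes in flows:
        if src == host_ip:
            summary[dst]["bytes_out"] += nbytes
            summary[dst]["ports"].add(port)
    return dict(summary)

def flag_exfiltration(summary, min_bytes=1_000_000, cloud_ips=CLOUD_STORAGE_IPS):
    """Destinations that received a large outbound transfer over FTP or to cloud storage."""
    return sorted(dst for dst, info in summary.items()
                  if info["bytes_out"] >= min_bytes and (21 in info["ports"] or dst in cloud_ips))

def triage(alert=IDS_ALERT):
    """Enrich the IDS alert with the responsible user and the workstation's wider activity."""
    summary = host_connectivity(alert["src_ip"])
    return {"user": user_for_host(alert["src_ip"], alert["ts"]),
            "destinations": sorted(summary),
            "exfil_suspects": flag_exfiltration(summary)}
```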
In the Contain and Neutralize (4) phase it’s not uncommon for multiple machines to be shut down and rebuilt. There may be no choice and business productivity takes a big hit. But sometimes, with Corvil, a more targeted response may be possible. We integrate with a number of security vendors and facilitate timely action to mitigate threats.
Once a malicious IP address or suspicious file is identified, we can automatically notify Palo Alto Networks firewalls, a Splunk SIEM, or a Carbon Black endpoint solution (to name a few). Bad IP addresses and files are immediately blocked. If you don’t have the integrated product suite you can just take our data and do it yourself; either way you can start containment steps earlier and possibly avoid having to allocate time and resources to shutdowns and rebuilds.
With Corvil helping decrease incident response times from hours to minutes, the Post-incident Follow-up (5) will hopefully be less complex and onerous. Earlier detection and containment will reduce the cleanup that’s required. Additionally, Corvil’s archive of packet data will provide an invaluable record of precisely what occurred and when, so you can better assess the impact of the attack as well as make sure it never happens again.
I’ve talked here about exposing a particular type of attack on a workstation, but the good news is that there’s a Corvil playbook for every kind of incident and the same principles apply – we provide visibility and context to identify and resolve threats more quickly. Best of all, security analysts can do it all seamlessly within their existing troubleshooting process.