Automated Contextualization of Indicators of Compromise: Actionable Intelligence
Today every security department struggles with how to rapidly and effectively address security alerts. With limited resources and constant time pressure, quick decisions must be made, as many other potentially business-impacting priorities await attention.
While traditional security products (including firewalls, anti-X appliances, and intrusion prevention systems) can be set to block on simple signature matches, modern threat detection is often about detecting and alerting on indicators of compromise. The risk of a false positive with automated blocking is unacceptable.
- What happens if you block traffic to a blacklisted IP address that was blacklisted on incorrect reputation data, and the block prevents a time-sensitive financial transaction?
- What happens if you disallow an encrypted tunnel from an application to a client in a partner network that was actually legitimate?
- What happens if you block an employee from using a critical resource, simply because his Active Directory credentials were incorrectly configured?
In order to prevent these mishaps, a human must be brought into the loop. A qualified analyst can perform a series of identification, containment, and eradication/recovery steps to close the decision loop. This is necessary, as indicators of compromise based upon anomalous file, control channel, or application behavior may be benign. But, until a reasonable situational analysis has been built, one cannot know what level of action should be taken, or perhaps whether an action should be taken at all.
Unfortunately, making the right decision associated with each significant security alert is time consuming and laborious. This is where Click Security’s constantly updated cyber threat intelligence and big data security analytics can help.
Convert Security Alerts into Actionable Intelligence
Click’s real-time security analytics can rapidly convert a security alert from an advanced malware detection product, next-generation firewall, or IPS into actionable intelligence. For example, an advanced malware product may surface an alert associated with a file that contains an unknown executable. Click’s system can tie the alert into its actor core and automatically provide key contextual information, including actor identity, actor physical location, actor connections into key applications and servers, and a list of any other security events associated with the actor. If gathered manually by the analyst, this rich context could take hours or longer to build. Click provides it, along with the ability to follow chains of interactivity, within seconds, saving the analyst valuable time and energy and potentially reducing or eliminating the impact of an exposure that could harm the business.
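The enrichment step described above, as an added illustration that is not Click Security's own code: an alert is joined against constructed sample tables standing in for the actor core (host-to-user/location mapping), recent connections, and prior security events, and the result is a prioritized context record for an analyst rather than an automatic block.

```python
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical hosts, users and sites), standing in
# for the actor core: which user sits behind each internal host, and where.
ACTORS: Dict[str, Dict[str, str]] = {
    "10.1.4.22": {"user": "jdoe", "site": "Austin, TX", "role": "finance-analyst"},
    "10.1.9.7": {"user": "svc-backup", "site": "Frankfurt, DE", "role": "service-account"},
}

# Constructed connection log: (source host, destination host, service).
CONNECTIONS: List[Tuple[str, str, str]] = [
    ("10.1.4.22", "erp-db01", "mssql"),
    ("10.1.4.22", "fileshare02", "smb"),
    ("10.1.9.7", "backup01", "ssh"),
]

# Constructed prior security events keyed by source host.
EVENTS: List[Dict[str, str]] = [
    {"src": "10.1.4.22", "type": "blacklist-ip-contact", "ts": "2013-05-01T09:10"},
    {"src": "10.1.4.22", "type": "unknown-executable", "ts": "2013-05-01T09:12"},
    {"src": "10.1.9.7", "type": "failed-ad-logon", "ts": "2013-05-01T08:00"},
]

# Hypothetical list of servers the business considers critical.
CRITICAL_SERVERS = {"erp-db01", "backup01"}


def contextualize(alert: Dict[str, str]) -> Dict[str, object]:
    """Join one alert against actor identity, connections and other events."""
    src = alert["src"]
    actor = ACTORS.get(src, {"user": "unknown", "site": "unknown", "role": "unknown"})
    conns = [(dst, svc) for s, dst, svc in CONNECTIONS if s == src]
    # Other events for the same actor, excluding the alert type itself.
    related = [e for e in EVENTS if e["src"] == src and e["type"] != alert["type"]]
    touches_critical = any(dst in CRITICAL_SERVERS for dst, _ in conns)
    # Priority for the analyst's queue; this never blocks anything on its own.
    priority = 1 + len(related) + (2 if touches_critical else 0)
    return {
        "alert": alert,
        "actor": actor,
        "connections": conns,
        "related_events": related,
        "touches_critical": touches_critical,
        "priority": priority,
        "recommendation": "escalate-to-analyst" if priority >= 3 else "queue-for-review",
    }
```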