Threat Response

Seamless Orchestration and Workflow

Threat Response orchestrates several key phases of the incident response process.

It ingests security alerts from multiple security tools. It collects context, target histories and intelligence from internal and external sources. And it collects and analyses endpoint forensics.

Using all of this information, it automates workflows and response actions. It builds lists and objects for enforcement and activates quarantine and containment actions. Measure the effectiveness of your incident response with auto-generated reports detailing key performance indicators at every stage.

All orchestration is performed through an integrated central console that connects to security alert sources, as well as built-in enforcement and quarantine tools. The integrated design provides at-a-glance views of the incident response process for real-time visibility.

All collection, comparisons, and analysis by the platform are performed automatically. That means increased efficiency, enabling incident responders to quickly review key details, make a decision, and take action. Quarantine and containment actions operate at the automation level you choose. You might set workflows to automatically trigger firewall updates in some cases while building a simple block list for change control in other cases.

Forensic Collection and IOC Verification

No matter how elusive the malware, infections often leave behind telltale signs on endpoints. These are known as indicators of compromise (IOC). Threat Response automatically confirms malware infections with built-in IOC verification.

These IOCs can include:

• Processes
• Mutexes
• File system changes
• Registry changes
• Web page history

When a security alert reports a system has been targeted with malware, Threat Response automatically deploys an endpoint collector to pull forensics from the targeted system. This data is compared to a database of known IOCs to quickly confirm whether a system is infected with IOCs related to the current attack. Teams can also gain visibility into IOCs from previous attacks that were not cleaned up. This built-in infection verification can save hours per incident. And it dramatically reduces the number of time-wasting false positives that lead to needless reimaging and backup-restoration cycles. The endpoint forensic collectors deploy to systems suspected of being infected on demand—no need to preinstall. The collector runs temporarily in memory and uninstalls itself when finished.

Context and Situational Awareness

Many security alerts lack critical information required to determine the context of a threat and next steps. Threat Response automatically enriches security alerts by collecting important internal and external context, intelligence, and data to create an actionable view of each alert. Armed with this insight, security teams can quickly understand, prioritise, and respond to security threats. 

With Threat Response, security teams can quickly answers questions such as:

• Which users are under attack?
• Have the affected users been infected before?
• To what department or group do the affected users report?
• Do any of affected systems contain indicators of a successful attack?
• Has this attack been seen before in our environment or elsewhere?
• Where is the attack coming from, and where are the command-and-control (C&C) nodes located?
• Does the browser or connection history contain anything unusual, such as visits to a suspect website, or open connections to C&C servers?

Easy Quarantine and Containment

Threat Response integrates with your current security infrastructure tools to block verified threats, quarantine infected users, and protect other users by stopping the infection's spread. 

For example, Threat Response can update targeted users’ Active Directory group memberships to:

• Restrict access to file-sharing websites
• Control VPN access
• Update network access control (NAC) and application control systems

The ability to update block lists on enforcement tools protects you by restricting access to web pages and URL using web filters.You can allow or deny network connections to compromised "watering-hole" sites and criminal domains and hosts.

Emails that have malicious attachments can be moved to a safe area at any time—even after they've been delivered. This stops the risk of your people clicking the attachments again.