Identity Threat Defense

Actionable Forensics for SOAR: An Illusive Networks Integration with Cortex XSOAR

Share with your network!

Arguably, defenders have more data and intelligence than ever about impending threats and attacks. According to a recent Ponemon Institute study, the average organization deploys 47 separate security solutions, each providing a dizzying array of alerts and reporting. If an intruder gets in, it should be easy to identify and stop them, right? Surely an alert has gone off somewhere in the system. Of course, it’s not so simple.

The problem is that any given alert is accompanied by dozens if not hundreds of others in a typical day. Many of those alerts go off because they are dependent on anomalous activity taking place, but don’t actually reveal if an attacker is present or causing mischief. A recent CriticalStart survey found that half of enterprise security operations center (SOC) teams are reporting false positive rates of 50% or higher across their total alert volume, which leads to those teams spending more time chasing shadows than stopping genuine threats.

Threat detection is further complicated by the recent post-pandemic shift to working from home, which has destroyed the baselines that activity-based anomaly detection tools like UEBA (User and Entity Behavioral Analytics) took years to effectively calibrate. Our own internal surveys at Illusive Networks are showing a 300% uptick in false positives since the pandemic and the subsequent massive switch to working from home. Clearly there’s plenty of big data being thrown at cybersecurity problems, but how do you throw the right data so you know which alerts require an immediate response?

Deception and attack surface management provide a solution for cutting through the alert noise to find the real incidents that must be prioritized for remediation. They do this by choking off the lateral movement that allows attackers to move from wherever they make a beachhead to the crown jewels they are looking to steal.

Through attack surface management, organizations can find and remove unnecessary and leftover credentials and connections that attackers use to jump from machine to machine before they can be utilized in a breach. Then, deception replaces those credentials and connections with illusory versions of the data attackers would expect to find and exploit. Once attackers attempt to use that deceptive data to move laterally, they are caught in the act, with full forensic evidence provided.

Since deceptions are hidden on the network where only attackers would find them, the alert deception provides is high fidelity, and the forensic reporting helps analysts to speed up investigations and quickly confirm that either an attack is underway and needs to be stopped or that an alert fired from another solution is another false positive that can be safely disregarded.

Efficient detection enhances an effective response

This week, Illusive Networks became the first deception platform available on Palo Alto Networks’ recently opened Cortex XSOAR marketplace. The marketplace will feature an integration of the Illusive Platform with Palo Alto Networks Cortex XSOAR, a leading security, orchestration, automation and response (SOAR) solution. Through this integration, two playbooks leveraging Illusive Networks technology will be available to Palo Alto Networks customers, allowing their SOCs to enrich the incident data they can collect with exhaustive forensics and automate prioritization of the most concerning threats for instant response. The playbooks help solve the two dilemmas confronting SOCs in a time of exploding alert volumes: determining which incidents require urgent attention and making sure they are prioritized for remediation.

Source-based forensics to determine which alerts truly matter

Whenever an alert goes off about suspicious network activity, analysts at every tier have a very narrow time window to collect and correlate the necessary data to decide what needs to be done in response. The first Illusive Networks playbook available to Cortex XSOAR customers aims to make the most out of that short time by enriching the data collected for any given security incident. Through a set of commands, Cortex XSOAR customers will receive comprehensive, source-based forensics about the machine where the attacker is located, including a timeline of all attacker actions associated with the incident, screenshots of the incident as it was taking place, and data about which credentials and endpoints are being used in the attack.

Forensic information can be triggered automatically for any given security event, allowing Illusive’s unique data and forensics to complement other security tools as part of the SOC’s routine. Such a strategy exponentially increases the amount and power of the forensic information at the SOC’s disposal, empowering it to see which alerts need to be triaged more quickly and accelerate a prompt response. This also allows the SOC to quickly see which alerts are false positives so they can be discarded and not distract agents from the incidents that truly matter.

Learn more about the Data Enrichment playbook on the Cortex XSOAR marketplace here.

Risk threshold score for automated incident escalation

Once the information in the incident data enrichment playbook has been collected and analyzed, another Illusive Networks playbook can then spring into action from within Cortex XSOAR to prioritize the alert based on its risk level. The playbook combines the forensic abilities of the Illusive Platform with the correlation rules from Cortex XSOAR to automate the workflows that underpin event remediation processes.

Incidents analyzed with Illusive forensics are given a risk score, and when certain thresholds are reached individual events can be automatically escalated to the correct tier for proper redress depending on the imminence of the threat putting critical data in jeopardy. For example, SOC analysts can quickly determine crucial response intelligence such as how far a compromised host is located from crown jewels, or if a compromised host needs to be quarantined immediately, and get the incident to the correct analyst tier right away.

Learn more about the Incident Escalation playbook on the Cortex XSOAR marketplace here.

Make Deception SOAR

At this moment, when false positives are on the rise, and attackers are taking advantage of current events to hide their attacks among the alert noise, identifying and prioritizing the attacks that truly need to be stopped is more necessary than ever. The integration between the Illusive Platform and Cortex XSOAR gives SOCs high-fidelity threat notification and complete incident forensics to make the SOAR’s reaction that much more effective and powerful. Ultimately this integration helps reduce attack response time and helps create the conditions for a SOC that can finally make the alert hamster wheel slow down without compromising on security.

Read the integration brief now and contact us at to learn more about how to start leveraging this integration today.