Modern attacks are a complex and often automated series of processes, steps and interrelated events that penetrate the cybersecurity perimeter. They combine automated attacks at scale with more targeted attacks, both simultaneously and continuously. Additionally, the toolsets for achieving enterprise persistence and lateral movement (all the things an attacker does during the dwell time) have evolved quite rapidly. This is a leading cause of noise and anxiety in the enterprise. The inability to automatically see, detect and respond to modern, complex attacks hampers the effectiveness and efficiency of security operations teams. Less efficient and less effective security operations teams lead to higher costs and more breaches. Secondarily, loading security operations teams down with more systems and screens leads to increased alert fatigue, greater intrusion dwell time, and slower investigation and response time, putting more data and cost at risk.
What is ADR and can it help?
ADR stands for Automated Detection and Response. It is a new way to think about security operations. Security operations primarily focus on technology, data, and action. So how do the current approach and the ADR approach differ?
- Current approach – Designed for computers, it creates operational fatigue. Teams are required to manage multiple tasks across multiple systems. This means more information to look at and manually integrate.
- The ADR approach – Designed with humans in mind, focused around efficiency. Helps automate tasks that take up time – validate and investigate threats, correlate data, and automate response. Boosts Operational Efficiency.
- Current Approach – Engineered for lists, this buries valuable insight in noise. Having disparate systems that do not speak to each other means mountains of data to wade through to come to a valid, valuable conclusion.
- The ADR approach – Designed for intelligence and effectiveness. An ADR system gathers information across multiple sensors, nodes, and agents and delivers valuable intelligence and insight to a single screen. Boosts Operational Effectiveness.
- Current Approach – Requires intervention before action, slows down response. Having multiple teams to manage different facets of the security engine means hoping someone else will initiate the necessary steps to validate alerts and begin investigation. Unnecessarily creates delays and creates more risk than reward.
- The ADR Approach – Purpose built for response, accelerates action. Delivers tools for guided and automated response to isolate or completely eradicate the threat. Reduces level of effort required and time to respond.
Key Characteristics of an ADR Platform
- Provide native visibility across networks, endpoints, and in the cloud in both real-time and retrospectively
- Use multiple techniques to detect threats at any stage of the attack lifecycle
- Validate whether threats that traversed the network to endpoints have impacted their targets, and highlight/prioritize those threats that have
- Automatically provide the scope of a threat by identifying other affected hosts in the enterprise, including those that did not previously generate an event
- Built-in intelligent threat identification filters that do the job of an analyst hunting, by consolidating events from multiple sources into a single, intuitive, context-rich, conclusive alert
- Give security operations the information, context, guidance, and tools they need to investigate, contain, and remediate attacks from a single management console
- Customizable automatic threat remediation responses to eliminate analyst time finding and then responding to a threat
What is Fidelis Elevate?
Fidelis Elevate is the world’s first Automated Detection and Response platform, designed to improve SOC operations’ effectiveness and efficiency. It delivers comprehensive visibility, alert validation, and increased speed to response by applying our industry-leading threat intelligence (Fidelis Insight) to real-time and historical data. The resulting automation allows your security operations team to quickly respond to cyber-attacks that impact your enterprise.
Fidelis Elevate covers the entire threat lifecycle - from initial intrusion to exploitation to data theft. Fidelis Elevate customers can choose to deploy and activate the entire Elevate platform, comprising the Fidelis Endpoint™ and Fidelis Network™ modules, or individual modules based on their enterprise needs. Fidelis recommends the combined platform to receive the maximum benefit of a highly efficient and effective automated threat detection and response solution. Fidelis Insight, which powers Fidelis Elevate, provides a malware execution environment and a threat intelligence feed that is constantly updated by the Fidelis Threat Research Team.
Threat analysis is performed by network sensors, endpoint agents, and analytics run within Endpoint and Network Collectors. Threat analysis is automatically correlated and triangulated across the separate analysis engines and presented to the analyst in a single user interface known as K2 (formerly CommandPost).
Advantages of Fidelis Elevate –
Fidelis Elevate combines network, endpoint, and Insight into a single automated detection and response solution. Detected threats are presented as a Conclusion, determined by validation, contextual enrichment, and correlated threat activity, enabling the analyst to take rapid responsive action rather than spending time gathering evidence from a variety of security systems and sources. Conclusions are presented in the K2 interface – a single pane of glass to view and analyze all threat activity in your enterprise.
- Alert Validation - When an alert is detected on the network, an analyst needs to perform incident response against the endpoint to confirm if the attack warrants a response. Fidelis Elevate automatically validates network alerts against the potentially affected endpoints to determine if the threat has reached its target and whether threat activity happened at that endpoint.
- Identify the scope of an attack - Provided with a validated alert, an experienced analyst would want to understand if this was a targeted attack or a campaign against many people or hosts in the environment. By combining data from every endpoint, Fidelis Elevate can easily provide these answers.
- Response - When a threat is validated, an analyst can quickly run tasks against the endpoint directly from the K2 interface. Endpoint tasks include:
  - Isolate the host from the network.
  - Delete a file.
  - Obtain more information, such as a memory dump or a vulnerability scan of the host.
  - Run one of the one hundred scripts included with Fidelis Endpoint.
  - Run a custom script tailored to your organization.
- Alert prioritization - Security analysts can be overwhelmed with information and not know where to start. Fidelis Elevate provides prioritization in the form of Conclusions, validated alerts, and threat scores. The score is based on a machine-learning algorithm that considers local analyst ratings, alert severities, and community scoring. The result is an easy-to-use prioritization scheme.
- Unified alert view - The K2 interface presents all alerts in a single view. The list may include detections from network sensors, endpoint agents, and Collectors.
- Conclusions - An alert represents a single event that raises the concern of a threat. Many alerts must be combined to understand the full scope of the problem. Fidelis automatically groups related alerts into a Conclusion. A Conclusion collects alerts that occur on the same victim (a host or email address) over time. Conclusions are “living” items, which means that future detections may be added to an existing Conclusion. This improves the efficiency of response by eliminating the need to repeat the same investigation every time a new alert is triggered. Conclusions include a threat score, endpoint validation, endpoint enrichment, and sandbox reports, and they track the responsive actions taken by analysts in the associated workflow.
- Threat Intelligence - The intelligence provided by Fidelis Insight is enriched with feedback from every detection across Fidelis customers. Submissions to the sandbox (automated or manual) provide an immediate source of IOCs, which can be distributed to sensors, agents, and collectors as threat feeds to provide robust coverage for any new detection.
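To make the alert validation, scoping and living-Conclusion grouping described above concrete, here is an added illustrative example; it is not Fidelis code and the additive score is not the Fidelis machine-learning algorithm. The record fields, the 300-second validation window and all sample alerts and endpoint events are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry (not real indicators): what a network sensor
# saw on the wire, and what endpoint agents later observed on hosts.
NETWORK_ALERTS = [
    {"id": "n1", "victim": "host-a", "sha256": "ab12", "severity": 7, "ts": 100},
    {"id": "n2", "victim": "host-b", "sha256": "ab12", "severity": 7, "ts": 105},
    {"id": "n3", "victim": "host-a", "sha256": "cd34", "severity": 4, "ts": 400},
]
ENDPOINT_EVENTS = [
    {"victim": "host-a", "sha256": "ab12", "action": "process_start", "ts": 130},
    {"victim": "host-c", "sha256": "ab12", "action": "file_write", "ts": 200},
]

@dataclass
class Conclusion:
    """Grouping of every alert seen for one victim, kept open for new detections."""
    victim: str
    alerts: list = field(default_factory=list)
    validated: bool = False
    score: float = 0.0

def validate(alert, events, window=300):
    """Endpoint validation: did the payload seen on the wire actually land on or
    execute at the targeted host within `window` seconds of the network alert?"""
    return any(e["victim"] == alert["victim"] and e["sha256"] == alert["sha256"]
               and 0 <= e["ts"] - alert["ts"] <= window for e in events)

def score(conclusion, analyst_rating=0):
    """Illustrative prioritization (assumed formula): highest alert severity,
    boosted when endpoint-validated, adjusted by a local analyst rating, capped at 10."""
    base = max(a["severity"] for a in conclusion.alerts)
    return float(min(10, base + (3 if conclusion.validated else 0) + analyst_rating))

def build_conclusions(alerts, events, conclusions=None):
    """Fold alerts into per-victim Conclusions. Passing an existing dict back in
    makes the Conclusions 'living': new alerts extend them instead of starting over."""
    conclusions = conclusions if conclusions is not None else {}
    for a in alerts:
        c = conclusions.setdefault(a["victim"], Conclusion(a["victim"]))
        c.alerts.append(a)
        c.validated = c.validated or validate(a, events)
        c.score = score(c)
    return conclusions

def scope(conclusions, events):
    """Scoping: hosts where endpoint telemetry shows an indicator already tied to a
    Conclusion, even though those hosts never produced a network alert themselves."""
    seen = {a["sha256"] for c in conclusions.values() for a in c.alerts}
    return sorted({e["victim"] for e in events
                   if e["sha256"] in seen and e["victim"] not in conclusions})
```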
The Fidelis Elevate platform is THE FIRST –
- Automated detection and response solution
- Complete and combined network and endpoint platform
- That covers sessions + packets + content
The Fidelis Elevate Solution is Engineered to –
- Dramatically decrease response time
- Massively increase efficiency
- Provide complete enterprise visibility
- Kaustubh Jagtap
Product Marketing Manager, Network