
Incident response live demo slides final


So, you've got an alarm, or maybe 400 alarms. Now what? A security incident investigation can take many paths, ending in incident response, a false positive, or something else entirely. Join this webcast to see security experts from AlienVault and Castra Consulting work through real security events (well, real at one point) and perform real investigations, using AlienVault USM as the investigative tool. Process or art form? Yes.
You'll learn:
Tips for assessing context for the investigation
How to spend your time doing the right things
How to classify alarms, rule out false positives and improve tuning
The value of documentation for effective incident response and security controls
How to speed security incident investigation and response with AlienVault USM

Published in: Technology

  1. Agenda
     Investigations
     • What are they?
     • What questions can they answer?
     • Is the number 42 always relevant?
     Investigation Walk-Throughs
     • This won't be all slides, we promise.
     Recap
  2. What is an Investigation?
     An investigation is the act of ascertaining facts: a careful examination. Or, more simply, it answers the question "What do I do?" And there is a result... sometimes.
  3. What Initiates an Investigation?
     Someone asks you
     • "Hey, I think the PlayStation Network is down?"
     You see something unusual
     • Ever get that feeling someone is watching you?
     • Certain patterns of logs
     • New assets
     Alarms!
     • More...
  4. ...but what does it all mean?
  5. What is an Alarm?
     An alarm is a pattern of activity that should be investigated.
     • The logic that creates an alarm is customizable.
     Inside a SIEM, an alarm could be:
     • A single event
     • A series of events (a sequence, in order, from the same actor)
     • Event quantity (a count of one event type crossing a threshold within a time window)
     • ...and more
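To make the three alarm shapes on this slide concrete, and the recap's point about using policy to filter alarms you have already investigated, here is an added example in Python. It is not AlienVault USM code and does not reproduce how USM directives are implemented; it is a toy correlation engine with a single-event rule, a threshold (quantity) rule, a sequence (series-of-events) rule, and a suppression policy. Every event name, IP address and the ticket reference in it is constructed for illustration.

```python
"""Toy SIEM alarm logic: a single-event rule, a threshold (quantity) rule, a
sequence (series-of-events) rule, and a suppression policy for alarms that were
already investigated and documented.  Added example; not AlienVault USM code.
All events, addresses and the ticket reference below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    name: str  # normalized event name, e.g. "ssh_auth_failure"


T0 = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample events: a brute force that succeeds and then connects out,
# plus two IDS hits, one of them from a documented internal scanner.
EVENTS = [Event(T0 + timedelta(seconds=i), "10.0.0.5", "10.0.0.20", "ssh_auth_failure")
          for i in range(6)] + [
    Event(T0 + timedelta(seconds=7), "10.0.0.5", "10.0.0.20", "ssh_auth_success"),
    Event(T0 + timedelta(seconds=8), "10.0.0.5", "10.0.0.20", "new_outbound_connection"),
    Event(T0 + timedelta(seconds=9), "10.0.0.9", "10.0.0.20", "malware_signature_match"),
    Event(T0 + timedelta(seconds=10), "10.0.0.50", "10.0.0.20", "malware_signature_match"),
]

# Suppression policy (hypothetical): the scanner at 10.0.0.50 was investigated
# once, found benign and written up, so its alarms are filtered, not re-worked.
SUPPRESS = {("10.0.0.50", "malware_signature_match"): "TICKET-1234: authorized vuln scanner"}

# An alarm is (timestamp, kind, source, detail); `detail` carries the evidence.


def single_event_rule(events, name="malware_signature_match", kind="malware"):
    """Alarm on every single occurrence of a high-confidence event."""
    return [(e.ts, kind, e.src, e.name) for e in events if e.name == name]


def threshold_rule(events, name, count, window, kind="bruteforce"):
    """Alarm when `count` events named `name` from one source fall inside `window`."""
    alarms, recent = [], defaultdict(deque)  # src -> timestamps inside the window
    for e in events:
        if e.name != name:
            continue
        q = recent[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= count:
            alarms.append((e.ts, kind, e.src, f"{count}x {name} within {window.seconds}s"))
            q.clear()  # fire once per burst instead of on every further failure
    return alarms


def sequence_rule(events, steps, window, kind="compromise_chain"):
    """Alarm when `steps` occur in order for one src/dst pair within `window`.
    Unrelated events in between are ignored; a chain that goes stale restarts."""
    alarms, progress = [], {}  # (src, dst) -> (next step index, chain start time)
    for e in events:
        key = (e.src, e.dst)
        idx, start = progress.get(key, (0, None))
        if start is not None and e.ts - start > window:
            idx, start = 0, None  # chain took too long; start over
        if e.name == steps[idx]:
            start = start or e.ts
            idx += 1
            if idx == len(steps):
                alarms.append((e.ts, kind, e.src, " -> ".join(steps)))
                idx, start = 0, None
        progress[key] = (idx, start)
    return alarms


def apply_policy(alarms, policy=SUPPRESS):
    """Split alarms into (kept, suppressed); suppressed ones carry their ticket reason."""
    kept, suppressed = [], []
    for alarm in alarms:
        reason = policy.get((alarm[2], alarm[3]))
        if reason:
            suppressed.append((alarm, reason))
        else:
            kept.append(alarm)
    return kept, suppressed


def run(events=EVENTS):
    """Run all three rules, order alarms by time, then apply the suppression policy."""
    alarms = (single_event_rule(events)
              + threshold_rule(events, "ssh_auth_failure", 5, timedelta(seconds=60))
              + sequence_rule(events, ["ssh_auth_failure", "ssh_auth_success",
                                       "new_outbound_connection"], timedelta(minutes=5)))
    return apply_policy(sorted(alarms))


if __name__ == "__main__":
    kept, suppressed = run()
    for ts, kind, src, detail in kept:
        print(f"{ts:%H:%M:%S} ALARM {kind:<16} {src:<10} {detail}")
    for (ts, kind, src, detail), reason in suppressed:
        print(f"{ts:%H:%M:%S} suppressed {kind} from {src}: {reason}")
```

Two design points matter for tuning. The threshold rule clears its window after firing so a noisy source produces one alarm per burst rather than one per event, which is the difference between 1 alarm and 400. The suppression policy is keyed on (source, evidence) and carries the ticket that justified it, so the slide's "if it's not in a ticket, it didn't happen" is enforced: an alarm can only be tuned out by pointing at documentation.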
  6. Process of an Investigation
     • Gather information
     • Follow the trail
     • Look for clues
     • Determine severity
  7. Am I Finished?
     Do you know what to do? What does the IRP (incident response plan) say?
     Hint: no, you aren't.
  8. Document it!
     If it's not in a ticket, it didn't happen!
  9. Why is Documentation Important?
     • Avoid repetition
     • Avoid repetition (yes, we repeated this)
     • Share information
     • Liability
     • Find patterns
     • Find anomalies or outliers
     • Find misconfigurations or unapproved changes
  10. Demo Time
     Show me the packets!
  11. USM Platform: Integrated, Essential Security Controls
     ASSET DISCOVERY
     • Active network scanning
     • Passive network scanning
     • Asset inventory
     VULNERABILITY ASSESSMENT
     • Continuous vulnerability monitoring
     • Authenticated / unauthenticated active scanning
     BEHAVIORAL MONITORING
     • Log collection
     • NetFlow analysis
     • Service availability monitoring
     SECURITY INTELLIGENCE / SIEM
     • SIEM event correlation
     • Incident response
     THREAT DETECTION
     • Network IDS
     • Host IDS
     • File integrity monitoring
  12. Unified Security Management Platform
     A single platform for simplified, accelerated threat detection, incident response and policy compliance.
     AlienVault Labs Threat Intelligence: correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface.
     Open Threat Exchange: the world's largest repository of crowd-sourced threat data, providing a continuous view of real-time threats that may have penetrated the company's defenses.
  13. Demo Time
     Show me the packets!
  14. Recap
     • It's important to know what the alarm is.
     • Use search filters to help you prioritize investigations.
     • Use policy to filter alarms you don't need to re-investigate.
     • Even though it's familiar, you still need to investigate.
     • Have a plan for what you could find (IRP).
     • Write stuff down.
  15. Questions?
     Contact us: HELLO@ALIENVAULT.COM | 888.613.6023 | ALIENVAULT.COM | Twitter: @alienvault
     Test drive AlienVault USM: download a free 30-day trial, check out the 15-day trial of USM for AWS, or try the interactive demo site.