SlideShare a Scribd company logo

OODA Loop Incident Response with AlienVault USM

J
Jermund Ottermo

The document discusses tools and strategies for effective incident response using the OODA (Observe, Orient, Decide, Act) loop model. It summarizes how the AlienVault security platform helps with each stage of the OODA loop: - Observe: It provides unified security monitoring and threat intelligence to detect incidents from all angles. - Orient: It helps determine the scope and impact of attacks using threat intelligence and establishes a timeline of events. - Decide: It provides guidance on immediate response steps and helps prioritize response by reviewing asset details. - Act: It is not discussed in the summary.

Software
1 of 17
Download to read offline
When it comes to data breaches, most agree that it’s not a matter of if, but when. In CyberEdge Group’s 2017 Cyberthreat Defense Report, an astounding 79% of surveyed organizations admitted being victims of cyber attacks, up from 76 percent in 2016 and 70 percent in 2015.1 Given that intrusions are inevitable, it’s important to have the right tools in place to spot an event quickly and to minimize its impact on your organization with an effective response plan. We believe the best way to approach Incident Response is to deploy the OODA Loop method, developed by US Air Force military strategist John Boyd. The OODA Loop focuses on the key essential tactics for responding to any crisis: Observe, Orient, Decide, and Act. In this paper, you’ll read about a few specific use cases where AlienVault technologies and services help you Observe, Orient, Decide, and Act for effective incident response. When observing for potential risks and impending threats, there are three essential success factors that should guide your activity as an incident responder. −− Observe from all angles. −− Apply prioritization based on the latest threat intelligence. −− Continuously fine-tune security monitoring tools. W H I T E P A P E R The AlienVault® Incident Response Toolkit: Putting the OODA Loop to Work in the Real World 1 http://cyber-edge.com/2016-cdr/
W H I T E P A P E R 2 Observe from all angles with AlienVault’s Unified Security Managementtm (USMtm ) For your incident response plan to be effective, you need to consider your organization’s security from a holistic perspective. For example, it’s impossible to detect threats effectively if your security plan doesn’t account for the entirety of your organization’s critical infrastructure. Similarly, a plan that doesn’t include threat intelligence updates leaves your organization vulnerable to emerging threats. AlienVault USM provides the 360-degree security visibility that you need for full situational awareness across your cloud, hybrid cloud, and on-premises environments. USM’s unified approach combines the essential capabilities your organization needs into a single solution, including asset discovery, vulnerability scanning, intrusion detection, behavioral monitoring, SIEM, log management, and threat intelligence. Prioritize Effectively with Threat Intelligence from the AlienVault Labs Security Research Team Threat detection starts with an awareness of the constantly-evolving threat landscape, which is a challenge for any organization without its own dedicated research team. With USM, the latest threat intelligence is built into the platform itself through continuous updates from the AlienVault Labs Security Research Team in the form of correlation rules, vulnerability signatures, and response templates. As a result, your security plan is always up-to-date to detect emerging threats. To help you effectively prioritize each security event, USM automatically classifies each event that occurs within your environments according to the AlienVault Cyber Kill Chain- an interactive representation of the sequence of steps that any attacker needs to take to compromise a system and steal data. It enables you to focus your attention on the most important threats by breaking attacks out into five threat categories, from highest to lowest. This shows you attack intent and threat severity, and provides you with the detailed contextual threat information you need to help you understand how they’re interacting with your network.
W H I T E P A P E R 3 The AlienVault Cyber Kill Chain is modeled after the Lockheed Martin Cyber Kill Chain taxonomy2, which we have simplified from seven steps to a five-step process based upon the Security Research Team’s research into emerging attacker tools, techniques, and tactics. When your goal is to hunt down attacks quickly, minimize damage, and rapidly recover, quick prioritization is the key to your success. By automating event analysis and classification with the AlienVault Cyber Kill Chain, USM arms your security team with automated prioritization for effective incident response. Continuously update security monitoring tools. Malicious actors are constantly coming up with new threats. To keep up with them, your security plan needs to evolve as well. Between researching new threats, applying that information to threat detection efforts, prioritizing intrusions, and figuring out how to respond, most organizations are ill- equipped to stay up-to-date on their own. To address that challenge, the AlienVault Labs Security Research Team delivers continuous threat intelligence updates to the USM platform itself so that your team is always equipped to detect, prioritize, and respond to the latest threats affecting your critical infrastructure. Here’s an example of what it looks like to address a new threat within AlienVault USM. What happened? A new SSL vulnerability has been announced publically. What do you do? First, ensure that your USM environment is up-to-date with the most recent threat intelligence from the AlienVault Labs Security Research Team. Next, schedule an automated vulnerability scan. You can analyze the scan results to detect the presence of the SSL vulnerability and view guidance on how to respond. 2 http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
W H I T E P A P E R 4 Observe: Summary Key Takeaway #1: Observe from all angles. How does AlienVault help? AlienVault USM unifies the following distinct layers of security monitoring telemetry to provide a full 360-degree view of your assets: ›› Emerging threat detection – The AlienVault Security Research Team combines proprietary research with insights from AlienVault Open Threat Exchange® (OTX®)3 to craft actionable threat intelligence updates for the USM platform, continuously updating your security capabilities to help you detect and respond to new threats. ›› Behavioral monitoring – Correlation rules enable you to spot suspicious activity and act quickly when potential threats are identified. ›› Vulnerability assessment – Vulnerability scans and continuous vulnerability monitoring help you identify risks and prioritize remediation fast. ›› Event log analysis / SIEM – Unifies and analyzes observational details across your entire infrastructure. This includes your firewalls, servers, routers, domain controllers, cloud workloads, public cloud services, and more to fuel your incident response program. Key Takeaway #2: Apply prioritization with emerging AlienVault Labs Threat Intelligence How does AlienVault help? AlienVault USM maps each security alarm against the AlienVault Cyber Kill Chain so that security analysts understand the intent of the malicious behavior and know which incidents to investigate first. The AlienVault Labs Security Research Team powers this prioritization by monitoring and analyzing the latest attacker techniques, tools, and tactics and by applying this analysis to the USM platform’s rules engine. Key Takeaway #3: Continuously update security monitoring tools How does AlienVault help? USM receives continuous threat intelligence updates from the Security Research Team so that your security plan always takes the latest threats into account. USM also allows you to adjust the alarms you receive to better reflect your organization’s specific observational requirements. 3 OTX is the world’s first truly open threat intelligence community that enables collaborative defense with open access, collaborative research, and ability to export IoCs to almost any security product. OTX enables everyone in the OTX community to actively collaborate, strengthening their own defenses while helping others do the same. To learn more, go to https://otx. alienvault.com
W H I T E P A P E R 5 All the information you’ve collected during the observation phase is essential for detecting a security event that requires your investigation. But information without context is not sufficient for closed-loop incident response. That’s where the Orient phase comes in. Contextual information is essential for orientation. All the data in the world is useless without having the necessary context to understand the significance of that data. For example, a system outage in your data center could either be an innocuous event (unexpected power failure) or something more serious (denial of service attack). Without the necessary context to orient you—for example, an email announcement from your ISP about the outage—you can’t implement an effective response. Your incident response goals during the Orient phase include: −−Determine scope and impact of attack based on the latest threat intelligence. −−Review event in the context of other activity on network to establish a timeline. −−Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making. Determine scope and impact of attack based on the latest threat intelligence. The AlienVault Labs Security Research Team draws on threat data from the global AlienVault Open Threat Exchange (OTX) community as they research, monitor, and analyze the latest attacker tools and tactics. They convert this intelligence into automated actions (e.g. correlated rules, alarms, and response templates) within AlienVault USM so that you can effectively respond. These tools enable you to quickly determine which assets are affected and the severity of the activity or attack.
W H I T E P A P E R 6 Here’s a specific example. In your AlienVault USM environment4, you see an alarm for an exploitation and installation event. In investigating further, you see that this involves an asset that’s running a vulnerable version of Java, and it may not be the only asset that’s vulnerable. With AlienVault USM, you quickly review all events across all your assets to see what other systems have this type of activity and vulnerable configuration. In addition, you’ve automatically created an asset group based on these characteristics5 so that you can remediate all of these vulnerabilities as a group and continue to monitor them to validate these fixes. This “dynamic watch list” gives you context needed for effective closed-loop incident response. Review event in the context of other activity on network to establish a timeline AlienVault USM provides a unified timeline for all events to easily make connections between and among disparate-but-related events. 4 You can experiment with the USM platform on your own within the live demo environment on our website. Simply point your browser to: https://www.alienvault.com/live-demo-site for hands-on AlienVault USM action. 5 This example uses vulnerability or CVE data to automatically create an Asset Group, but you can use any characteristic or variable that exists in the AlienVault taxonomy to create an Asset Group. Examples include: • Asset Value • Network • Software running on assets • Sensor that monitors assets • Device type of asset • Open port or services running on assets • Location of assets
W H I T E P A P E R 7 By viewing all events across a visual timeline, you can easily scan all the security events and activity across your network—without having to consult multiple consoles, apps, or databases. The simplified data visualization approach makes it easy to make quick conclusions about which events require further investigation. In order to provide enough context yet not to overwhelm your team, AlienVault chose to use a simplified design for USM’s event timeline. Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making According to cyber security expert Bruce Schneier6, strong attribution can lead to deterrence. It can also provide the essential context to help detect and prevent future attacks and attackers that may share those same motivations, tools, and techniques. The AlienVault Security Research Team’s use of AlienVault OTX threat data from around the world to inform the threat intelligence updates to AlienVault USM enables our customers to use this intelligence for more reliable incident response. Here’s an example from the trenches. In the AlienVault USM demo environment, we don’t mind a bit of poking and prodding from the ne’er-do-wells in cyber space. In fact, it helps us capture interesting events that we can share with our customers and partners. As you can see in this screenshot, AlienVault USM shows that the source of this brute force authentication attack7 has an IP address associated with a known bad actor. By clicking on the “Yes” above, you can review additional information about this particular attacker. 6 https://www.schneier.com/blog/archives/2015/03/attack 7 Brute force authentication attacks are one of the most commonly used delivery & attack tactics. And since the SSH protocol has a history of vulnerabilities, it’s a common target.
W H I T E P A P E R 8 Additionally, you can search for this particular IP address across all of your events to find any additional activity that may have impacted additional assets. ORIENT: Summary Key takeaway #1: Determine scope and impact of attack using the latest threat intelligence. How does AlienVault help? The AlienVault Labs Security Research Team orients USM customers by identifying the latest threats, resulting in the broadest view of threat vectors, attacker techniques, and effective defenses. The insights the team draws from AlienVault OTX widen the threat context by using crowd-sourced and community-verified threat intelligence on the latest attacks. Through continuous threat intelligence updates in the form of correlation rules, vulnerability signatures, and remediation templates, the Security Research Team helps you convert intelligence into action within USM.
W H I T E P A P E R 9 Key takeway #2: Review event in the context of other activity on network to establish a timeline. How does AlienVault help? AlienVault USM provides a unified view of all events to easily make connections between and among disparate-but-related events. The simplified design and user- friendly dashboard makes it easy to see events within a contextual timeline to assist in effective decision-making. Key takeaway #3: Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making. How does AlienVault help? Working with other cyber security industry leaders like Kaspersky on projects like Operation Blockbuster8, the AlienVault Labs Security Research Team works tirelessly to uncover and analyze details on attack campaigns for reliable attribution. Community- driven resources, like AlienVault OTX and OTX pulses (collections of IoCs generated by the OTX community) enable defenders to describe and submit any type of online threat including malware, fraud campaigns, and even state-sponsored hacking. These discoveries are tightly integrated into AlienVault USM in the form of correlated directives for automated event analysis and more informed incident response. The first two stages in the OODA loop—Observe and Orient—are all about security monitoring essentials. Gathering as much data as possible and then placing it in the context of local and global risk so that you can make the best decision possible. 8 For more information on Operation BlockBuster, take a look at AlienVault Labs Security Research Team’s Jaime Blasco’s blog article: Operation BlockBuster unveils the actors behind the Sony attacks. .
W H I T E P A P E R 10 These first two phases benefit from using automated tools for data collection and analysis, but deciding what to do based on this intelligence unfortunately can’t be outsourced to non-humans. At least not yet. That said, the AlienVault Labs Security Research Team, AlienVault USM, and the AlienVault OTX community provide as much guidance as possible for the best possible decisions and outcome. The key incident response goals for the Decide phase include the following: −−Determine the immediate next steps in responding to the incident. −−Review asset details and prioritize your response. −−Document all remediation tactics planned for the affected assets. Determine the immediate next steps in responding to the incident. One of the biggest decisions that incident responders have is how to navigate the balancing act between the need to preserve evidence vs. the need to recover quickly. This decision is best handled well in advance of your first incident. In fact, the standard operating procedure about handling incidents should come directly from senior management and the board of directors, with guidance from your legal team. Whether or not to preserve evidence vs. simply recover is not an easy decision to make, but one that you’ll need to work out as soon as possible. And please note, which way to go will often vary based on the industry you’re in, the governing local law and state laws, the type of data in question, the method in which it was obtained, and whether this was an inside job vs. an outside one. As you can see, this is not a decision to take lightly, and we urge you to ask for guidance on this question. In the meantime, AlienVault is here to make your life easier, especially when it comes to the security events we’re analyzing and detecting throughout your critical infrastructure. For each alarm within AlienVault USM, incident responders are provided specific guidance in how to interpret each threat and how to respond.
W H I T E P A P E R 11 Review asset details and prioritize your response When you’re an incident responder, the more you know about the assets on your network, the better you’ll be at investigating incidents that involve them. This is true especially of the servers in your environments. It’s often not clear how an asset is configured or what software is installed, despite checking a variety of management tools, spreadsheets, and other docs. With AlienVault USM, you can view details about each asset within the platform, as well as rich data on the vulnerabilities that exist, the software and services installed, and any active threats being executed against them.
W H I T E P A P E R 12 Document all remediation tactics planned for the affected assets. Once you’ve confirmed the impact and scope of the incident, you’ll need to remediate as quickly as possible to contain the damage and recover. It’s a good idea to document these remediation steps with information on the specific assets as well as what was done, by whom, and when. An audit trail like this is very helpful, especially since at this point you don’t know what kind of questions you’ll get from your boss or his/her boss in the future. from your boss or his/her boss in the future. Because USM provides response templates to help IT professionals address each incident, it’s easy to take action right away and keep track of steps you’ve taken, rather than getting sidetracked with research to figure out what to do next. Determine which alarms to respond to according to your organization’s policies. Sometimes the unique needs of your organization require customized alarms. Based on your organization’s specific needs, you can fine-tune controls within USM to increase or limit the alarms you receive. For example, you can: ›› Create an alarm for all events with a certain destination IP ›› Suppress alerts about the use of Dropbox on employees’ PCs because your organization has approved the application for business use
W H I T E P A P E R 13 DECIDE: Summary Key takeaway #1: Determine the immediate next steps in responding to the incident How does AlienVault help? AlienVault USM integrates emerging threat intelligence with operational guidance written by AlienVault Labs security researchers that are customized for each alarm, so you can make better decisions in the heat of the moment. Key takeaway #2: Review asset details and prioritize your response How does AlienVault help? AlienVault USM’s rich asset inventory capability allows IT admins to view details about each asset to guide responders about what to do in case of an incident. Key takeaway #3: Document all remediation tactics planned for the affected assets How does AlienVault help? AlienVault USM provides actionable response templates for alarms within the platform, enabling IT admins to focus on implementing their remediation efforts rather than hunting down answers. Key takeaway #4: Determine which alarms to respond to according to your organization’s policies How does AlienVault help? AlienVault USM allows you to adjust the alarms you receive within the platform based on your organization’s specific needs.
W H I T E P A P E R 14 By now, we’ve walked you through each of the first three phases of an effective incident response plan. We’ve shown how AlienVault USM, the AlienVault Labs Security Research Team, and the AlienVault OTX community provide the foundation you need to OBSERVE, ORIENT, and DECIDE how to respond to incidents. Now it’s time to ACT. But first… In the previous section, we talked about the need to decide whether your IR team should focus on preserving evidence (in order to prosecute a data breach) vs. recovering quickly (and potentially lose transient forensic artifacts). This decision is far beyond the scope of this paper, and it’s an important one. In the meantime, if you’re interested in preserving data for further investigation, SIFT (SANS Investigative Forensics Toolkit) is a collection of various open source tools that can assist you in performing forensics analysis tasks.9 For the purposes of this paper, we focus on recovery and remediation as well as the specific ways that AlienVault helps you achieve these essential incident response goals within the Act phase:: −− Quickly implement remediation on all affected assets and verify that remediation has been implemented properly. −− Review and update security awareness training programs or security policies as appropriate. −− Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident. 9 An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Incident Forensic Toolkit (SIFT) Workstation for incident response and digital forensics use and made it available to the whole community as a public service. Check it out at: http://digital-forensics.sans.org/community/downloads#overview
W H I T E P A P E R 15 It’s difficult to cover all the possible remediation activities that you may need to implement, since it will largely depend on the specific threat, impact, targeted assets, and scope. That said, chances are that this will likely include activities such as: ›› Patching systems (OS, applications, firmware, etc.) ›› Removing unnecessary or unauthorized software ›› Reconfiguring system files (e.g. removing DLLs, registry settings, etc.) ›› Applying new ACLs on routers or adding firewall rules ›› Enabling or installing personal firewall rules ›› Revoking access privileges ›› Resetting passwords ›› Terminating unused or unnecessary accounts ›› … and more AlienVault USM helps you to verify that remediation has been implemented properly in a variety of ways. First, our vulnerability assessment can be used to scan remediated hosts immediately after they’ve been patched to verify fixes have worked and haven’t introduced additional risks. Additionally, the asset inventory capability captures and collects all asset data including installed software and services. These two capabilities combined help you confirm—at a glance—if a patch has been applied or a personal firewall installed or enabled. . Review and update security awareness training programs or security policies as appropriate. Every security incident investigation provides you with the opportunity to assess how well your security program is working (in terms of security awareness, policies, procedures, and technology effectiveness). Users are to be blamed for every security incident, but the more vigilant your users can be about cyber security, the more likely the risk of incidents will decrease, both in terms of frequency and overall impact. A good first step is to investigate user activity to gain an understanding of how users at your organization typically behave. AlienVault USM provides visibility into user activity on the assets in your environment so that you can verify that security policies are being followed and any violations are documented and investigated. See the screenshot below for an example of how USM can help.
W H I T E P A P E R 16 Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident. Once you’ve completed and verified all necessary remediation steps (and this goes for patching systems as well as tweaking security policies), it’s now time to do a critical analysis of the entire incident for essential lessons learned. Ask yourself and your team: ›› What went well? ›› What did we miss? ›› What could we have done better? During this analysis, you may discover the need to increase monitoring on certain assets or asset groups. With AlienVault USM, you can enable host-based IDS on specific on-premises assets and asset groups to monitor system performance as well as changes to critical system files. Additionally, you may decide to do weekly vs. monthly vulnerability scans. AlienVault USM allows you to schedule vulnerability scans at any frequency, and offers a lot of options for how to execute these scans.
W H I T E P A P E R © 2017 AlienVault. All rights reserved. AlienVault, Open Threat Exchange, OTX, Unified Security Management, USM, AlienApp, AlienApps, USM Appliance, and USM Anywhere are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their respective owners. ACT: Summary Key takeaway #1: Quickly implement remediation on all affected assets and verify that remediation has been done properly. How does AlienVault help? AlienVault USM’s integrated vulnerability assessment checks for software weaknesses or misconfigurations that could expose systems to increased risk. AlienVault USM’s asset inventory capability gives you granular data about your assets, so you can verify that the necessary patches have been installed or that specific services have been disabled. Key takeaway #2: Review and update security awareness training programs or security policies as appropriate. How does AlienVault help? AlienVault USM provides a big-picture overview of your security posture, making it easy for you to see the results of your security awareness and policy compliance training over time. Key takeaway #3: Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident. How does AlienVault help? The AlienVault USM platform makes it easy to fine-tune security monitoring capabilities based specifically on what you glean from a post-mortem analysis Summary AlienVault USM, the AlienVault Labs Security Research Team, and AlienVault OTX provide the foundation you need for effective incident response. From Observing and Orienting to Deciding and Acting, AlienVault is your partner in detecting and responding to the latest threats against your on- premises and cloud environments. Thanks to our all-in-one approach to security monitoring, you and your fellow incident responders will have more time to spend on active threat hunting and less time on managing individual point products. Learn more about the AlienVault Unified Security Management (USM) Platform See the 90-second personalized demo explore the online demo environment start detecting threats with a free trial of alienvault usm

Recommended

A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Symantec
 
SentinelOne Buyers Guide
SentinelOne Buyers GuideSentinelOne Buyers Guide
SentinelOne Buyers GuideExclusive Networks ME
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneSean Roth
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsPivotPointSecurity
 
what is security
what is securitywhat is security
what is securityDedi Dwianto
 
ARES Next-Gen Risk Management Platform
ARES Next-Gen Risk Management PlatformARES Next-Gen Risk Management Platform
ARES Next-Gen Risk Management PlatformTieu Luu
 

Recommended

A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Symantec
 
SentinelOne Buyers Guide
SentinelOne Buyers GuideSentinelOne Buyers Guide
SentinelOne Buyers GuideExclusive Networks ME
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneSean Roth
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsPivotPointSecurity
 
what is security
what is securitywhat is security
what is securityDedi Dwianto
 
ARES Next-Gen Risk Management Platform
ARES Next-Gen Risk Management PlatformARES Next-Gen Risk Management Platform
ARES Next-Gen Risk Management PlatformTieu Luu
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2Andrey Apuhtin
 
sophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfsophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfDennis Reyes
 
Layered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsLayered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsMichael Kaishar, MSIA | CISSP
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesEC-Council
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber SecurityJohn Gilligan
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Software safety in embedded systems & software safety why, what, and how
Software safety in embedded systems & software safety why, what, and how Software safety in embedded systems & software safety why, what, and how
Software safety in embedded systems & software safety why, what, and how bdemchak
 
brochure 2016-September (1)
brochure 2016-September (1)brochure 2016-September (1)
brochure 2016-September (1)Dan Kunkel
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoEMC
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemCSCJournals
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Asep Syihabuddin
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Ricardo Resnik
 

More Related Content

What's hot

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2Andrey Apuhtin
 
sophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfsophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfDennis Reyes
 
Layered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsLayered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsMichael Kaishar, MSIA | CISSP
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesEC-Council
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber SecurityJohn Gilligan
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Software safety in embedded systems & software safety why, what, and how
Software safety in embedded systems & software safety why, what, and how Software safety in embedded systems & software safety why, what, and how
Software safety in embedded systems & software safety why, what, and how bdemchak
 
brochure 2016-September (1)
brochure 2016-September (1)brochure 2016-September (1)
brochure 2016-September (1)Dan Kunkel
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoEMC
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemCSCJournals
 

What's hot (19)

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2Aoa report trap_x_medjack.2
Aoa report trap_x_medjack.2
 
sophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfsophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdf
 
Layered Approach - Information Security Recommendations
Layered Approach - Information Security RecommendationsLayered Approach - Information Security Recommendations
Layered Approach - Information Security Recommendations
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber Security
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Software safety in embedded systems & software safety why, what, and how
Software safety in embedded systems & software safety why, what, and how Software safety in embedded systems & software safety why, what, and how
Software safety in embedded systems & software safety why, what, and how
 
brochure 2016-September (1)
brochure 2016-September (1)brochure 2016-September (1)
brochure 2016-September (1)
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert System
 

Similar to OODA Loop Incident Response with AlienVault USM

Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Asep Syihabuddin
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Ricardo Resnik
 
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)Vijilan IT Security solutions
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault
 
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...infosecTrain
 
Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecCheapSSLsecurity
 
OpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakOpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakMarc St-Pierre
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docx
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docxOutsmarting the Attackers A Deep Dive into Threat Intelligence.docx
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docxmanas23pgdm157
 
Threat Detection and Response Solutions
Threat Detection and Response SolutionsThreat Detection and Response Solutions
Threat Detection and Response SolutionsThe TNS Group
 
The Ultimate Security Operations Center Career Guide
The Ultimate Security Operations Center Career GuideThe Ultimate Security Operations Center Career Guide
The Ultimate Security Operations Center Career Guidepriyanshamadhwal2
 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdfBest SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdfinfosec train
 
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!Infosec train
 
Unlock Your Ultimate SOC Career Guide - Infosectrain
Unlock Your Ultimate SOC Career Guide - InfosectrainUnlock Your Ultimate SOC Career Guide - Infosectrain
Unlock Your Ultimate SOC Career Guide - InfosectraininfosecTrain
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdfUnlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdfInfosecTrain Education
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...infosecTrain
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 

Similar to OODA Loop Incident Response with AlienVault USM (20)

Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.
 
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
 
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
 
Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - Symantec
 
OpenText Cyber Resilience Fastrak
OpenText Cyber Resilience FastrakOpenText Cyber Resilience Fastrak
OpenText Cyber Resilience Fastrak
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docx
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docxOutsmarting the Attackers A Deep Dive into Threat Intelligence.docx
Outsmarting the Attackers A Deep Dive into Threat Intelligence.docx
 
Threat Detection and Response Solutions
Threat Detection and Response SolutionsThreat Detection and Response Solutions
Threat Detection and Response Solutions
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
The Ultimate Security Operations Center Career Guide
The Ultimate Security Operations Center Career GuideThe Ultimate Security Operations Center Career Guide
The Ultimate Security Operations Center Career Guide
 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdfBest SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdf
 
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
 
Unlock Your Ultimate SOC Career Guide - Infosectrain
Unlock Your Ultimate SOC Career Guide - InfosectrainUnlock Your Ultimate SOC Career Guide - Infosectrain
Unlock Your Ultimate SOC Career Guide - Infosectrain
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdfUnlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 

More from Jermund Ottermo

Adaptive Defense 360 - Er bedriften din klar for GDPR?
Adaptive Defense 360 - Er bedriften din klar for GDPR?Adaptive Defense 360 - Er bedriften din klar for GDPR?
Adaptive Defense 360 - Er bedriften din klar for GDPR?Jermund Ottermo
 
IKT-Hendelse Varsling NSM
IKT-Hendelse Varsling NSMIKT-Hendelse Varsling NSM
IKT-Hendelse Varsling NSMJermund Ottermo
 
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017Jermund Ottermo
 
Cybercrime Rapporten PwC 2017
Cybercrime Rapporten PwC 2017 Cybercrime Rapporten PwC 2017
Cybercrime Rapporten PwC 2017 Jermund Ottermo
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksJermund Ottermo
 
AV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewAV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewJermund Ottermo
 
Adaptive Defense Platform Services OnePager
Adaptive Defense Platform Services OnePagerAdaptive Defense Platform Services OnePager
Adaptive Defense Platform Services OnePagerJermund Ottermo
 
NorSIS etterspør sikkerhetsdugnad
NorSIS etterspør sikkerhetsdugnadNorSIS etterspør sikkerhetsdugnad
NorSIS etterspør sikkerhetsdugnadJermund Ottermo
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017Jermund Ottermo
 
Kjøp IT-sikkerhet som en proff
Kjøp IT-sikkerhet som en proffKjøp IT-sikkerhet som en proff
Kjøp IT-sikkerhet som en proffJermund Ottermo
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 
Mørketallsundersøkelsen 2016 -- Hva nå?
Mørketallsundersøkelsen 2016 -- Hva nå?Mørketallsundersøkelsen 2016 -- Hva nå?
Mørketallsundersøkelsen 2016 -- Hva nå?Jermund Ottermo
 
PANDA Security | Presentasjon [Norsk]
PANDA Security | Presentasjon [Norsk]PANDA Security | Presentasjon [Norsk]
PANDA Security | Presentasjon [Norsk]Jermund Ottermo
 
PANDA | Cloud Systems Management Presentasjon [Norsk]
PANDA | Cloud Systems Management Presentasjon [Norsk]PANDA | Cloud Systems Management Presentasjon [Norsk]
PANDA | Cloud Systems Management Presentasjon [Norsk]Jermund Ottermo
 

More from Jermund Ottermo (15)

Adaptive Defense 360 - Er bedriften din klar for GDPR?
Adaptive Defense 360 - Er bedriften din klar for GDPR?Adaptive Defense 360 - Er bedriften din klar for GDPR?
Adaptive Defense 360 - Er bedriften din klar for GDPR?
 
IKT-Hendelse Varsling NSM
IKT-Hendelse Varsling NSMIKT-Hendelse Varsling NSM
IKT-Hendelse Varsling NSM
 
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
 
Cybercrime Rapporten PwC 2017
Cybercrime Rapporten PwC 2017 Cybercrime Rapporten PwC 2017
Cybercrime Rapporten PwC 2017
 
NSM 2016 Auka Uvisse
NSM 2016 Auka UvisseNSM 2016 Auka Uvisse
NSM 2016 Auka Uvisse
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
 
AV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewAV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software review
 
Adaptive Defense Platform Services OnePager
Adaptive Defense Platform Services OnePagerAdaptive Defense Platform Services OnePager
Adaptive Defense Platform Services OnePager
 
NorSIS etterspør sikkerhetsdugnad
NorSIS etterspør sikkerhetsdugnadNorSIS etterspør sikkerhetsdugnad
NorSIS etterspør sikkerhetsdugnad
 
MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017MLabs - Cyber Crime Tactics and Techniques Q2 2017
MLabs - Cyber Crime Tactics and Techniques Q2 2017
 
Kjøp IT-sikkerhet som en proff
Kjøp IT-sikkerhet som en proffKjøp IT-sikkerhet som en proff
Kjøp IT-sikkerhet som en proff
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in Retrospect
 
Mørketallsundersøkelsen 2016 -- Hva nå?
Mørketallsundersøkelsen 2016 -- Hva nå?Mørketallsundersøkelsen 2016 -- Hva nå?
Mørketallsundersøkelsen 2016 -- Hva nå?
 
PANDA Security | Presentasjon [Norsk]
PANDA Security | Presentasjon [Norsk]PANDA Security | Presentasjon [Norsk]
PANDA Security | Presentasjon [Norsk]
 
PANDA | Cloud Systems Management Presentasjon [Norsk]
PANDA | Cloud Systems Management Presentasjon [Norsk]PANDA | Cloud Systems Management Presentasjon [Norsk]
PANDA | Cloud Systems Management Presentasjon [Norsk]
 

Recently uploaded

Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Recently uploaded (20)

Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

OODA Loop Incident Response with AlienVault USM

  • 1. When it comes to data breaches, most agree that it’s not a matter of if, but when. In CyberEdge Group’s 2017 Cyberthreat Defense Report, an astounding 79% of surveyed organizations admitted being victims of cyber attacks, up from 76 percent in 2016 and 70 percent in 2015.1 Given that intrusions are inevitable, it’s important to have the right tools in place to spot an event quickly and to minimize its impact on your organization with an effective response plan. We believe the best way to approach Incident Response is to deploy the OODA Loop method, developed by US Air Force military strategist John Boyd. The OODA Loop focuses on the key essential tactics for responding to any crisis: Observe, Orient, Decide, and Act. In this paper, you’ll read about a few specific use cases where AlienVault technologies and services help you Observe, Orient, Decide, and Act for effective incident response. When observing for potential risks and impending threats, there are three essential success factors that should guide your activity as an incident responder. −− Observe from all angles. −− Apply prioritization based on the latest threat intelligence. −− Continuously fine-tune security monitoring tools. W H I T E P A P E R The AlienVault® Incident Response Toolkit: Putting the OODA Loop to Work in the Real World 1 http://cyber-edge.com/2016-cdr/
  • 2. W H I T E P A P E R 2 Observe from all angles with AlienVault’s Unified Security Managementtm (USMtm ) For your incident response plan to be effective, you need to consider your organization’s security from a holistic perspective. For example, it’s impossible to detect threats effectively if your security plan doesn’t account for the entirety of your organization’s critical infrastructure. Similarly, a plan that doesn’t include threat intelligence updates leaves your organization vulnerable to emerging threats. AlienVault USM provides the 360-degree security visibility that you need for full situational awareness across your cloud, hybrid cloud, and on-premises environments. USM’s unified approach combines the essential capabilities your organization needs into a single solution, including asset discovery, vulnerability scanning, intrusion detection, behavioral monitoring, SIEM, log management, and threat intelligence. Prioritize Effectively with Threat Intelligence from the AlienVault Labs Security Research Team Threat detection starts with an awareness of the constantly-evolving threat landscape, which is a challenge for any organization without its own dedicated research team. With USM, the latest threat intelligence is built into the platform itself through continuous updates from the AlienVault Labs Security Research Team in the form of correlation rules, vulnerability signatures, and response templates. As a result, your security plan is always up-to-date to detect emerging threats. To help you effectively prioritize each security event, USM automatically classifies each event that occurs within your environments according to the AlienVault Cyber Kill Chain- an interactive representation of the sequence of steps that any attacker needs to take to compromise a system and steal data. It enables you to focus your attention on the most important threats by breaking attacks out into five threat categories, from highest to lowest. This shows you attack intent and threat severity, and provides you with the detailed contextual threat information you need to help you understand how they’re interacting with your network.
  • 3. W H I T E P A P E R 3 The AlienVault Cyber Kill Chain is modeled after the Lockheed Martin Cyber Kill Chain taxonomy2, which we have simplified from seven steps to a five-step process based upon the Security Research Team’s research into emerging attacker tools, techniques, and tactics. When your goal is to hunt down attacks quickly, minimize damage, and rapidly recover, quick prioritization is the key to your success. By automating event analysis and classification with the AlienVault Cyber Kill Chain, USM arms your security team with automated prioritization for effective incident response. Continuously update security monitoring tools. Malicious actors are constantly coming up with new threats. To keep up with them, your security plan needs to evolve as well. Between researching new threats, applying that information to threat detection efforts, prioritizing intrusions, and figuring out how to respond, most organizations are ill- equipped to stay up-to-date on their own. To address that challenge, the AlienVault Labs Security Research Team delivers continuous threat intelligence updates to the USM platform itself so that your team is always equipped to detect, prioritize, and respond to the latest threats affecting your critical infrastructure. Here’s an example of what it looks like to address a new threat within AlienVault USM. What happened? A new SSL vulnerability has been announced publically. What do you do? First, ensure that your USM environment is up-to-date with the most recent threat intelligence from the AlienVault Labs Security Research Team. Next, schedule an automated vulnerability scan. You can analyze the scan results to detect the presence of the SSL vulnerability and view guidance on how to respond. 2 http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
  • 4. W H I T E P A P E R 4 Observe: Summary Key Takeaway #1: Observe from all angles. How does AlienVault help? AlienVault USM unifies the following distinct layers of security monitoring telemetry to provide a full 360-degree view of your assets: ›› Emerging threat detection – The AlienVault Security Research Team combines proprietary research with insights from AlienVault Open Threat Exchange® (OTX®)3 to craft actionable threat intelligence updates for the USM platform, continuously updating your security capabilities to help you detect and respond to new threats. ›› Behavioral monitoring – Correlation rules enable you to spot suspicious activity and act quickly when potential threats are identified. ›› Vulnerability assessment – Vulnerability scans and continuous vulnerability monitoring help you identify risks and prioritize remediation fast. ›› Event log analysis / SIEM – Unifies and analyzes observational details across your entire infrastructure. This includes your firewalls, servers, routers, domain controllers, cloud workloads, public cloud services, and more to fuel your incident response program. Key Takeaway #2: Apply prioritization with emerging AlienVault Labs Threat Intelligence How does AlienVault help? AlienVault USM maps each security alarm against the AlienVault Cyber Kill Chain so that security analysts understand the intent of the malicious behavior and know which incidents to investigate first. The AlienVault Labs Security Research Team powers this prioritization by monitoring and analyzing the latest attacker techniques, tools, and tactics and by applying this analysis to the USM platform’s rules engine. Key Takeaway #3: Continuously update security monitoring tools How does AlienVault help? USM receives continuous threat intelligence updates from the Security Research Team so that your security plan always takes the latest threats into account. USM also allows you to adjust the alarms you receive to better reflect your organization’s specific observational requirements. 3 OTX is the world’s first truly open threat intelligence community that enables collaborative defense with open access, collaborative research, and ability to export IoCs to almost any security product. OTX enables everyone in the OTX community to actively collaborate, strengthening their own defenses while helping others do the same. To learn more, go to https://otx. alienvault.com
  • 5. W H I T E P A P E R 5 All the information you’ve collected during the observation phase is essential for detecting a security event that requires your investigation. But information without context is not sufficient for closed-loop incident response. That’s where the Orient phase comes in. Contextual information is essential for orientation. All the data in the world is useless without having the necessary context to understand the significance of that data. For example, a system outage in your data center could either be an innocuous event (unexpected power failure) or something more serious (denial of service attack). Without the necessary context to orient you—for example, an email announcement from your ISP about the outage—you can’t implement an effective response. Your incident response goals during the Orient phase include: −−Determine scope and impact of attack based on the latest threat intelligence. −−Review event in the context of other activity on network to establish a timeline. −−Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making. Determine scope and impact of attack based on the latest threat intelligence. The AlienVault Labs Security Research Team draws on threat data from the global AlienVault Open Threat Exchange (OTX) community as they research, monitor, and analyze the latest attacker tools and tactics. They convert this intelligence into automated actions (e.g. correlated rules, alarms, and response templates) within AlienVault USM so that you can effectively respond. These tools enable you to quickly determine which assets are affected and the severity of the activity or attack.
  • 6. W H I T E P A P E R 6 Here’s a specific example. In your AlienVault USM environment4, you see an alarm for an exploitation and installation event. In investigating further, you see that this involves an asset that’s running a vulnerable version of Java, and it may not be the only asset that’s vulnerable. With AlienVault USM, you quickly review all events across all your assets to see what other systems have this type of activity and vulnerable configuration. In addition, you’ve automatically created an asset group based on these characteristics5 so that you can remediate all of these vulnerabilities as a group and continue to monitor them to validate these fixes. This “dynamic watch list” gives you context needed for effective closed-loop incident response. Review event in the context of other activity on network to establish a timeline AlienVault USM provides a unified timeline for all events to easily make connections between and among disparate-but-related events. 4 You can experiment with the USM platform on your own within the live demo environment on our website. Simply point your browser to: https://www.alienvault.com/live-demo-site for hands-on AlienVault USM action. 5 This example uses vulnerability or CVE data to automatically create an Asset Group, but you can use any characteristic or variable that exists in the AlienVault taxonomy to create an Asset Group. Examples include: • Asset Value • Network • Software running on assets • Sensor that monitors assets • Device type of asset • Open port or services running on assets • Location of assets
  • 7. W H I T E P A P E R 7 By viewing all events across a visual timeline, you can easily scan all the security events and activity across your network—without having to consult multiple consoles, apps, or databases. The simplified data visualization approach makes it easy to make quick conclusions about which events require further investigation. In order to provide enough context yet not to overwhelm your team, AlienVault chose to use a simplified design for USM’s event timeline. Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making According to cyber security expert Bruce Schneier6, strong attribution can lead to deterrence. It can also provide the essential context to help detect and prevent future attacks and attackers that may share those same motivations, tools, and techniques. The AlienVault Security Research Team’s use of AlienVault OTX threat data from around the world to inform the threat intelligence updates to AlienVault USM enables our customers to use this intelligence for more reliable incident response. Here’s an example from the trenches. In the AlienVault USM demo environment, we don’t mind a bit of poking and prodding from the ne’er-do-wells in cyber space. In fact, it helps us capture interesting events that we can share with our customers and partners. As you can see in this screenshot, AlienVault USM shows that the source of this brute force authentication attack7 has an IP address associated with a known bad actor. By clicking on the “Yes” above, you can review additional information about this particular attacker. 6 https://www.schneier.com/blog/archives/2015/03/attack 7 Brute force authentication attacks are one of the most commonly used delivery & attack tactics. And since the SSH protocol has a history of vulnerabilities, it’s a common target.
  • 8. W H I T E P A P E R 8 Additionally, you can search for this particular IP address across all of your events to find any additional activity that may have impacted additional assets. ORIENT: Summary Key takeaway #1: Determine scope and impact of attack using the latest threat intelligence. How does AlienVault help? The AlienVault Labs Security Research Team orients USM customers by identifying the latest threats, resulting in the broadest view of threat vectors, attacker techniques, and effective defenses. The insights the team draws from AlienVault OTX widen the threat context by using crowd-sourced and community-verified threat intelligence on the latest attacks. Through continuous threat intelligence updates in the form of correlation rules, vulnerability signatures, and remediation templates, the Security Research Team helps you convert intelligence into action within USM.
  • 9. W H I T E P A P E R 9 Key takeway #2: Review event in the context of other activity on network to establish a timeline. How does AlienVault help? AlienVault USM provides a unified view of all events to easily make connections between and among disparate-but-related events. The simplified design and user- friendly dashboard makes it easy to see events within a contextual timeline to assist in effective decision-making. Key takeaway #3: Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making. How does AlienVault help? Working with other cyber security industry leaders like Kaspersky on projects like Operation Blockbuster8, the AlienVault Labs Security Research Team works tirelessly to uncover and analyze details on attack campaigns for reliable attribution. Community- driven resources, like AlienVault OTX and OTX pulses (collections of IoCs generated by the OTX community) enable defenders to describe and submit any type of online threat including malware, fraud campaigns, and even state-sponsored hacking. These discoveries are tightly integrated into AlienVault USM in the form of correlated directives for automated event analysis and more informed incident response. The first two stages in the OODA loop—Observe and Orient—are all about security monitoring essentials. Gathering as much data as possible and then placing it in the context of local and global risk so that you can make the best decision possible. 8 For more information on Operation BlockBuster, take a look at AlienVault Labs Security Research Team’s Jaime Blasco’s blog article: Operation BlockBuster unveils the actors behind the Sony attacks. .
  • 10. W H I T E P A P E R 10 These first two phases benefit from using automated tools for data collection and analysis, but deciding what to do based on this intelligence unfortunately can’t be outsourced to non-humans. At least not yet. That said, the AlienVault Labs Security Research Team, AlienVault USM, and the AlienVault OTX community provide as much guidance as possible for the best possible decisions and outcome. The key incident response goals for the Decide phase include the following: −−Determine the immediate next steps in responding to the incident. −−Review asset details and prioritize your response. −−Document all remediation tactics planned for the affected assets. Determine the immediate next steps in responding to the incident. One of the biggest decisions that incident responders have is how to navigate the balancing act between the need to preserve evidence vs. the need to recover quickly. This decision is best handled well in advance of your first incident. In fact, the standard operating procedure about handling incidents should come directly from senior management and the board of directors, with guidance from your legal team. Whether or not to preserve evidence vs. simply recover is not an easy decision to make, but one that you’ll need to work out as soon as possible. And please note, which way to go will often vary based on the industry you’re in, the governing local law and state laws, the type of data in question, the method in which it was obtained, and whether this was an inside job vs. an outside one. As you can see, this is not a decision to take lightly, and we urge you to ask for guidance on this question. In the meantime, AlienVault is here to make your life easier, especially when it comes to the security events we’re analyzing and detecting throughout your critical infrastructure. For each alarm within AlienVault USM, incident responders are provided specific guidance in how to interpret each threat and how to respond.
  • 11. W H I T E P A P E R 11 Review asset details and prioritize your response When you’re an incident responder, the more you know about the assets on your network, the better you’ll be at investigating incidents that involve them. This is true especially of the servers in your environments. It’s often not clear how an asset is configured or what software is installed, despite checking a variety of management tools, spreadsheets, and other docs. With AlienVault USM, you can view details about each asset within the platform, as well as rich data on the vulnerabilities that exist, the software and services installed, and any active threats being executed against them.
  • 12. W H I T E P A P E R 12 Document all remediation tactics planned for the affected assets. Once you’ve confirmed the impact and scope of the incident, you’ll need to remediate as quickly as possible to contain the damage and recover. It’s a good idea to document these remediation steps with information on the specific assets as well as what was done, by whom, and when. An audit trail like this is very helpful, especially since at this point you don’t know what kind of questions you’ll get from your boss or his/her boss in the future. from your boss or his/her boss in the future. Because USM provides response templates to help IT professionals address each incident, it’s easy to take action right away and keep track of steps you’ve taken, rather than getting sidetracked with research to figure out what to do next. Determine which alarms to respond to according to your organization’s policies. Sometimes the unique needs of your organization require customized alarms. Based on your organization’s specific needs, you can fine-tune controls within USM to increase or limit the alarms you receive. For example, you can: ›› Create an alarm for all events with a certain destination IP ›› Suppress alerts about the use of Dropbox on employees’ PCs because your organization has approved the application for business use
  • 13. W H I T E P A P E R 13 DECIDE: Summary Key takeaway #1: Determine the immediate next steps in responding to the incident How does AlienVault help? AlienVault USM integrates emerging threat intelligence with operational guidance written by AlienVault Labs security researchers that are customized for each alarm, so you can make better decisions in the heat of the moment. Key takeaway #2: Review asset details and prioritize your response How does AlienVault help? AlienVault USM’s rich asset inventory capability allows IT admins to view details about each asset to guide responders about what to do in case of an incident. Key takeaway #3: Document all remediation tactics planned for the affected assets How does AlienVault help? AlienVault USM provides actionable response templates for alarms within the platform, enabling IT admins to focus on implementing their remediation efforts rather than hunting down answers. Key takeaway #4: Determine which alarms to respond to according to your organization’s policies How does AlienVault help? AlienVault USM allows you to adjust the alarms you receive within the platform based on your organization’s specific needs.
  • 14. W H I T E P A P E R 14 By now, we’ve walked you through each of the first three phases of an effective incident response plan. We’ve shown how AlienVault USM, the AlienVault Labs Security Research Team, and the AlienVault OTX community provide the foundation you need to OBSERVE, ORIENT, and DECIDE how to respond to incidents. Now it’s time to ACT. But first… In the previous section, we talked about the need to decide whether your IR team should focus on preserving evidence (in order to prosecute a data breach) vs. recovering quickly (and potentially lose transient forensic artifacts). This decision is far beyond the scope of this paper, and it’s an important one. In the meantime, if you’re interested in preserving data for further investigation, SIFT (SANS Investigative Forensics Toolkit) is a collection of various open source tools that can assist you in performing forensics analysis tasks.9 For the purposes of this paper, we focus on recovery and remediation as well as the specific ways that AlienVault helps you achieve these essential incident response goals within the Act phase:: −− Quickly implement remediation on all affected assets and verify that remediation has been implemented properly. −− Review and update security awareness training programs or security policies as appropriate. −− Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident. 9 An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Incident Forensic Toolkit (SIFT) Workstation for incident response and digital forensics use and made it available to the whole community as a public service. Check it out at: http://digital-forensics.sans.org/community/downloads#overview
  • 15. W H I T E P A P E R 15 It’s difficult to cover all the possible remediation activities that you may need to implement, since it will largely depend on the specific threat, impact, targeted assets, and scope. That said, chances are that this will likely include activities such as: ›› Patching systems (OS, applications, firmware, etc.) ›› Removing unnecessary or unauthorized software ›› Reconfiguring system files (e.g. removing DLLs, registry settings, etc.) ›› Applying new ACLs on routers or adding firewall rules ›› Enabling or installing personal firewall rules ›› Revoking access privileges ›› Resetting passwords ›› Terminating unused or unnecessary accounts ›› … and more AlienVault USM helps you to verify that remediation has been implemented properly in a variety of ways. First, our vulnerability assessment can be used to scan remediated hosts immediately after they’ve been patched to verify fixes have worked and haven’t introduced additional risks. Additionally, the asset inventory capability captures and collects all asset data including installed software and services. These two capabilities combined help you confirm—at a glance—if a patch has been applied or a personal firewall installed or enabled. . Review and update security awareness training programs or security policies as appropriate. Every security incident investigation provides you with the opportunity to assess how well your security program is working (in terms of security awareness, policies, procedures, and technology effectiveness). Users are to be blamed for every security incident, but the more vigilant your users can be about cyber security, the more likely the risk of incidents will decrease, both in terms of frequency and overall impact. A good first step is to investigate user activity to gain an understanding of how users at your organization typically behave. AlienVault USM provides visibility into user activity on the assets in your environment so that you can verify that security policies are being followed and any violations are documented and investigated. See the screenshot below for an example of how USM can help.
  • 16. W H I T E P A P E R 16 Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident. Once you’ve completed and verified all necessary remediation steps (and this goes for patching systems as well as tweaking security policies), it’s now time to do a critical analysis of the entire incident for essential lessons learned. Ask yourself and your team: ›› What went well? ›› What did we miss? ›› What could we have done better? During this analysis, you may discover the need to increase monitoring on certain assets or asset groups. With AlienVault USM, you can enable host-based IDS on specific on-premises assets and asset groups to monitor system performance as well as changes to critical system files. Additionally, you may decide to do weekly vs. monthly vulnerability scans. AlienVault USM allows you to schedule vulnerability scans at any frequency, and offers a lot of options for how to execute these scans.
  • 17. W H I T E P A P E R © 2017 AlienVault. All rights reserved. AlienVault, Open Threat Exchange, OTX, Unified Security Management, USM, AlienApp, AlienApps, USM Appliance, and USM Anywhere are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their respective owners. ACT: Summary Key takeaway #1: Quickly implement remediation on all affected assets and verify that remediation has been done properly. How does AlienVault help? AlienVault USM’s integrated vulnerability assessment checks for software weaknesses or misconfigurations that could expose systems to increased risk. AlienVault USM’s asset inventory capability gives you granular data about your assets, so you can verify that the necessary patches have been installed or that specific services have been disabled. Key takeaway #2: Review and update security awareness training programs or security policies as appropriate. How does AlienVault help? AlienVault USM provides a big-picture overview of your security posture, making it easy for you to see the results of your security awareness and policy compliance training over time. Key takeaway #3: Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident. How does AlienVault help? The AlienVault USM platform makes it easy to fine-tune security monitoring capabilities based specifically on what you glean from a post-mortem analysis Summary AlienVault USM, the AlienVault Labs Security Research Team, and AlienVault OTX provide the foundation you need for effective incident response. From Observing and Orienting to Deciding and Acting, AlienVault is your partner in detecting and responding to the latest threats against your on- premises and cloud environments. Thanks to our all-in-one approach to security monitoring, you and your fellow incident responders will have more time to spend on active threat hunting and less time on managing individual point products. Learn more about the AlienVault Unified Security Management (USM) Platform See the 90-second personalized demo explore the online demo environment start detecting threats with a free trial of alienvault usm