One Article Review

Home - The article:
Source: AlienVault Blog
Identifier 378520
Publication date 2017-06-26 13:00:00 (viewed: 2017-06-26 13:00:00)
Title Automated Incident Response in Action: 7 Killer Use Cases
Text Picture this: It’s 2AM on Saturday and you’re startled awake by an alert on your phone. Indicators of a new variant of WannaCry ransomware have been detected in your network. But your home network provider is having an outage (again!) and you can’t remote in. You get dressed and race to the office, maybe breezing through a few stop lights on the way, all while new alerts arrive on your phone indicating more systems have been compromised. As you arrive and start investigating the alarms and logs, the attack continues to spread rapidly. Desperate to stop it, you run to the server room and rip all the cables out of the routers and servers. In the stillness of your dead network, you sigh. You head to the break room to brew a pot of coffee and settle in for a long weekend.

Now imagine how vastly different that experience would be with automated incident response capabilities. As soon as the ransomware is detected and an alarm is raised, your system automatically responds by isolating the infected machines, and you hit the snooze button. With the right automated incident response tools, IT security teams can stay in control of their incident response (IR) activities and respond to threats and intrusions swiftly and effectively, with less manual work—no wire-ripping required.

This is Part Two of a three-part blog series that examines how incident response automation and orchestration can make life easier for security teams. The blog series covers the following topics:

Part 1: Incident Response Orchestration: What Is It and How Can It Help?
Part 2: Automated Incident Response in Action: 7 Killer Use Cases
Part 3: Incident Response Automation and Orchestration in USM Anywhere

In Part One, we looked at what incident response orchestration is and how the right automation tools can help security teams respond to intrusions more quickly. While automation can’t replace human security analysts, it can help analysts conserve time for higher priorities and make the incident response process run as swiftly as possible. In this installment, we’ll take a look at examples of incident response automation in action, comparing them to what it would take to handle them manually. As you read through these examples, consider what kinds of automated IR capabilities would have the greatest impact on your own organization’s incident response processes and timelines.

1. One of your users interacts with a malicious IP address. You need to update your firewall to block the IP.

Firewalls help protect you from bad actors by filtering network traffic. Still, they have limits. Most firewalls aren’t connected to your other security tools, and their rules are infrequently updated, meaning they may not be current against the latest threats. Addressing this situation might entail detecting the problem using other security software, prioritizing the event, and manually updating a firewall with a new rule to block the malicious IP. At some organizations, you might even need to open a ticket to have another team or team member take action, further slowing down the response process. With automated incident response, you can automatically update your firewall to block malicious IPs as they are detected. For example, USM Anywhere detects traffic to and from an external IP address that, through its integrated threat intelligence, it knows is malicious. USM Anywhere can then instruct your Palo Alto Networks next-generation firewalls to block or isolate the IP address, using an automatic or manual incident response action.

2. One of your systems has been infected with malware. You need to limit the damage and find out how many systems are vulnerable before it spreads.

Relying on
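The decision logic behind use case 1, as an added example in plain Python that is not code from the AlienVault post or from USM Anywhere: connection events are matched against a threat-intelligence indicator set, and a match either produces a firewall block action automatically or a ticket for analyst approval. The indicator confidences, the auto-block threshold, the never-block list, the sample events and the rule string format are all constructed assumptions; a real deployment would take indicators from the SIEM's intel feed and call the firewall's own API instead of rendering a string.

```python
"""Minimal automated-response playbook for "block a malicious IP".

Added example, not vendor code. Threat intel, events and thresholds
below are constructed for illustration; nothing here contacts a real
firewall or SIEM.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed: indicator -> confidence (0-100).
# Addresses are from the RFC 5737 documentation ranges.
THREAT_INTEL = {
    "203.0.113.45": 95,  # constructed high-confidence "known bad" IP
    "198.51.100.7": 60,  # constructed lower-confidence indicator
    "192.0.2.53": 99,    # constructed noisy-feed entry that is actually our resolver
}

# Networks automation must never block (assumption: internal ranges plus
# the upstream resolver). This guards against a false-positive indicator
# taking the business offline, which is the usual objection to auto-blocking.
NEVER_BLOCK = [
    ip_network("10.0.0.0/8"),
    ip_network("192.168.0.0/16"),
    ip_network("192.0.2.53/32"),
]

# Assumption: below this confidence the playbook asks an analyst instead.
AUTO_BLOCK_THRESHOLD = 80


@dataclass
class Event:
    src: str   # source IP of the observed flow
    dst: str   # destination IP of the observed flow
    host: str  # asset name that generated the event


@dataclass
class Action:
    kind: str    # "block" (automatic), "ticket" (manual approval) or "skip"
    ip: str      # indicator the action concerns ("" for skip)
    reason: str  # human-readable justification for the audit trail
    host: str    # affected asset


def match_indicator(event):
    """Return (ip, confidence) for the first endpoint found in threat intel."""
    for ip in (event.src, event.dst):
        if ip in THREAT_INTEL:
            return ip, THREAT_INTEL[ip]
    return None


def decide(event):
    """Map one event to the response action the playbook would take."""
    hit = match_indicator(event)
    if hit is None:
        return Action("skip", "", "no indicator match", event.host)
    ip, confidence = hit
    if any(ip_address(ip) in net for net in NEVER_BLOCK):
        return Action("ticket", ip, "indicator is on the never-block list; manual review", event.host)
    if confidence >= AUTO_BLOCK_THRESHOLD:
        return Action("block", ip, f"confidence {confidence} >= {AUTO_BLOCK_THRESHOLD}", event.host)
    return Action("ticket", ip, f"confidence {confidence} below threshold; analyst approval needed", event.host)


def run_playbook(events):
    """Return the non-skip actions for a batch of events, emitting at most
    one block per indicator so repeated flows do not create duplicate rules."""
    actions = []
    blocked = set()
    for event in events:
        action = decide(event)
        if action.kind == "skip":
            continue
        if action.kind == "block":
            if action.ip in blocked:
                continue
            blocked.add(action.ip)
        actions.append(action)
    return actions


def to_firewall_rule(action):
    """Render a block action as a vendor-neutral rule string (placeholder
    syntax, not Palo Alto's format); a real integration would call the API."""
    return f"deny ip any host {action.ip}"


# Constructed sample events: two hosts reaching the same bad IP, one inbound
# flow from a low-confidence indicator, one benign flow, one hit on the resolver.
SAMPLE_EVENTS = [
    Event("10.1.2.3", "203.0.113.45", "ws-017"),
    Event("10.1.2.9", "203.0.113.45", "ws-022"),
    Event("198.51.100.7", "10.1.2.3", "ws-017"),
    Event("10.1.2.3", "192.0.2.10", "ws-017"),
    Event("10.1.2.3", "192.0.2.53", "ws-017"),
]

if __name__ == "__main__":
    for action in run_playbook(SAMPLE_EVENTS):
        print(action.kind, action.ip, action.host, "-", action.reason)
        if action.kind == "block":
            print("  rule:", to_firewall_rule(action))
```

The three outcomes (automatic block, ticket for a low-confidence hit, ticket for a never-block address) are the "automatic or manual incident response action" split the post describes; keeping the reason string on every action is what makes the automated decision reviewable after the fact.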
Notes
Sent Yes
Tags
Stories Wannacry


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.