A Compromised Entity is Detected: 3+ Ways to Automatically Contain the Threat

Webinar Registration

Here at UWS we spend a lot of time talking about detecting compromise. But once you do that, "Now what?". It reminds me of the dogs in my old neighborhood that chased the garbage truck each week when it came through. (What can I say? It was South Carolina in the 70s) One day the truck broke down and stopped. They had no idea what to do now that they'd actually caught the truck.

Now I know we all have a better take than those lovable canines on what to do when we actually detect a compromised endpoint or user account, but how fast can we put it into operation? The speed at which attacks progress today makes that an important question.

When Maersk got hit by NotPetya, seconds made all the difference.

In this real training for free event, I will dive into using security automation and orchestration techniques to automatically contain threats as soon as they are detected. We will look at the containment technology options available and compare the risks of allowing machines to make the decision to take a system or account offline as opposed to waiting on a human.

Once you detect a threat, you (or your machine decision maker) need to determine whether it looks like the endpoint, the user account, or both are compromised.

If the endpoint appears to be under the control of the attacker then it needs to be quarantined. Quarantine can take the form of:

  • vlan isolation
  • system takeover by endpoint security agent
  • alternative network isolation techniques

If the threat indicates the associated user account's credentials have been compromised, then it's time to consider:

  • disabling the user account
  • triggering step-up authentication
  • terminating existing sessions

Communication with the user over a channel still accessible to the user is important, as well as providing a way to get the user back into business quickly.

And do you want to take this kind of automated containment for any and all endpoints and user accounts or do some systems and user roles deserve different handling because of how critical they are? We will discuss these tough decisions.
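As an added illustration of the decision logic sketched above (not code from the webinar, UWS or Rapid7), here is a minimal playbook function that maps a detection to the containment actions listed above, falls back to reversible actions plus a human escalation for critical entities or low-confidence detections, and records an out-of-band channel for reaching the user. The confidence threshold, the `critical` flag and the channel name are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Detection:
    entity: str
    endpoint_compromised: bool
    account_compromised: bool
    confidence: float        # detector's confidence, 0.0 to 1.0 (assumed scale)
    critical: bool = False   # tier-0 host or privileged role (assumed flag)


@dataclass
class Decision:
    actions: List[str] = field(default_factory=list)
    escalate_to_human: bool = False
    notify_channel: Optional[str] = None   # channel the user can still reach


def decide_containment(d: Detection, auto_threshold: float = 0.8) -> Decision:
    """Choose containment actions for one detection.

    Critical entities and low-confidence detections get only a cheap,
    reversible step and a human escalation; everything else is contained
    automatically using the endpoint and account options from the abstract.
    """
    out = Decision()
    if d.critical or d.confidence < auto_threshold:
        if d.account_compromised:
            out.actions.append("step_up_auth")   # reversible, low business impact
        out.escalate_to_human = True
        return out
    if d.endpoint_compromised:
        out.actions.append("vlan_isolation")
    if d.account_compromised:
        # Kill live sessions first so the attacker loses access immediately,
        # then disable the account so it cannot be re-used.
        out.actions += ["terminate_sessions", "disable_account"]
    if out.actions:
        # The user's endpoint or account may be gone, so use a channel the
        # attacker does not control (constructed value).
        out.notify_channel = "sms"
    return out
```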

Please join me for this real training for free session, in which we will explore the technology, planning requirements, and policy matters that come into play if you are going to respond to detected threats in real time, while balancing and limiting the business risks of taking entities offline.

Spencer Engleson, security engineer and detection & response specialist from our sponsor Rapid7, spends a lot of time thinking about security automation and orchestration and will briefly show how customers use InsightIDR, their ATT&CK-focused SIEM, to detect and directly respond to phishing, malware, and credential-based attacks today.

Please join us for this real training for free session.
