November 29, 2016
As cyber criminals become more skilled, their constantly evolving attack methods pose a greater threat than ever before. Security experts recognize that breaches are inevitable and that new technologies are needed to investigate and respond to threats as quickly as possible.
SECDO belongs on that list of innovative technologies. With its incident response platform, the company promises to accelerate incident response by automating deep endpoint forensic collection, investigation, and remediation.
These processes are typically done manually by security teams, consuming a lot of time and requiring high-level expertise. SECDO’s argument, which security experts accept, is that once an attack gets past perimeter security, an organization has no visibility into what happened next. To track a full attack chain and perform live forensics, you must have endpoint data available.
Capture Endpoint Activity
With this in mind, SECDO continuously records endpoint forensic activity, which includes file operations, network traffic, memory activity, registry changes, and other security-related actions.
Data is sent in real time to a centralized server, which stores it for as long as needed. Long retention matters because it enables deep investigations at any point, regardless of whether an endpoint is still available or has already been removed from the network.
Another interesting point is that SECDO records thread-level events, unlike the more common practice of recording at the process level. Just like atoms and molecules, threads are the basic building blocks that make up computer processes.
Automated Forensic Investigation
Using the collected endpoint forensic data, SECDO runs automated forensic analysis. Its causality engine analyzes the flow, sequence, and hierarchy of events. By building a visual forensic timeline, it lets you view the chain of events and the root cause of an alert, as well as every process, endpoint, and behavior associated with it.
This automated process can help overburdened teams that spend hours or days investigating an individual alert and typically only succeed in investigating a small fraction of the alert flood from multiple security systems.
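To make the causality idea concrete, here is an added example (not SECDO's code or data format) that walks constructed endpoint telemetry from an alerted process up to the root of its process tree and down to its children, then assembles a timestamp-ordered timeline of every event those processes produced. Event tuples, process names and PIDs are all constructed for illustration.

```python
"""Toy causality chain over constructed endpoint events (not SECDO's format)."""
from collections import defaultdict

# Constructed telemetry: (timestamp, event_id, actor_pid, event_type, detail, parent_pid)
# parent_pid is only meaningful for process_start events; None otherwise.
EVENTS = [
    (1, "e1", 100, "process_start",   "explorer.exe",                     None),
    (2, "e2", 200, "process_start",   "winword.exe",                      100),
    (3, "e3", 200, "file_write",      "C:\\Users\\a\\invoice.docm",       None),
    (4, "e4", 300, "process_start",   "powershell.exe",                   200),
    (5, "e5", 300, "network_connect", "198.51.100.7:443",                 None),
    (6, "e6", 300, "file_write",      "C:\\Users\\a\\AppData\\payload.exe", None),
    (7, "e7", 400, "process_start",   "payload.exe",                      300),
    (8, "e8", 400, "registry_set",    "HKCU\\...\\Run\\payload",          None),
    (9, "e9", 500, "process_start",   "notepad.exe",                      100),  # unrelated
]

def process_tree(events):
    """Map each pid to its parent pid, derived from process_start events."""
    return {pid: ppid for _, _, pid, kind, _, ppid in events if kind == "process_start"}

def ancestors(parent, pid):
    """Walk parent links from pid to the tree root; returns a root-first list."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)            # guard: PID reuse could otherwise form a cycle
        chain.append(pid)
        pid = parent.get(pid)
    return chain[::-1]

def descendants(parent, pid):
    """Every process spawned (directly or indirectly) by pid."""
    children = defaultdict(list)
    for child, ppid in parent.items():
        children[ppid].append(child)
    found, stack = [], [pid]
    while stack:
        for child in children[stack.pop()]:
            found.append(child)
            stack.append(child)
    return found

def forensic_timeline(events, alert_pid):
    """All events belonging to the alerted process, its ancestors and its
    descendants, ordered by timestamp; the first ancestor is the root cause."""
    parent = process_tree(events)
    related = set(ancestors(parent, alert_pid)) | set(descendants(parent, alert_pid))
    return sorted((e for e in events if e[2] in related), key=lambda e: e[0])

if __name__ == "__main__":
    for ts, eid, pid, kind, detail, _ in forensic_timeline(EVENTS, 300):
        print(f"{ts:>2} {eid} pid={pid} {kind:<15} {detail}")
```

Running it with the alert on PID 300 (the PowerShell network connection) yields the chain explorer.exe → winword.exe → powershell.exe → payload.exe and drops the unrelated notepad.exe event.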
Rapid and Surgical Response
Once a threat is detected, SECDO provides a wide set of real-time response tools to contain, remediate, and eradicate threats with minimal end-user impact. You can freeze processes (rather than kill them), leaving the rest of the endpoint intact and allowing the end user to continue working. This is particularly important for business-critical servers.
Endpoints can also be isolated from the network, while leaving them accessible to SECDO for continued investigation and remediation. You can also quarantine and remove threats from the registry, file system, memory, and so on. You’ll even be able to remotely access any endpoint using Python scripts, command line or PowerShell to perform cleanup activities or retrieve files, screenshots and memory dumps.
Photo: Flickr / Blue Coat Photos