incident response live demo slides final
TRANSCRIPT
Agenda
Investigations
• What are they?
• What questions can they answer?
• Is the number 42 always relevant?
Investigation Walk-Throughs
• This won't be all slides… we promise.
Recap
What is an Investigation?
An Investigation is the act of ascertaining facts
A careful examination
Or simply, it answers: "What do I do?"
And there is a result…… sometimes
What Initiates an Investigation?
Someone asks you
• Hey, I think PlayStation Network is down?
You see something unusual
• Ever get that feeling someone is watching you?
• Certain patterns of logs
• New assets
Alarms!
• More..
..but what does it all mean?
What is an Alarm?
An alarm is a pattern of activity that should be investigated
• The logic that creates an alarm is customizable
Inside a SIEM an alarm could be
• A single event
• A series of events (one event followed by another, in order)
• Event quantity (a count of events crossing a threshold in a time window)
• ..and more
Process of an Investigation
Gather information
Follow the trail
Look for clues
Determine severity
Am I Finished?
Do you know what to do?
What does the IRP (Incident Response Plan) say?
Hint: no, you aren't
Document it!
If it's not in a ticket, it didn't happen!
Why is Documentation Important?
Avoid repetition
Avoid repetition (yes, we repeated this)
Share information
Liability
Find patterns
Find anomalies or outliers
Find misconfigurations or unapproved changes
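The following script is an added example, not code from the original slides or from AlienVault USM. It ties the "What is an Alarm?" slide to the investigation process slides above: it implements the three alarm shapes (a single event, a series of events, an event quantity) over constructed sample log events, then for each alarm gathers the related events from the same source, looks for clues, determines a severity and emits a ticket-style record. The event names, thresholds, severity weights and the "next step" mapping standing in for the IRP are all assumptions made for illustration.

```python
"""Miniature SIEM alarm logic plus an investigation pass (added example).

Not code from the slides or from AlienVault USM. Event names, thresholds,
severity weights and NEXT_STEP are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample events (not real logs): (time, source IP, event, detail)
EVENTS = [
    ("2015-06-01T10:00:01", "10.0.0.5", "ssh_login_failed", "user=root"),
    ("2015-06-01T10:00:03", "10.0.0.5", "ssh_login_failed", "user=root"),
    ("2015-06-01T10:00:04", "10.0.0.5", "ssh_login_failed", "user=admin"),
    ("2015-06-01T10:00:06", "10.0.0.5", "ssh_login_failed", "user=admin"),
    ("2015-06-01T10:00:07", "10.0.0.5", "ssh_login_failed", "user=oracle"),
    ("2015-06-01T10:00:09", "10.0.0.5", "ssh_login_ok", "user=oracle"),
    ("2015-06-01T10:00:30", "10.0.0.5", "new_user_created", "user=svc_bak"),
    ("2015-06-01T10:05:00", "10.0.0.9", "ssh_login_failed", "user=bob"),
    ("2015-06-01T10:05:20", "10.0.0.9", "ssh_login_ok", "user=bob"),
    ("2015-06-01T10:07:00", "10.0.0.7", "fim_file_changed", "path=/etc/passwd"),
]

# Alarm definitions (assumed; the slide notes alarm logic is customizable)
SINGLE_EVENT_RULES = {"fim_file_changed": "Monitored file changed"}
SERIES_RULE = ("ssh_login_failed", "ssh_login_ok", 60, "Failed logins followed by success")
QUANTITY_RULE = ("ssh_login_failed", 5, 60, "SSH brute force")
BASE_SEVERITY = {"Monitored file changed": 2, "Failed logins followed by success": 1,
                 "SSH brute force": 1}
CLUE_EVENTS = {"new_user_created", "fim_file_changed"}  # post-compromise indicators
NEXT_STEP = {"high": "escalate per IRP", "medium": "investigate this shift",
             "low": "close with note"}                  # assumed stand-in for the IRP


def _by_source(events, name=None):
    """Group events by source IP (optionally one event type), sorted by time."""
    groups = defaultdict(list)
    for ev in events:
        if name is None or ev[2] == name:
            groups[ev[1]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: ts(e[0]))
    return groups


def _alarm(rule, evidence):
    return {"rule": rule, "source": evidence[-1][1], "time": evidence[-1][0],
            "evidence": list(evidence)}


def single_event_alarms(events):
    """A single event: one matching event is enough to raise the alarm."""
    return [_alarm(SINGLE_EVENT_RULES[ev[2]], [ev]) for ev in events if ev[2] in SINGLE_EVENT_RULES]


def series_alarms(events):
    """A series of events: event A then event B from one source within the window."""
    first, second, window, rule = SERIES_RULE
    alarms = []
    for evs in _by_source(events).values():
        recent = []
        for ev in evs:
            if ev[2] == first:
                recent.append(ev)
            elif ev[2] == second:
                recent = [e for e in recent if ts(ev[0]) - ts(e[0]) <= timedelta(seconds=window)]
                if recent:
                    alarms.append(_alarm(rule, recent + [ev]))
                    recent = []
    return alarms


def quantity_alarms(events):
    """Event quantity: at least `count` events of one kind from a source inside the window."""
    name, count, window, rule = QUANTITY_RULE
    alarms = []
    for evs in _by_source(events, name).values():
        for i in range(len(evs) - count + 1):
            span = evs[i:i + count]
            if ts(span[-1][0]) - ts(span[0][0]) <= timedelta(seconds=window):
                alarms.append(_alarm(rule, span))
                break  # one alarm per source; later repeats belong in the same ticket
    return alarms


def investigate(alarm, events, minutes=5):
    """Gather information, follow the trail, look for clues, determine severity, document."""
    t0 = ts(alarm["time"])
    trail = sorted((e for e in events if e[1] == alarm["source"]
                    and abs(ts(e[0]) - t0) <= timedelta(minutes=minutes)), key=lambda e: ts(e[0]))
    # Clues are post-compromise events in the trail beyond what triggered the alarm
    clues = sorted({e[2] for e in trail if e not in alarm["evidence"]} & CLUE_EVENTS)
    failures = sum(1 for e in trail if e[2] == "ssh_login_failed")
    score = BASE_SEVERITY[alarm["rule"]] + len(clues) + (1 if failures >= QUANTITY_RULE[1] else 0)
    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    return {"rule": alarm["rule"], "source": alarm["source"], "severity": severity,
            "first_seen": trail[0][0], "last_seen": trail[-1][0],
            "evidence": len(alarm["evidence"]), "clues": clues, "next_step": NEXT_STEP[severity]}


def run(events=EVENTS):
    """Raise all alarms, investigate each, and return ticket records, most severe first."""
    alarms = single_event_alarms(events) + series_alarms(events) + quantity_alarms(events)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((investigate(a, events) for a in alarms), key=lambda t: order[t["severity"]])


if __name__ == "__main__":
    for ticket in run():
        print(ticket)
```

Note that both 10.0.0.5 and 10.0.0.9 raise the same "failed logins followed by success" alarm, but the trail differs: 10.0.0.5 has five failures and a new account created moments later, so it scores high, while 10.0.0.9 has a single typo-style failure and scores low. The alarm tells you where to look; the investigation decides the severity, and the returned record is what goes in the ticket.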
Demo Time
Show me the packets!
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE/SIEM
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring
USM Platform
Integrated, Essential Security Controls
Unified Security Management Platform
A single platform for simplified, accelerated threat detection, incident response & policy compliance
AlienVault Labs Threat Intelligence
Correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface
Open Threat Exchange
The world's largest repository of crowd-sourced threat data, providing a continuous view of real-time threats that may have penetrated the company's defenses.
Unified Security Management
Demo Time
Show me the packets!
Recap
It's important to know what the alarm is
Use search filters to help you prioritize investigations
Use policy to filter alarms you don't need to re-investigate
Even though it's familiar, you still need to investigate
Have a plan for what you could find (IRP)
Write stuff down….
888.613.6023
ALIENVAULT.COM
CONTACT US
Now for some Questions..
Questions? [email protected] : @alienvault
Test Drive AlienVault USM: Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site