incident response live demo slides final


Upload: alienvault

Post on 11-Aug-2015


TRANSCRIPT

Page 1: Incident response live demo slides final
Page 2

Agenda

Investigations
• What are they?
• What questions can they answer?
• Is the number 42 always relevant?

Investigation Walk-Throughs
• This won't be all slides… we promise.

Recap

Page 3

What is an Investigation?

An investigation is the act of ascertaining facts
A careful examination
Or simply, it answers: "What do I do?"
And there is a result… sometimes

Page 4

What Initiates an Investigation?

Someone asks you
• Hey, I think PlayStation Network is down?

You see something unusual
• Ever get that feeling someone is watching you?
• Certain patterns of logs
• New assets

Alarms!
• More…

Page 5

..but what does it all mean?

Page 6

What is an Alarm?

An alarm is a pattern of activity that should be investigated
• The logic that creates an alarm is customizable

Inside a SIEM an alarm could be
• A single event (one log line matches a rule)
• A series of events (several events in a given order, correlated on a shared attribute such as source IP)
• Event quantity (a count of one kind of event crosses a threshold within a time window)
• … and more

Page 7

Process of an Investigation

Gather information
Follow the trail
Look for clues
Determine severity

Page 8

Am I Finished?

Do you know what to do?
What does the IRP (Incident Response Plan) say?
Hint: no, you aren't

Page 9

Document it!

If it's not in a ticket, it didn't happen!

Page 10

Why is Documentation Important?

Avoid repetition
Avoid repetition (yes, we repeated this)
Share information
Liability
Find patterns
Find anomalies or outliers
Find misconfigurations or unapproved changes

Page 11

Demo Time

Show me the packets!

Page 12

USM Platform: Integrated, Essential Security Controls

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

SECURITY INTELLIGENCE / SIEM
• SIEM Event Correlation
• Incident Response

THREAT DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring

Page 13

Unified Security Management Platform
A single platform for simplified, accelerated threat detection, incident response & policy compliance

AlienVault Labs Threat Intelligence
Correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface

Open Threat Exchange
The world's largest repository of crowd-sourced threat data, providing a continuous view of real-time threats that may have penetrated the company's defenses.

Unified Security Management

Page 14

Demo Time

Show me the packets!

Page 15

Recap

It's important to know what the alarm is
Use search filters to help you prioritize investigations
Use policy to filter alarms you don't need to re-investigate
Even though it's familiar, you still need to investigate
Have a plan for what you could find (IRP)
Write stuff down…
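The three alarm shapes from the "What is an Alarm?" slide (a single event, a series of events, an event quantity), the "gather information / follow the trail / determine severity" steps from "Process of an Investigation", and the recap's advice to use policy to suppress alarms you have already investigated and to prioritize the rest, worked through together as an added example. This is illustrative code written for this transcript, not AlienVault USM code: the log format, rule names, severities, the policy entry (10.0.0.50 assumed to be the organisation's own vulnerability scanner) and all IP addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp source key=value ..." format.
SAMPLE_LOGS = """\
2015-08-11T09:00:01 sshd src=203.0.113.7 dst=10.0.0.5 event=auth_failure user=root
2015-08-11T09:00:02 sshd src=203.0.113.7 dst=10.0.0.5 event=auth_failure user=root
2015-08-11T09:00:03 sshd src=203.0.113.7 dst=10.0.0.5 event=auth_failure user=root
2015-08-11T09:00:04 sshd src=203.0.113.7 dst=10.0.0.5 event=auth_failure user=root
2015-08-11T09:00:05 sshd src=203.0.113.7 dst=10.0.0.5 event=auth_failure user=root
2015-08-11T09:00:09 sshd src=203.0.113.7 dst=10.0.0.5 event=auth_success user=root
2015-08-11T09:01:30 nids src=10.0.0.5 dst=198.51.100.9 event=outbound_connection dport=4444
2015-08-11T09:02:00 fim src=10.0.0.5 dst=10.0.0.5 event=file_modified path=/etc/passwd
2015-08-11T09:05:00 nids src=10.0.0.50 dst=10.0.0.5 event=port_scan
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse_logs(text):
    """Turn each log line into a dict with a datetime 'ts' plus its key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the pipeline
        ts, source, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        ev.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(ev)
    return events

def make_alarm(name, severity, evs):
    # src/dst come from the first/last contributing event; ts is when the alarm fired.
    return {"name": name, "severity": severity, "src": evs[0].get("src"),
            "dst": evs[-1].get("dst"), "ts": evs[-1]["ts"], "events": list(evs)}

# Single-event rules: (alarm name, severity, predicate over one event).
SINGLE_EVENT_RULES = [
    ("Critical file modified", "high",
     lambda e: e.get("event") == "file_modified" and e.get("path") == "/etc/passwd"),
    ("Port scan detected", "low", lambda e: e.get("event") == "port_scan"),
]

def single_event_alarms(events):
    return [make_alarm(n, s, [e]) for e in events
            for n, s, pred in SINGLE_EVENT_RULES if pred(e)]

def quantity_alarms(events, event_type="auth_failure", threshold=5,
                    window=timedelta(seconds=60)):
    """Event-quantity rule: `threshold` events of one type from the same src inside a
    sliding window. Fires once, at the moment the threshold is crossed."""
    alarms, recent = [], defaultdict(deque)
    for e in events:
        if e.get("event") != event_type:
            continue
        q = recent[e.get("src")]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) == threshold:
            alarms.append(make_alarm("Brute force attempt", "medium", q))
    return alarms

def series_alarms(events, sequence=("auth_failure", "auth_success", "outbound_connection"),
                  window=timedelta(minutes=5)):
    """Series-of-events rule (a correlation directive): the event types occur in order
    within the window, each step sharing a host (src or dst) with the previous step,
    so the chain pivots from the attacker's IP to the host it logged into."""
    alarms, chains = [], []  # chains = partially matched sequences
    for e in events:
        for chain in chains:
            last = chain[-1]
            if (e.get("event") == sequence[len(chain)]
                    and e["ts"] - chain[0]["ts"] <= window
                    and {e.get("src"), e.get("dst")} & {last.get("src"), last.get("dst")}):
                chain.append(e)
                if len(chain) == len(sequence):
                    alarms.append(make_alarm("Login after failures, then outbound connection",
                                             "high", chain))
                    chains.remove(chain)
                break  # one event advances at most one chain
        if e.get("event") == sequence[0]:
            chains.append([e])
    return alarms

# Policy: (alarm name, src) pairs an analyst already investigated and approved, so they
# are suppressed instead of re-investigated. Assumed: 10.0.0.50 is our own scanner.
POLICY = {("Port scan detected", "10.0.0.50")}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def apply_policy(alarms, policy=POLICY):
    return [a for a in alarms if (a["name"], a["src"]) not in policy]

def prioritize(alarms):
    """Search-filter style ordering: highest severity first, then oldest first."""
    return sorted(alarms, key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))

def follow_trail(alarm, events, window=timedelta(minutes=5)):
    """Gather information: every event touching the alarm's hosts near its time."""
    hosts = {alarm["src"], alarm["dst"]}
    return [e for e in events if {e.get("src"), e.get("dst")} & hosts
            and abs(e["ts"] - alarm["ts"]) <= window]

def run(log_text=SAMPLE_LOGS):
    events = parse_logs(log_text)
    alarms = single_event_alarms(events) + quantity_alarms(events) + series_alarms(events)
    return events, alarms, prioritize(apply_policy(alarms))

if __name__ == "__main__":
    events, alarms, queue = run()
    print(f"{len(alarms)} alarms raised, {len(queue)} to investigate after policy")
    for a in queue:
        print(f"[{a['severity']}] {a['ts']} {a['name']} src={a['src']} dst={a['dst']}")
    print("trail for top alarm:", len(follow_trail(queue[0], events)), "related events")
```

On the constructed sample, the five failed logins raise the quantity alarm once, the failure → success → outbound-connection chain raises the series alarm, and the two single-event rules raise one alarm each; the policy drops the port-scan alarm from the approved scanner, leaving three alarms ordered by severity. Following the trail from the top alarm pulls back only the events touching the attacker's IP and the outbound destination, which is what an analyst needs to write into the ticket.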

Page 16

888.613.6023

ALIENVAULT.COM

CONTACT US

[email protected]

Now for some questions…

Questions? [email protected] / @alienvault

Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial

Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws

Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site