Incident response live demo slides final
Download as PPTX, PDF•2 likes•1,547 views
The document provides an overview of investigations in cybersecurity, including what they are, how to initiate them, and the importance of documentation. It covers processes such as gathering information, alarm patterns, and various monitoring techniques, emphasizing the use of a unified security management platform for threat detection and incident response. Additionally, it highlights the need for preparation in investigations and available tools for threat intelligence.
Incident response live demo slides final
- 2. Agenda Investigations • What are they? • What questions can they answer? • Is the number 42 always relevant? Investigation Walk-Throughs • This won’t be all slides…we promise.. Recap
- 3. What is an Investigation? An Investigation is the act of ascertaining facts A careful examination Or simply it answers: “What do I do?” And there is a result……..sometimes
- 4. What Initiates an Investigation? Someone asks you • Hey I think PlayStation network is down? You see something unusual • Ever get that feeling someone is watching you? • Certain patterns of logs • New Assets Alarms! • More..
- 5. ..but what does it all mean?
- 6. What is an Alarm? An alarm is a pattern of activity that should be investigated • The logic that creates an alarm is customizable Inside a SIEM an alarm could be • A single event • A series of events • Event quantity • ..and more
- 7. Process of an Investigation Gather Information Follow the trail Look for Clues Determine severity
- 8. Am I Finished? Do you know what to do? What does the IRP say? Hint: no you aren’t
- 9. Document it! If it’s not in a Ticket– it didn’t happen!
- 10. Why is Documentation Important? Avoid Repetition Avoid Repetition (yes we repeated this) Share Information Liability Find patterns Find anomalies or outliers Find misconfigurations or unapproved changes
- 11. Demo Time Show me the packets!
- 12. ASSET DISCOVERY • Active Network Scanning • Passive Network Scanning • Asset Inventory VULNERABILITY ASSESSMENT • Continuous Vulnerability Monitoring • Authenticated / Unauthenticated Active Scanning BEHAVIORAL MONITORING • Log Collection • Netflow Analysis • Service Availability Monitoring SECURITY INTELLIGENCE/SIEM • SIEM Event Correlation • Incident Response THREAT DETECTION • Network IDS • Host IDS • File Integrity Monitoring USM Platform Integrated, Essential Security Controls
- 13. Unified Security Management Platform A single platform for simplified, accelerated threat detection, incident response & policy compliance AlienVault Labs Threat Intelligence Correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface Open Threat Exchange The world’s largest repository of crowd-sourced threat data providing a continuous view of real time threats that may have penetrated the company’s defenses. Unified Security Management
- 14. Demo Time Show me the packets!
- 15. Recap It’s important to know what the alarm is Use search filters to help you prioritize investigations Use policy to filter alarms you don’t need to re-investigate Even though it’s familiar you still need to investigate Have a plan for what you could find (IRP) Write stuff down….
- 16. 888.613.6023 ALIENVAULT.COM CONTACT US [email protected] Now for some Questions.. Questions? [email protected] Twitter : @alienvault Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Check out our 15-Day Trial of USM for AWS https://www.alienvault.com/free-trial/usm-for-aws Try our Interactive Demo Site http://www.alienvault.com/live-demo-site