The second and third most common inhibitors to better cyber defense, according to the 2017 Cyberthreat Defense Report, are “the shortage of skilled personnel and too much data for IT security teams to analyze.” The two are undoubtedly related.
Ovum reports that many organizations face more than 200,000 security alerts per day. There can’t possibly be enough skilled people to sift through all those alerts; inevitably, some important ones will slip through.
While technology alone can’t solve the talent gap, better technology can certainly go a long way toward reducing false positives, steering focus toward the important alerts, and providing quality information that speeds incident analysis and decision-making. The high-fidelity nature of illusive’s alerts has always helped incident responders determine where to focus, but now illusive customers have a new tool in their back pocket: our External Incident API.
illusive collects rich forensic data from compromised hosts, provides a visualization of the possible paths between endpoints and high-risk assets in the environment, and quantifies how far a detected attacker is from those assets – all good stuff, previously pertaining only to the incidents triggered by illusive deceptions. But through the API, these capabilities are now available to alerts generated by any tool in the security stack.
What’s the value? Some examples:
1. A DLP technology detects a policy violation. Someone in the company has tried to send application source code to a personal email account. If the incident has been pushed to illusive, forensic data from the user’s endpoint complements information available through DLP to paint a more comprehensive picture of what the user was trying to do.
2. A firewall detects an attempted connection between a critical corporate system and a command-and-control server. In this case, immediately quarantining the system would cause significant business disruption; instead, analysts can rapidly investigate the endpoint to determine whether some other remedial action can be taken.
The systems associated with these incidents would also light up in Attacker View™, illusive’s enterprise-wide map showing their relationship to “Crown Jewel” assets, shedding light on possible relationships between incidents, and helping SOC teams prioritize their efforts. Certainly it will take many automation advances to make up for the human talent gap, but illusive is doing its part.