Too many alerts? 🚨 Most security analysts can relate. Learn how you can reduce SOC fatigue by automatically correlating detections mapping back to high-risk attack patterns with Smart Investigations in RevealX. https://xtra.li/44uy65b #SOC #NDR #Cybersecurity
Reduce Your SOC Fatigue with Smart Investigations
Transcript
Hello and thank you for joining our Lightning Talk. My name is Arielle Smirnov and I'm the Technical Marketing Manager at ExtraHop. In the next 5 minutes, I will explain and demonstrate our brand new feature called Smart Investigations and how it can help companies operating SOCs to reduce fatigue among their security analysts. Before we delve into the specifics of our new feature, let's take a moment to focus on the current challenges that SOC analysts and colleagues encounter on a daily basis. The first and, I would say, the most significant challenge that security teams face nowadays is alert fatigue. Each day they're flooded with an enormous number of alerts and detections, leaving them struggling to figure out which ones to prioritize for investigation. Based on IDC research, companies report that up to 30% of these alerts are investigated or completely ignored. The second is context-lacking incident analysis. Let's say analysts see a concerning detection and they understand it's not a false positive. Often they will have difficulty identifying and confirming a security incident based on a single event due to lack of proper context. Even though expert analysts may struggle less with this, it's usually still not enough, because modern attacks are very sophisticated. We can describe it as the skill gap. Finally, once an incident is identified, manually building an investigation correlating related detections is time-consuming and arduous. This process not only requires meticulous attention to detail, but also demands a significant amount of time from our analysts, who must sift through vast amounts of data to connect the dots. So we took all this into consideration and said: what if, instead of having an enormous amount of alerts that only increases with each incident, we had a system that could recommend and create investigations matching high-risk attack behaviors?
What if, instead of distant incidents that analysts are struggling to correlate into one meaningful picture, it could automatically aggregate interrelated detections, providing key context so analysts could see the full attack story? And finally, what if, instead of manually searching for detections and adding them to an investigation flow, the system could automatically create an investigation workflow with the ability to export the investigation to their team or SERV for rapid response? And so we developed these ideas into what we call Smart Investigations. This tool quickly identifies and addresses high-risk cyber threats, significantly easing the burden of alert fatigue through automated response prioritization. It fits seamlessly into existing workflows, boosting your efficiency. Smart Investigations automatically creates detailed investigations that help you reduce cyber risk, enhance operational resilience, and expose high-risk attacks with real-time insights and precise detection. So let's get into the demo. First you have to understand that the capability to correlate detections and create manual investigations to see a single timeline and map of the attack has already existed in our product for quite a while. What we are introducing in this release is the smart part that does it automatically. As you can see on our overview page, our product shows the most important information like frequent offenders, detections sorted by attack category, detections that are recommended for triage, and threat briefings. At the top, you will notice the investigations block, which we added in this version to simplify the navigation for those who are using our product. So with a simple click, you are redirected straight to the investigations tab, where we see the list of all created investigations that the user has. In my case there are three: one that I created by myself and two that the system created for me. How do I differentiate between them?
Simply by the name: you will see that all the smart investigations are created under the name ExtraHop, here. So on this page you can see the basic information of each incident, like name, assignee (who is leading or responsible for this investigation), status, assessment, when it was created and when it was updated the last time, and notes. Of course, if you have a lot of ongoing investigations, you can sort and filter them with the help of our search bar. When we open an investigation, we see the incident title and the reason why this particular investigation was created; in our example it is because a device in the network was the offender in a combination of lateral movement and exfiltration techniques. The way it works is that basically we have an algorithm that looks for attack patterns and matches them to the templates we created for the most common scenarios, like command-and-control communication and beaconing in combination with data exfiltration, a bidirectional attack involving lateral movement, or a frequent offender like in our example. In the top right corner we have author information that includes the name of the creator, when it was created and last updated, and the investigation ID. Moving forward, we'll see the post-compromise chain and how many detections were involved in each stage, thus helping us to better understand the attack structure. If we are talking about some advanced persistent threat attack, in our example we can see that there is one particular device that is involved in each stage of the cyber kill chain. The main part of the investigation has two parts: the Summary page and the Attack Map page. The summary page includes information about the detections and participants involved in the incident, and the tracking status and response actions of the investigation. The detections part is basically a timeline of incidents that occurred, with the first one at the bottom and the most recent one at the top.
These detections were picked by our system, but we still can add and remove particular detections to the investigation based on our understanding of the incident. In the second panel we'll see the aggregated list of participants, which are grouped by external endpoints, high value devices that provide authentication, application and essential services, and other participants. When we click on the attack map, we see the interaction map of the offender and victims. So let's dive into some of the detections to see what information we can find there. Let's pick the data exfiltration detection first. First of all, we can spot that this particular detection was recommended for triage because it involved a high value asset type, an offender device and a rare detection type, and thus was added to this system investigation. Then there is a short description of this detection: what exactly happened, in a nutshell. Then the information and IP addresses of the offender and the victim and other valuable metrics, records and packets, where we can navigate for more details by clicking these buttons. If we pick the command and control beaconing detection, I want to show that we have a logo here that says CrowdStrike. It means that this particular detection was enriched from CrowdStrike Falcon, and this is a good example of how we have a seamless integration with our EDR partner. Finally, I want to show you how we can edit this investigation. So here we can see the name, that it is a frequent offender. We can assign a status, let's say in progress; an assignee, who is going to be responsible for this investigation; an assessment, let's say it's a malicious true positive, because we saw that this device was involved in some malicious activity on the endpoint; and we'd say CrowdStrike TI enrichment. Finally, from here we can remove our detections. This is everything that I wanted to demonstrate to you.
I hope you enjoyed this demo and presentation, and thank you.
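As an added illustration of the idea the talk describes (grouping detections by offender and matching them against attack-pattern templates), here is a small Python sketch. It is not ExtraHop's code or algorithm; the detections, template names, field names and IP addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample detections (not product data): each has an offender device,
# a detection category, the kill-chain stage it maps to, and an ISO timestamp.
DETECTIONS = [
    {"id": 1, "offender": "10.0.0.5", "category": "lateral_movement",
     "stage": "lateral_movement", "time": "2024-05-01T10:00:00"},
    {"id": 2, "offender": "10.0.0.5", "category": "exfiltration",
     "stage": "actions_on_objective", "time": "2024-05-01T11:30:00"},
    {"id": 3, "offender": "10.0.0.7", "category": "c2_beaconing",
     "stage": "command_and_control", "time": "2024-05-01T09:15:00"},
    {"id": 4, "offender": "10.0.0.5", "category": "recon_scan",
     "stage": "reconnaissance", "time": "2024-05-01T09:00:00"},
]

# Hypothetical templates modelled on the scenarios named in the talk:
# a template fires when an offender shows every category it requires.
TEMPLATES = {
    "Lateral Movement + Exfiltration": {"lateral_movement", "exfiltration"},
    "C2 Beaconing + Exfiltration": {"c2_beaconing", "exfiltration"},
}


def build_investigations(detections, templates):
    """Return one investigation per (offender, matched template).

    Each investigation carries the offender's full detection timeline
    (oldest first) and a per-stage count, so an analyst sees the whole
    attack story rather than isolated alerts.
    """
    by_offender = defaultdict(list)
    for det in detections:
        by_offender[det["offender"]].append(det)

    investigations = []
    for offender, dets in by_offender.items():
        seen = {d["category"] for d in dets}
        for name, required in templates.items():
            if not required <= seen:
                continue  # this offender does not exhibit the full pattern
            timeline = sorted(dets, key=lambda d: d["time"])
            stages = defaultdict(int)
            for d in timeline:
                stages[d["stage"]] += 1
            investigations.append({"name": name, "offender": offender,
                                   "timeline": timeline, "stages": dict(stages)})
    return investigations


if __name__ == "__main__":
    for inv in build_investigations(DETECTIONS, TEMPLATES):
        print(inv["name"], inv["offender"], [d["id"] for d in inv["timeline"]])
```

With the four constructed detections, only the offender 10.0.0.5 matches a template, so four alerts collapse into one investigation with a three-stage timeline; the lone C2 beacon from 10.0.0.7 stays an unmatched detection for the analyst to triage separately.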
Reducing SOC fatigue is crucial for maintaining a sharp and effective security team. How does Smart Investigations in RevealX prioritize and correlate these detections?