Until few years ago, incident response tools were much like police investigations – complex, time consuming, and requiring high expertise. While tools facilitated investigation and response activities, processes remained to a large degree manual. However, in recent years, a new generation of tools has emerged that significantly simplifies the life of security incident response teams.
This article looks at five prominent next-generation solutions that collect endpoint data to facilitate incident response and accelerate investigation.
Secdo provides an extensive IR platform and a unique promise of performing the investigation process automatically. Secdo continuously records endpoint activity such as file operations, network traffic, memory activity and registry changes, sending data in real time to a centralized server (either on premise or in the cloud). Data is stored for months or years (depending on configuration), which enables running deep investigations, regardless of whether an endpoint is available on the network. Per Secdo, endpoint data is collected at the thread level rather than process level, as commonly done, which is significant since many modern attacks inject code rather than spawn a process.
Secdo’s real forte, however, lies with its investigation capabilities. A ‘Causality Engine’ uses behavior analytics to run automated investigations of data collected from endpoints, which can optionally be combined with data from SIEM systems and third party systems. Investigators are provided with a graphical forensic timeline of the complete attack chain, as well as a clear view of an event’s root cause, damage assessment, malicious entities, compromised devices, and a remediation plan.
On the response and remediation side, Secdo provides the ability to freeze processes, quarantine files and clean hosts of threats. Security teams can remotely access any host and use remote CMD, PowerShell or Python commands to perform cleanup activities with minimal disruption to users.
All in all, Secdo’s offer significantly simplifies and accelerates incident response, with both the manual and the automated investigation and response options reducing the skills and technical expertise required from security investigators.
One of the major players in the endpoint security market is Carbon Black, which offers Cb Response, an incident Response solution that is focused on the continuous recording of endpoint data, which it combines with live remediation facilities.
The Cb Response centralized management server can be deployed on premise or on the cloud, where it collects endpoint data including memory events, file and registry modifications, network connections, etc. The server later uses the cache of event data to perform analysis tasks on demand.
Carbon Black offers a visual analyzer of the attack kill chain, which makes analysis relatively fast. However, since analysis is performed at the process level, it can fall short when it comes to analyzing advanced threats and compromises. Cb Response does not provide automated investigation capabilities, but rather presents analysts with raw data, allowing them to run queries and perform investigation.
To respond to threats, Carbon Black provides a command line terminal for remediation and containment purposes, which can be used to perform executable banning, network isolation, process termination and software updating.
Carbon Black deserves merit for its continuous recording of threat activity on endpoints and servers and making data available for investigation by “rolling back the tape.” However, analysis features leave a bit to desire since a lot of the burden remains on the operator and it requires considerable expertise and experience on the part of the user.
Tanium’s incident response is offered as a module packed into its Endpoint Platform, an endpoint security and management solution that also offers other functionalities such as threat detection, vulnerability assessment and patch management.
One of Tanium’s promises is “15-second visibility,” which enables administrators to find out what’s happening across all managed endpoints within 15 seconds. The system’s natural language processing features enable it to parse and process queries such as “How many unmanaged machines are on my network?” However, knowing which queries to run is a bit tricky and will require a considerably high level of security expertise.
Unlike other incident response tools, Tanium stores event data on the endpoints themselves rather than on a centralized server. To perform analysis, the analysis server queries individual endpoints. This approach requires endpoints to be available, which can become problematic if a host is turned off or no longer available after being compromised.
As a system management tool, Tanium offers a rich array of remote response features such as quarantining machines, killing processes, changing registry data, uninstalling applications and shutting down systems. All in all, Tanium is a strong endpoint management tool with somewhat limited security analysis and response capabilities.
EnCase is an Incident Response tool manufactured by Guidance Software, a company that’s services and tools have been used to provide forensic files and evidence in court.
EnCase works by analyzing endpoint data and establishing a baseline behavior for each endpoint, which it later uses to make ongoing comparisons in order to pinpoint and flag potentially anomalous behavior. The same scheme is used for historic intelligence when recreating the path to data breaches after they are discovered.
EnCase has a server component that continuously polls kernel-level agents installed on endpoints, which harvest data on processes, files, DLLs, users and network activity. Its investigation capabilities are enhanced by a live triage feature which helps determe the relevance and priority of potential evidence. The solution also features timeline analysis and a visualizer-aided threat hunting tool.
At the containment and response level, EnCase will enable you to kill processes, delete malicious files and edit registry entries remotely.
Google (News - Alert) Rapid Response (GRR)
The big G also provides an incident response tool with an open-source platform focused on live forensics. The components of the system include an endpoint agent and a Python-based server that communicates with the endpoints.
The system doesn’t collect data, but rather carries out investigations through on-demand actions. For instance, the server will command an endpoint to return the list of files within a directory or read a buffer from a file. Security experts manage the system by defining flows—server-side code that order a single client or set of clients to perform a specific action. The system can be programmed to make further decisions based on the results of previous actions.The advantage of GRR is that it is quite flexible in its capabilities to collect forensic data from endpoints such as browser histories and deleted files. However, the collection is made after a threat has taken affect, not allowing incident responders the full visibility into what exactly happened at the endpoint and what’s the damage assessment. The top drawback is probably the fact that deployment and implementation are quite difficult and require high technical skills.