Incident response live demo slides final
Uploaded by: alienvault
Page 1
Page 2
Agenda
Investigations
• What are they?
• What questions can they answer?
• Is the number 42 always relevant?
Investigation Walk-Throughs
• This won’t be all slides…we promise..
Recap
Page 3
What is an Investigation?
An Investigation is the act of ascertaining facts
A careful examination
Or simply, it answers: “What do I do?”
And there is a result……..sometimes
Page 4
What Initiates an Investigation?
Someone asks you
• Hey, I think PlayStation Network is down?
You see something unusual
• Ever get that feeling someone is watching you?
• Certain patterns of logs
• New assets
Alarms!
• More..
Page 5
..but what does it all mean?
Page 6
What is an Alarm?
An alarm is a pattern of activity that should be investigated
• The logic that creates an alarm is customizable
Inside a SIEM an alarm could be
• A single event
• A series of events
• Event quantity
• ..and more
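To make the three alarm shapes on this slide concrete, here is a small correlation engine run over a handful of constructed log lines. It is an added example, not code from the slides or from AlienVault USM; the log format, event kinds (`ssh_fail`, `ssh_success`, `new_admin`), the threshold of five failures in one minute and the five-minute sequence window are all assumptions chosen for illustration. One rule fires on a single event, one on a series of events from the same source in order, and one on event quantity inside a sliding window.

```python
"""Toy SIEM alarm logic: single-event, series-of-events and event-quantity rules.
Constructed example; not AlienVault USM code. Log format and rule
parameters are assumptions made for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <source IP> <event kind>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 ssh_fail
2024-03-01T09:00:05 10.0.0.5 ssh_fail
2024-03-01T09:00:10 10.0.0.5 ssh_fail
2024-03-01T09:00:15 10.0.0.5 ssh_fail
2024-03-01T09:00:20 10.0.0.5 ssh_fail
2024-03-01T09:00:40 10.0.0.5 ssh_success
2024-03-01T09:01:00 10.0.0.9 ssh_fail
2024-03-01T09:30:00 10.0.0.9 ssh_success
2024-03-01T10:00:00 10.0.0.7 new_admin
"""


@dataclass
class Event:
    ts: datetime
    src: str
    kind: str


def parse_log(text):
    """Parse the constructed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, kind))
    return sorted(events, key=lambda e: e.ts)


def single_event_rule(events, kind="new_admin"):
    """Single-event alarm: any one event of a kind that always deserves a look."""
    return [("single_event", e.src, e.ts) for e in events if e.kind == kind]


def threshold_rule(events, kind="ssh_fail", count=5, window=timedelta(minutes=1)):
    """Event-quantity alarm: `count` events of `kind` from one source inside `window`.
    Fires once per source so a flood of events does not become a flood of alarms."""
    alarms, fired = [], set()
    recent = defaultdict(deque)  # src -> timestamps of recent matching events
    for e in events:
        if e.kind != kind or e.src in fired:
            continue
        q = recent[e.src]
        q.append(e.ts)
        while e.ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= count:
            fired.add(e.src)
            alarms.append(("threshold", e.src, e.ts))
    return alarms


def sequence_rule(events, sequence=("ssh_fail", "ssh_success"), window=timedelta(minutes=5)):
    """Series-of-events alarm: one source emits `sequence` in order, all within
    `window` of the first step. Unrelated events in between are ignored."""
    alarms = []
    state = defaultdict(lambda: (0, None))  # src -> (next step index, start ts)
    for e in events:
        idx, start = state[e.src]
        if start is not None and e.ts - start > window:
            idx, start = 0, None  # partial match expired, start over
        if e.kind == sequence[idx]:
            if idx == 0:
                start = e.ts
            idx += 1
            if idx == len(sequence):
                alarms.append(("sequence", e.src, e.ts))
                idx, start = 0, None
        state[e.src] = (idx, start)
    return alarms


def run_rules(text):
    """Run all three rules over a log and return the alarms each produced."""
    events = parse_log(text)
    return {
        "single_event": single_event_rule(events),
        "threshold": threshold_rule(events),
        "sequence": sequence_rule(events),
    }


if __name__ == "__main__":
    for name, alarms in run_rules(SAMPLE_LOG).items():
        print(name, alarms)
```

On the sample above, 10.0.0.5 trips both the threshold rule (five failures in twenty seconds) and the sequence rule (failures followed by a success within the window), while 10.0.0.9 trips neither: its single failure is below the count, and its later success lands outside the sequence window. That second source is the interesting one from an investigation standpoint, because it shows how the window and count you pick decide what never becomes an alarm at all.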
Page 7
Process of an Investigation
Gather information
Follow the trail
Look for clues
Determine severity
Page 8
Am I Finished?
Do you know what to do?
What does the IRP say?
Hint: no, you aren’t
Page 9
Document it!
If it’s not in a Ticket– it didn’t happen!
Page 10
Why is Documentation Important?
Avoid repetition
Avoid repetition (yes, we repeated this)
Share information
Liability
Find patterns
Find anomalies or outliers
Find misconfigurations or unapproved changes
Page 11
Demo Time
Show me the packets!
Page 12
USM Platform
Integrated, Essential Security Controls
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE/SIEM
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring
Page 13
Unified Security Management Platform
A single platform for simplified, accelerated threat detection, incident response & policy compliance
AlienVault Labs Threat Intelligence
Correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface
Open Threat Exchange
The world’s largest repository of crowd-sourced threat data, providing a continuous view of real-time threats that may have penetrated the company’s defenses.
Unified Security Management
Page 14
Demo Time
Show me the packets!
Page 15
Recap
It’s important to know what the alarm is
Use search filters to help you prioritize investigations
Use policy to filter alarms you don’t need to re-investigate
Even though it’s familiar, you still need to investigate
Have a plan for what you could find (IRP)
Write stuff down….
Page 16
888.613.6023
ALIENVAULT.COM
CONTACT US
Now for some questions..
Questions? [email protected] : @alienvault
Test Drive AlienVault USM: Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site