Getting Ahead of a Breach with a Predict and Respond solution
In one of my earlier blogs, “Predicting Attacks: Lessons from the Game of Thrones”, I talk about the importance of getting ahead of the breach.
“The only way to close the gap between the current state of IT security and the capabilities of the enemy is to outflank them; to beat them at their own game; to rip a page from the hacker’s playbook and out-innovate them. If we can better ‘predict attacks’ and prioritize the right things to do, we can stay a step ahead.”
As outlined in Gartner’s Adaptive Security Architecture report, “predict” technologies such as breach simulation must work together with the other components of the adaptive security architecture: “prevent”, “detect” and “respond”. For example, when a simulated breach succeeds, SafeBreach users have several ways to address it appropriately—from recommendations, to trouble ticket creation, to alerting via security information and event management (SIEM) systems.
Today, we’re excited to offer a complete predict and respond solution with Phantom. For those of you not familiar with Phantom, it automates and orchestrates key stages of security operations, from prevention through triage to resolution. When SafeBreach “plays a hacker” and finds an issue, the value lies in being able to respond immediately and with precision across the enterprise, before a real attack takes place.
When an analyst identifies a breach method in SafeBreach, the remediation information associated with the breach instance can be published to the Phantom platform through the click of a button within the SafeBreach interface, as shown below:
When the breach information is published, a container is ingested into the Phantom platform, with the details of the breach remediation stored in artifacts. These artifacts can describe open ports on an endpoint, unnecessary processes running, IP addresses of targeted endpoints or adversaries, application types, URLs, and other data characterizing the potential breach. Once the container is ingested, a playbook can be started manually by an analyst or automatically by the Phantom automation engine. The playbook carries out the remediation steps suggested by the breach platform by connecting to each of the point technologies in the environment and executing the actions that correspond to those steps. Example actions include deploying a block IP rule, filtering a URL, blocking a file based on its hash, disabling a user, and several others. Over 150 actions are available through more than 65 App integrations on the Phantom platform.
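To make the artifact-to-action step concrete, here is an added example (not SafeBreach’s or Phantom’s own code) that takes the remediation artifacts a published breach container might carry and turns them into a deduplicated list of actions a playbook could dispatch. The artifact shape (a `label` plus a `cef` dictionary) mirrors Phantom artifacts; the action and parameter names and the sample artifacts are assumptions, since each Phantom App defines its own.

```python
import ipaddress
import re

# CEF field in an artifact -> (Phantom action, parameter) it drives. The action
# and parameter names are assumed; each Phantom App defines its own.
FIELD_TO_ACTION = {
    "destinationAddress": ("block ip", "ip"),
    "requestURL": ("block url", "url"),
    "fileHash": ("block hash", "hash"),
    "destinationUserName": ("disable user", "username"),
}
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def _valid(field, value):
    """Reject malformed indicators so a bad artifact cannot drive a bad action."""
    if field == "destinationAddress":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if field == "fileHash":
        return bool(HEX_HASH.match(value))
    if field == "requestURL":
        return value.startswith(("http://", "https://"))
    return bool(value.strip())

def plan_remediation(artifacts):
    """Return [(action, {param: value}), ...] for one container's artifacts: only
    'remediation' artifacts, no duplicates, unmapped/malformed values skipped."""
    plan, seen = [], set()
    for art in artifacts:
        if art.get("label") != "remediation":
            continue
        for field, value in art.get("cef", {}).items():
            if field not in FIELD_TO_ACTION or not isinstance(value, str):
                continue
            if not _valid(field, value) or (field, value) in seen:
                continue
            seen.add((field, value))
            action, param = FIELD_TO_ACTION[field]
            plan.append((action, {param: value}))
    return plan

# Constructed sample artifacts, shaped like Phantom artifacts (label + cef dict).
SAMPLE_ARTIFACTS = [
    {"label": "remediation", "cef": {"destinationAddress": "203.0.113.10", "destinationPort": "4444"}},
    {"label": "remediation", "cef": {"requestURL": "http://blocked.example/path"}},
    {"label": "remediation", "cef": {"fileHash": "d41d8cd98f00b204e9800998ecf8427e"}},
    {"label": "remediation", "cef": {"destinationAddress": "203.0.113.10"}},  # duplicate
    {"label": "remediation", "cef": {"fileHash": "not-a-hash"}},              # malformed
]
```

Calling `plan_remediation(SAMPLE_ARTIFACTS)` yields three actions: the duplicate IP is collapsed, the unmapped port field is ignored, and the malformed hash is dropped rather than sent to a blocking App.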