Prevent, detect, respond: The three-legged stool to protecting your organization effectively.
Optimizing prevention, minimizing time to detect and respond is the Sophos approach to endpoint security. Ultimately it enables organizations to stop more threats, faster, reducing the impact of cyber threats on your organization. Previously we looked at how Sophos optimizes prevention by identifying and eliminating threats before they can get onto your systems. In this post, we’ll look at minimizing the time to detect and remediate incidents. Minimizing the time to detect and respond to an attack translates directly to limiting the potential losses. Be it passive such as email-based malware or ransomware or a social engineering attack, or an aggressive breach caused by an attacker attempting a DDOS or brute force attack.
The average cost to rectify the effects of a ransomware attack in 2021 was US$1.85 million, according to the Sophos The State of Ransomware 2021 report. The longer a ransomware actor can dwell in your environment, the greater their opportunity to encrypt or steal more data, likely increasing the overall cost of remediation significantly. Therefore the sooner you can neutralize and eject the adversary, the better. So how does Sophos minimize the time to detect and respond? It is a combination of several factors working in tandem.
In the blog post on optimizing prevention, we discussed how Sophos endpoint protection already eliminates 99.98% of threats by reducing the attack surface and comprehensive run-time prevention capabilities. In doing so, we enable defenders to focus on fewer, more accurate detections, and streamline the investigation and response process. In tandem, machine learning and threat intelligence accelerate investigations, while automation and analyst-led actions speed up time to resolution.
Minimize The Time To Detect
How does this all work in the real world? Let’s imagine the scenario where an attacker managed to infiltrate your organization through an unprotected device. Now that they have a foothold, every second counts. In a ransomware attack, the goal is to encrypt everything and then make overt demands for payment. We will assume this is a stealthy attack designed to drain your intellectual property over time. In that case, the adversary aims to run silently and remain unnoticed for as long as possible. But as they attempt to raise their privileges or move laterally across your network to other machines, they leave a trail. The breadcrumbs include indicators collected in various event logs and detections logged by a protected device or firewall. Our goal is to shine a spotlight on these detections in the most effective manner.
We do this by using multi-vector machine learning and threat intelligence to provide an artificial intelligence (AI)-prioritized risk score for each detection. The scores range from 0 to 10. With 0 being not determined, 1 to 3 representing a low risk, 4 to 7 representing a medium risk, 8 to 9 representing a high risk, and 10 as the highest risk. These scores are then color-coded for severity and mapped against the MITRE ATT@CK framework, enabling an analyst to quickly identify where they should focus.
If an analyst wants to investigate a detection, Sophos gives them contextual information at their fingertips. Operators can access valuable insights, such as the first and last time a detection was seen, a description of the detection, device geo-location, living-off-the-land binaries (LOL-bin) use that includes command lines, parent/child relationships, process name, hash, and other data points.
Analysts can pivot on any of the data points to explore further. For example, the analyst could request a threat graph to see a visual step-by-step recreation of the detection, including processes, files, the registry keys that were touched, and more. Contextual information is not limited to the device; analysts can look up a hash on VirusTotal with a single click or look at failed/successful login attempts for a specific user across your entire estate. These insights provide valuable context to the analyst.
Detections can come from all over your environment: endpoint, server, firewall, email, cloud, mobile, and more with all the data flowing into the Sophos Data Lake for easy, cross-estate correlation. The latest addition to the Sophos Data Lake is the ability to import events from Microsoft 365, enabling you to see events from Exchange, SharePoint, OneDrive, Azure Active Directory, PowerBI, Teams, and more. Analysts can correlate between the detections from Sophos products and what is being logged in the Office 365 audit logs. The greater your net, the greater your chance of catching a malicious signal before the damage is done.
Investigating And Responding
Armed with this detailed understanding of a detection, analysts can then dive deeper, create a case and perform a full investigation. The analyst is the detective, piecing together the clues (detections) from across their environment, taking notes, and chasing down each lead, improving their understanding, until they unmask the root cause and resolve the case.
If a detection is severe enough, the system automatically will correlate and include pertinent signal and detections into a case ready for the analyst’s review. Additionally, pivots and enrichments that are contextual to the detections in the case will be presented. This provides the full picture of what was happening in the environment and saves valuable time for the analyst. From the Case Investigation Dashboard, an analyst has an overview of every case. Information such as priority, a title, status, assigned analyst(s), who created it, age of the case, number of impacted devices and detections, last modified time, first and last detection times, and a summary.
Once an analyst is working on a case they have a wealth of information at their fingertips, allowing them to focus. Detections can be added or removed from a case. The analyst can look at the details of a device, and even establish a Live Response session to take direct action and perform tasks on the impacted device. Could it be that one of the users listed in the case recently had 20 failed login attempts, followed by a successful login? If the analyst wants to look at a specific detection and follow the breadcrumbs, they simply expand the detection, examine the details, or pivot to any other information that may prove valuable to the case.
During their investigation, an analyst can make notes. This could be information of their discoveries or advising other analysts of what tasks they’ve already completed. Case notes are free format and come pre-populated with an investigation template. This template can be used to prompt an analyst on what to investigate. Were there any internal/external IPs, domains, or URLs connected to from the device? Any external RDP/SSH login attempts around the time of the detection? Did the detection identify any listening ports? Was the detection related to autorun or a service? It is an extensive template, built by experienced Sophos threat-hunters, that can coach and remind analysts of potential areas to investigate.
With the relevant information at their fingertips, the analyst can follow every lead, see the complete picture, understand the detections and solve the case! There are not enough analysts to do everything needed, and their specialist skills are often stretched thinly. By leveraging advancements in AI, Sophos can enable these security professionals to increase their capacity and work more efficiently to stop more threats faster.
Flexible Deployment Options
We understand you need security to work with your business, and that’s why we offer flexible deployment options. Sophos XDR (Extended Detection and Response) enables your team to detect, investigate and respond to incidents across endpoint, servers, firewall, cloud workloads, email, mobile, and more. You can start with just endpoint signals while also future-proofing with the ability to add additional signals for cross-estate threat hunting in the future.
Alternatively, Sophos MTR (Managed Threat Response), our Managed Detection and Response service, provides 24/7 threat hunting, detection, and response delivered by an expert team as a fully-managed service. Sophos MTR can run your entire security operations on your behalf or work alongside your team to augment your round-the-clock defenses.
In this real-life example, a new Sophos customer got in touch to say that one of its vendors had been hit by ransomware, and they were worried that they might also have been infected. The Sophos MTR team started investigating immediately, working with our experts in SophosLabs. They quickly realized there was no evidence of a ransomware attack. Rather than simply closing the case, the Sophos MTR team continued investigating and uncovered a historic banking trojan. Within two hours and six minutes, the whole incident had been investigated and cleaned up.