Published on February 8th, 2017 | by Tony Thompson
Visualizing the Kill Chain without Forensics Expertise
Two things we should all know by now: attacks continue to hit our networks despite preventative defenses, and there’s a shortage of resources available to hunt them down.
That changes today with the latest release of BreachDetect, our time machine for breach detection, which makes advanced threat detection and investigation capabilities easily accessible to enterprise security and IT administrators.
If you know anything about SS8, it’s that we’ve drawn on years of experience working with top intelligence and law enforcement organizations, as well as many of the world’s largest service providers, to develop a simplified, severity-ranked workflow for detecting and investigating breaches.
We don’t want security analysts hypnotized by a user interface; we want them finding what matters most and moving on with their day.
We’ve built on this methodology and foundation in our latest BreachDetect release (code-named Sabre), which introduces a new timeline view of the cyber kill chain and includes easy-to-understand threat descriptions, making breach detection even faster and easier for users without forensic investigation expertise.
In every organization where we’ve conducted a risk assessment, we have uncovered some form of anomalous activity taking place on the network. In our recent 2016 Threat Rewind Report, we recounted evidence of traffic tunneling, DNS-related exfiltration and malformed protocols in outbound traffic, among other unwanted behaviors. None of the organizations sampled were aware that their networks had been breached.
This latest release of BreachDetect tilts the balance in favor of enterprises with an intelligence-agency grade solution for detecting the most advanced threats, without the need for security analyst training. You can learn more about SS8 BreachDetect and our model for network retrospection here, but let’s explore some of these new capabilities:
Streamlined Workflow Delivers Faster Answers
From within SS8 BreachDetect, security analysts can access an easy-to-use dashboard with color-coded Kanban-style threat tiles, which eliminates manual hunting by exposing activity that requires investigation. Each tile represents a device-of-interest with a “High,” “Medium,” or “Low” risk designation. User and threat behavior information is displayed in each tile to qualify the severity of the threat.
Why is this important? No more sifting through massive amounts of log data and threat intelligence to identify a device-of-interest.
Global Timeline Exposes Kill Chain
By clicking on a threat tile within SS8 BreachDetect, users gain an end-to-end, timeline-based view of the entire cyber kill chain for each device-of-interest. Activity is displayed on the timeline according to the stage of the cyber kill chain, including reconnaissance, delivery, exploitation, command and control, actions, and any other activity associated with the threat.
Why is this important? With the average breach going undetected for more than 200 days, it has become essential to understand the full lifecycle of an attack when investigating a threat – from reconnaissance to exfiltration.
Natural Language turns Admins into Analysts
SS8 has further simplified security investigations by presenting, in plain terms, how an attack took place, what subsequent exfiltration activity has occurred, and where to look to find the source and remediate the threat. From each event on the timeline, easy-to-understand explanations enable users who are not cyber security experts to chase down and mitigate breaches as a forensic investigator would.
Why is this important? Many of today’s organizations lack the security expertise needed to hunt down and investigate today’s advanced threats.
Are you headed to the RSA Conference in San Francisco? We’ll be there demonstrating BreachDetect in both the North (N4705) and South (S423) halls. Or, if you’re ready to kick the tires, we offer a two-week Risk Assessment process and report using the product, which identifies network anomalies and potential breaches.