Mandiant Automated Defense
Investigation Power at Machine Speed
Finds real incidents in your security data fast.
Statistics quoted on the page (infographic text, sources listed at the end of the page):
• 45% of alerts end up being false positives, making the analyst's job less efficient and slowing workflow processes.
• 35% of respondents ignore alerts when the queue gets too full.
• Three further figures, 43%, 77% and 80%, accompany these three captions (in the order extracted): security professionals who believe that increasing workload is causing burnout; Security Managers who suffer from the Fear of Missing Incidents; Analysts who have already turned to machine learning and AI to investigate alerts.
• Analysts look at thousands of alerts every day.
Mandiant Automated Defense adds exponential scale to your SOC
Automatically triages alerts to diagnose incidents in real time using data science and machine learning
Delivers consistent and accurate alert investigation 24/7
Investigate and triage potential incidents automatically from data where it resides
Simplify your SOC with SaaS-delivered, pre-built data science models that eliminate rules and playbooks
Unify previously siloed alerts and data from the widest variety of security control categories and vendors
“Mandiant Automated Defense can take playbook-based actions to cover Level 1 and 2 alerts. Specific alerts are escalated to our experts, who determine whether they are valid or false positives. Their findings help improve the intelligence behind Automated Defense. This automated process helps reduce alert fatigue and frees analysts to work on other tasks.”
Eric Adams, CISO at Kyriba
Dashboard
ATT&CK Tactics
Automated Defense shows the ATT&CK tactics, a summary of the high-level tactics observed across the investigations that are currently open. Here one investigation shows signs of “Initial Access” and six involve “Lateral Movement.” How you act on that depends on your processes and procedures, but without a large volume of false positives to work through, Automated Defense makes the decision much easier.
Open Investigations
One of the key challenges in the SOC is knowing what to investigate. Automated Defense ranks the highest priority investigations to help you understand what is most important. In this case, you have a total of 12 open investigations and Automated Defense is showing the top 3 ranked by priority.
Analyst Actions
Automated Defense operationalizes your threat intelligence by constantly monitoring the feed, whether it comes from Mandiant Threat Intelligence or from third-party sources via STIX/TAXII. Threat intelligence is factored into every decision Automated Defense makes, to determine whether any valid and relevant intelligence applies to the activity under review. In this view, over 600K intelligence searches were made in a four-hour period.
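The paragraph above describes intelligence being consumed over STIX/TAXII and checked against observed activity. The following is an added example, not code from the page or from Mandiant, of the smallest useful version of that step: parse STIX 2.1 indicator patterns from a (constructed) bundle as it would arrive from a TAXII collection, then match the indicator values against constructed events from a web filter, an endpoint agent and an IPS. Only equality comparisons joined by OR are handled; anything else is rejected rather than silently ignored. The indicator IDs, the hash value (SHA-256 of the empty string) and the event records are constructed; the domain is the one named later in the walkthrough.

```python
import re
from dataclasses import dataclass

# Constructed STIX 2.1 bundle standing in for a TAXII collection poll. IDs are placeholders,
# the hash is SHA-256 of the empty string used only as a stand-in value.
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f2c2b6e-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--0f2c2b6e-0000-4000-8000-000000000002",
            "name": "Newly registered C2 domain (constructed)",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'cbq.subupdata.com']",
            "valid_from": "2021-01-20T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--0f2c2b6e-0000-4000-8000-000000000003",
            "name": "Dropper binary or staging host (constructed)",
            "pattern_type": "stix",
            "pattern": ("[file:hashes.'SHA-256' = "
                        "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'] "
                        "OR [domain-name:value = 'dl.example.net']"),
            "valid_from": "2021-01-20T00:00:00Z",
        },
    ],
}

# Local event fields and the STIX object paths they correspond to (hypothetical field names).
FIELD_TO_PATH = {"domain": "domain-name:value", "sha256": "file:hashes.SHA-256", "dst_ip": "ipv4-addr:value"}

# One observation expression holding a single equality comparison: [path = 'value']
_EQUALITY = re.compile(r"\[\s*([a-z0-9_-]+:[A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]")
# Operators this minimal matcher does not implement; a real deployment uses a full pattern engine.
_UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|MATCHES|LIKE|IN|ISSUBSET|ISSUPERSET|REPEATS|WITHIN|START|STOP)\b|!=|[<>]")


@dataclass(frozen=True)
class Indicator:
    id: str
    name: str
    comparisons: tuple  # (object_path, value) pairs; any one matching is a hit (OR semantics)


def parse_indicator(obj):
    pattern = obj["pattern"]
    # Blank out quoted literals before scanning for operators so values cannot trigger false rejects.
    stripped = re.sub(r"'(?:[^'\\]|\\.)*'", "''", pattern)
    if _UNSUPPORTED.search(stripped):
        raise ValueError(f"{obj['id']}: only equality comparisons joined by OR are supported here")
    # file:hashes.'SHA-256' -> file:hashes.SHA-256; domains and hex hashes compare case-insensitively.
    comps = tuple((path.replace("'", ""), value.lower()) for path, value in _EQUALITY.findall(pattern))
    if not comps:
        raise ValueError(f"{obj['id']}: could not parse pattern {pattern!r}")
    return Indicator(obj["id"], obj.get("name", ""), comps)


def load_indicators(bundle):
    return [parse_indicator(o) for o in bundle["objects"]
            if o.get("type") == "indicator" and o.get("pattern_type", "stix") == "stix"]


def match_events(indicators, events):
    """Return one hit per (event, indicator, matched comparison)."""
    by_key = {}
    for ind in indicators:
        for path, value in ind.comparisons:
            by_key.setdefault((path, value), []).append(ind)
    hits = []
    for i, ev in enumerate(events):
        for field_name, path in FIELD_TO_PATH.items():
            value = ev.get(field_name)
            if value is None:
                continue
            for ind in by_key.get((path, str(value).lower()), []):
                hits.append({"event_index": i, "host": ev.get("host"), "indicator": ind.id,
                             "indicator_name": ind.name, "path": path, "value": str(value).lower()})
    return hits


# Constructed events from three silos; only the first two should match.
OBSERVED_EVENTS = [
    {"source": "web-filter", "host": "eholmes.acme.com", "domain": "CBQ.subupdata.com"},
    {"source": "endpoint", "host": "smiller.acme.com",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"source": "web-filter", "host": "abrown.acme.com", "domain": "www.example.com"},
    {"source": "ips", "host": "kwiltis.acme.com", "dst_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for hit in match_events(load_indicators(STIX_BUNDLE), OBSERVED_EVENTS):
        print(hit)
```

Indexing comparisons by (path, value) keeps matching linear in the number of events regardless of feed size, which matters at the 600K-lookups-per-four-hours rate quoted above. Patterns using AND, FOLLOWEDBY or comparison operators other than equality raise rather than partially match, so an unsupported indicator is visible to the operator instead of quietly never firing.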
Summary
Automated Defense shows details about the investigations in your environment. The summary at the top of the screen indicates that Automated Defense has found evidence of “Virus Infections, Suspicious Repeated Connections and Internal - External Network IPS Activity.” The first thing to establish in any investigation is the impact on the business and on continued operations.
Timeline
The timeline at the bottom of the screen shows 121 total events, the start time and the duration of the investigation.
Confidence Level
The other item that helps to assess the impact of the investigation is the number and classification of the assets involved.
Automated Defense shows a “Confidence Level” indicating how certain it is that this activity is malicious. The value may change over time as more monitored activity is observed.
In this investigation, Automated Defense has a high confidence level that this activity is malicious. It also provides a “Priority Rating” of 1 that is displayed in the top left corner of the screen. Automated Defense ranks investigations from 1 being the highest or most critical to 4 being the lowest priority.
Supporting Evidence
In the middle of the screen is the Supporting Evidence for this investigation. The supporting evidence lets you reason about the investigation by answering questions such as:
• Why does Automated Defense believe this activity is malicious and actionable?
• What is the primary evidence that supports the need for further analysis?
• Do I need to do further analysis to determine if remediation is necessary?
Recently Registered Domain
Clicking on “Recently Registered Domain” shows that this domain was registered within the last 90 days. Using freshly registered domains is a known adversary tactic: a new domain has not yet been classified by threat intelligence or web filtering, so it slips past both.
This evidence seems to indicate malicious activity.
Internal Assets
“Internal Assets with Repeated Malware Infections” shows that two assets, in this case workstations, are infected with malware.
Workstations
The “Endpoint” view shows two highlighted workstations. At the bottom of the screen eight events are listed, so this malware has been detected at least eight times on these systems. Under the supporting evidence, a description and other details show the repeated signs of infection and the systems and devices involved.
Endpoint Overview
The overall endpoint view shows a graphical representation of what has happened. What is concerning is that the file hash appears on the threat intel list.
Evidence
Clicking on the file hash shows the evidence, which names one file. Below it the file details are listed: file name, binary hash, threat intelligence details, file paths and affected accounts.
IPS Signatures
Going back to the evidence view, the evidence expected for malware is present, but so is “Multiple Network IPS Signatures Triggered by Same Internal Asset.” Clicking on the workstation smiller.acme.com shows that it is one of the assets triggering multiple IPS signatures.
Network View
Moving to the “Network” view, a couple of items stand out. Among the sources, the first is the smiller.acme.com workstation, but two others are also triggering multiple signatures: mperterson.acme.com and eholmes.acme.com. And eholmes.acme.com is a high-value asset.
Suspected Cobalt Strike
Clicking eholmes.acme.com shows what the signature is. The IPS permitted the traffic, and the one IPS signature involved is shown on the left-hand side of the screen.
Destination Ports
The outbound traffic is on port 80 to an external IP. This is becoming more concerning: by stitching together multiple disparate silos during triage, we now have two systems infected with malware and three additional systems, mperterson.acme.com, kwiltis.acme.com and eholmes.acme.com, triggering IPS signatures associated with malware.
Infected Systems
These hosts are behaving the same way as the two systems already confirmed to be infected with malware.
The scope of this investigation has expanded from two systems to five. Because the traffic is on port 80, we should expect corresponding activity on the web filter.
Accounts
The Web Filter view shows the user accounts associated with the sources generating this web traffic. They were probably not browsing these sites in a web browser and did not realize the traffic was happening.
Uncategorized URL
Traffic is permitted to the domain cbq.subupdata.com, which appears as an Uncategorized URL; that alone is concerning. A newly registered domain that has not been widely used can indicate that it is operated by attackers rather than by a credible business.
Domain
Clicking on the recently registered domain highlights it in the middle of the screen and shows the description: this domain was registered within the past 90 days.
Registering a fresh domain is an adversary tactic for avoiding detection by threat intel and web filtering solutions.
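Both the “Recently Registered Domain” evidence earlier and the web filter pivot here rest on one check: the domain's registration date is less than 90 days old. As an added example, not code from the page or from Mandiant, here is how an analyst can reproduce that check from an RDAP domain record. The RDAP responses below are constructed (real registry data is not included), the clock is fixed so the result is reproducible, and only the registrable domain (not the full hostname) is looked up, which is the mistake most often made when scripting this. A domain with no registration event is reported as unknown rather than treated as established.

```python
import json
import urllib.request
from datetime import datetime, timezone

NEWLY_REGISTERED_DAYS = 90  # the threshold used in the walkthrough

# Constructed RDAP-style domain records, trimmed to the fields used here. subupdata.com is the
# registrable part of the domain named on the page; the other names are hypothetical.
RDAP_SAMPLES = {
    "subupdata.com": {
        "objectClassName": "domain", "ldhName": "subupdata.com",
        "events": [
            {"eventAction": "registration", "eventDate": "2021-02-10T08:15:00Z"},
            {"eventAction": "last changed", "eventDate": "2021-02-11T09:00:00Z"},
        ],
    },
    "example.net": {
        "objectClassName": "domain", "ldhName": "example.net",
        "events": [{"eventAction": "registration", "eventDate": "1995-01-01T00:00:00Z"}],
    },
    "nodates.example": {  # registry returned no registration event at all
        "objectClassName": "domain", "ldhName": "nodates.example",
        "events": [{"eventAction": "last changed", "eventDate": "2020-05-05T00:00:00Z"}],
    },
}

NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible


def registrable_domain(fqdn):
    """Approximate eTLD+1 by keeping the last two labels. Registries hold records for the
    registrable name, not for hostnames beneath it. Production code should apply the Public
    Suffix List (for example via the tldextract package) so names like foo.co.uk work."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_rdap_time(value):
    # RDAP timestamps are RFC 3339; fromisoformat() before Python 3.11 rejects the 'Z' suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def registration_date(record):
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            return parse_rdap_time(event["eventDate"])
    return None


def domain_age_days(record, now=NOW):
    registered = registration_date(record)
    return None if registered is None else (now - registered).days


def classify_domain(fqdn, records=RDAP_SAMPLES, now=NOW, threshold_days=NEWLY_REGISTERED_DAYS):
    """Return 'recently-registered', 'established' or 'unknown'. Missing data is reported as
    unknown so it is not silently treated as safe."""
    record = records.get(registrable_domain(fqdn))
    age = None if record is None else domain_age_days(record, now)
    if age is None:
        return "unknown"
    return "recently-registered" if age < threshold_days else "established"


def fetch_rdap(domain, timeout=10):
    """Live lookup through the rdap.org bootstrap redirector (needs network; not used by the
    offline sample). The returned dict can be passed straight to domain_age_days()."""
    req = urllib.request.Request(f"https://rdap.org/domain/{domain}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for name in ("cbq.subupdata.com", "www.example.net", "host.nodates.example"):
        print(name, registrable_domain(name), classify_domain(name))
```

The same function works for a live record: `classify_domain("cbq.subupdata.com", {registrable_domain("cbq.subupdata.com"): fetch_rdap(registrable_domain("cbq.subupdata.com"))}, datetime.now(timezone.utc))`. Treat the 90-day threshold as a tunable: some registrars backdate or omit the registration event, which is why the unknown outcome exists.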
Network traffic
Automated Defense shows the network traffic path from each host to the domain and the IP addresses associated with it, adding to the certainty that these hosts are infected with active malware.
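The walkthrough from the “Internal Assets” evidence through this Network traffic view is one correlation: repeated AV detections establish two infected hosts, hosts tripping the same IPS signatures are pulled in because they behave the same way, and the web filter then shows all five reaching one uncategorized domain. As an added example, not code from the page or from Mandiant, the following runs that correlation over constructed events from the three silos. Hosts and the domain named on the page are reused; rpatel, abrown, jlee, the signature names, the hash and the IP (RFC 5737 TEST-NET-3) are hypothetical. Two decoys are included: a host with a single IPS hit and a host with two signatures that never fired on an infected machine, neither of which should enter the scope.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

MALWARE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # stand-in value
C2_IP = "203.0.113.7"  # documentation range, not a real C2
BEACON, CHECKIN = "SUSPECTED-COBALT-STRIKE-BEACON", "TROJAN-OUTBOUND-CHECKIN"  # hypothetical names
INFECTED_PAIR = ("smiller.acme.com", "rpatel.acme.com")
SAME_BEHAVIOUR = ("mperterson.acme.com", "kwiltis.acme.com", "eholmes.acme.com")

EVENTS = []
# Anti-virus silo: the same binary detected four times on each of two workstations (eight events).
for host in INFECTED_PAIR:
    EVENTS += [dict(source="av", host=host, sha256=MALWARE_HASH) for _ in range(4)]
# Network IPS silo: permitted outbound port-80 sessions. Five hosts trip the same two signatures.
ips_hits = [(h, sig) for h in INFECTED_PAIR + SAME_BEHAVIOUR for sig in (BEACON, CHECKIN)]
ips_hits += [("abrown.acme.com", CHECKIN)]                                  # one hit only: noise until corroborated
ips_hits += [("jlee.acme.com", "SMB-SCAN"), ("jlee.acme.com", "DNS-TUNNEL-HEURISTIC")]  # two sigs, none shared
for host, sig in ips_hits:
    EVENTS.append(dict(source="ips", host=host, signature=sig, dst_ip=C2_IP, dst_port=80, action="permitted"))
# Web filter silo: permitted requests to an uncategorized domain, plus ordinary browsing.
web_hits = [(h, "cbq.subupdata.com", "Uncategorized") for h in INFECTED_PAIR + SAME_BEHAVIOUR]
web_hits += [("abrown.acme.com", "www.example.com", "Business"), ("jlee.acme.com", "news.example.org", "News")]
for host, domain, category in web_hits:
    EVENTS.append(dict(source="webfilter", host=host, user=host.split(".")[0],
                       domain=domain, category=category, action="permitted"))


def repeatedly_infected_hosts(events, min_detections=2):
    """Hosts with repeated AV detections: the 'Internal Assets with Repeated Malware Infections' evidence."""
    counts = Counter(e["host"] for e in events if e["source"] == "av")
    return {h for h, n in counts.items() if n >= min_detections}


def ips_signatures_by_host(events):
    sigs = defaultdict(set)
    for e in events:
        if e["source"] == "ips":
            sigs[e["host"]].add(e["signature"])
    return sigs


def hosts_behaving_like(infected, sigs_by_host, min_signatures=2):
    """Hosts not yet known infected that trip at least min_signatures IPS signatures, at least one
    of which also fired on an infected host. The overlap is what justifies widening the scope."""
    infected_sigs = set().union(*(sigs_by_host.get(h, set()) for h in infected))
    return {h for h, s in sigs_by_host.items()
            if h not in infected and len(s) >= min_signatures and s & infected_sigs}


def shared_uncategorized_domains(events, scope):
    """Uncategorized domains reached by more than one in-scope host, mapped to those hosts."""
    hosts_by_domain = defaultdict(set)
    for e in events:
        if e["source"] == "webfilter" and e["host"] in scope and e["category"] == "Uncategorized":
            hosts_by_domain[e["domain"]].add(e["host"])
    return {d: h for d, h in hosts_by_domain.items() if len(h) > 1}


@dataclass
class Investigation:
    infected: set
    expanded: set
    shared_domains: dict
    event_count: int

    @property
    def scope(self):
        return self.infected | self.expanded


def build_investigation(events):
    infected = repeatedly_infected_hosts(events)
    expanded = hosts_behaving_like(infected, ips_signatures_by_host(events))
    scope = infected | expanded
    domains = shared_uncategorized_domains(events, scope)
    return Investigation(infected, expanded, domains, sum(1 for e in events if e["host"] in scope))


if __name__ == "__main__":
    inv = build_investigation(EVENTS)
    print(f"infected={sorted(inv.infected)} expanded={sorted(inv.expanded)}")
    print(f"scope={len(inv.scope)} hosts, {inv.event_count} events, shared domains={inv.shared_domains}")
```

The order of the three steps matters: AV detections seed the scope because they are the highest-fidelity signal, IPS overlap widens it only where signatures match the seeds, and the web filter is used to confirm rather than to discover. Running the steps in the opposite order, starting from a single uncategorized URL, would sweep in every host that ever visited an unclassified site.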
Close the Investigation
For investigations where you agree that Automated Defense's escalation was appropriate, your feedback reinforces its models when they see similar evidence. Other options for improving outcomes include more detailed feedback on why an investigation was Non-Actionable or why your analysis was Inconclusive.
1) Ponemon Institute LLC (January 2021). Second Annual Study on the Economics of Security Operations Centers: What Is the True Cost for Effective Results?
2) IDC, Christina Richmond, Craig Robinson, Martha Vazquez (January 2021). The Voice of the Analysts: Improving Security Operations Center Processes Through Advanced Technologies. Doc. #US47227621.
False Positives Suppressed
In the last 24 hours, Automated Defense analyzed over 8.2 million events, suppressed over 8 million of them as false positives and escalated only 5 potential investigations, scoped from roughly 200K events and alerts. Your team reviews only the investigations that matter, saving time and lowering costs.
