The Respond Analyst App for Cortex by Palo Alto Networks Available Now

Recently, Respond Software announced the Respond Analyst app for Cortex by Palo Alto Networks. Cortex is the industry’s only open and integrated AI-based continuous security platform. It delivers radical simplicity and significantly improves security outcomes through automation and unprecedented accuracy.

In other words, Cortex allows Palo Alto Networks customers to aggregate and normalize massive amounts of data from various sources including their next-generation firewalls (NGFW) and Traps (endpoint data) into a single data lake in the cloud. Once the data is collected, customers are able to analyze it, as well as to apply artificial intelligence and machine learning to find threats and orchestrate responses quickly. The Respond Analyst app on Cortex, using Robotic Decision Automation (RDA), is one of the first apps to deliver automated monitoring and triage for the entire Cortex Data Lake dataset.

The Challenge

Under normal operating conditions, firewalls and endpoints collect a massive amount of security event data. The Cortex platform consolidates the siloed event data collected from these sources; however, security teams still need to be selective about which data they use. To make the data more manageable, organizations often filter it or apply tuning rules to their security infrastructure to reduce the event volume that must be analyzed. Tuning down systems increases the probability that an attack goes unnoticed, since not all data is being exposed to the security team. Even so, a vast number of false positives are still surfaced, frustrating security teams as they weed through them looking for real incidents.

The Respond Analyst App

The Respond Analyst app for Cortex addresses this problem head-on. The Respond Analyst app is trained to perform consistent, thorough security analysis at scale — without having to tune down firewall or endpoint data collection. The Respond Analyst eliminates the need for security teams to spend their days, nights and weekends manually analyzing alerts to determine if they are true positives that require actionable responses.  Instead, security teams are empowered to do what they like best – hunt for real events that threaten their business.

Like a frontline security analyst, the Respond Analyst app escalates triaged and scoped incidents based on data collected by Cortex, including but not limited to alerts on malware beaconing, malware outbreaks, lateral movement through exploitation, and unauthorized scanning and reconnaissance.

The Respond Analyst app for Cortex optimizes total cost of ownership for Palo Alto Networks next-generation firewall and Traps customers by removing the human analyst’s task of reviewing and analyzing alerts and by automating analyst decision-making.

Respond Software at Ignite’19

Does the Respond Analyst app seem too good to be true?  Join us at the Palo Alto Networks Ignite event in Austin, TX from June 3rd to 6th in the Innovation Sandbox where you will be able to sign up for the Respond Analyst app right from the show floor! See for yourself how companies from different industries are using the Respond Analyst to reduce the time it takes to weed through mountains of false positives, while vastly reducing their security risk.

If you are not able to make it to Ignite, you can download the app from the Palo Alto Networks app page.


Managing Security Events: Not as Difficult as Finding Magic Stones

These days, finding a qualified and available Security Analyst seems more difficult than locating an Infinity Stone in the Marvel Universe. I’m sure many CISOs wish they could snap their fingers like Thanos, but instead of destroying half the population, create an army of security professionals to manage the complex threat landscape.

Due to the massive gap in available security skill sets and qualified people, many organizations are outsourcing at least a portion of their operations to Managed Security Service Providers (MSSPs). This seems to be a reasonable alternative, but just like in-house security operations, MSSPs have their share of challenges. In this blog, we will discuss those challenges to help you determine if an MSSP is the right security operations model for your organization. Then, if you decide to keep security operations in-house, we’ll share a better alternative that doesn’t involve voyaging through the galaxy hunting for magical stones.


6 considerations when working with or hiring an MSSP


  1. Get ready for a long ramp: According to Gartner, onboarding time for an MSSP is 1 to 4 months.* This elongated time means organizations that are thinking about hiring an MSSP must be patient. Just remember that bad actors are not so tolerant and will not wait for you to get on board and set up with your MSSP before they attack.

  2. Typical outsourcing issues: MSSPs have many customers and therefore lack intimate knowledge of any single customer’s network or infrastructure. This makes it extremely difficult to perform effective analysis of that customer’s unique security configuration and requirements.

  3. Take a number: Like any organization, MSSPs have resource constraints. When the largest incidents hit or volumes peak, MSSPs will typically devote resources to their larger customers, who tend to pay the most.

  4. We’ve got you covered—not so much: Due to the high volume of alerts they are trying to manage, MSSPs will usually tune down sensors. That means the MSSP’s ability to identify an attack will degrade.

  5. Law of diminishing returns: Just like any organization, MSSPs face high analyst turnover and resource shortages. When an analyst leaves the MSSP, customers suffer, as they are paying the same price for lower quality results. Additionally, the MSSP must refocus its attention on hiring new talent from an already dwindling pool of candidates, adversely impacting the current level of service that the customer receives. This problem can often become worse over time.

  6. Cookie cutter solutions: MSSPs have an uncustomizable delivery model. In other words, the MSSP model is optimized for their business, not for the requirements of the customer.


These challenges are merely a sampling of a much larger set of difficulties that service providers face, demonstrating that the MSSP alternative may not be the best for every organization. When moving to an MSSP or using one, carefully think through all of the challenges listed above, as they will affect the amount of time you need to investigate false positives and may cause you to miss important attacks or threats. Of course, you might decide to keep your security operations in-house, but you will likely face many of the same challenges as the MSSP.

And finally, remember there is a third alternative that doesn’t require you to search the galaxy for that elusive security expert. Robotic Decision Automation software for security operations will automate event analysis, management, and triage. The Respond Analyst delivers these capabilities, performing just like an expert analyst, but at machine speed and with 100% consistency.

If addressing the skills shortage with software seems like an alternative for you, please visit the following pages for more information:

*Gartner, “How to Work with an MSSP to Improve Security,” January 30, 2018

Robots Have a Better Memory Than You

Can you remember what happened at 3:45pm last Tuesday? How about what you had for dinner three nights ago? What if you had to somehow correlate those two pieces of information to make a life-changing decision in just a few seconds? The answer is, unless you are Data from Star Trek: The Next Generation, you would likely not be able to do it at all, let alone in a timely fashion.

This is Data.  He has a really good memory…

But that is exactly what we ask security analysts to do multiple times per day. It’s one of the toughest challenges they face – storing and recalling bits of information that may be relevant to an event, and then deciding what is happening in order to rectify the problem. Hmm, perhaps that is why so many companies are having difficulties finding and hiring security analysts these days.¹ But I digress…

In reality, many threats reveal themselves over time, lurking in the background until perhaps it’s too late. That’s exactly how ransomware works. Once a system is penetrated, the ransomware will exist there for days, weeks or months before it is activated. This makes it very difficult for human beings to detect, correlate and remediate the effects of ransomware. So, how can human beings remember events that may seem insignificant or normal when they occur and then correlate that information to new data to realize a security breach is happening?

One way to tackle this problem is by pairing humans with technology. Just as Data from Star Trek helps Captain Picard work through calculations at machine speed to make the right decision, Dynamic Scoping, a feature of Robotic Decision Automation (RDA), does the same thing. It enables security teams to process massive quantities of information, leveraging probability to determine the correct path to remediation.

Because RDA is by definition a robot, it is able to correlate seemingly insignificant events that occurred in the past with newly collected data. It then applies logic and intelligence to re-scope the probability that an attack or threat really exists. While RDA is far from Data from Star Trek, implementing it in an environment is like adding an expert security analyst who never forgets.

Learn more about how the Respond Analyst scopes and re-prioritizes at this link.

¹ Slight Dip in Clicks on US Cybersecurity Job Listings, Kelly Jackson Higgins, Dark Reading


Plays Well With Others: The Respond Analyst Integrates with Palo Alto Networks for 24×7 Continuous Monitoring and Analysis

We talk a lot about coverage here at Respond Software. It’s a fact: the more visibility you have into your environment, the better you’re able to contain and manage the cybersecurity risks you face. The relationship between security sensor data and risk is simple and linear. The more useful sensor data you can collect and effectively monitor in real time, the lower your risk.

This is why we partner with industry leaders like Palo Alto Networks. Palo Alto Networks Next-Generation Firewall solutions enhance visibility across today’s complex networks. You can build truly comprehensive coverage into your network security monitoring program with Palo Alto Networks integrated solutions, including Threat Prevention Services with Network Intrusion Detection and Prevention System (NIDPS) tools, advanced URL filtering, and the Traps endpoint protection and response platform.

Boost Your Ability to Analyze Data from Your Palo Alto Security Sensors

With more than 60,000 customers worldwide, Palo Alto Networks offers tightly integrated network security monitoring solutions that simplify the process of gathering data from billions of these customers’ devices and platforms. By implementing multiple modules from Palo Alto Networks security stack, you can collect detailed information from a wide range of sources, including network traffic logs and URL and endpoint event records.

Palo Alto Networks tools and solutions provide your security team with a wealth of data. Pair them with the Respond Analyst to be sure that you’re able to extract maximum value from that data, even with limited time and employee resources.

Better Together: With The Respond Analyst, More Data = Better Decisions = Effective Security Operations

By nature, Palo Alto Networks IDPS and endpoint protection tools generate a high volume of events. It can be challenging for security teams to sort through all – or even just a few – of them.

For each security event that your PAN solution generates, you must ask yourself the following questions:

  • Why was this event generated?
  • Which assets are involved, and how critical are they?
  • What stage has this attack reached? Are the attackers just gaining a foothold, or has it progressed further?
  • Were any vulnerabilities targeted?
  • Where are the external systems or sites involved located? Do we have intelligence to suggest they are suspicious?

Building context like this for every alert you receive is neither simple nor effortless. But without it, you’re not going to be able to make the best decision every time. The standard way of dealing with this problem is to turn off or ignore security controls that are too noisy. Until recently, this was the only workable solution. Its unfortunate result was that significant amounts of relevant security data were disregarded, limiting security teams’ ability to see potentially important events and increasing time to detection.

With autonomous security monitoring software like the Respond Analyst on board, you can rest assured that you’re not overlooking threats by filtering out valuable information. The Respond Analyst is security analysis software that can take over the task of monitoring the feeds from your Palo Alto Networks solutions, enriching every alert with deep contextual information that’s easy to interpret. The Respond Analyst performs consistent and logical analysis, and it has all the skill of an experienced human security analyst built into it. But it operates at the speed and scale of a machine.

From a technical perspective, the Respond Analyst and Palo Alto Networks tools simply work well together. The Respond Analyst can consume the logs that these tools generate without significant onboarding time or “training.” It’s ready to begin adding value to your implementation right out of the box. All you need to do is forward the feed, and the Respond Analyst takes over from there.

The Respond Analyst Helps Security Teams Defend Against Attacks They’d Otherwise Miss

Let’s take a look at a real incident that the Respond Analyst handled in a real customer environment last year. All identifying information, including names and IP addresses, has been anonymized to protect confidentiality.

In this incident, the Respond Analyst alerted our customer’s security team to a man-in-the-middle (MITM) attack that affected an employee’s iPhone. The employee, “Jim,” had downloaded a third-party app to his iOS device, and the app exploited a known vulnerability in Apple’s FairPlay digital rights management technology to install additional malware on the iPhone.

With access to event data generated by the NIDPS tools included in the Threat Prevention service component of the Palo Alto Networks Next-Generation Firewall, the Respond Analyst was able to detect the anomalous network traffic patterns the attack was generating right away. The NIDPS detected 19 different events, and because our customer also had the Palo Alto Networks URL filtering module deployed, their security team was able to see that an additional 14 web filter events were correlated to the attack.

The Respond Analyst gave the incident response team a wealth of detail about the attack—including an assessment of its severity, the reasons that assessment was made, the assets involved, the times that the suspicious communications occurred, and details for the external IP addresses involved. With so much detail provided on a dashboard display that’s easy to understand and interpret, security team members are much better positioned to remediate the incident with speed and confidence.

Working together with Palo Alto Networks IDPS and advanced endpoint protection modules, the Respond Analyst helps security teams monitor their environments with greater effectiveness and efficiency. With the Respond Analyst’s help, they’re able to detect and contain threats quickly—successfully preventing attackers from reaching their targets.

To learn more about integrating the Respond Analyst with the existing security solutions within your organization’s infrastructure to build a stronger security monitoring program, contact us to schedule a consultation with a member of our team of experts.

Core Telemetries: Focus on the Right Data Sources to Achieve An Enterprise-Grade Security Monitoring Program

According to the most recent Verizon Data Breach Investigations Report, 73% of cyberattacks can be attributed to outsiders. This means that, generally speaking, the attacker will have to compromise an endpoint device and cross the enterprise threshold to accomplish their goals. Imagine a drive-by download that compromises a remote user’s laptop: the endpoint may run the malicious code, but the attackers still need to use the network to move laterally and access your data.

In this case, as in most attacks, the attack might have been detected on the endpoint as well as from any one of many other points within your environment. If your security monitoring system is able to collect sensor data from at least one of these points and if you’re able to monitor that data effectively, you’ll discover the attack and prevent a breach.

Each additional source of security data provides an extra layer of defense against cyberattacks. The deeper your defenses, and the more redundancy that’s built into them, the stronger your security monitoring program.

But even the most diligent SecOps teams are challenged by data overload.  Teams report that less than 10 percent of the data they collect is analyzed.

Many organizations with limited resources find it challenging to prioritize security projects. Which data sources are most important? What solutions should be deployed first?

Build the Foundation with Endpoint Protection and Network Security Monitoring

If you haven’t already implemented it, setting up a basic endpoint protection platform (EPP) is a critical first step towards securing your network. EPP solutions allow you to collect, monitor, and analyze data from endpoint devices, reporting on known threats, preventing malware from executing, and in some cases quarantining unknown files until they can be investigated. Endpoint protection is relatively simple to deploy, and provides a valuable first layer of defense.

To improve visibility into your environment, consider adding a Network Intrusion Detection and Prevention System (NIDPS). Most NIDPS solutions rely on signatures to detect a broad range of threats, and are able to provide comprehensive threat detection for your network, as well as for connected mobile and remote devices and cloud-based resources. NIDPS modules can be enabled within many Unified Threat Management (UTM) solutions as well, so you might already have a solution in place that you simply need to start monitoring.

Go Deeper With Advanced Solutions

If you’d like to improve upon the basic coverage offered by EPP and NIDPS, you can add one of today’s more advanced solutions, such as web proxy filtering and monitoring, URL filtering, email filtering (or anti-phishing solutions) or endpoint detection and response (EDR). These solutions can provide additional coverage of commonly exploited attack vectors (such as web browsers or email), or a more detailed record of the actions taken by the operating system. This can add up to deeper and more comprehensive coverage, but only if you are able to effectively monitor the larger amounts of log and event data they supply.

Boost Your Security Data Monitoring Capabilities With Security Analysis Software

Adding telemetries to your security stack can mitigate your risks and improve your security posture, but only if you are able to monitor those additional data sources continuously and effectively. Incorporating advanced solutions that you don’t have the time or ability to monitor doesn’t help.

And effectiveness in security monitoring is defined not by the number of data sources you monitor, but rather by how continuous and thorough your analysis of that data is.

This is where automated solutions can add the most value. The Respond Analyst can monitor sensor data from both foundational and advanced solutions. It’s able to work 24/7/365, and is capable of handling more events per hour than 14 human security analysts. The Respond Analyst is quick to deploy, and seamlessly integrates with a broad range of third-party security solutions, enabling it to ingest and monitor their data feeds without significant onboarding time, data tagging, or “training.”

The Respond Analyst enables smaller teams to monitor telemetries across their infrastructure—something they could not hope to accomplish manually. It makes it possible for smaller organizations to collect, monitor, and analyze security alerts and relevant contextual information on a scale that was previously available only to the largest enterprises. Along the way, the Respond Analyst brings advanced security capabilities within reach for businesses large and small, in numerous industries and verticals.

To learn more about how the Respond Analyst can work together with your existing security solutions, or with those you’re currently considering, contact us to schedule a demo.

Fight Fire with Fire: How Security Automation Can Close the Vulnerability Gap Facing Industrial Operations

“Be stirring as the time; be fire with fire; threaten the threatener and outface the brow of bragging horror.”
William Shakespeare, 1592

…or as Metallica once sang in 1982, Fight Fire with Fire!

There is a fire alight in our cyber world. Threats are pervasive, the tech landscape is constantly changing, and industrial companies are now increasingly vulnerable with the advent of automation within their operations. Last week a ransomware attack halted operations at Norsk Hydro ASA in both the U.S. and Europe, and just days later two U.S. chemical companies were also affected by a network security incident.

“As manufacturing processes become increasingly complex and spread out around the world, more companies will have to navigate the risk of disruption from cyber attacks.”
Bloomberg Cybersecurity


Industrial control systems (ICS), in particular, were not designed with cybersecurity in mind. Historically, they weren’t even connected to the internet or the IT network, but this is no longer the case. Automation and connectivity are essential for today’s industrial companies to thrive, but they have also made those companies more vulnerable to attacks.

“The more automation you introduce into your systems, the more you need to protect them. Along with other industries, you may potentially start to see a much stronger emphasis on cybersecurity.”
Bloomberg Cybersecurity


Adding to the problem is a shortage of trained security staff to monitor the large volumes of data generated across the network, which inevitably makes a plant’s operations even more vulnerable.

Fight the vulnerabilities that ICS automation causes with security automation

To close the vulnerability gap, industrial companies can fight fire with fire by embracing security automation. Extending automation tools beyond the industrial operations and into a plant’s security operations center can reduce the risk of a cyber attack. Security automation arms security teams with information to quickly identify threats so human analysts can act before a potential threat causes undue harm.

At Respond Software, we’re helping companies realize the power of automation with a new category of software called Robotic Decision Automation (RDA) for security operations. By augmenting teams with a ‘virtual analyst’, called the Respond Analyst, security teams can quickly automate frontline security operations (monitoring and triage).  Only the incidents with the highest probability of being malicious and actionable are escalated to human analysts for further investigation and response.

We believe that by combining human expertise with decision automation, industrial organizations can reduce their vulnerability risk profile.  The Respond Analyst can do the heavy lifting to cover the deluge of data generated each day and human analysts can elevate to focus on creative endeavors to remediate and contain threats faster.

It’s no question that industrial companies will continue to be targeted by bad actors. But now with front-line security automation, these organizations can also proactively safeguard operations against threats.

Be fire with fire.

Read more:
3 Trends That Make Automation a Must for Securing Industrial Control Systems

Introducing “Inferred Context” or How to Enjoy a Spring Day

Moving at a brisk pace across the campus of your company, laptop stowed under your arm, you hardly have a moment to admire the beauty of an early spring day. During the short trip and perhaps unbeknownst to you, your computer has changed IP addresses multiple times. This common practice helps IT organizations centrally and automatically manage IP addresses resulting in improved reliability and reduced network administration.

However, constant IP address changes can create havoc for security analysts, because each address will appear as an independent system when a security alert occurs. For instance, an analyst may start investigating an event based on an IP address and an attack name. The next step is to identify what has happened in association with that IP address, as well as what other systems may be involved in the attack. Depending on the information returned, the analyst can make a completely inaccurate decision about how to resolve the event. If you cannot determine the location or owner of the target machine, you can’t fix the problem.

The decision-making process is further impacted by incomplete, outdated or inaccurate critical asset lists. This is an all too common occurrence that contributes to high numbers of false positives and even worse, false negatives.

Inferred Context – Advanced decision-making skills

The latest release of the Respond Analyst comes equipped with a new set of features called Inferred Context. Inferred Context improves the Respond Analyst’s ability to make informed, accurate decisions that lead to faster incident response times.

Two examples of how applying Inferred Context will result in better security decisions:

Dynamic Host Configuration Protocol (DHCP)

The first component of Inferred Context automatically and intelligently maintains an up-to-date mapping of IP address to hostname through ingestion of Dynamic Host Configuration Protocol (DHCP) information. This enhances the accuracy of the Respond Analyst’s findings by attributing all relevant events to the infected/targeted asset (and only that asset!) and by enabling reasoning across data sources where one source identifies hosts only by IP address (such as network IDS/IPS events). The result is fewer false positives, more accurate prioritization of events and faster time to resolution.

Critical Assets – Shades of Gray

Many customers are challenged in keeping up-to-date lists of systems and their level of criticality. To address this, the second component of Inferred Context collects vulnerability scan data in the Respond Analyst that includes information about the host such as operating system, as well as which ports are open. Because applications communicate over open ports, the Respond Analyst infers that an application is running there. For example, a Simple Mail Transfer Protocol (SMTP) server runs on port 25, so if that port is open, the Respond Analyst will infer that is a mail server, which is considered a critical asset.
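As an added illustration of the two Inferred Context components described above (this is not the Respond Analyst’s own code, whose internal logic is not public), the following Python builds a time-aware IP-to-hostname map from constructed DHCP lease events, attributes constructed NIDS alerts to the host that actually held the address when each alert fired, and infers asset criticality from open ports in a constructed vulnerability-scan record. All sample data and the port-to-role table are assumptions chosen to show the failure mode: a naive per-IP grouping splits one infected laptop across three "systems" and mixes in a second laptop that later reused the same address.

```python
"""Illustration of DHCP-based IP->hostname attribution and port-based
criticality inference. Constructed sample data only; not Respond Software code."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease events (timestamp, ip, hostname). LAPTOP-JIM moves
# across the campus and picks up three addresses; LAPTOP-ANA later reuses
# the address LAPTOP-JIM held first.
DHCP_EVENTS = [
    ("2019-04-02T08:00:00", "10.1.1.20", "LAPTOP-JIM"),
    ("2019-04-02T08:30:00", "10.1.2.45", "LAPTOP-JIM"),
    ("2019-04-02T08:45:00", "10.1.1.20", "LAPTOP-ANA"),
    ("2019-04-02T09:10:00", "10.1.3.7", "LAPTOP-JIM"),
]

# Constructed network IDS alerts (timestamp, source ip, signature name).
IDS_EVENTS = [
    ("2019-04-02T08:10:00", "10.1.1.20", "Beaconing to known C2"),
    ("2019-04-02T08:40:00", "10.1.2.45", "Beaconing to known C2"),
    ("2019-04-02T08:50:00", "10.1.1.20", "Suspicious DNS query"),
    ("2019-04-02T09:20:00", "10.1.3.7", "Beaconing to known C2"),
]

# Constructed vulnerability-scan output: hostname -> open TCP ports.
SCAN_RESULTS = {
    "LAPTOP-JIM": [445, 3389],
    "MAIL-01": [25, 587, 443],
    "DB-02": [1433],
}

# Assumed port-to-role table; the page's own example is SMTP on 25 => mail server.
CRITICAL_PORT_ROLES = {
    25: "mail server", 587: "mail server",
    1433: "database server", 3306: "database server",
    389: "directory server",
}


def parse_ts(text):
    return datetime.fromisoformat(text)


class LeaseMap:
    """Per-IP, time-sorted lease history so a lookup returns the host that
    held the address at a given instant, not merely the latest lease."""

    def __init__(self, events):
        self._by_ip = defaultdict(list)
        for ts, ip, host in sorted(events, key=lambda e: parse_ts(e[0])):
            self._by_ip[ip].append((parse_ts(ts), host))

    def host_at(self, ip, when):
        leases = self._by_ip.get(ip, [])
        times = [t for t, _ in leases]
        idx = bisect_right(times, parse_ts(when))  # last lease starting <= when
        return leases[idx - 1][1] if idx else None


def attribute_events(lease_map, ids_events):
    """Group IDS alerts by the asset that owned the source IP at alert time.
    Unmapped addresses fall back to the raw IP so no alert is dropped."""
    by_host = defaultdict(list)
    for ts, ip, signature in ids_events:
        owner = lease_map.host_at(ip, ts) or ip
        by_host[owner].append((ts, signature))
    return dict(by_host)


def naive_by_ip(ids_events):
    """The pre-Inferred-Context view: every IP looks like a separate system."""
    by_ip = defaultdict(list)
    for _, ip, signature in ids_events:
        by_ip[ip].append(signature)
    return dict(by_ip)


def infer_criticality(scan_results):
    """Infer a role from open ports and mark hosts with a known server role
    as critical; everything else stays 'standard'."""
    inferred = {}
    for host, ports in scan_results.items():
        roles = sorted({CRITICAL_PORT_ROLES[p] for p in ports if p in CRITICAL_PORT_ROLES})
        inferred[host] = ("critical", roles) if roles else ("standard", [])
    return inferred


if __name__ == "__main__":
    lease_map = LeaseMap(DHCP_EVENTS)
    print("naive grouping :", naive_by_ip(IDS_EVENTS))
    print("attributed     :", attribute_events(lease_map, IDS_EVENTS))
    print("criticality    :", infer_criticality(SCAN_RESULTS))
```

With the sample data, the naive view reports three suspicious "systems", while the lease-aware attribution shows three alerts on LAPTOP-JIM and one unrelated DNS alert on LAPTOP-ANA.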

Inferred Context is supported on all of the models listed on the Respond Software Integrations page. Additionally, this release expands support to give security teams more visibility into their existing alerting telemetries for the following systems:

● Endpoint Protection Platforms: Trend Micro Deep Security, Trend Micro OfficeScan, Palo Alto Networks Traps
● Web proxy/URL filtering: McAfee Secure Web Gateway
● Network IDS/IPS: Check Point

Inferred Context helps the Respond Analyst quickly find the target of an attack, so security teams can resolve incidents quickly. Analysts will no longer have to investigate a multitude of false positives or manually search for the affected system, its owner and/or its name. Instead of staring at a screen filled with endless events, let the Respond Analyst automate the process so you can get out there and enjoy a spring day.

For more on Inferred Context, please read our recent press release or better yet, check out our YouTube channel.

The Respond Analyst’s decision-making skills are continuously expanding. To learn more about what the Respond Analyst can do for your organization or to gain access to Future Early Access programs,

Keeping NCAA football fans safe from cyber threats on game day

Did you happen to catch the Clemson vs Alabama NCAA Championship game Monday night? While the Clemson upset was thrilling to watch, I bet most fans had no idea there was another team behind the scenes, hard at work, keeping attendees and the stadium safe from cyber threats.

Yep, our diligent Respond Analyst™ was working away in a state-of-the-art Security Situation Room live during the entire game day experience. We had the privilege to partner with students from Norwich University in this onsite cyber-offensive in one of the newer football stadiums.

Cybersecurity is becoming more critical than ever before at these big events. Close to 100,000 fans streaming video, social streams playing on the jumbotrons, and communication on the field have turned sporting events into serious technical infrastructure. The potential for malware attacks or other security breaches during these live events keeps IT leaders on edge the entire time they are online.

Really, every live event should be monitored and analyzed for security implications to help ease the risk. The problem is there are never enough people to handle it. That is, until now…

For the first time in my 18-year career, I witnessed 243,000 events analyzed, 431 events diagnosed as malicious, and 13 scoped incidents escalated—without one false positive through the entire event! The Respond Analyst’s Decision Automation technology performed without any disagreements from the onsite security team. Bottom line, the Respond Analyst learned its environment in less than a few hours!

To put that into perspective, a traditional security team would need more than 125 trained analysts to cover this volume in the same timeframe. The Respond Analyst covered all of this, freeing up the 6 onsite Norwich students to focus on threat hunting and more strategic security concerns.

This was a humbling experience for all of us at Respond Software who work so hard to deliver solid results for our customers. For those who know my style, I’m not one to brag or fluff the numbers just to give marketing a win, and this time, even I had to sit back and feel good about our capability and results.

One of the best parts was how fast everything was up and running. We built a server loaded with the Respond Analyst and sent it to the Norwich University students to set up. Everything was handled remotely by the Respond Software team, and the Respond Analyst was operational within 6-7 hours from start to finish. Immediately after the first escalation, the students realized the event was a real threat (not junk data)—right away it generated more interest among the students and security personnel.

This is why I love helping customers: knowing that the Norwich team could go to bed confident that their networks were safe. They could identify and address cyber threats quickly, covering more with a smaller security team, which meant they could focus on higher priority tasks. I look forward to working on more events like this in the future.

For more information, check out the Respond Software and Norwich University Press Releases.

3 Trends That Make Automation a Must for Securing Industrial Control Systems

Every time I flip a light switch or run water for my daily shower, I’m not thinking of the potential security risks within our power plants or water suppliers. I just take it for granted that the computers working behind the scenes keep things running smoothly.

These computers, also known as Industrial Control Systems (ICS), control the physical world of our most critical infrastructure. They monitor and control the processes responsible for machinery used in power generation and distribution, manufacturing, water treatment plants, HVAC, and many other industries.

The reality is that some of these systems were not designed with security in mind. Historically, these systems were not connected to the Internet or an IT network. They existed in air-gapped environments, disconnected from all other networks.

The disconnected nature of ICS is quickly becoming outdated. Systems are more connected than ever before and can be accessed remotely by operators. Three trends are increasing the vulnerability of our ICS environments.

Trend 1: Connected IT and Operating Technology (OT) environments are growing.

While these blended environments provide increased efficiency and reduced costs for operators, they also increase the potential for security threats. Threats that occur in OT environments generally originate in the IT environment and then traverse the boundary.

This is complicated by the fact that Industrial Control Systems were not built with security event logging in mind, receive software updates infrequently, and often exist within flat networks (where all systems share the same network segment).

Bottom line—if one system is infected, it’s easy to spread the infection to multiple systems.

IT has traditionally focused on securing the confidentiality and integrity of data or services while ICS security has focused on maintaining operational availability and ensuring safety. Given the changing nature of the environments, these responsibilities need to evolve.

Trend 2: Attacks are becoming more sophisticated in critical environments.

There have been numerous examples of nation-states disrupting Industrial Control Systems with cyber attacks. One particularly well-documented example (and worth the read from Wired!) is Russia’s repeated disruption of the Ukrainian power grid. Other examples include:

Trend 3: A shortage of trained security analysts.

There is already a limited population of security analysts, but there is an even smaller population who can triage the combination of cyber and operational threats.

IT security analysts cannot monitor an OT network without understanding how the ICS systems function normally and how they can be exploited. Also, ICS systems often communicate over proprietary network protocols not found in IT environments and therefore require specialized detection technologies to alert on an ICS-related threat.

Stop these 3 trends from impacting your ICS environment

The increasing potential for threats, combined with the lack of specialized resources to detect these threats, leaves us all vulnerable. The serious attacks on power and water supplies around the world demonstrate the urgency of staying ahead of the bad guys.

Help is on the way. Using Artificial Intelligence (AI) and Machine Learning, Respond Software has partnered with SecurityMatters (recently acquired by Forescout) to provide automated monitoring, decision making, and triage of network intrusions within ICS environments.

Respond Analyst provides 24×7 automated monitoring and triage, without requiring you to hire, train, and operate a team of security analysts. SecurityMatters provides in-depth visibility into ICS environments, classifying assets and detecting threats based on deep packet inspection of industrial protocols. By monitoring both your OT and IT environments, Respond Analyst is able to identify threats crossing that boundary, providing an earlier warning, and increased visibility into the earlier stages of the attack.

Security Matters and Respond Software partnership.

A new tool for defenders – Real-time analysis of Web Proxy data

When I got back into the office after taking a short break to recharge my batteries, I was really excited to be speaking with my colleagues at Respond Software about the upcoming release of our web filtering model for our Respond Analyst. You see, over the last few months we’ve been working tirelessly to build a way to analyze web filtering event data in real-time. Now that I’m sitting down to write this blog, the fruit of all the hard work our team has put into making this a reality is really sinking in. We’ve done it! It’s now available as part of the Respond Analyst!

This was no small feat, as most of you in the security operations world would know.

You may ask why we chose to take this challenge on. The answer is quite simple: there is a ton of valuable information in web filtering data, and it’s extremely difficult for security teams to analyze these events in real-time due to the sheer volume of data generated by enterprises. What a perfect opportunity for us to show off the Respond Analyst’s intelligence and capability.

Up until now, security operations and IR teams have pivoted to using web filtering data for investigations once they’ve already been alerted to an attack through threat hunting or some other form of detection.  Processing all of the web filtering data for an organization in a SIEM or similar has just been way too expensive to do. In fact, most organizations can’t even afford to store this data for a “reasonable” amount of time for investigators to dig through.

Think about it for a second: each web page visited can generate a number of new web requests to pull back content from different sources. Then picture each employee using the internet for most of the day, navigating the web through their day-to-day tasks and a few personal items between meetings. All this amounts to hundreds of web page visits each day. If you have a few hundred employees, the volume of data generated by the web filtering solution quickly becomes unmanageable. Well, now we’re able to process all of these events in real-time.

Consider the questions you are able to ask of the data without even taking the assigned web filtering category into account…

  • Analyze each component of the HTTP header
  • Perform user agent analysis
  • Take a look at how suspicious the requested domain is
  • Perform URL string comparisons to all other requests over an extended period of time
  • Compare each attribute to information you’ve gathered in your threat intel database

But why stop there…

  • What about looking at whether the pattern of behavior across a set of requests is indicative of exploit kit delivery?
  • Maybe you suspect that these requests are related to command-and-control activity.
  • What about the upload of documents to a file-sharing service: is that data exfiltration or simply everyday user activity?
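The per-request checks listed above (user agent, domain suspicion, threat-intel lookup, large uploads to file sharing) run over a handful of constructed proxy log lines, as an added example in Python; this is not Respond Software's code, and the log format, threat-intel entries, file-sharing list and thresholds are all assumptions made for the example:

```python
import math
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real data): user,src_ip,method,url,user_agent,bytes_out
SAMPLE_LOG = """\
alice,10.0.0.5,GET,http://news.example.com/today,Mozilla/5.0 (Windows NT 10.0) Firefox/68.0,412
alice,10.0.0.5,GET,http://cdn.example.com/img/logo.png,Mozilla/5.0 (Windows NT 10.0) Firefox/68.0,0
bob,10.0.0.9,GET,http://x7k2q9pz4m1v.example-bad.net/gate.php,Mozilla/4.0 (compatible; MSIE 6.0),88
bob,10.0.0.9,POST,https://share.example-cloud.com/upload,Mozilla/5.0 (Windows NT 10.0) Firefox/68.0,48000000
carol,10.0.0.12,GET,http://update.example.org/check,,210"""

THREAT_INTEL = {"example-bad.net": "constructed C2 indicator"}  # hypothetical intel feed
FILE_SHARING = {"example-cloud.com"}  # constructed list of file-sharing parent domains
UPLOAD_THRESHOLD = 10_000_000  # bytes sent in one request before an upload is flagged

def shannon_entropy(s):
    """Bits per character; machine-generated labels score higher than real words."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def parent_domain(host):
    """'a.b.example.com' -> 'example.com' (good enough for the constructed data)."""
    return ".".join(host.split(".")[-2:])

def parse_line(line):
    user, src, method, url, ua, out = line.split(",", 5)  # exactly six fields
    return {"user": user, "src": src, "method": method, "url": url, "ua": ua,
            "bytes_out": int(out), "host": urlparse(url).hostname or ""}

def analyze(event):
    """Run the user-agent, domain, intel and upload checks; return the reasons that fired."""
    reasons, pd = [], parent_domain(event["host"])
    if pd in THREAT_INTEL:
        reasons.append("threat-intel match: " + THREAT_INTEL[pd])
    if not event["ua"]:
        reasons.append("empty user agent")  # browsers always send one; scripts often don't
    elif "MSIE 6.0" in event["ua"]:
        reasons.append("outdated user agent")  # simple heuristic: a browser nobody runs any more
    label = event["host"].split(".")[0]
    if len(label) >= 10 and shannon_entropy(label) > 3.3:
        reasons.append("high-entropy hostname label")  # DGA-style names
    if event["method"] == "POST" and pd in FILE_SHARING and event["bytes_out"] > UPLOAD_THRESHOLD:
        reasons.append("large upload to file-sharing service")
    return reasons

def triage(log_text):
    """Map each URL to the reasons it was flagged; events with no findings are dropped."""
    events = [parse_line(line) for line in log_text.splitlines()]
    return {e["url"]: analyze(e) for e in events if analyze(e)}
```

Running `triage(SAMPLE_LOG)` flags three of the five constructed requests and leaves the two ordinary browsing requests alone.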

Web filtering data can also leverage the power of integrated reasoning.  When web filtering data is combined with IDS/IPS sensors, Anti-malware technology and contextual sources like vulnerability data and critical asset lists, you are able to form an objective view of your enterprise’s threat landscape.  Beyond the analysis of each of these data sources, the Respond Analyst accurately scopes all events related to the same security incident together for a comprehensive incident overview.  The Respond Analyst then assigns an appropriate priority to that incident and documents all the details of the situation and presents this information to you.  This is, by far, the most efficient way to reduce attacker dwell time.

We have a long way to go and many more exciting Respond Analyst skills & capabilities on the way. I couldn’t be prouder of all the work we’ve achieved and the release of our Web Filtering model.

Way to go Respond team!
