Introducing “Inferred Context” or
How to Enjoy a Spring Day
Moving at a brisk pace across the campus of your company, laptop stowed under your arm, you hardly have a moment to admire the beauty of an early spring day. During the short trip and perhaps unbeknownst to you, your computer has changed IP addresses multiple times. This common practice helps IT organizations centrally and automatically manage IP addresses resulting in improved reliability and reduced network administration.
However, constant IP address changes can create havoc for Security Analysts because each address will appear as an independent system when a security alert occurs. For instance, an Analyst may start investigating an event based on an IP address and an attack name. The next step is to identify what has happened in association with that IP address, as well as what other systems may be involved in the attack. Depending on the information returned, the Analyst can make a completely inaccurate decision in terms of resolving the event. If you cannot determine the location or owner of the target machine, you can't fix the problem.
The decision-making process is further impacted by incomplete, outdated or inaccurate critical asset lists. This is an all too common occurrence that contributes to high numbers of false positives and even worse, false negatives.
Inferred Context – Advanced decision-making skills
The latest release of the Respond Analyst comes equipped with a new set of features called Inferred Context. Inferred Context improves the Respond Analyst’s ability to make informed, accurate decisions that lead to faster incident response times.
Two examples of how applying Inferred Context will result in better security decisions:
Dynamic Host Configuration (DHCP)
The first component of Inferred Context automatically and intelligently maintains an up to date mapping of an IP address to hostname through ingestion of Dynamic Host Configuration Protocol (DHCP) information. This enhances the accuracy of the Respond Analyst’s findings by attributing all relevant events to the infected/targeted asset (and only that asset!) and enabling reasoning across data sources where one source includes IP addresses (such as network IDS/IPS events). The result is fewer false positives, more accurate prioritization of events and faster time to resolution.
Critical Assets – Shades of Gray
Many customers are challenged in keeping up-to-date lists of systems and their level of criticality. To address this, the second component of Inferred Context collects vulnerability scan data in the Respond Analyst that includes information about the host such as operating system, as well as which ports are open. Because applications communicate over open ports, the Respond Analyst infers that an application is running there. For example, a Simple Mail Transfer Protocol (SMTP) server runs on port 25, so if that port is open, the Respond Analyst will infer that is a mail server, which is considered a critical asset.
Inferred Context is supported on all of the models listed on the Respond Software Integrations page. Additionally, this release is expanding support to give security teams more visibility into their existing alerting telemetries for the following systems:
● Endpoint Protection Platforms: Trend Micro Deep Security, Trend Micro OfficeScan, Palo Alto TRAPs
● Web proxy/URL filtering: McAfee Secure Web Gateway
● Network IDS/IPS: Checkpoint
Inferred Context is helping the Respond Analyst quickly find the target of the attack, so security teams can resolve them quickly. Analysts will no longer have to investigate a multitude of false positives or try to manually search for the affected system, system owner and/or the system name. Instead of staring at a screen filled with endless events, let the Respond Analyst automate the process so you can get out there and enjoy a spring day.
The Respond Analyst’s decision-making skills are continuously expanding. To learn more about what the Respond Analyst can do for your organization or to gain access to Future Early Access programs, [email protected]