I recently wrote an article, published in Solutions Review, on the benefits of approaching security orchestration and management through the lens of entities rather than events. My argument in the article, as well as in a webinar on this topic, was that, just as effective approaches to fighting Coronavirus focus on quickly identifying and isolating the carriers of the virus, fighting cyber-attacks through a focus on entities can achieve similarly effective mitigation.
SIEM solutions today present analysts with an event-based workflow. A security analyst may get an alert from a security tool saying a computer has been infected. The information he or she receives may include several entities, such as hosts, users, email addresses and the like (some may be victims, some may be perpetrators). The analyst then needs to work out which other entities are connected to this one, triage the information, sort out which other events took place, and build an overall story of the attack. This whole process is very time consuming and cumbersome.
empow’s i-SIEM takes an alternative approach: it conducts investigation, triage and mitigation through the lens of the entity. When i-SIEM shows an alert to the analyst, it is an entity-based alert that already presents ALL the actions taken by and on the particular entity at risk. This includes information on the entity and its related entities, together with previously recorded actions, saving the analyst invaluable time and effort.
This week we released version 3.4 of i-SIEM, which includes a number of new features that support the entity-centric security event management methodology and make the management of entities even more effective than before.
Here’s how the analyst’s workflow progresses in i-SIEM.
Following empow’s patented automation process, the analyst receives a list of entities at top risk, with an entity risk score, or “Security Score” (this feature was available in previous versions of i-SIEM as well).
empow’s dashboard presents the analyst with a short list of entities under high risk of attack. Typically, even at large organizations we end up with a limited number of entities with a high security score. This is the key to success in entity-centric security monitoring: the analyst works a short list of entities rather than a long queue of events.
The analyst clicks on a particular entity and enters the entity card. The entity card includes a feature that allows the analyst to “reset security score.” This means that if, following investigation, the analyst has concluded that the entity is not at real risk, he or she can reset that entity’s security score so that it no longer appears in the list of top entities, unless further suspicious events occur on that entity.
In version 3.4 we added new functionality to the entity card to make life easier for the analyst. One addition is the “Review Status” field. If the analyst has reviewed the entity and concluded, for example, that it is truly at high risk, in other words a “positive” alert, they can mark it as “True Positive Handled” in the Review Status field. This is important for recording the history of an entity and lets a team work on the same entities without duplicating effort.
Another new feature in this version is the Summary field, which lets the analyst write down his or her conclusions from the investigation and keep them for future reference. This text, together with the information pulled from Active Directory and other sources, gives a summary of everything the analyst needs to know to handle the entity efficiently.
Finally, this version also adds an “Incident Response Journal,” in which the analyst can record the history of that entity, and where events related to the entity, such as a score reset, a review status change or a summary update, are also entered automatically by the platform.
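To make the workflow above concrete, here is a small Python model of an entity card: events are pivoted onto every entity they name, each entity accumulates a score and a related-entity set, the dashboard short list is the set of entities above a threshold, a score reset clears the score but not the history (so later events surface the entity again), and review status, summary and reset actions are journaled automatically. This is an added illustration, not empow’s code; the scoring here is a plain sum and is not empow’s patented process, and the event shape, weights, threshold and every review status except “True Positive Handled” are assumptions made for the example.

```python
"""Toy entity-centric risk ledger: pivot SIEM events onto entity cards.
Added illustration, not empow's code; the scoring is a plain sum, not
empow's patented process. Event shape, weights, thresholds and every
review status except "True Positive Handled" are assumptions."""
from dataclasses import dataclass, field

# Constructed sample events; field names are invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T09:00:00Z", "type": "phishing_click", "entities": ["user:alice", "host:ws-17"]},
    {"ts": "2020-06-01T09:02:10Z", "type": "malware_detected", "entities": ["host:ws-17"]},
    {"ts": "2020-06-01T09:05:00Z", "type": "outbound_c2", "entities": ["host:ws-17", "ip:203.0.113.7"]},
    {"ts": "2020-06-01T10:00:00Z", "type": "failed_login", "entities": ["user:bob"]},
]
# Arbitrary per-event-type weights and high-risk threshold (assumptions).
WEIGHTS = {"phishing_click": 20, "malware_detected": 40, "outbound_c2": 50, "failed_login": 5}
HIGH_RISK = 60
REVIEW_STATUSES = {"Unreviewed", "In Review", "True Positive Handled", "False Positive"}


@dataclass
class EntityCard:
    """Everything the analyst sees for one entity."""
    name: str
    score: int = 0
    review_status: str = "Unreviewed"
    summary: str = ""
    events: list = field(default_factory=list)   # full action history on the entity
    related: set = field(default_factory=set)    # other entities seen in the same events
    journal: list = field(default_factory=list)  # (ts, text) incident response journal

    def log(self, ts, text):
        self.journal.append((ts, text))


class EntityLedger:
    def __init__(self, weights=WEIGHTS, threshold=HIGH_RISK):
        self.weights, self.threshold, self.cards = weights, threshold, {}

    def card(self, name):
        return self.cards.setdefault(name, EntityCard(name))

    def ingest(self, event):
        """Pivot one event onto every entity it names and journal it."""
        weight = self.weights.get(event["type"], 0)
        for name in event["entities"]:
            c = self.card(name)
            c.score += weight
            c.events.append(event)
            c.related.update(e for e in event["entities"] if e != name)
            c.log(event["ts"], f"event {event['type']} (+{weight}) -> score {c.score}")

    def top_entities(self):
        """The dashboard short list: entities at or above the threshold, highest first."""
        hot = [c for c in self.cards.values() if c.score >= self.threshold]
        return sorted(hot, key=lambda c: c.score, reverse=True)

    def reset_score(self, name, ts, analyst):
        """Clear the score but keep the history; later events raise it again."""
        c = self.card(name)
        c.log(ts, f"{analyst} reset security score from {c.score} to 0")
        c.score = 0

    def set_review_status(self, name, status, ts, analyst):
        if status not in REVIEW_STATUSES:
            raise ValueError(f"unknown review status: {status!r}")
        c = self.card(name)
        c.log(ts, f"{analyst} set review status {c.review_status!r} -> {status!r}")
        c.review_status = status

    def set_summary(self, name, text, ts, analyst):
        c = self.card(name)
        c.summary = text
        c.log(ts, f"{analyst} updated summary")


def demo():
    """Ingest the sample, then handle the one high-risk entity; returns the ledger."""
    ledger = EntityLedger()
    for ev in SAMPLE_EVENTS:
        ledger.ingest(ev)
    host = "host:ws-17"
    ledger.set_review_status(host, "True Positive Handled", "2020-06-01T11:00:00Z", "analyst1")
    ledger.set_summary(host, "Phish -> malware -> C2 beacon; host reimaged.", "2020-06-01T11:05:00Z", "analyst1")
    ledger.reset_score(host, "2020-06-01T11:06:00Z", "analyst1")
    return ledger


if __name__ == "__main__":
    led = demo()
    for c in led.cards.values():
        print(c.name, c.score, c.review_status, sorted(c.related))
    for ts, text in led.cards["host:ws-17"].journal:
        print(ts, text)
```

With the constructed sample, only `host:ws-17` crosses the threshold (four entities appear in the events, one makes the short list), and its card already holds the three events and the two related entities an analyst would otherwise have had to correlate by hand. After the reset the host drops off the list, but its journal keeps the reset, status and summary entries, and a further detection on the same host raises its score from zero rather than from nothing.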
Together these new features expand the analyst’s ability to manage the security of their network through the lens of the entities at risk, cleanly and efficiently.