
How a Major German Bank Reduced Risk + Saved Money

Are your analysts struggling with when to escalate alerts? 

Learn how this security team cut costs and derisked escalation decisions with Cyber Triage.

Let’s jump in…


Challenge

The security team of a major German bank had a big job. While the company outsourced their SOC and IR functions, the internal team wanted to own the interaction. When the bank’s external SOC sent over an alert, the internal team — all security generalists — was tasked with deciding if the alert should be escalated to external IR.

The team’s 3 challenges:

Challenge #1: They wanted to own the handoff between the external SOC and IR teams. This meant deciding what to escalate to IR when the SOC sent over a valid alert.
Challenge #2: Slow decisions = higher risk.
Challenge #3: Inaccurate decisions = higher costs.

They wanted neither.

To address these challenges, the team looked for a platform that could help them quickly and comprehensively investigate valid alerts.

Solution

The search ended with Cyber Triage. Cyber Triage is an automated digital investigations platform designed to help security teams make fast and accurate decisions.

The Team’s new process:

Step 1: The external SOC sends a valid alert about an endpoint to the internal team.
Step 2: The team launches Cyber Triage. Cyber Triage can work directly within EDRs, allowing teams to quickly start investigations from the console.
Step 3: Data is collected from the suspicious endpoint and sent to Cyber Triage. The Collector is “adaptive,” which means it expands according to what it finds. This maximizes the relevant data collected, especially scripts and executable content.
Step 4: Cyber Triage prioritizes bad and suspicious items using 40+ malware engines, Hayabusa, ImpHash, etc. Items are presented to the team for review.
Step 5: The internal team reviews the items, determines scope, and decides whether to escalate or handle the incident themselves. The entire process is much faster than with traditional forensics tools.

Results

The Team Could Decide with Confidence

Cyber Triage automatically collected and prioritized evidence, giving the team immediate visibility into the activity behind every alert. With a clear picture of scope and risk, the internal security team could confidently decide whether they should handle the situation internally or invoke IR.

The Team Minimized Risk and Cost

Cyber Triage’s automated workflows dramatically cut decision time, minimizing the exposure risk created by slow investigations. The team’s escalation decisions were also more accurate, meaning they only spent money on external IR when necessary.

The Team Owned Their Security Resources

With Cyber Triage, the security team now had a system for quickly and effectively collaborating with their external SOC and IR. They only used what they needed, when they needed it. They were in the driver’s seat.

Future

The success of this deployment has the bank’s security team thinking bigger. They’re now implementing a new EDR (Windows Defender) and looking to test Cyber Triage’s powerful Defender Integration, which can directly import telemetry from the EDR.

From speeding up incident validation to building an EDR + DFIR investigation platform, Cyber Triage has helped the team take the next step.

And it can do the same for yours.

Try it for yourself free for 7 days.