If you are responsible for protecting digital information, then you will need to respond to a security incident at some point. However, many challenges arise during a response:
- Unfocused tools that can be complicated to use
- High false positive rates from automated tools
- Changing attack tactics that grow more advanced every day
Whether you have a dedicated and experienced response team or a single IT person who attended an online course, efficiency is critical and time is of the essence. Basis Technology is building a new software product, called Cyber Triage, because we want to change the dynamic of incident response and the teams that are assembled to perform it so that incidents are contained more quickly.
A Faster Tool for Computer Security Incident Response
Cyber Triage is cybersecurity software that enables IT and information security incident responders to quickly collect, analyze, and act. We want to help you find patient 0 as fast as possible.
Smarter approach to finding the indicators
Our approach with Cyber Triage is to automate as much as possible and to provide the responder with enough situational awareness to decide and act. We use the following techniques:
- Automated Collection: With the press of a button, data is collected from a live host or from an offline (dead) disk image and saved to a central repository. Automating the collection saves time and removes the manual errors that creep in during a hurried response.
- Automated Threat Scoring: Cyber Triage leverages information from previous incidents, threat intelligence, and malware scanning tools to automatically identify files and events that are suspicious. These are quickly brought to the responder’s attention.
- Guided Review: Attackers try their best to blend in, and often a human is needed to review the data and decide whether an activity is actually suspicious. Cyber Triage fuses data from many sources into a simple interface so that the responder can quickly make that call for user and system activity alike.
By automating the process, we can not only make the basic response faster, but we can also collect and analyze more data.
Fusion: Incident-related data is stored in many places: files, Windows registry, log files, servers, web history, e-mail, etc. Cyber Triage analyzes these sources and puts them together to reconstruct events so that the responder can start with a single executable and find out when it was run and how it got there.
Focus on configuration: To better alert your responders when critical systems are involved with an incident, your network layout and critical assets can be integrated into Cyber Triage before an incident occurs.
Analytics: There are general rules for what might look suspicious; we call this heuristic analysis. Heuristics save time by identifying things that warrant deeper investigation (multiple failed login attempts or unsigned startup executables, for instance) without wasting an investigator's time on items that do not. Cyber Triage uses analytics in two ways:
- Presenting aggregated behavior information and highlighting patterns identified as potentially suspicious for user review, and
- Using configured rules to identify files that warrant deep malware analysis, then processing those files in our malware analysis engine (both static and dynamic) to arrive at the true threat score for an executable.
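To make the fusion and heuristic ideas above concrete, here is an added example that is not Cyber Triage code and does not reflect how the product scores anything internally. It runs a few of the heuristics named on this page (a burst of failed logins, an unsigned startup executable) over constructed host artifacts, and fuses execution, download and persistence records so that, starting from one executable, you can see when it first ran and how it arrived. Every host, user, path, URL, timestamp and point value in it is invented for illustration.

```python
"""Toy triage scorer (added example, not Cyber Triage code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample artifacts: all names, paths and times are invented ---
T0 = datetime(2024, 3, 1, 9, 0, 0)

# Startup / persistence entries with their code-signing status.
STARTUP_ENTRIES = [
    {"path": r"C:\Program Files\Vendor\agent.exe", "signed": True},
    {"path": r"C:\Users\jdoe\AppData\Roaming\updater.exe", "signed": False},
]

# (timestamp, user, success) as you would pull from logon events.
LOGIN_EVENTS = [(T0 + timedelta(seconds=20 * i), "jdoe", False) for i in range(6)]
LOGIN_EVENTS += [
    (T0 + timedelta(minutes=3), "jdoe", True),
    (T0 + timedelta(hours=2), "svc_backup", False),
    (T0 + timedelta(hours=5), "svc_backup", False),
]

# (timestamp, path) from execution artifacts.
EXEC_EVENTS = [
    (T0 + timedelta(minutes=4), r"C:\Users\jdoe\AppData\Roaming\updater.exe"),
    (T0 + timedelta(minutes=30), r"C:\Users\jdoe\AppData\Roaming\updater.exe"),
    (T0 - timedelta(days=30), r"C:\Program Files\Vendor\agent.exe"),
]

# (timestamp, saved path, url) from browser download history.
DOWNLOADS = [
    (T0 + timedelta(minutes=3, seconds=30),
     r"C:\Users\jdoe\AppData\Roaming\updater.exe",
     "http://example.invalid/updater.exe"),
]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: failures in the worst window} for users whose failed
    logins reach `threshold` inside any sliding `window` (brute-force heuristic)."""
    failures = defaultdict(list)
    for ts, user, ok in events:
        if not ok:
            failures[user].append(ts)
    bursts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def fuse_executable(path):
    """Fuse execution, download and persistence records for one executable."""
    key = path.lower()
    runs = sorted(ts for ts, p in EXEC_EVENTS if p.lower() == key)
    origin = [(ts, url) for ts, p, url in DOWNLOADS if p.lower() == key]
    persistence = [e for e in STARTUP_ENTRIES if e["path"].lower() == key]
    return {"path": path, "first_run": runs[0] if runs else None,
            "run_count": len(runs), "origin": origin, "persistence": persistence}


def score_executable(path):
    """Heuristic score for one executable, with a reason for every point added.
    The point values are arbitrary choices for this example."""
    info = fuse_executable(path)
    score, reasons = 0, []
    if any(not e["signed"] for e in info["persistence"]):
        score += 40
        reasons.append("unsigned executable configured to run at startup")
    if info["origin"] and info["first_run"]:
        dl_ts, url = min(info["origin"])
        if info["first_run"] >= dl_ts:  # web history + execution artifact fused
            score += 20
            reasons.append("downloaded from %s and first run %s later"
                           % (url, info["first_run"] - dl_ts))
    return {"path": path, "score": score, "reasons": reasons, "timeline": info}


def triage_host():
    """Rank every executable seen in persistence or execution artifacts."""
    paths = {e["path"] for e in STARTUP_ENTRIES} | {p for _, p in EXEC_EVENTS}
    ranked = sorted((score_executable(p) for p in paths), key=lambda r: -r["score"])
    return {"login_bursts": failed_login_bursts(LOGIN_EVENTS), "executables": ranked}


if __name__ == "__main__":
    report = triage_host()
    print("Failed-login bursts:", report["login_bursts"])
    for item in report["executables"]:
        print("%3d  %s" % (item["score"], item["path"]))
        for reason in item["reasons"]:
            print("       -", reason)
```

The point of the structure is that each score carries its reasons and the fused timeline, so a responder sees not just "suspicious" but why, when it first ran and where it came from; the thresholds and point values are the kind of tunable rules a real tool would expose to the team.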
The right data in the right places
While Cyber Triage is doing a lot of analysis behind the scenes, the results are presented simply to the user.
Simplified UI: Cyber Triage provides a straightforward no-nonsense UI that doesn’t make you hunt for how to work with the data. We just present it logically so that you can stay focused on the case to get done faster.
Focused results: Cyber Triage doesn't fill the screen with noise. It gives you an intuitive interface for navigating and scoring threats during your investigation, whether it's user activity, rogue network connections, or suspicious executables.
Cyber Triage is designed to help you act faster. It does this by being smarter about finding what doesn’t look normal, automating the collection and fusion of data, and presenting the right information in the right way. By using this tool, IT and information security incident responders can churn through backlog, better handle the first level of response during a computer security incident, and save money for the organization by taking a better approach to investigating data breaches and intrusions.