Allesao | Use Cases
2018-07-24T17:10:46+00:00

Allesao Use Cases

Here are some real-world use cases and workflows that will help you understand the role that Allesao can play in your Security Operations Center. Organizations are realizing that 80-90% of their security operations tasks can benefit from automation, and this is changing the way they think about their current processes. The efficiencies gained help security teams handle more tasks, focus more time on challenging issues, and significantly decrease the Mean Time to Respond (MTTR) to security incidents. Do you have a real-world use case that can benefit from Allesao?

Case Enrichment

SITUATION
Leveraging Threat Intelligence and Indicators of Compromise (IOC) data throughout your security infrastructure is time-consuming and challenging without some level of automation or orchestration.

PROBLEM
New and updated Indicators of Compromise (IOC) are regularly added to Threat Intelligence services. These services are also constantly evolving and strengthening their platforms and data. Researching and validating security alerts using these services is a repetitive, time-consuming, and manual process. But enriching a case with accurate and up-to-date data is an important step in understanding a potential threat. The longer it takes an analyst to complete due diligence and start their incident response process, the more time a threat actor has to continue their attack campaign.

SOLUTION
Enrich cases using automation to look up IOCs in all Threat Intelligence platforms with Allesao Managed SAO. Here is an example workflow using a SIEM, a Threat Intelligence service and a Next-generation Firewall.

Allesao Use Cases | Case Enrichment

RESULTS
Allesao case enrichment provides security operations teams with near-real-time access to the most current threat intelligence data. Security automation and orchestration allows the SecOps team to work with updated and accurate information about the Indicators of Compromise (IOC) and respond more quickly to incidents—minimizing risk and reducing the team’s Mean Time to Respond (MTTR).

Endpoint Security

SITUATION
The number of alerts generated by an Endpoint Detection and Response (EDR) system can quickly overwhelm a security operations team. Alert fatigue can hinder an effective and timely response.

PROBLEM
With hundreds or thousands of endpoints generating EDR alarms every day, large organizations struggle to manually resolve every alert. The process is time-consuming and inefficient. This high Mean Time to Respond (MTTR) leaves plenty of time for threats to proliferate and increase an organization’s risk.

SOLUTION
Automatically triage endpoint security alerts and remediate confirmed incidents with Allesao Managed SAO. Here is an example workflow using a SIEM, a Threat Intelligence service, and an Endpoint Detection and Response solution.

Allesao Use Cases | Endpoint Protection

RESULTS
Allesao automatically triages Endpoint Security alarms and enriches cases with Threat Intelligence data from internal (CMDB) or external sources. It can also enhance the case records with data and context from the EDR tool. Using an automated workflow, Allesao uses this data to determine the appropriate remediation actions, such as isolating an endpoint or killing processes. Executing incident response at machine speed helps to respond to every endpoint alarm and prevent incidents from escalating into security breaches.

Forensic Investigation

SITUATION
Manually gathering and centralizing forensic evidence from disparate tools and processes can hinder the speed and accuracy of an investigation.

PROBLEM
Investigators rely on the accuracy and availability of case data. But gathering and centralizing this data is often a manual task that involves multiple sources, systems, and tools. This cumbersome process can make it difficult to find and access evidence that may be stored in multiple locations or non-standard formats.

SOLUTION
Allesao automation and orchestration automatically gathers and centralizes relevant forensic data for case management. Here is an example workflow using a SIEM and a forensic tool.

Allesao Use Cases | Forensic Investigation

RESULTS
Allesao automatically queries your SIEM to gather relevant forensic log data and initiates actions in your forensic software to gather additional data, such as endpoint memory dumps and disk images. The case management data is centralized in Allesao, waiting for the investigators to perform a more in-depth analysis. The automated processes execute at machine speed, saving administrative time that can be better spent on evidence analysis.

Identity Verification/Enforcement

SITUATION
Maintaining an organization’s security hygiene requires fast and efficient verification of user identities and credentials. Security operations teams need to protect against stolen or malicious use of credentials, while ensuring smooth and unencumbered access for authorized users.

PROBLEM
Security operations teams need to monitor, verify and enforce access to their systems, while quickly determining whether a login is malicious or legitimate. Manually checking all user permissions and behaviors across multiple systems isn’t a practical strategy.

SOLUTION
Automatically validate user permissions for specific resources with Allesao Managed SAO. Here is a simple example workflow using an Endpoint Detection and Response solution, Active Directory and a User and Entity Behavior Analytics (UEBA) solution.

Allesao Use Cases | Identity Verification and Enforcement

RESULTS
Organizations can verify and control access to their systems, while protecting confidential information from malicious activities. When alarms are triggered by unauthorized user behaviors, Allesao will execute workflows to disable the user accounts and quarantine the hosts to avoid further proliferation. Other automated actions can be quickly executed to minimize the impact of the attack, such as running anti-virus scans and disabling Active Directory accounts.


Phishing Attacks

SITUATION
The #1 vehicle for delivering malware to corporate networks is email. Damage from email phishing attacks is regularly in the news. Millions of phishing emails are sent to unsuspecting users daily. Each one is the start of a new or proven malicious attack campaign, and these campaigns are costing American businesses over $500M annually, and rising.

PROBLEM
There are simply too many potential phishing emails to investigate every day. Once identified, each incident investigation can take an average of 10-45 minutes, with a security analyst manually engaging multiple security tools for case enrichment, analysis and remediation. Most organizations are not properly staffed to manually investigate the daily volume of phishing attacks that are identified. This leaves many phishing cases open and unresolved, and the potential risk of damage compounds daily.

SOLUTION
Automate the investigation and quarantine of suspected emails with Allesao Managed SAO. Here is an example workflow using integrations with email, Threat Intelligence, Sandboxing, Endpoint Detection and Response, and Ticketing systems.

Allesao Use Cases | Phishing

RESULTS
With Allesao, your phishing response processes are defined, documented and executed at machine speed. All potential phishing emails are investigated, tickets are created, and phishing emails are properly quarantined. The SecOps team can now handle a large volume of phishing attacks and lower their Mean Time to Resolution (MTTR). Automation also removes the opportunity for manual errors and eliminates analyst-to-analyst process inconsistencies.

SIEM Triage

SITUATION
SIEMs are now creating the majority of security operations alerts, and less than 1% of the severe/critical alerts are actually being investigated. Instead of just addressing the highest rated alarms, SecOps needs a way to review and validate all alerts and potential threat campaigns.

PROBLEM
It is logistically impossible to manually review and investigate all SIEM alerts. The original alarms typically don’t contain enough information to confidently take action, so the cases require additional, time-consuming research and enrichment. Following the documented playbook processes, the SecOps analyst will likely only be able to investigate a small percentage of the alerts in the queue. This increases the opportunity for a successful attack.

SOLUTION
Automate as much of the incident response playbook as possible and enrich the case with investigation results using Allesao Managed SAO. Here is an example workflow using Active Directory, a SIEM, Threat Intelligence and Endpoint Detection & Response tools.

Allesao Use Cases | SIEM Triage

RESULTS
Without adding resources, the security operations team will be able to automate 80-90% of their alerts, allowing them to handle a higher volume of alerts with accuracy. For the remaining alarms that need human intervention, the analysts will benefit from having the automated case enrichment data already in the Allesao record. This not only saves time, but also improves workflow consistency. Automating your workflows with Allesao improves team efficiency, reduces threat risk and increases your overall security posture.
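As an added example (not Allesao's code), here is a minimal version of the enrichment-and-triage playbook described in the Case Enrichment and SIEM Triage sections: each IOC in a SIEM alert is looked up across several threat-intelligence feeds, and the aggregated verdict selects automatic remediation, analyst review, or auto-close. The provider names, feed contents and alert data are constructed assumptions; note that auto-remediation requires at least two providers to agree, so a single feed's verdict alone never triggers an automated block.

```python
from dataclasses import dataclass, field

# Constructed IOC verdicts standing in for two threat-intel providers (assumption).
TI_FEEDS = {
    "provider_a": {"198.51.100.23": "malicious", "evil.example": "malicious"},
    "provider_b": {"198.51.100.23": "malicious", "203.0.113.7": "suspicious"},
}

@dataclass
class Case:
    alert_id: str
    iocs: list
    enrichment: dict = field(default_factory=dict)  # ioc -> {provider: verdict}
    verdict: str = "unknown"
    action: str = "none"

def lookup_ioc(ioc):
    """Query every configured feed for one IOC; 'unknown' when a feed has no record."""
    return {name: feed.get(ioc, "unknown") for name, feed in TI_FEEDS.items()}

def enrich(case):
    """Attach per-provider verdicts for each IOC to the case record."""
    for ioc in case.iocs:
        case.enrichment[ioc] = lookup_ioc(ioc)
    return case

def decide(case):
    """Two providers agreeing on 'malicious' -> auto-remediate; any single
    malicious/suspicious hit -> analyst review; nothing flagged -> auto-close."""
    malicious_votes = max(
        (sum(v == "malicious" for v in r.values()) for r in case.enrichment.values()),
        default=0)
    flagged = any(v in ("malicious", "suspicious")
                  for r in case.enrichment.values() for v in r.values())
    if malicious_votes >= 2:
        case.verdict, case.action = "malicious", "block_and_escalate"
    elif flagged:
        case.verdict, case.action = "suspicious", "analyst_review"
    else:
        case.verdict, case.action = "benign", "auto_close"
    return case

def triage(alerts):
    """Run the playbook over SIEM alerts; return cases and the auto-handled fraction."""
    cases = [decide(enrich(Case(a["id"], a["iocs"]))) for a in alerts]
    auto = sum(c.action != "analyst_review" for c in cases)
    return cases, (auto / len(cases) if cases else 0.0)

SAMPLE_ALERTS = [  # constructed SIEM alerts, not real data
    {"id": "A-1", "iocs": ["198.51.100.23", "10.0.0.5"]},
    {"id": "A-2", "iocs": ["203.0.113.7"]},
    {"id": "A-3", "iocs": ["192.0.2.9"]},
    {"id": "A-4", "iocs": ["evil.example"]},
]
```

Running `triage(SAMPLE_ALERTS)` auto-handles two of the four alerts; the "block_and_escalate" action is where a real playbook would call the firewall or EDR integration.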

Threat Hunting

SITUATION
Security Operations Centers can no longer remain passively vigilant. To defend against today’s malicious and aggressive threat campaigns, analysts need to proactively hunt for and identify unknown threats.

PROBLEM
Security operations analysts who execute their incident response and threat hunting processes manually often have limited time to be successful at threat hunting. Drilling into logs or packet captures to collect evidence is a time-consuming process. Validating suspicious activities often requires manually accessing multiple external systems and then storing the results in a specific format and location for future reference.

SOLUTION
Automatically search for Indicators of Compromise (IOC) across Threat Intelligence services with Allesao Managed SAO. Here is an example workflow using a SIEM, a Threat Intelligence service, a Packet Capture tool, a Sandbox and an Endpoint Detection and Response solution.

Allesao Use Cases | Threat Hunting

RESULTS
Allesao automatically centralizes the relevant data collected from the various systems and threat intelligence sources, providing a comprehensive view of the threat landscape. Analysts will now have more time to proactively hunt threats and understand the integrated threat information.

Insider Threat Detection

SITUATION
Negligent user actions, malicious internal attacks and external threat campaigns that use valid user credentials are difficult threats to identify and prevent. These threats often lead to successful security breaches.

PROBLEM
Potential insider threats typically require significant manual research and validation using disparate security tools and services. Getting a complete picture of the attack is challenging and requires in-depth investigation. Since the attack mirrors a normal user’s authorized behavior, it is hard to detect and understand the scope of the attack—especially when it extends across multiple systems. Time is of the essence; reducing Mean Time to Detect (MTTD) and Mean Time to Resolution (MTTR) is critical to limit the impact of the malicious activity.

SOLUTION
Integrate multiple tools for faster insider threat detection and response with Allesao Managed SAO. Here is an example workflow using Endpoint Detection and Response, a SIEM, a Data Loss Prevention tool, a User Behavior Analytics solution and a Threat Intelligence service.

Allesao Use Cases | Insider Threat

RESULTS
Allesao security automation and orchestration helps to quickly identify and stop insider threats before they can cause major damage within your organization. Having an integrated set of security tools reduces your MTTD and MTTR, and provides the SecOps team with a complete understanding of the campaign’s attack vectors. Using Allesao to execute your insider threat incident detection and response process improves your security posture without adding resources.