Accelerate Incident Response Investigations
  • 09 Aug 2022
  • 4 Minutes to read

Watch the “Accelerate Incident Response” video, or read below.

Incident Response and Asset Management Challenges

While Security Analysts often receive alerts that tell them what happened and how it happened, they still spend a great deal of time tracking down assets to resolve security incidents. This is costly, not only in the hours spent completing the task, but also in the additional risk posed while incidents remain unresolved.

The rise of IoT and cloud devices makes this even more challenging: simply finding the devices that may be associated with an incident can be a daunting task.

In order to speed up incident response investigations, security analysts need rich, correlated data on devices, users, and cloud instances.

Using Axonius to Quickly Find Details on Devices & Users

Security analysts reference fully correlated asset inventories in Axonius to accelerate Incident Response investigations. By connecting adapter sources that provide rich information on devices, users, and cloud assets, security analysts can easily correlate alerts with data in Axonius to answer critical incident response questions such as:

  • Which devices and users were associated with the alerts?
  • Where are the devices located?
  • What software is running on the device?
  • Which users are associated with the device?

Furthermore, Axonius provides a RESTful API, so customers can push Axonius data to the SIEM/SOAR platforms they already use and focus investigations in one platform.

The more adapters you have connected in Axonius, the more data you’ll receive about each asset.

We recommend any or all of the following adapter types:

  • Endpoint Agents: endpoint agents can provide rich information on devices, including running software, OS type and version, external IP, network interfaces, and more
  • Configuration & Patch Management: similarly, configuration and patch management agents like Tanium also provide detailed device information
  • Ticketing & Helpdesk platforms: ticketing and helpdesk platforms like ServiceNow and ZenDesk often provide information such as device location, the department it is associated with, first and last discovery date, and more
  • Networking: understanding where the device is located on the network, and where it has been, provides a lot of necessary information
  • Vulnerability Assessment Tools: show whether the device had known vulnerabilities that may have been exploited as part of the incident
  • IAM Solutions: services like Active Directory, Okta, or Azure AD provide information on user privileges, whether they are enrolled in MFA, password strength and expiration, and more.
  • Cloud Infrastructure: with many security incidents now taking place in the cloud, correlating data from cloud IAAS providers can provide useful information for investigations.

Triaging Alerts in Axonius

Axonius makes it simple to search for attributes of a particular device or user in order to triage alerts. Using the search bar on the Axonius dashboard, analysts can search for devices using asset name, host, manufacturer serial number, MAC addresses, IP addresses, last used users and tags.

You can also search for users by their email address, username, first name, and last name.

A simple, but effective way to speed up incident investigations is to query Axonius for any IP address that has been provided in alerts.

Example: If an analyst receives an alert of a possible malware infection associated with the IP address 10.0.56.104, the analyst searches for this IP address in Axonius by simply entering it into the main search bar on the dashboard:
[Screenshot: searching for an IP address in the dashboard search bar]

Google Chrome users can also search for assets directly in the address bar by adding Axonius as a search engine.
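The triage step above starts from whatever identifiers the alerts carry. The following is an added example (not Axonius code, and not an Axonius API client) that pulls the pivot values an analyst would type into the asset search bar out of raw alert text: IPv4 addresses, MAC addresses and user email addresses. The alert lines are constructed for the example; the RFC 1918 split is there because internal addresses are the ones an asset inventory is expected to resolve, while external ones are usually lookups against threat intelligence instead.

```python
import ipaddress
import re

# Constructed sample alerts (not real data); the kind of lines a SIEM or EDR emits.
SAMPLE_ALERTS = [
    "2022-08-09T10:12:31Z EDR alert: possible malware on host WS-4471, src 10.0.56.104, mac 00:1a:2b:3c:4d:5e",
    "2022-08-09T10:15:02Z IDS alert: beaconing from 10.0.56.104 to 203.0.113.45:443",
    "2022-08-09T10:20:44Z Auth alert: 6 failed logins for j.doe@example.com from 10.0.77.21",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# RFC 1918 ranges: addresses an internal asset inventory is expected to know about.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def extract_pivots(alerts):
    """Return deduplicated, sorted identifiers found in the alert lines."""
    ips, macs, emails = set(), set(), set()
    for line in alerts:
        for candidate in IPV4_RE.findall(line):
            try:
                ips.add(str(ipaddress.ip_address(candidate)))
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
        macs.update(m.lower().replace("-", ":") for m in MAC_RE.findall(line))
        emails.update(e.lower() for e in EMAIL_RE.findall(line))
    return {"ips": sorted(ips), "macs": sorted(macs), "emails": sorted(emails)}


def split_internal(ips):
    """Split addresses into (internal, external) using RFC 1918 membership."""
    internal = [ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in RFC1918)]
    external = [ip for ip in ips if ip not in internal]
    return internal, external


def triage_worklist(alerts):
    """Ordered list of (kind, value) pairs to search for, internal assets first."""
    pivots = extract_pivots(alerts)
    internal, external = split_internal(pivots["ips"])
    worklist = [("device_ip", ip) for ip in internal]
    worklist += [("device_mac", mac) for mac in pivots["macs"]]
    worklist += [("user_email", email) for email in pivots["emails"]]
    worklist += [("external_ip", ip) for ip in external]
    return worklist


if __name__ == "__main__":
    for kind, value in triage_worklist(SAMPLE_ALERTS):
        print(f"{kind:12s} {value}")
```

Each `device_ip`, `device_mac` and `user_email` entry is a value the search bar described above accepts; the script only decides what to look up, it does not talk to Axonius.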

After finding the device associated with the IP address, select the Aggregated tab to retrieve rich information about the asset, including:
[Screenshot: the Aggregated tab of a device record]

  • Last Used User (if Active Directory or similar solutions know about the asset)
  • Operating System
  • MAC Address
  • Installed Software & Agent Versions
  • Network Interfaces
  • Vulnerable Software

Examining Historical Data

Using historical snapshots, analysts can also use Axonius to investigate older incidents and pinpoint historical asset attributes.

By selecting the display-by-date option on the Devices or Users pages, analysts can view historical asset attributes and answer questions such as:

  • Did this device have certain security agents at the time of the alert?
  • Did it have any vulnerable software related to the alert?
  • Which user(s) were associated with the device at the time of the alert?
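The three questions above are all point-in-time lookups: pick the snapshot that was current when the alert fired, then read agents, vulnerable software and users from that snapshot rather than from today's record. The following added example (not Axonius code; the record layout and dates are constructed for illustration) shows that logic over a small snapshot history for one device, plus a diff between two snapshots to show what changed.

```python
from datetime import datetime, timezone

# Constructed daily snapshots of one device record; not Axonius's own schema.
SNAPSHOTS = {
    "2022-08-01": {"last_used_user": "j.doe", "agents": {"edr": "7.2.1"},
                   "vulnerable_software": ["openssl 1.1.1k"]},
    "2022-08-05": {"last_used_user": "j.doe", "agents": {"edr": "7.2.1", "patch-mgmt": "3.9"},
                   "vulnerable_software": []},
    "2022-08-10": {"last_used_user": "a.smith", "agents": {"patch-mgmt": "3.9"},
                   "vulnerable_software": []},
}


def snapshot_at(snapshots, alert_time):
    """Return (date, record) for the latest snapshot taken on or before alert_time (UTC).

    Returns None when the alert predates the first snapshot, so the caller
    cannot silently fall back to a later record.
    """
    alert_date = alert_time.astimezone(timezone.utc).date()
    chosen = None
    for day in sorted(snapshots):
        if datetime.strptime(day, "%Y-%m-%d").date() <= alert_date:
            chosen = day
    return None if chosen is None else (chosen, snapshots[chosen])


def assess_at_alert(snapshots, alert_time, required_agents, related_software):
    """Answer the three historical questions for one alert."""
    found = snapshot_at(snapshots, alert_time)
    if found is None:
        return None
    day, record = found
    return {
        "snapshot_date": day,
        "missing_agents": sorted(a for a in required_agents if a not in record["agents"]),
        "vulnerable_matches": [s for s in record["vulnerable_software"]
                               if any(s.startswith(r) for r in related_software)],
        "last_used_user": record["last_used_user"],
    }


def diff_snapshots(before, after):
    """What changed between two snapshots of the same device."""
    return {
        "agents_added": sorted(set(after["agents"]) - set(before["agents"])),
        "agents_removed": sorted(set(before["agents"]) - set(after["agents"])),
        "user_changed": before["last_used_user"] != after["last_used_user"],
    }


if __name__ == "__main__":
    alert = datetime(2022, 8, 9, 10, 12, 31, tzinfo=timezone.utc)
    print(assess_at_alert(SNAPSHOTS, alert, {"edr", "patch-mgmt", "dlp"}, ["openssl"]))
    print(diff_snapshots(SNAPSHOTS["2022-08-05"], SNAPSHOTS["2022-08-10"]))
```

Note that `snapshot_at` returns the snapshot on or before the alert, never after it: a later snapshot may already reflect remediation (an agent installed, a package patched) and would understate the device's exposure at the time of the incident.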

Enforcement Actions

Using the Axonius Security Policy Enforcement Center, analysts can take a range of actions, from notifying teams to containing incidents by acting on devices and users directly.

Creating a ticket

Create a ticket in ServiceNow, ZenDesk, Jira, and other helpdesk and ticketing platforms if incidents need to be resolved by a person other than the lead investigator.

Isolate devices from the network

Isolate the device from the network using connected endpoint security agents, such as CarbonBlack or Cybereason.

Disable risky, potentially compromised users

Prevent potential misuse of compromised accounts by disabling users or devices in Active Directory any time they meet a certain condition.
