Digital Anarchist RSAC 2020: Overcoming the challenges of forensics collection for faster, more accurate threat response

Digital Anarchist interview with Nir Greenberg, Senior Director of Field Engineering and Customer Success at Illusive Networks

When collecting forensics and applying them across the threat response process, organizations often face the same challenges: what is the fidelity of detail in the information collected? Do staff have the depth of experience needed to investigate properly? Can the forensics collection process simply be outsourced?

Illusive helps customers address these challenges by collecting forensics directly from the compromised machines identified by alerts from other products. Illusive's forensics add context that can be correlated with forensic information from other tools into a graphical, easy-to-use forensic timeline, showing where the incident occurred and which processes were running at the time. The output helps teams use the resources available more effectively and cut through the noise that stalls response while they determine whether an incident is truly malicious.

In this video, Nir Greenberg, Senior Director, Field Engineering and Customer Success at Illusive Networks, sits down with Matt Hines, Security Analyst, MediaOps, at RSAC 2020 to discuss how the Illusive platform delivers high-fidelity, easy-to-consume, on-demand forensics, even when the alerts originate from other solutions.

Time to response is critical, and Nir describes how one company's use of Illusive forensics is reducing the time typically needed to isolate computers and conduct the related analysis by 90%, allowing faster incident response. An investigation to determine the severity of an alert that would previously have taken six hours was reduced to minutes. When the threat is real, the ability to respond immediately with precise details is often the difference between damage done and damage avoided.

Points discussed in this video:

  • Nir reviews Illusive's approach to real-time forensics collection, which is based on an agentless design that enables faster collection than agent-based alternatives, which need time to upload forensic data and slow the response
  • The benefits of coupling Illusive forensics with alerts from other systems for a deeper understanding of a malicious event and its context. For example, an anti-virus alert that malware was injected into a system is sent to a SIEM, which triggers isolation of the computer and the related review. To learn where the malware came from, the organization's ticketing system can then automatically launch Illusive's forensics collection on the compromised machine, establishing who, what, when, where and how to inform the next level of investigative response
  • How Illusive helps companies shift from the uncertainty of probabilistic alerts, which require time-consuming research to confirm malicious intent, to a deterministic approach: deceptions that deliver incontrovertible evidence of an attack in motion
  • See what you're missing: a free Illusive Attack Risk Assessment takes half a day and delivers a full report on your current vulnerabilities
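The alert-driven enrichment described above (AV alert arrives, forensics are collected from the affected host, and the result is correlated into a timeline that answers who, what, when, where and how) can be illustrated generically. The following is an added example written for this page; it is not Illusive's code, assumes nothing about the Illusive platform's API, and uses a constructed AV alert, process snapshot and connection list in place of real collected data. It reconstructs the malware's parent-process lineage, gathers the remote endpoints contacted by that lineage, and merges process starts and connections near the alert into one time-ordered timeline.

```python
"""Alert-driven forensic triage over a constructed host snapshot.

Added example, not Illusive's code.  The alert, process list and connection
list below are made up for illustration; a real collector would supply them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    user: str
    started: datetime
    cmdline: str


@dataclass(frozen=True)
class Connection:
    pid: int
    remote: str
    at: datetime


@dataclass(frozen=True)
class Alert:
    host: str
    at: datetime
    pid: int
    path: str


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed anti-virus alert as it might be forwarded by a SIEM (hypothetical).
ALERT = Alert(host="ws-042", at=ts("2020-02-25T10:14:03"), pid=5120,
              path=r"C:\Users\alice\AppData\Local\Temp\update.exe")

# Constructed process snapshot "collected" from ws-042 right after the alert.
PROCESSES = [
    Process(4, 0, "System", "SYSTEM", ts("2020-02-25T07:00:00"), ""),
    Process(812, 4, "explorer.exe", "alice", ts("2020-02-25T08:02:10"), "explorer.exe"),
    Process(2200, 812, "chrome.exe", "alice", ts("2020-02-25T09:30:00"), "chrome.exe"),
    Process(3300, 812, "WINWORD.EXE", "alice", ts("2020-02-25T10:11:40"), 'WINWORD.EXE "invoice.docm"'),
    Process(4410, 3300, "powershell.exe", "alice", ts("2020-02-25T10:12:05"), "powershell -nop -w hidden -enc SQBFAFgA"),
    Process(5120, 4410, "update.exe", "alice", ts("2020-02-25T10:13:58"), r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]

# Constructed network connections from the same snapshot.
CONNECTIONS = [
    Connection(2200, "198.51.100.20:443", ts("2020-02-25T09:31:00")),
    Connection(4410, "203.0.113.7:443", ts("2020-02-25T10:12:09")),
    Connection(5120, "203.0.113.7:8443", ts("2020-02-25T10:14:01")),
]


def origin_chain(processes: List[Process], pid: int) -> List[Process]:
    """Walk ppid links from the alerted pid up to the root, child first.
    Stops on a missing parent or a cycle so a corrupt snapshot cannot loop."""
    by_pid: Dict[int, Process] = {p.pid: p for p in processes}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def build_timeline(alert: Alert, processes: List[Process], connections: List[Connection],
                   window: timedelta = timedelta(minutes=5)) -> List[Tuple[datetime, str, str]]:
    """Merge process starts and connections within +/- window of the alert into
    one list of (time, source, detail) sorted by time."""
    lo, hi = alert.at - window, alert.at + window
    events = [(alert.at, "av", f"alert pid={alert.pid} {alert.path}")]
    for p in processes:
        if lo <= p.started <= hi:
            events.append((p.started, "proc", f"start pid={p.pid} ppid={p.ppid} {p.name} [{p.user}]"))
    for c in connections:
        if lo <= c.at <= hi:
            events.append((c.at, "net", f"connect pid={c.pid} -> {c.remote}"))
    events.sort(key=lambda e: e[0])
    return events


def triage(alert: Alert, processes: List[Process], connections: List[Connection]) -> dict:
    """Answer who (user), what (lineage), where (host), how (command lines)
    and when (timeline) for the alerted process."""
    chain = origin_chain(processes, alert.pid)
    chain_pids = {p.pid for p in chain}
    return {
        "who": chain[0].user if chain else None,
        "what": [p.name for p in chain],
        "where": alert.host,
        "how": [p.cmdline for p in chain if p.cmdline],
        "remotes": sorted({c.remote for c in connections if c.pid in chain_pids}),
        "when": build_timeline(alert, processes, connections),
    }


if __name__ == "__main__":
    result = triage(ALERT, PROCESSES, CONNECTIONS)
    print("lineage:", " <- ".join(result["what"]))
    print("remotes:", result["remotes"])
    for when, source, detail in result["when"]:
        print(f"{when.isoformat()} {source:4} {detail}")
```

The lineage alone (update.exe spawned by a hidden PowerShell, itself spawned by Word opening a macro document) answers "how" in a way the original AV alert could not, and the timeline shows the PowerShell connection preceding the dropped binary, which is the kind of context an analyst otherwise spends hours assembling by hand. With a live collector the constants would be replaced by the data returned for the alerted host.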