Rapidly Qualify and Triage Alarms with Contextual SmartResponse Automation

LogRhythm SmartResponse Automation to Qualify and Triage Alarms

Alarms don’t fire when it’s convenient. You could be threat hunting, out to lunch, or even in bed at 4 a.m. when an alarm comes your way. No matter where you are, you’ll need to quickly determine the severity of the alarm to understand the best way to proceed. And this severity is best determined when you have pertinent information. You should know how fast to act to stop a threat from compromising mission-critical data or incurring severe damage.

Should you stop threat hunting to investigate the alarm? Should you come back early from lunch, or even get out of bed in the middle of the night? The answers to these questions can only be uncovered when you have the right information to qualify an incident.

LogRhythm SmartResponse™ automation notifies your analysts when an anomalous event occurs via their preferred channel, so they are aware of the potential issue as soon as possible. But a notification is only as good as its contextual information — simply being aware of an alarm is not enough. You need actionable information to begin triaging and resolving the event. Without it, your analysts will spend time and resources searching for this information. In fact, an alarm without actionable information simply adds work and takes up more of your day. This is particularly draining when you spend time gathering contextual information around what turns out to be a false positive.

That’s why LogRhythm Contextual SmartResponse actions don’t just alert — they also immediately provide the information your analysts need to qualify a threat.

What is Contextual Information?

Contextual information offers analysts background information around an alarm so they can make an informed decision regarding their response. Contextual information can contain simple or more detailed data.

For example, let’s say you receive an alarm, and with it, you are notified of impacted users’ email addresses. However, you also need these users’ full names, titles, and departments — in other words, you want all the basics. You can configure LogRhythm SmartResponse automation to query Active Directory or another IAM solution and automatically include this information in your alarm details. This will allow you to easily identify users, contact the affected parties, and take quarantine action to stop the threat before it spreads.

Contextual SmartResponse actions can also be used to automatically gather more complex information. For instance, an alarm may present affected users’ email addresses, but you need to figure out which workstation each user owns and what’s been happening on those workstations to resolve the issue. LogRhythm SmartResponse can query Active Directory or an asset-management database and populate this detailed information in your alarm details, so you don’t waste time searching for it.

LogRhythm automates the information-gathering process, so you immediately get what you need delivered in your notification. But this feature is flexible. You can configure your contextual information to be included in your notification, in the alarm details, or in the case notes. It’s up to you and your preferences.

How does Contextual SmartResponse automation work in action? Let’s look at a few specific use cases to find out.

SmartResponse Automation Expedites Qualification of a Phishing Attack

When an alarm fires that signifies a phishing attack, you first ask, “Is this or is this not an emergency?” You need to qualify a true threat, determine its scope, then figure out how you are going to deal with it. LogRhythm Contextual SmartResponse automation supports your analysts through this workflow — from qualification, to triage, to remediation.

When you receive a notification of a phishing incident, it is ideal to have as much information in the notification as possible. Your analysts need a few critical pieces of information to determine the severity of the alarm and qualify the incident, including:

  • Which users received the email?
  • Which users did or did not report the email?
  • Information regarding the nature of the email, such as: Who was the sender? What was the subject line? Are links or attachments present? What’s the nature of the threat? Does it appear to be malware, credential compromise, or social engineering? And so on.

With this information, triage steps automatically initiate. All you have to do is review the output. You can determine if the incident is real and urgent enough that you must jump into immediate action — even if it’s inconvenient. You need to equip your analysts with the contextual information they need to make an informed decision regarding remediation.

Let’s say a single person in your organization received a phishing email and that person reported it to your SOC. In this scenario, you probably would not need to get out of bed at 4 a.m. and respond. The incident is contained and not a major threat.

On the other hand, let’s say 30 people in your organization receive a phishing email and only two report it. This is cause for concern and could indicate that there is a greater chance someone has clicked on a link and exposed their credentials. You can use LogRhythm SmartResponse automation to determine who received the email and in which department he or she works. If you find a recipient from the finance department on the list, it might be time to get out of bed, as sensitive data could be exposed.

Once you’ve learned more about those affected, you can use LogRhythm SmartResponse automation to determine the breadth of the phishing outbreak. How widespread is the issue, and how severe is it? You know people received the email and did not report it, but you need to look into their account activity to see if there is anomalous behavior indicating a potential compromise. You can use contextual SmartResponse actions to dig into user activity and gain visibility into activities such as a suspicious login location or inappropriate software installation.

When you qualify the alarm as an incident and understand the scope of the breach, you can make a call on next steps. What do you need to do to contain the threat? With LogRhythm SmartResponse automation, you can rapidly understand the complete picture of the incident and its scope to inform your plan for remediation.
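The triage logic described in this section, written out as an added example (not LogRhythm code): a SmartResponse-style enrichment that takes the recipients from a phishing alarm and the users who reported it, looks each recipient up in a constructed stand-in for Active Directory, and returns the enriched details with a severity verdict. The directory entries, the "sensitive" departments, and the 10-recipient / 25%-reporting thresholds are all assumptions made for the example.

```python
# Constructed stand-in for the Active Directory query a SmartResponse action
# would perform; the users and attributes here are invented for the example.
DIRECTORY = {
    "a.ortiz@example.com": {"name": "Ana Ortiz", "title": "AP Clerk", "department": "Finance"},
    "b.chen@example.com": {"name": "Bo Chen", "title": "Engineer", "department": "Engineering"},
    "c.diaz@example.com": {"name": "Cal Diaz", "title": "Recruiter", "department": "HR"},
    "d.kim@example.com": {"name": "Dee Kim", "title": "Analyst", "department": "Marketing"},
}

# Tunables (assumptions, not LogRhythm defaults): departments whose exposure
# always escalates, and what counts as a widespread, under-reported outbreak.
SENSITIVE_DEPARTMENTS = {"Finance", "HR"}
WIDESPREAD_RECIPIENTS = 10
LOW_REPORT_RATIO = 0.25


def lookup_user(email):
    """Directory lookup with a safe default for addresses not in AD."""
    return DIRECTORY.get(email, {"name": "unknown", "title": "unknown", "department": "unknown"})


def triage_phishing_alarm(recipients, reporters):
    """Enrich a phishing alarm: recipients (from the alarm) vs. reporters (to the SOC)."""
    recipients = list(dict.fromkeys(recipients))  # de-duplicate, keep order
    reported = set(reporters)
    users = [dict(lookup_user(e), email=e, reported=e in reported) for e in recipients]
    unreported = [u for u in users if not u["reported"]]
    sensitive = [u for u in unreported if u["department"] in SENSITIVE_DEPARTMENTS]
    ratio = len(reported & set(recipients)) / len(recipients) if recipients else 1.0

    if sensitive:
        severity = "critical"  # unreported recipient in a sensitive department
    elif len(recipients) >= WIDESPREAD_RECIPIENTS and ratio < LOW_REPORT_RATIO:
        severity = "high"  # widespread and mostly unreported
    elif unreported:
        severity = "medium"  # someone may still click; follow up on their activity
    else:
        severity = "low"  # everyone who received it reported it: contained

    return {
        "recipient_count": len(recipients),
        "report_ratio": round(ratio, 2),
        "unreported": [u["email"] for u in unreported],
        "sensitive_unreported": [u["email"] for u in sensitive],
        "severity": severity,
        "users": users,
    }
```

The returned dictionary is what you would drop into the notification, alarm details, or case notes; the "users" list carries the name, title, and department for each recipient so the analyst does not have to look them up.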

SmartResponse Automation and Operations

You can also use LogRhythm SmartResponse automation to protect business interests outside of security. Let’s say updates were made to your production website and, unbeknownst to whomever made these updates, a bug was introduced to your website that impacted business functionality. In turn, your website begins generating an unusual number of error messages.

When you receive an alarm about this unusual activity, you’ll need some context to get to the root of the problem, determine if it’s an emergency, and remedy it. You’ll need to know which webpage specifically is generating the error message, when this page was last updated, and who updated it. With LogRhythm SmartResponse, these details are available with your notification and delivered to you via your medium of preference.

When an engineer receives a website error alert with the accompanying contextual information, he can rapidly determine the severity of the loss of functionality — without having to manually triage it. The engineer could also use contextual SmartResponse actions to determine the most recent commit(s) to the affected page, as well as what other pages were changed at the same time — in case the update broke more than one page. He can also determine when the update occurred and which page or resource changed.

This engineer could go ask the employee responsible for the change to review it and remedy the error. Or, in the case of an emergency, the engineer could quickly revert the page to its most recent version to restore business functionality, and work on troubleshooting the update at a later time. This would be particularly useful if the page error is causing the business to actively lose money. For example, such an error could be found in the check-out page on an e-commerce site.

From both a security and operations standpoint, you can use LogRhythm SmartResponse automation to qualify an issue as a true threat to business and inform the relevant teams about their next step to stop the issue from incurring further damage.

Resolve Complex Use Cases Faster

Every step in your threat detection and response process should be completed as quickly as possible to ensure your network is protected — and gathering contextual information is no different. You should aim for the lowest possible mean time to detect (MTTD) and mean time to respond (MTTR) to a threat.

Your goal is to minimize the scope of a security incident, such as that of the above phishing use case, by identifying it as quickly as possible and minimizing the financial or business impact of the operations issue.

LogRhythm offers a built-in framework for automation that supports many custom use cases. You can easily implement LogRhythm SmartResponse automation to reduce your time to detect and respond across your workflows.

Using SmartResponse Automation to Solve Your Staffing Problem

LogRhythm SmartResponse automation is an embedded feature in LogRhythm RespondX, a security orchestration, automation, and response (SOAR) solution. SOAR really boils down to a staffing problem. If you had an unlimited security operations center (SOC) staff, you wouldn’t need automation — you could simply assign any analyst to any case. But that’s not realistic. Even large enterprises struggle with a security staffing issue. For example, you might have 10,000 users, 30 supporting SOC analysts, and a varied tech stack. So, what happens when you employ automation? It means that you don’t necessarily need to hire people with expertise in all of these varying technologies, and you don’t have to give all of those analysts direct access to all the different platforms.

You can give a SOC analyst access to pull contextual information from Office 365 without giving full access to Office 365, and you don’t have to hire an Office 365 expert. It’s already hard enough to hire and retain analysts with strong creative problem-solving capabilities, but it becomes more difficult when most of your SOC analysts’ work is tedious. With LogRhythm SmartResponse automation, you can automate these repetitive steps to eliminate tedious work and help retain top talent.