
Transcript

Seth Knox: Mike, can you tell us a little bit about how customers you’ve worked with are doing phishing incident response today?

Mike Jones: Yeah, of course. It’s a pretty common scenario how enterprises and their security operations respond to phishing incidents when they happen. Most organizations these days have some way for their users to tell them when they’ve received what they think is a phishing email. So, the users will usually click a button in their email client that says report spam, or report phish. And then that report will go in to a mailbox that the SOC analyst has to look at.

That leads them into a process of triaging those emails that come into their mailbox to see if – is this really a phishing incident? Or is it actually just some kind of a false positive spam message that a user reported mistakenly? Once they make that determination, then they’ll move on to analysis, forensic analysis of the message where they look at the links and the attachments and other artifacts in the message to see what is the payload of the malicious email, and how do they need to respond to that.

There’s also an element of impact analysis where they have to go figure out, and this is usually a very manual process, and depending on how they’re set up it’s almost impossible to do for some security teams, but who else in the organization got this phishing incident? Is it part of a larger campaign? If so, what did they do with it? Did they read it? Did they download the attachment? Did they click on the link? Did they forward it to someone else? And then once they get through all that, then they finally have to take some actions. They have to either get those messages out of the users’ mailboxes, or they have to look at people’s machines to see if they’ve been infected or not.

Seth Knox: Okay, for a typical SOC analyst who’s going through this process, how many tools do they have to look at, it sounds very manual. What do they have to do without some kind of automation?

Mike Jones: It’s a very manual process almost in every organization where we’ve talked to our customers. They’re almost always using some … I mean, we’ve seen up to 20 to 30 different tools and products and websites that people go to, cutting and pasting various elements of a message into different sites to get an analysis.

Sometimes two or three different sites for the same piece of artifact from the message because they want multiple verdicts on it. And then usually there’s a lot of passing of information back and forth between teams as well, because one team doesn’t have access to all the right things to do the whole process end-to-end … So, there’s a lot of work involved, and it ends up taking a lot of people’s time.

Seth Knox: Okay, so how does Agari Incident Response automate that process?

Mike Jones: What Agari Incident Response does is it drastically reduces the time that it takes a SOC analyst through automating a lot of those manual steps and eliminating the need for some of those manual interactions that happen. So first of all, we want to get the analyst out of the Outlook mailbox. That’s always an inefficient start to the process. So, we do an automatic triage of the reports where it will assess the impact of the message automatically.

We’ll also do an initial analysis of the artifacts in the message, and we’ll present that in a clear triage dashboard where the analyst can just take a look and parse through all the messages, get a quick idea of which ones of these are high priority because we will get an auto-prioritization of these as well. So, they can look at the incidents at the top of their list. Make sure they react to those first, and then they can quickly go down the list and easily eliminate the spam and benign reports and just get those out of their view right away.

Seth Knox: Okay, and how does it help in terms of remediating? Like if you have a phishing incident, they figure out it’s something bad, what can Agari Incident Response do to clean that up or help remediate?

Mike Jones: In addition to automating those initial manual triage steps and analysis step, we also automate the ability to go and actually see how the different recipients of the message interacted with the message. Did they read the message? Did they click on a link? Things like that. And then get the messages out of the users’ inboxes as quickly as possible. So that’s also an automated step that happens through just the click of a button in the UI, so you can quickly see these users didn’t read the message yet, I want to get it out of their view so that they can’t fall for the attack.

Seth Knox: And what happens if someone’s clicked on a malware attachment, or they’ve given up their username and password and you need to reset that? How does that workflow work with Agari Incident Response?

Mike Jones: In that case we will make it really easy so that at the click of a button you can take the investigation details that you’ve already gone through, and just by clicking a button send those off to the right team. Usually there’s a different team that does endpoint remediation or password resets, and it will just contain all of the details of the investigation that are needed by that team to go finish out the remediation.

Seth Knox: You mentioned kind of false positives and true phish. What have you seen in terms of these are employee-reported phishing incidents, so they can definitely be wrong. What do you think are the kind of ratios you’ve seen in terms of how many are false positives versus real phishing messages?

Mike Jones: Yeah, so what we’ve seen is they usually are wrong unfortunately. Unfortunately for the SOC analysts who have to deal with these things. I mean, the SOC analyst wants to focus on the real incidents that they can go dig into and do some real research and remediate them, but unfortunately employees aren’t that accurate in their reporting. And we’ve seen it varies from customer to customer, anywhere from 50% to 90% of the reports that come in can be false positive reports, like messages that got reported but just aren’t phishing messages.

Seth Knox: With some of the early customers that you’ve been working with, what do you expect to be the reduction in time to handle a phishing incident and what does that translate to in kind of ROI or benefit to the customer?

Mike Jones: Yeah, so for the reports that turn out to be benign or spam reports, really they can get rid of those in less than a minute is what we’ve seen. I mean, because with that auto triage you can pretty quickly see that this is not a malicious report, and you just don’t have to spend any more time on it. And typically, what we’ve seen and what we’ve heard from customers that we’ve talked to is that it can take 30 minutes now just for a basic benign report because you still have to go through the process of checking all those things. When you don’t have to check them and it’s already done, you just look at it, you see that it’s benign and you close it out.

For the malicious examples we still reduce that time by anywhere from 70% to 90%. I mean, things that can take an hour up to a day or more for a typical malicious email to fully remediate it can happen in less than an hour with AIR.