24/7 protection during Covid-19 – Defender ATP Auto IR
One thing we usually discuss with customers is the workload. Everyone has too much to do and it can, sometimes be difficult to prioritize investigations.
Especially now, where you might be short on staff, and the Covid-19 virus can strike at the SOC organization or reduce the numbers of available people.
Of course, this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day to day work.
There are benefits of being able to automate responses and we have these discussions with many customers.
MDATP Automatic self-healing is built-in into Defender ATP and is mimicking these ideal steps a human would take to investigate and remediate organizational assets, impacted by a cyber threat.
This is done using 20 built-in investigation playbooks and 10 remediation actions
Increased Capacity
- Respond at the speed of automation
- Investigate and remediate all alerts automatically
- Free up critical resources to work on strategic initiatives
Cost implications
- It will drive down the cost per investigation and remediation
- Takes away manual, repetitive tasks
- Automated remediation eliminates downtime
Get full value of your protection suite and people, quick configuration and you are up and running
SecOps Investigation (Manual)
Sometimes it will take some time from the alert being triggered until someone has the time to start looking at it. Manual work also requires more resources for review and approval for each action
From a SecOPs perspective, an initial response involves information gathering.
Collecting:
- Process list
- Services
- Drivers
- Network connections
- Files created
- Where did the file originate from?
- etc
Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch will be different result depending on who makes the response).
Remediation:
The remediation will include connecting remotely or manually collect the device and then launch tools for the remediation process.
Automatic response with Auto IR
Fast time to respond which will avoid additional damage and compromise of additional devices, when attackers will start moving lateral in the environment.
It’s our 24/7 buddy who assists the SOC staff to remediate threats so the human staff can focus on other things
- MDATP is sending telemetry data to the cloud
- MDATP cloud continuously analyzes the data to detect threats
- Once a threat is identitfied an alert is being raised
- The alert kicks off a new automated investigation
- AIRS component asks Sense client to initiate SenseIR
- SenseIR is then orchestrated by AIRS on what action should be executed (Collection/Remediation)
- Based on the data collected from the machine (current and historical) AIRS decides what actions should be taken
- For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on device components (e.g. Windows Defender Antivirus)
Playbook is executed
“suspicious host” playbook is just an example of “catch all” playbook that is applied after detailed AutoIR investigation for evidences raised by alerts / incident to ensure that nothing is missed.
Data Collection
- Volatile
data
- All processes list – main image, loaded modules, handles, suspicious memory sections
- All services list
- All drivers list
- All connections
- None-Volatile
data
- Recently created files – x minutes febore / after alert
- All persistence methods
- Recently executed files
- Download location
Incrimination
- Microsoft Security Graph eco system – DaaS, AVaaS, TI, TA, Detection engine, ML infrastructure etc.
- Custom TI indicators – for allow / block list
Remediation
- How?
- By leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low level actions (driver), tried and tested)
- What?
- File actions
- Process actions
- Service actions
- Registry actions
- Driver actions
- Persistency methods (Reg, Link files, etc.) actions
- Scheduled task actions
- More…
Getting started
- Go to the MDATP portal (https://securitycenter.windows.com)
- Click settings and then Advanced features
- Turn on Automated Investigation and Automatically resolve alerts
- In machine groups select Add machine group
As you can see in the options, you can select different AutoIR levels
Summary
Go auto approval, save time and protect your business!
Happy Hunting
