Review Your Security Incidents

First, you look at the Incident Management dashboard, which provides a centralized view of all ongoing security incidents, along with their status, severity and other details.

You see an incident that requires attention, so you click to open it.

Dig Deeper into Incident Details

From the Incident Overview page, you gather additional facts:

  • The incident score for severity
  • Compromised assets
  • Data sources for raised alerts
  • Automated responses already performed

To generate this incident, Cortex XDR created enriched records of activity by stitching events from multiple sources, establishing the connection between hosts, identities, network traffic, and more to broaden incident context.

Hundreds of machine learning models looked for anomalous activity within stitched data, generating new detection alerts.

Cortex XDR then grouped related alerts into a single incident, painting a comprehensive picture of the attack and reducing the number of alerts that you need to review manually by 98%.

Identify Compromised Assets

Within the incident, you notice that a Windows PC and an internet-facing server hosted in the cloud may have been compromised.

Check the MITRE ATT&CK® Framework

You also see the attack mapped to the MITRE ATT&CK® Framework, providing a standardized taxonomy for categorizing and describing cyber threats and attack techniques. By automatically mapping an attack to this framework, Cortex XDR gives you a complete view of all related activity.

Investigate with Alerts & Insights

Your critical alerts confirm the Windows PC has been compromised.

Down the list, you see that the cloud-hosted server has a medium-severity alert. In the alert, you discover that a brute-force attack was attempted, and failed.

Now, it is time to isolate the compromised Windows PC to stop the attack from progressing any further.

Stop the Attack in its Tracks

Isolating an endpoint helps contain the spread of malware and other threats.

By disconnecting the compromised endpoint from the network, you prevent the threat from propagating to other devices or systems, limiting the scope and impact of the incident.

Search for and Destroy Malware

Now it's time to search for and destroy the ransomware file.

Using the live terminal, you can execute commands and scripts remotely on endpoints to facilitate rapid remediation without needing physical access to the affected devices.

Pulling Back the Curtain

So why wasn't this attack blocked by the endpoint agent?

For the purposes of this demonstration, we set the Endpoint Policy to report only, allowing the attack to proceed while notifying us of its progress. This is also a reminder to always follow best practices when configuring policies.

Now, let's set the policy to block, and keep moving!

Identify Security Gaps and Ensure Alignment with Regulatory Standards

With a good handle on this ransomware incident, you remember that a cloud asset was involved in a brute-force attempt earlier on. With this in mind, you initiate work on some proactive security measures to enhance your cloud security.

The Cloud Compliance capabilities of Cortex XDR perform Center for Internet Security (CIS) benchmark compliance checks on cloud resources. This helps to identify potential security gaps, mitigate risks, and avoid regulatory fines or penalties.

You notice that the compliance is only at 74%, which you decide is important to include in your final report.

Assess Vulnerabilities in a Single Dashboard

Since you discovered a compromised PC during your investigation, you use Vulnerability Assessment to check for potential vulnerabilities that may have been unpatched and exploited.

You see that the compromised PC you flagged has several vulnerabilities that contributed to the ransomware attack, giving you the information you need to start patching.

Concise, Easy Reporting

It's time to generate reports for your manager in a concise format. You can select from a number of pre-built templates or create custom reports.

You generate reports about your investigation, including the Incident Management, Cloud Compliance, and Vulnerability Assessment.

REPORT ID | TIME GENERATED         | NAME                            | DESCRIPTION
492       | Apr 12th 2024 00:46:39 | Cloud Inventory Report          | Provides a breakdown of the top incidents and hosts in the organizations and an overview of the top incidents.
493       | Apr 12th 2024 00:46:07 | Risk Management Report          | Provides an overview of the Vulnerability Assessment status of all endpoints and applications.
488       | Apr 12th 2024 13:15:22 | Incident Management Report      | Provides a breakdown of the top incidents and hosts in the organizations and an overview of the top incidents.
489       | Apr 12th 2024 13:15:05 | Cloud Compliance Report         | Provides an overview of the CIS Benchmark compliance status.
490       | Apr 12th 2024 13:14:45 | Vulnerability Assessment Report | Provides an overview of the Vulnerability Assessment status of all endpoints and applications.
491       | Apr 12th 2024 13:14:10 | Cloud Inventory Report          | Provides a breakdown of all cloud assets by account, type, and location, alongside the number of assets over time (refreshes every 2 hours).

Surf's Up!

Congratulations. You successfully investigated and resolved the ransomware attack. The investigation revealed a:

  • Brute-force attack attempt on a cloud asset
  • PC with an unpatched vulnerability
  • Security policy set to report only, allowing the attack to progress

Fortunately, you quickly isolated the compromised endpoint and eliminated the ransomware file without physical access to the PC.

Reports detailing the entire incident have been generated. And now you're beachbound in T-minus 1 hour.

There's No Time Like More Time

Cortex XDR frees security analysts to focus on what they do best. Security Operations can leverage Cortex XDR to:

  • Prevent threats like ransomware on endpoints and cloud workloads
  • Accelerate MTTD (mean time to detect) to machine speed
  • Rapidly respond to the root cause of attacks

Get more security done with Cortex XDR.

98% reduction in alerts

8x faster investigations

100% prevention and detection with no configuration changes in MITRE Engenuity 2023