Incident Detection & Response

Managed Detection & Response is often considered the core capability in an organization’s cyber defense spanning the critical lifecycle of detect, analyze, respond and where possible remediate.  While preventative capabilities such as network security or endpoint protection have become commonplace, strong Incident Management ensures that compromises that occur are immediately detected and either automatically resolved or sent quickly to the proper experts in the SOC for remediation. 

Because the needs of every company vary dramatically when it comes to Incident Management and Response, Integrated Cyber offers a choice in complexity and capability to better align our solution to the affordability or maturity level of our customers.

IC360 has integrated extremely powerful capabilities in this offering and augmented it with orchestrated cyber experts in our virtual Incident Response Team: a network of top cyber experts across the globe able to assist our customers when required.

Detect, Analyze, Respond, and Remediate

[Incident Management & Response Architecture diagram: Collectors & Responders, Next-Gen Security, Incident & Event Management (SIEM), and Security Orchestration, Automation & Response (SOAR)]

Collectors & Responders

Supported capabilities for SIEM Collectors & Responders

Collectors

  • Standard collectors are agent-less with the flexibility of delivering agent-based collectors if your organization requires them 

  • Support continuous real-time monitoring

  • Simultaneously perform continuous discovery of devices on your network

  • Support for IT devices/endpoints and OT endpoints (sensors/machines)

Responders

  • We provide agent-less responders; advanced response features that require an agent are needed only in the most complex distributed environments.

  • Responders execute automated threat responses (auto-containment or auto-remediation), specifically: Quarantine, Suspend Process, Clean, and Collect Forensics (useful when hunting for dormant, stealthy malware).

Next-Gen SIEM - Security Incident & Event Management  


Open Data Lake Architecture

  • You'll benefit from the IC360 Operating System, which integrates one of the most advanced next-generation SIEMs on the market, based on an Elasticsearch architecture on top of a highly scalable data lake platform.

  • Advanced AI and Machine Learning algorithms will process massive amounts of data with exceptional performance. 

  • Complex correlations are possible across large amounts of actual and historical data in order to detect anomalies, recognize patterns and learn effective responses.  This level of performance is not possible on traditional SIEM platforms.

  • You're not getting the performance you deserve by using traditional SIEMs that are based on structured data warehouse schemas that are unable to keep up with the volumes of data, AI / Machine-Learning algorithms or advanced search requirements.

Real-Time Threat Detection

  • By leveraging our next-generation SIEM, the IC360 Operating System, you'll finally get real-time threat detection, whereas older SIEM systems were only able to offer hourly service level agreements because they could not process the massive data feeds quickly enough.

  • IC360 Operating System threat detection identifies more than traditional malware or signature-based threats; it also finds the most advanced, difficult-to-detect, and evolving threats such as APTs, ransomware, zero-days, or carefully planned insider attacks.

  • IC360 Incident Management allows our SOC Agents to visually track continuous alerts and active intrusions in real time.

Machine Learning & AI-Analytics

  • Our algorithms learn from human decisions so that the machine makes better alerts over time.  This is based on the branch of Artificial Intelligence known as Machine Learning.

  • The IC360 Operating System takes advantage of this advanced capability but does not rely entirely on it.  AI is used to determine whether the machine will be allowed to intervene autonomously, and auto-containment or auto-remediation is triggered only if all prerequisites are met. This process ensures that automated responses don’t inadvertently create more problems than they solve.

Behavior Anomaly Detection

  • Building on the strong AI-enabled analysis, behavioral anomalies may relate either to human behavior or to device/network behavior.  The solution is able to identify all types of anomalous behavior, including inconsistencies or risky behavior by end-users (critical to the detection of potential insider threats) as well as symptoms of other threats such as erratic device or network performance or traffic.  Advances in machine learning allow us to process massive amounts of information and execute complex correlations that were not available in past-generation security solutions.

Threat Intelligence Compiler

  • Multiple threat intelligence feeds are ingested and normalized to ensure that the latest information is available for vulnerability and incident analysis.  Our Incident Response Team is constantly hunting and learning about new threats or vulnerabilities and feeding them into the compiler.

  • Threat Intelligence data is used to help our SIEM analyze massive amounts of data looking for identified patterns as well as previous or current attacks and potential solutions. 

Anomaly Detection

  • When an anomaly (compromise attempt) is detected, the IC360 Operating System can trigger automatic machine-to-machine blocking or quarantine actions before the case is sent to humans in the SOC/IRT for inspection and final resolution.  This protects the environment from further damage while the situation is better understood.
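The gating described in the Machine Learning & AI-Analytics and Anomaly Detection bullets (containment runs automatically only when every prerequisite holds, and humans always get final resolution) can be modelled as a small decision function. The example below is added here and is not IC360 code; the prerequisites it checks (autonomous mode enabled, asset not in a protected tier, ML confidence threshold or threat-intel corroboration) and the sample alerts are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Action(Enum):
    COLLECT_FORENSICS = "collect_forensics"   # preserve evidence for the hunt
    SUSPEND_PROCESS = "suspend_process"
    QUARANTINE = "quarantine"                 # isolate the host from the network
    ESCALATE = "escalate_to_soc"              # hand to SOC/IRT for final resolution

@dataclass
class Alert:
    host: str
    asset_tier: str                 # assumed label, e.g. "standard" or "critical"
    ml_confidence: float            # 0..1 score from the analytics stage (assumed scale)
    intel_match: bool               # indicator matched a normalized threat-intel feed
    process: Optional[str] = None   # offending process, if the collector saw one

@dataclass
class Policy:
    allow_autonomous: bool = True   # the gate on whether the machine may act alone
    min_confidence: float = 0.9     # assumed threshold for acting without intel corroboration
    protected_tiers: frozenset = frozenset({"critical"})  # never auto-contain these

def decide(alert: Alert, policy: Policy) -> Tuple[List[Action], List[str]]:
    """Return (ordered actions, unmet prerequisites); contain only if nothing is unmet."""
    unmet = []
    if not policy.allow_autonomous:
        unmet.append("autonomous intervention is disabled")
    if alert.asset_tier in policy.protected_tiers:
        unmet.append(f"asset tier '{alert.asset_tier}' requires human approval")
    if alert.ml_confidence < policy.min_confidence and not alert.intel_match:
        unmet.append("confidence below threshold and no threat-intel corroboration")

    actions = [Action.COLLECT_FORENSICS]        # always capture evidence first
    if not unmet:                               # all prerequisites met: machine may act
        if alert.process:
            actions.append(Action.SUSPEND_PROCESS)
        actions.append(Action.QUARANTINE)
    actions.append(Action.ESCALATE)             # humans always get final resolution
    return actions, unmet

if __name__ == "__main__":
    # constructed sample alerts, not real telemetry
    for alert in (Alert("ws-017", "standard", 0.96, False, "updater.exe"),
                  Alert("db-01", "critical", 0.99, True, "sqlservr.exe")):
        print(alert.host, [a.value for a in decide(alert, Policy())[0]])
```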

Sandbox Detection

  • You also get Sandbox Detection; the ability to rapidly simulate a safe or ‘sandbox’ environment in which advanced threats can be allowed to execute.  This is extremely important for the constantly morphing or zero-day threats that would not be recognized by traditional signature-based detection. 

Threat Hunting

  • The IC360 Operating System includes automated root-cause or forensic hunting.  While SOC agents will continue to investigate hypotheses or suspicious behaviors, the system will continuously and iteratively search the client environments for known or suspected risks or anomalous behaviors.  It will also diagnose attack vectors to contain the spread and isolate the root cause.


SOAR - Security Orchestration, Automation & Response

Like SIEM, SOAR is designed to help cyber security teams manage and respond to endless alarms at machine speeds. Integrated Cyber takes things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities. Your SOAR features include:

  • IC360 Incident Management and Response is based on SOAR: Security Orchestration, Automation and Response.  We do not simply detect and inform our clients about threats and vulnerabilities, but actively and sometimes automatically respond and either directly remediate or assist in the remediation with our clients’ IT organizations.

  • IC360 SOAR includes a wide and growing number of incident response playbooks to handle scenarios in a consistent and continuously measured way.  This enables us to respond to incidents quickly and with a high degree of success.

  • Our SOAR capabilities are supported by a multitude of integration, workflow automation, collaboration, and robotic process automation tools that not only orchestrate automated responses but also engage humans in the process – both in the SOC and in the IRT (expert interventions).  The ability to automatically dispatch deep expertise from our global expert network when highly challenging threats are identified is an essential part of the operating model.

  • Integration into client processes is also supported (via a separate integration project), allowing IC360 to seamlessly exchange tickets with an IT Service Management tool or use the same process automation to engage local client resources in key situations.