Integrating Attack Tracing and Intercept (ATI) into Existing Workflows
Updated: May 4, 2021
Attack tracing and intercept acts as a bridge between detection and response. In this role, ATI provides greater fidelity and quality to existing alert triage and investigation workflows by integrating with existing solutions such as SIEM, SOAR, CWP, and other alert centers. ATI links causally connected security events and their context into traces, immediately identifying false positives or revealing the full causal activity of credible attacks.
Due to the complexity of today’s IT environments, it is often too late to react to an alert, whether manually or through automated analytics, and then ‘figure out what happened’. A key difference between ATI and existing solutions is the proactive and constant creation of the Operations Plane. Alerts and security events no longer exist in isolation. Spyderbat instantly maps security events in context by proactively establishing a graph of causally connected activity.
Establishing and tracking causal connections as they occur removes inference, manual log analysis, and guesswork. A security analyst immediately views all operations activity, security events, and context found causally connected to their investigation. Spyderbat captures this full set of causal activity as a Spydertrace.
An example of a Spydertrace (screenshot omitted):
Spydertraces are scored based on their causal depth and connection with alerts and red flags. This Spydertrace and corresponding score are live and automatically updated as new causally connected activities occur.
As an integrated piece of the puzzle, Spyderbat augments and enhances existing threat detection capabilities in five ways:
Instantly resolves false positives, which appear as alerts with no causal outcomes.
Catches ‘would-be false negatives’ by keeping state and recognizing new causal activities even after extended periods of time. This captures malware or attack techniques using random wait periods to avoid detection.
Groups together alerts connected via established causal relationships, reducing the overall number of alerts to individually triage.
Prioritizes fast-moving attacks, recognized by the depth of the causal tree and the connection with other alerts.
Instantly illuminates the root cause of the entire attack, where individual alerts tend to signal only symptoms of an attack.
Instead of replacing existing threat detection capabilities and workflows, Spyderbat adds new fidelity and quality to reduce manual steps within existing workflows and increase the effectiveness of each analyst. For example:
Spyderbat accepts feeds from third-party alert centers and other context sources (e.g. threat intelligence, cloud tags, etc.) through open APIs. Using the details of the alert (e.g. the timestamp, account name, 5-tuple, etc.), Spyderbat maps the alert to the Operations Plane to immediately recognize previous or subsequent causal activities. This includes other security alerts and context flags.
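The following is an added illustration of the ideas in the five points above and in this paragraph, written for this page; it is not Spyderbat's code, data model, or scoring algorithm. It builds a small causal graph from constructed process and connection events, anchors third-party alerts onto that graph by 5-tuple or account-plus-command within a timestamp window (the matching rules and the five-second window are assumptions), groups alerts that land in the same causal tree into one trace, scores each trace by tree depth plus number of linked alerts (an assumed formula), flags a trace as a likely false positive when none of its alerts has any subsequent causal activity, and shows a late child process an hour after the original alert still joining the same trace.

```python
"""Toy causal event graph illustrating alert-to-trace mapping (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    id: str
    kind: str              # "process" or "connection"
    ts: float              # seconds since epoch (constructed values)
    parent: Optional[str]  # causal parent: parent process, or owning process of a connection
    attrs: dict = field(default_factory=dict)


# Constructed telemetry: an sshd session spawns bash, bash runs curl (outbound connection),
# then an hour later the same bash launches python3 (second connection). A separate sshd
# session for another user has one inbound connection and nothing after it.
EVENTS = [
    Event("p1", "process", 1000, None, {"comm": "sshd", "user": "alice"}),
    Event("p2", "process", 1001, "p1", {"comm": "bash", "user": "alice"}),
    Event("p3", "process", 1005, "p2", {"comm": "curl", "user": "alice"}),
    Event("c1", "connection", 1006, "p3", {"tuple": ("10.0.0.5", 44321, "203.0.113.9", 443, "tcp")}),
    Event("p4", "process", 4600, "p2", {"comm": "python3", "user": "alice"}),  # long wait
    Event("c2", "connection", 4601, "p4", {"tuple": ("10.0.0.5", 44400, "203.0.113.9", 8443, "tcp")}),
    Event("p9", "process", 2000, None, {"comm": "sshd", "user": "bob"}),
    Event("c9", "connection", 2001, "p9", {"tuple": ("10.0.0.5", 22, "192.0.2.7", 51000, "tcp")}),
]

# Constructed third-party alerts carrying only the details an alert center would send.
ALERTS = [
    {"name": "IDS: outbound TLS to flagged host", "ts": 1006,
     "tuple": ("10.0.0.5", 44321, "203.0.113.9", 443, "tcp")},
    {"name": "EDR: interpreter launched from shell", "ts": 4600, "user": "alice", "comm": "python3"},
    {"name": "IDS: ssh brute-force signature", "ts": 2001,
     "tuple": ("10.0.0.5", 22, "192.0.2.7", 51000, "tcp")},
]


def build_graph(events):
    """Index events by id and record parent -> children causal edges."""
    by_id = {e.id: e for e in events}
    children = defaultdict(list)
    for e in events:
        if e.parent is not None:
            children[e.parent].append(e.id)
    return by_id, children


def root_of(by_id, eid):
    while by_id[eid].parent is not None:
        eid = by_id[eid].parent
    return eid


def component(children, root):
    """Every event causally connected to root: root plus all of its descendants."""
    out, stack = set(), [root]
    while stack:
        n = stack.pop()
        out.add(n)
        stack.extend(children[n])
    return out


def depth(children, root):
    """Number of nodes on the longest root-to-leaf path (causal depth)."""
    return 1 + max((depth(children, c) for c in children[root]), default=0)


def anchor_alert(alert, by_id, window=5.0):
    """Map an alert onto the event it describes using its 5-tuple, or its account and
    command, restricted to a timestamp window (assumed matching rules)."""
    for e in by_id.values():
        if abs(e.ts - alert["ts"]) > window:
            continue
        if "tuple" in alert and e.attrs.get("tuple") == alert["tuple"]:
            return e.id
        if "user" in alert and e.attrs.get("user") == alert["user"] \
                and e.attrs.get("comm") == alert["comm"]:
            return e.id
    return None


def build_traces(events, alerts):
    """Group alerts by the causal tree they land in, score each tree, and flag trees whose
    alerts have no subsequent causal activity as likely false positives."""
    by_id, children = build_graph(events)
    traces = {}  # root event id -> trace
    for a in alerts:
        eid = anchor_alert(a, by_id)
        if eid is None:
            continue  # unmapped alerts would be surfaced separately in practice
        root = root_of(by_id, eid)
        t = traces.setdefault(root, {"root": root, "events": component(children, root),
                                     "alerts": [], "depth": depth(children, root)})
        later = [x for x in t["events"] if by_id[x].ts > a["ts"]]
        t["alerts"].append({"name": a["name"], "event": eid, "causal_outcomes": len(later)})
    for t in traces.values():
        t["score"] = t["depth"] + len(t["alerts"])  # assumed scoring formula
        t["likely_false_positive"] = all(al["causal_outcomes"] == 0 for al in t["alerts"])
    return traces


def rank_traces(traces):
    """Highest-scoring (deepest, most-alerted) traces first for triage."""
    return sorted(traces.values(), key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    for t in rank_traces(build_traces(EVENTS, ALERTS)):
        print(t["root"], "score", t["score"], "alerts", [a["name"] for a in t["alerts"]],
              "likely_false_positive", t["likely_false_positive"])
```

Running it yields two traces: the alice session, where the IDS alert on curl and the EDR alert on python3 an hour later collapse into one trace of depth 4 with two alerts, and the bob session, whose single IDS alert is followed by no causal activity and is flagged as a likely false positive.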
By seamlessly fitting into existing alert triage and investigation workflows, ATI bridges threat detection and response with a new level of fidelity and quality for analysts' investigations. Using Spyderbat ATI, security analysts radically compress the time they spend on alert triage and security investigation, augmenting their existing workflows.
Learn more about Spyderbat’s Attack Tracing & Intercept including a white paper and an on-demand webinar available without registration.