Below is an eyewitness account we received from one of our U.S. bank customers following a security incident. Names and details have been withheld for confidentiality purposes.
“Today, I was working in our Security Operations Center (SOC) in New York City doing some real-time testing on our threat analysis platform, which I introduced to the bank and am responsible for the deployment.
“At around 2:00 p.m., one of the SOC analysts received a call that indicated several similar financial organizations were being attacked by malicious actors. The attackers were using email and other channels to install ransomware as well as attack local and network devices.
“Immediately, the SOC team gathered together and divided responsibilities and actions between them to handle the incident. It was a perfect opportunity to see how the integrated platform performed in real time and under pressure. One of the security analysts connected his computer to a big screen in the center of the SOC and, using the platform, started researching the malicious IPs. As the IPs were identified, they were dragged to the visual threat analysis screen and searched for relationships between them and our bank entities. All in all, it was a simple procedure that didn’t take longer than a minute.
“The other security analysts and managers gathered around the big screen and asked to filter the results in different ways (i.e., by port, internal and external entities, and product). Everybody was pointing at the screen and collaborating. They performed new tasks concerning various entities, verified findings and called other departments in the bank based on the information divulged by the system.
“I was amazed. It was the first time that I witnessed a 10-person team using the threat analysis platform and in such a graceful way. It had become the team’s hub; all of the actions for managing the incident response process began from the platform.
“Managers came in and asked for some more details and got simple and fast explanations from the analysts using the visual interface. It was easy for the analysts to research relevant events; they could see all the event types in one screen, filter and drill down a specific event, and easily see which entity was internal, external or suspicious because the system divides entities by colors. It seemed like a lot of details that needed to be checked and verified manually in previous incidents were now automatically presented and visualized by the threat analysis platform.
“When it was all done and the incident was over, managers and analysts complimented me about the way that the system worked. They really liked the amount of time saved and how the threat analysis tools helped team members avoid misunderstandings that often occur under the pressure of remediating a threat.”
The post originally appeared on IT Briefcase