Before deciding on a course of action, SOC analysts must determine the nature and tactics of a threat in order to respond to it appropriately. Threat investigation and digital forensics are the process of gathering evidence about a flagged threat to validate the alert and inform response and recovery. The goal of any investigation is to validate, understand, and react to events as they unfold in an environment, before they become major incidents. Fast and accurate threat investigation reduces the overall impact of a threat, saving the business from bad press, a dented wallet, and lots of agita.
The SOC relies on detection tooling with correlation capabilities to sort, classify, and prioritize millions of events. Analysts then investigate the high-risk ones to determine whether an alert merits incident status. SecOps teams draw on further analysis of the threat vector, tactics, business impact, functional context, and recoverability to settle on the best response plan.
Next-generation attacks, increasingly automated with AI and machine learning, can execute from file previews, shut off antivirus, escalate privileges, and even disable logging to hinder forensics. Adversaries are growing smarter and stronger every day, but is SecOps keeping up?
One of the most common challenges of threat investigation is the dearth of high quality, de-siloed data. SecOps needs complete, contextual information about systems, people, and data to conduct a holistic threat investigation.
Threat actors are getting faster and faster, but without equally fast query speeds during threat investigation, SecOps risks sacrificing time to resolution.
Sifting through the barrage of alerts leaves limited time for threat investigation – often mere minutes. That doesn’t include the time and energy wasted on investigating false positives.
Strategic intelligence on the threat actor, source, and vector is critical to an investigation. SOC analysts must draw on different data sources (network, web, access, IDS) to build a book of evidence. This starts with adopting a solution that lets analysts quickly access, correlate, and analyze both real-time streaming and historical data at scale. Remember: threats can lie dormant in an environment for months, even years, which makes historical analysis a cornerstone of effective investigation.
Are your insights on point? Digital forensics must enrich data with threat intelligence and situational awareness to produce accurate insight into both historical and ongoing attacks. Atomic indicators (such as an IP address or domain), computed indicators (such as a file hash), and behavioral indicators expressed as tactics, techniques, and procedures (TTPs) help analysts track, observe, and understand signs of compromise in an environment. More advanced SOCs are trending towards threat-sharing exchanges, helping to build the industry's bank of threat intelligence data.
The longer it takes to analyze a threat, the less time there is to stop it. Fast query speeds and intuitive design are key enablers of rapid response. The solution's architecture should let analysts switch easily between views and queries and ask complex questions of their data, including drilling into the underlying logs straight from an alert or visualizing a threat path minutes after detection, so that insight is actionable.
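The two paragraphs above describe correlating evidence across sources and enriching it with atomic, computed, and behavioral indicators. The script below is an added example (not Devo's code, and not from the original article) that runs that enrichment over a handful of constructed auth, proxy, and IDS log lines: atomic matches on an IP and a domain, a computed match on a file hash, and a behavioral match when a logon from a flagged IP is followed within a time window by proxy traffic to a flagged domain for the same user. Every indicator value, log line, and field name here is constructed for illustration; none is a real IOC or a real log format.

```python
"""Enrich constructed log events with a small threat-intel set and correlate
them into a behavioral (TTP-style) finding. Example code, not Devo's.

Indicator classes used:
  atomic     - a value meaningful on its own (IP address, domain)
  computed   - a value derived from data (file hash)
  behavioral - a sequence of events that together match a TTP
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intel set. All values are hypothetical, not real IOCs.
ATOMIC_IOCS = {
    "ip": {"203.0.113.45"},            # documentation range, never routable
    "domain": {"update-cdn.example"},  # reserved TLD, never resolves
}
COMPUTED_IOCS = {"sha256": {"0123456789abcdef" * 4}}  # placeholder hash

# Constructed log lines from three sources: auth, proxy, IDS.
# Format (assumed): "<ISO8601Z> <source> key=value key=value ..."
SAMPLE_LOGS = [
    "2024-05-01T09:02:11Z auth user=jdoe src=203.0.113.45 result=success",
    "2024-05-01T09:03:40Z proxy user=jdoe dst=update-cdn.example method=GET bytes=812",
    "2024-05-01T09:04:05Z ids src=10.0.0.7 sig=TROJAN_CNC sha256=" + "0123456789abcdef" * 4,
    "2024-05-01T09:30:00Z auth user=asmith src=10.0.0.9 result=success",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict
    hits: list = field(default_factory=list)  # indicator matches, filled by enrich()


def parse(line: str) -> Event:
    """Split a line into timestamp, source name, and key=value fields."""
    ts_s, source, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, source, dict(KV.findall(rest)))


def enrich(ev: Event) -> Event:
    """Tag an event with atomic (IP/domain) and computed (hash) indicator hits."""
    for f in ("src", "dst"):
        v = ev.fields.get(f)
        if v in ATOMIC_IOCS["ip"] or v in ATOMIC_IOCS["domain"]:
            ev.hits.append(f"atomic:{v}")
    if ev.fields.get("sha256") in COMPUTED_IOCS["sha256"]:
        ev.hits.append("computed:sha256")
    return ev


def correlate(events, window=timedelta(minutes=10)):
    """Behavioral indicator: a successful logon from a flagged IP followed,
    within `window`, by proxy traffic from the same user to a flagged domain.
    Returns (label, user, logon_ts, beacon_ts) tuples."""
    findings, pending_logon = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        user = ev.fields.get("user")
        flagged = any(h.startswith("atomic:") for h in ev.hits)
        if ev.source == "auth" and ev.fields.get("result") == "success" and flagged:
            pending_logon[user] = ev
        elif ev.source == "proxy" and flagged and user in pending_logon:
            if ev.ts - pending_logon[user].ts <= window:
                findings.append(("behavioral:flagged_logon_then_beacon",
                                 user, pending_logon[user].ts, ev.ts))
    return findings


def investigate(lines):
    """Parse, enrich, and correlate; return all events, the flagged subset,
    and any behavioral findings, in timeline order."""
    events = sorted((enrich(parse(l)) for l in lines), key=lambda e: e.ts)
    flagged = [e for e in events if e.hits]
    return events, flagged, correlate(events)


if __name__ == "__main__":
    events, flagged, ttps = investigate(SAMPLE_LOGS)
    for e in flagged:
        print(e.ts.isoformat(), e.source, e.fields.get("user", "-"), e.hits)
    for t in ttps:
        print("TTP:", t)
```

The point of the behavioral rule is that neither event alone is an incident: a logon from a flagged IP may be a stale indicator, and a single proxy request may be a false positive, but the ordered pair for one user inside a short window is what an analyst pivots on. In practice the window and the join key (user, host, session) come from the TTP being hunted, and the historical lookback the text recommends is what makes the join possible when the logon happened weeks before the beacon was noticed.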
No one wants a repeat of last year’s breach – that’s brand suicide. Investigators typically conduct in-depth analysis of the artifacts to document and learn from an incident. In many cases, this means updating incident response plans (IRPs) to incorporate new findings, documenting the process from chain of custody to affected systems and data, preserving digital evidence for legal and regulatory purposes, and integrating insights into existing workflows. The goal is always to limit the chance of a repeat attack.