Recently, Armis engaged with a heavily regulated energy company that had identified itself as an Implementation Group 3 (IG3) organization under the definition set by the Center for Internet Security (CIS). Essentially this means that:
The CIS Controls also stipulate the deployment of a “passive asset discovery tool”, which was one of the reasons they selected Armis as their platform of choice. With our platform they were able to:
Ensuring that their asset inventory capability met the requirements for IG3 entities was part of their initial use case, which was building out compliance with the CIS18 Controls. However, they soon began to look for other ways their organization could benefit from passive, continuous network monitoring. One such request came from the Security Operations Center (SOC) team, who were suffering from classic SOC syndrome: too many alerts and not enough people.
Now, not all alerts are created equal, and the SOC team was having a tough time prioritizing which alerts were the most severe and required the most urgent attention. There was no easy way to distinguish between false positives, near misses, blocked attacks and devices that had actually been infected.
Armis's network detection capability allowed the SOC team not only to map detections to attack-matrix or kill-chain phases, but also to join behaviors across those phases by linking activities to an individual device as they occurred over time. This allowed the SOC to prioritize triage by identifying which devices had been seen to move through a kill-chain process: first the delivery phase, then the exploitation and infection phase, and finally the compromise phase.
This “phase chaining” capability removes false positives, near misses and blocked attacks from the alerting funnel. In layman’s terms, you can get rid of a big source of inefficiency in the SOC.
Figure 1 above outlines a typical compromise process for a device: “laptop-6” encounters a malicious site – in Armis speak we call these suspicious hosts.
However, if you are able to join these signals together per device, they become a very strong signal indeed.
Figure 2, below, shows how the multi-phase attack chaining engine in Armis, with its corresponding traffic-light stages, captures complex attack patterns by linking activities across the kill chain. The specific example shows how Armis models the DNA of the particular form of attack represented in Figure 1. The engine can be tuned to capture the DNA of any form of attack across its various phases.
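A minimal illustration of the per-device phase chaining described above, written as an added example for this post rather than Armis code: the alert format, the phase names and the `chain_devices` and `triage_summary` functions are assumptions. It groups constructed alerts by device and keeps only devices whose alerts reach delivery, then exploitation, then compromise in time order, so blocked attacks, stale intel and out-of-order signals drop out of the triage queue.

```python
from collections import defaultdict
from datetime import datetime

# Kill-chain phases in the order a successful compromise must traverse them
# (assumed names; the post describes delivery, exploitation/infection, compromise).
PHASES = ["delivery", "exploitation", "compromise"]

# Constructed sample alerts: (timestamp, device, phase, detail). Only laptop-6 moves
# through all three phases in order; the rest is blocked, stale or out-of-order noise.
SAMPLE_ALERTS = [
    ("2024-01-10T09:00:00", "laptop-6",  "delivery",     "suspicious host contacted"),
    ("2024-01-10T09:02:10", "laptop-6",  "exploitation", "exploit kit payload fetched"),
    ("2024-01-10T09:05:45", "laptop-6",  "compromise",   "C2 beacon observed"),
    ("2024-01-10T09:01:00", "laptop-12", "delivery",     "suspicious host contacted"),
    ("2024-01-10T09:01:05", "laptop-12", "delivery",     "download blocked by proxy"),
    ("2024-01-10T10:30:00", "server-3",  "compromise",   "stale IOC match, no prior phase"),
    ("2024-01-10T11:00:00", "desktop-8", "exploitation", "exploit signature, no delivery"),
    ("2024-01-10T11:00:01", "desktop-8", "delivery",     "arrives after exploitation"),
]

def chain_devices(alerts, phases=PHASES):
    """Return {device: matched alerts} for devices traversing every phase in order.

    Events are sorted per device; a device advances only when an alert for the
    next expected phase appears later in time, so blocked, stale or out-of-order
    signals never complete the chain and fall out of the triage queue.
    """
    by_device = defaultdict(list)
    for ts, device, phase, detail in alerts:
        by_device[device].append((datetime.fromisoformat(ts), phase, detail))
    compromised = {}
    for device, events in by_device.items():
        events.sort(key=lambda e: e[0])
        matched, next_idx = [], 0
        for ts, phase, detail in events:
            if next_idx < len(phases) and phase == phases[next_idx]:
                matched.append((ts.isoformat(), phase, detail))
                next_idx += 1
        if next_idx == len(phases):
            compromised[device] = matched
    return compromised

def triage_summary(alerts, phases=PHASES):
    """Collapse the alert funnel: alerts and devices in, compromised devices out."""
    chained = chain_devices(alerts, phases)
    return {"alerts": len(alerts), "devices": len({a[1] for a in alerts}),
            "compromised": sorted(chained)}

if __name__ == "__main__":
    print(triage_summary(SAMPLE_ALERTS))  # {'alerts': 8, 'devices': 4, 'compromised': ['laptop-6']}
```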
In conclusion, the SOC team had 100,000 alerts a day, but these alerts were really just pieces of data, representative of many things, not just attacks. When the SOC plugged Armis into the network stream responsible for producing these alerts, they found that only 1 device matched a successful compromise pattern; the rest of the alerts were false positives, stale intel, near misses or dead attacks.