So, you've got an alarm - or 400 alarms maybe, now what? Security incident investigations can take many paths leading to incident response, a false positive or something else entirely. Join this webcast to see security experts from AlienVault and Castra Consulting work on real security events (well, real at one point), and perform real investigations, using AlienVault USM as the investigative tool. Process or art form? Yes. You'll learn: Tips for assessing context for the investigation How to spend your time doing the right things How to to classify alarms, rule out false positives and improve tuning The value of documentation for effective incident response and security controls How to speed security incident investigation and response with AlienVault USM

2. Agenda
Investigations
• What are they?
• What questions can they answer?
• Is the number 42 always relevant?
Investigation Walk-Throughs
• This won’t be all slides…we promise..
Recap

3. What is an Investigation?
An Investigation is the act of ascertaining facts
A careful examination
Or simply it answers: “What do I do?”
And there is a result……..sometimes

4. What Initiates an Investigation?
Someone asks you
• Hey I think PlayStation network is down?
You see something unusual
• Ever get that feeling someone is watching you?
• Certain patterns of logs
• New Assets
Alarms!
• More..

5. ..but what does it all mean?

6. What is an Alarm?
An alarm is a pattern of activity that should be investigated
• The logic that creates an alarm is customizable
Inside a SIEM an alarm could be
• A single event
• A series of events
• Event quantity
• ..and more

7. Process of an Investigation
Gather Information
Follow the trail
Look for Clues
Determine severity

8. Am I Finished?
Do you know what to do?
What does the IRP say?
Hint: no you aren’t

9. Document it!
If it’s not in a Ticket– it didn’t happen!

10. Why is Documentation Important?
Avoid Repetition
Avoid Repetition (yes we repeated this)
Share Information
Liability
Find patterns
Find anomalies or outliers
Find misconfigurations or unapproved changes

11. Demo Time
Show me the packets!

12. ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
VULNERABILITY ASSESSMENT
• Continuous
Vulnerability Monitoring
• Authenticated / Unauthenticated
Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE/SIEM
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring
USM Platform
Integrated, Essential Security Controls

13. Unified Security Management Platform
A single platform for simplified, accelerated threat detection, incident response
& policy compliance
AlienVault Labs Threat Intelligence
Correlation rules and directives written by our
AlienVault Labs team and displayed through
the USM interface
Open Threat Exchange
The world’s largest repository of
crowd-sourced threat data providing a
continuous view of real time threats that may
have penetrated the company’s defenses.
Unified Security Management

14. Demo Time
Show me the packets!

15. Recap
It’s important to know what the alarm is
Use search filters to help you prioritize investigations
Use policy to filter alarms you don’t need to re-investigate
Even though it’s familiar you still need to investigate
Have a plan for what you could find (IRP)
Write stuff down….

16. 888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Now for some Questions..
Questions? Hello@AlienVault.com
Twitter : @alienvault
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site