
AUTOMATED INCIDENT RESPONSE EVIDENCE ANALYSIS 

WHAT IS AUTOMATED INCIDENT RESPONSE EVIDENCE ANALYSIS?

 

The Evolve “Automated Incident Response Evidence Analysis” solution is triggered automatically by Evolve Automated Incident Response Evidence Collection, which collects evidence from your internal systems each time a security breach is detected.

Evolve orchestrates, in real time, a scalable incident response analysis environment within the Evolve cloud. This automatic analysis of critical evidence takes place whilst the attacker is still on the victim machine, helping to ensure that security breaches are contained before the attacker can perform “lateral movement attacks” and compromise other internal systems.

Evolve will automatically analyze security breach evidence artefacts including memory dumps, network connections, running services, process lists, requested domains, security log files, latest changed files, registries, signed binaries, and many more.

Your security team gets faster access to verified information about a security breach, meaning earlier triage and automated response for a streamlined, specialist incident response process.

Evolve “Automated Incident Response Evidence Analysis” natively integrates with Slack for status notifications enabling ChatSecOps capabilities to maximize your resources and security budgets.

Register your free Evolve account now 

 

EVOLVE MARKETPLACE

Automated Incident Response Evidence Analysis is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budgets.

GET STARTED

Our Getting Started Guide will step you through importing and launching your first Automated Incident Response Evidence Analysis workflow. Enhance your specialist security capabilities now.

FEATURES

Automated Evidence Analysis During Attack

Distributed Automated Incident Response

ChatOps Incident Response Notifications

Automated Incident Response Chaining

Automated Evidence Hash Confirmation

Automated Evidence Duplication

Automated Indicators of Compromise Generation

Automated Memory Dump Analysis

Automated Security and System Log Analysis

Automated Master File Table Analysis

Automated Network Connections Analysis

Automated Registry Analysis

Automated Services Analysis

Automated Device Drivers Analysis

Automated Running Processes Analysis

Automated User Information Analysis

Automated DNS Cache Analysis

Automated Signed Processes Analysis

Automated System Information Analysis

Automated System Files Analysis

FLEXIBLE SUBSCRIPTION PRICING

 

Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock in contracts. Simply import the Automated Incident Response Evidence Analysis capability from the Evolve Marketplace to begin your subscription.

 

US$750 per month with no lock in contract

OPTIMISE YOUR COSTS WITH USAGE-BASED BILLING

IMPORT USAGE

Importing workflows and modules from the Evolve Marketplace incurs a once-off usage charge per import to orchestrate your new capabilities

SECURITY ZONE USAGE

Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real-time

WORKFLOW USAGE

Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data

MODULE USAGE

Evolve Modules are stored and executed on demand in real time, and each execution incurs usage. Optimize usage by reducing module executions

AGENT USAGE

Evolve Agents allow distributed orchestration of modules on premise and in the cloud. Optimize usage by reducing the polling frequency

CONTAINER USAGE

When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data

DASHBOARD USAGE

Generating and storing Evolve Dashboards incurs usage for populating chart data from within Evolve Containers

EVENT USAGE

Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts

FREQUENTLY ASKED QUESTIONS

WHAT IS AUTOMATED INCIDENT RESPONSE EVIDENCE ANALYSIS?

The Evolve “Automated Incident Response Evidence Analysis” solution is triggered when Evolve Automated Incident Response Evidence Collection automatically collects evidence from your internal systems after a security breach occurs.

In real-time, Evolve will orchestrate a scalable incident response analysis environment within the Evolve cloud. This provides automatic critical evidence analysis whilst the attacker is still on the victim machine to help ensure that security breaches are contained before the attacker can perform “lateral movement attacks” to compromise other internal systems.

Evolve will automatically analyze security breach evidence artefacts including memory dumps, network connections, running services, process lists, requested domains, security log files, latest changed files, registries, signed binaries, and many more.

This provides your security team with faster access to verified information about a security breach allowing automated triage and response.

HOW DO I GET STARTED?

The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated Incident Response Evidence Analysis solution. Simply import this automation workflow into your Evolve Account.

You can follow the Getting Started Guide to then setup your first Automated Incident Response Evidence Analysis workflow instance.

You can chain the “Evolve Automated Incident Response Evidence Collection” and “Evolve Automated Incident Response Actions” workflows for automated evidence collection and response.

HOW DO I INTEGRATE WITH SLACK FOR MODERN NOTIFICATIONS?

Evolve Automated Incident Response Evidence Analysis natively integrates with Slack.

The Evolve SlackBot can automatically notify your security team of the incident response analysis progress to ensure that your team is kept up to date with the progress of your incident response activities, allowing you to remain in full control of your incident response processes.

Simply import the Evolve SlackBot from the Evolve Marketplace and launch an instance of the Evolve SlackBot module. This SlackBot module instance is chained before and after the Evolve Automated Incident Response Evidence Analysis workflow so that automated notifications are generated via Slack.

GETTING STARTED WITH AUTOMATED INCIDENT RESPONSE EVIDENCE ANALYSIS

STEP 1: REGISTER AN EVOLVE ACCOUNT

Congratulations on deciding to mature and streamline your security capabilities and maximize your security budgets. Your first step is simply to Register an Evolve Account using the Register button on the Evolve website.

STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT

Now that you have an Evolve Account, login using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.
 

STEP 3: SETUP YOUR EVOLVE BILLING

Evolve subscriptions and usage-based bills are charged via credit card. You can setup your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account. Select the “Add Payment Method” button that will load the Evolve Secure Payment Gateway page where you can add your credit card details.

As part of our fraud-prevention controls, your credit card is charged a nominal amount; you then enter that amount into Evolve to verify the card before it can be used for payments. Your Evolve Account is now set up and you are ready to mature your security.
  

STEP 4: SELECT YOUR EVOLVE REGION

Evolve is a specialist security automation cloud with globally distributed infrastructure. Its geographic security controls let you keep your data and processing within the geographical regions aligned to your business needs. You can select your Evolve Region in the top right-hand corner of your Evolve Account. Any actions you take occur within your selected Evolve Region.
  

STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE

The Automated Incident Response Evidence Analysis workflow is available in the Evolve Marketplace, which you can navigate to under the Marketplace side-menu. Whilst in the Evolve Marketplace, you can locate this workflow by either selecting the “Incident Response” category and browsing through the available workflows, or by searching for the keyword “analysis”.

By clicking on the Automated Incident Response Evidence Analysis workflow marketplace item, you can review the overview of the workflow, as well as usage and subscription pricing information. Click the Import button and step through the import steps; you will then be redirected to the Imports page. You may need to use the Reload button to see your newly imported workflow.

Once the import status changes from “Pending” to “Available”, you have successfully subscribed to this security automation workflow and added this specialist security capability to your business.
  

STEP 6: LAUNCH A SECURITY ZONE

Evolve Security Zones are isolated environments that provide scalable compute and storage to execute your Evolve Workflows.

Select the Security Zones side menu item and click the New Security Zone button. Set a useful name for your Security Zone and click the Next button, which will take you to the Security Zone Size page. For most use cases executing Automated Incident Response Evidence Analysis workflows, a Large Security Zone is recommended. If your organization has systems with large amounts of memory (and therefore large memory dumps to analyze), consider an Extra Large Security Zone. Click the Next button once your Size has been selected.

The Configuration page allows you to specify the settings of your Security Zone:

  • The Volume Size is the size of your Security Zone cluster nodes’ disks, used to temporarily store your module data during processing. The default size should be sufficient for Automated Incident Response Evidence Analysis.
  • The Scalable setting configures the Security Zone to automatically scale up as the number of modules to be executed in parallel increases, and to scale down to nothing whilst the Security Zone is not in use, in order to natively optimize usage charges. The Scalable setting should be selected for Automated Incident Response Evidence Analysis.
  • The NAT Gateway can be left blank, which means that the Security Zone nodes will receive dynamic public IP addresses. Because this workflow is passive (it only processes the evidence uploaded to it), a static IP address is not needed for its activities.
  • The VPN Gateway can be left blank, since this workflow does not need to access your organization’s internal systems.

Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Security Zone with the configurations specified and will take around five minutes.

You should wait for the Security Zone state to change from “Pending” to “Available” before moving onto the next step.
  

STEP 7: LAUNCH A WORKFLOW INSTANCE

You have imported the Automated Incident Response Evidence Analysis workflow. You now need to launch a Workflow Instance to be orchestrated and executed each time a security breach occurs.

Select the Workflows side menu item to list your available workflows. You will find a series of buttons alongside your Automated Incident Response Evidence Analysis workflow where you will need to click the button called “Create Instance”. Set a useful name for your workflow instance and click the Next button, which will take you to the Parameters page.

Set the Input Container to be the Automated Incident Response Evidence Collection Output Container.

Leave the Output Container blank, which means that Evolve will automatically create the Output Container for you.

Click the Next button to go to the Configuration page, where you select the default location in which modules will be executed. You should select your Incident Response Security Zone. The Agents and Agent Devices can be left blank.

Click the Next button, review your settings, and then click the Create button.

This will automatically orchestrate your Automated Incident Response Evidence Analysis workflow instance, including all Module Instances and Containers.

Your workflow will be automatically launched by Evolve every time a new Evolve Evidence ZIP File is uploaded to the Input Container, triggering the evidence to be automatically analyzed.
  

STEP 8: REVIEW YOUR RESULTS

The Evolve Automated Incident Response Evidence Analysis workflow will automatically generate the Indicators of Compromise (IOCs) as a Yara File and upload it to the configured Evolve Output Container.

From within the Evolve Console, select the Containers side menu to list your available Evolve Containers. In the search box, type “analyzer” to filter down your Container list. Locate the Evidence Analyzer Output Container. You will find a series of buttons alongside your Container where you will need to click the button called “View”. This will list the analysis Yara files stored within your Evolve Container. You may download the Yara files using the corresponding “Download” button.

More advanced users may also want to be notified when their incident response analysis is complete, by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off the Output Container for real-time ChatOps notifications.
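The analysis stage above runs inside the Evolve cloud, so the page does not show what “evidence hash confirmation” or “IOC generation as a Yara file” look like under the hood. The following stand-alone Python example is added here to make those two steps concrete; it is not Evolve’s code and is not taken from this page. It assumes an evidence ZIP layout (a manifest.json of SHA-256 hashes beside flat text artefacts for the DNS cache, process list and network connections), a small allowlist of trusted domains and trusted install paths, and a tamper flag that only exists to demonstrate a failed hash check. All sample data is constructed inline.

```python
"""Added example (not Evolve's code): confirm evidence hashes, extract IOCs
from a few artefacts, and render them as a YARA rule. The ZIP layout, the
allowlist and the trusted paths are assumptions for illustration."""
import hashlib
import hmac
import io
import json
import re
import zipfile

# Constructed sample artefacts standing in for an uploaded evidence ZIP.
GOOD_SHA256 = hashlib.sha256(b"constructed-good-binary").hexdigest()
BAD_SHA256 = hashlib.sha256(b"constructed-suspicious-binary").hexdigest()
ARTEFACTS = {
    "dns_cache.txt": "login.microsoftonline.com\nc2.badactor.example\nupdates.example.org\n",
    "processes.csv": (
        "pid,name,path,sha256\n"
        f"412,svchost.exe,C:\\Windows\\System32\\svchost.exe,{GOOD_SHA256}\n"
        f"5120,svch0st.exe,C:\\Users\\Public\\svch0st.exe,{BAD_SHA256}\n"
    ),
    "connections.csv": (
        "pid,proto,local,remote,state\n"
        "412,TCP,10.0.0.5:52110,10.0.0.9:445,ESTABLISHED\n"
        "5120,TCP,10.0.0.5:49213,203.0.113.7:443,ESTABLISHED\n"
    ),
}
ALLOWLIST = {"login.microsoftonline.com", "updates.example.org"}  # assumed trusted domains
TRUSTED_PATHS = ("c:\\windows\\", "c:\\program files")            # assumed trusted install paths
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def build_evidence_zip(tamper: bool = False) -> bytes:
    """Package the artefacts with a SHA-256 manifest. With tamper=True one
    artefact is altered after hashing, simulating modification in transit."""
    files = dict(ARTEFACTS)
    manifest = {n: hashlib.sha256(d.encode()).hexdigest() for n, d in files.items()}
    if tamper:
        files["dns_cache.txt"] += "injected.example\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


def verify_manifest(zip_bytes: bytes) -> dict:
    """Hash confirmation: recompute each artefact's SHA-256 and compare it with
    the manifest in constant time. Returns {artefact: True/False}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return {
            name: hmac.compare_digest(hashlib.sha256(zf.read(name)).hexdigest(), expected)
            for name, expected in manifest.items()
        }


def extract_iocs(zip_bytes: bytes) -> dict:
    """Candidate IOCs: DNS-cache domains outside the allowlist, hashes of
    processes running from untrusted paths, and the public addresses those
    processes are connected to."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        dns = zf.read("dns_cache.txt").decode().splitlines()
        procs = zf.read("processes.csv").decode().splitlines()[1:]   # skip header
        conns = zf.read("connections.csv").decode().splitlines()[1:]
    domains = sorted(d.strip().lower() for d in dns if d.strip() and d.strip().lower() not in ALLOWLIST)
    flagged_pids, hashes = set(), set()
    for line in procs:
        pid, _name, path, sha = line.split(",")
        if not path.lower().startswith(TRUSTED_PATHS):
            flagged_pids.add(pid)
            hashes.add(sha)
    ips = set()
    for line in conns:
        pid, _proto, _local, remote, _state = line.split(",")
        ip = remote.rsplit(":", 1)[0]
        if pid in flagged_pids and not PRIVATE_IP.match(ip):
            ips.add(ip)
    return {"domains": domains, "hashes": sorted(hashes), "ips": sorted(ips)}


def to_yara(iocs: dict, rule_name: str = "evidence_iocs") -> str:
    """Render IOCs as one YARA rule: domains/IPs as strings (usable on files or
    memory), file hashes through the hash module (file scans only)."""
    strings = [f'        $dom{i} = "{d}" ascii wide nocase' for i, d in enumerate(iocs["domains"])]
    strings += [f'        $ip{i} = "{ip}" ascii wide' for i, ip in enumerate(iocs["ips"])]
    conds = ["any of them"] if strings else []
    conds += [f'hash.sha256(0, filesize) == "{h}"' for h in iocs["hashes"]]
    if not conds:
        conds = ["false"]  # keep the rule syntactically valid when nothing was found
    strings_block = "    strings:\n" + "\n".join(strings) + "\n" if strings else ""
    return (
        'import "hash"\n\n'
        f"rule {rule_name}\n{{\n    meta:\n        source = \"evidence zip (constructed sample)\"\n"
        f"{strings_block}    condition:\n        {' or '.join(conds)}\n}}\n"
    )


def analyze(zip_bytes: bytes):
    """Refuse evidence whose hashes do not confirm; otherwise return the YARA
    rule text that would be written to the output container."""
    if any(not ok for ok in verify_manifest(zip_bytes).values()):
        return None
    return to_yara(extract_iocs(zip_bytes))


if __name__ == "__main__":
    print(analyze(build_evidence_zip()))
    print("tampered evidence accepted:", analyze(build_evidence_zip(tamper=True)) is not None)
```

The order matters: hashes are confirmed before any artefact is parsed, so evidence altered between collection and analysis is rejected rather than turned into IOCs. The allowlist is what keeps a DNS cache full of legitimate SaaS lookups from becoming a noisy rule; in practice it would be the organization’s own list rather than the two constructed entries here.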


© Threat Intelligence Pty Ltd | info@threatintelligence.com | 1300 809 437 | Register Account | Terms & Conditions | Privacy Policy