by popular demand: co3's latest and greatest features
TRANSCRIPT
By Popular Demand: Co3's Latest & Greatest Features
WEBINAR
Slide 3
Agenda
• Introductions
• Who Are We
• Latest & Greatest Features
  – Threat Intelligence
  – SIEM Integrations
  – Easy Customization
  – Preview: Custom Action Framework
• Questions
Slide 4
Introductions
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Tim Armstrong, Incident Response Specialist, Co3 Systems
Slide 5
About Co3 – Incident Response Management
PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / tabletops)
ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Slide 6
Co3 IRMS
[Diagram: Co3 IRMS architecture; labels recovered from the slide]
• Incident response plan: instant creation & streamlined collaboration across HR, IT, Legal/Compliance, and Marketing
• Plan synthesis from community best practices, industry standard frameworks, organizational SOPs, global privacy breach regulations, and contractual requirements
• Accelerated mitigation: Custom Action Framework
• Automated escalation: web form, trouble ticketing, entry wizard, SIEM
• Plan enrichment: malware sample, IP address, DNS name, process name
• Dashboards and reporting: incident timeline / status, CSO dashboard, auditor dashboard, team utilization, incidents by type over time
■ New Threat Intelligence Feeds
Slide 8
Integrated Threat Intelligence
New Threat Intelligence Feeds:
• VirusTotal
• WHOIS
• GeoIP
Slide 9
Integrated Threat Intelligence
VirusTotal
• Returns scan results from 55 anti-virus engines
• Uses your own VirusTotal API key for the lookups
• Can also upload files for scanning, not just look up hashes
• Caveat: a file uploaded to VirusTotal is shared with its anti-virus partners and community, so look up the hash first and upload a sample only when it is not already known and not sensitive
Slide 10
Integrated Threat Intelligence
GeoIP
• Resolves an IP address to a latitude and longitude
• Plots the location on a Google map
Slide 11
Integrated Threat Intelligence
WHOIS Lookups
• Registration details for a domain or IP address block: registrant, registrar, contacts, and dates
POLL: How valuable is integrated threat intel?
■ SIEM Integrations
Slide 14
SIEM Integration
• Manual and automatic incident escalation from the SIEM
• Threat artifact submission (indicators sent from the SIEM into the incident)
• Bidirectional communication between the SIEM and Co3
• Supports HP ArcSight, IBM Security QRadar, and others
■ Easy Customization
Slide 16
Easy Customization
• Simple interface
• Drag-and-drop, button-based interaction
• Covers numerous areas of the UI
• No programming or coding required
Slide 17
Custom Fields
• Any number of fields
• Supports drop-downs, text, multi-selects, and more
• Can be used for alerting, sorting, reporting
Slide 18
Custom Workflows
• Quickly build a library of response plans
• SOPs for any number of response teams
• Operationalize static plans
• Report on their success, SLAs, etc.
Slide 19
Conditional Sections
• Collect only the details relevant to each incident type
• Ask the right questions
• Make a field required on open, required on close, or optional
• Create templates
POLL: How important is ease of customization?
Custom Action Framework
SNEAK PREVIEW
Slide 22
Connecting people, process, and technology for times of crisis
[Diagram: the same Co3 IRMS architecture as Slide 6 (plan synthesis, automated escalation, plan enrichment, dashboards and reporting), here highlighting the Accelerated Mitigation component]
Custom Action Framework
• Gather information and execute response plan tasks.
Slide 23
CAF Use Cases
Pull all employee details (name, dept, role, etc.)
• Trigger: Adding a username artifact
• Action: Query the directory for details; store the results in the artifact description
Kick off automatic Splunk / SIEM searches
• Trigger: New host/IP IOCs
• Action: Splunk/SIEM API search request
Automatic malware sandboxing
• Trigger: Adding a new malware artifact / PE file artifact
• Action: Send the malware to an internal sandbox; return the URL to the results
Have we ever seen this hash before on our systems?
• Trigger: Adding a new hash artifact
• Action: Query our internal application whitelisting logs; return the list of machines that have also executed this file or seen this hash
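The four use cases above follow one pattern: an artifact added to an incident is the trigger, and a lookup keyed on that artifact's value is the action. The Python below is an added example, not Co3 code and not the Co3 API: a small trigger/action dispatcher in that style. The artifact model, the directory, the application-whitelisting log lines, the hash values and the Splunk-style query syntax are all constructed for the example (hypothetical). It also carries the check a practitioner wants here: the artifact value was lifted from an alert and is attacker-influenced, so it is validated (hex digest, IP address) before it is used as a lookup key or placed in a query string, and a failing action is recorded rather than allowed to abort the other actions for the same artifact.

```python
"""Artifact-triggered actions in the style of the CAF use cases above.

Added example, not Co3 code: the artifact model, the directory, the
application-whitelisting log and the SIEM query syntax below are all
constructed for illustration (hypothetical), not the Co3 API.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Artifact:
    kind: str               # "username", "ip", "hash" (hypothetical type names)
    value: str
    description: str = ""   # enrichment results are stored here, as in the use cases


# --- constructed data sources: stand-ins for the directory and the whitelisting logs ---
DIRECTORY = {
    "jdoe":   {"name": "Jane Doe",   "dept": "Finance", "role": "Analyst"},
    "msmith": {"name": "Mike Smith", "dept": "IT",      "role": "Sysadmin"},
}

HASH_A = "0123456789abcdef" * 4   # constructed SHA-256 values, not real samples
HASH_B = "fedcba9876543210" * 4
WHITELIST_LOG = "\n".join([
    f"2014-12-02T10:15:01Z host=WS-0123 user=jdoe   action=EXEC  sha256={HASH_A}",
    f"2014-12-02T10:16:44Z host=WS-0456 user=msmith action=EXEC  sha256={HASH_A}",
    f"2014-12-02T11:02:10Z host=WS-0789 user=jdoe   action=EXEC  sha256={HASH_B}",
    f"2014-12-02T11:05:00Z host=WS-0123 user=jdoe   action=BLOCK sha256={HASH_B}",
]) + "\n"

LOG_RE = re.compile(
    r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+sha256=(?P<sha256>[0-9a-f]{64})"
)
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")   # MD5 / SHA-1 / SHA-256


def hash_seen_on(log_text: str, hash_value: str) -> List[str]:
    """'Have we ever seen this hash before?': sorted hosts whose whitelisting
    log mentions the digest (executed or blocked). Case-insensitive; rejects
    anything that is not a hex digest so a bad artifact cannot match by accident."""
    h = hash_value.strip().lower()
    if not HEX_DIGEST.fullmatch(h):
        raise ValueError(f"not a hex MD5/SHA-1/SHA-256 digest: {hash_value!r}")
    return sorted({m["host"] for m in LOG_RE.finditer(log_text) if m["sha256"] == h})


def directory_lookup(username: str) -> str:
    """'Pull all employee details': query the (constructed) directory."""
    rec = DIRECTORY.get(username.strip().lower())
    if rec is None:
        return f"directory: no record for {username!r}"
    return "directory: {name}, {dept}, {role}".format(**rec)


def siem_search_for_ip(value: str) -> str:
    """'Kick off automatic SIEM searches': build the query for a new IP IOC.
    The value came from an alert, so it is attacker-influenced: validate it as
    an IP address before it is interpolated into the query string (hypothetical
    Splunk-style syntax)."""
    ip = ipaddress.ip_address(value.strip())   # ValueError on anything that is not an IP
    return f'search (src_ip="{ip}" OR dest_ip="{ip}") earliest=-30d'


# Trigger table: artifact kind -> actions run when such an artifact is added.
ACTIONS: Dict[str, List[Callable[[Artifact], str]]] = {
    "username": [lambda a: directory_lookup(a.value)],
    "ip":       [lambda a: "siem: " + siem_search_for_ip(a.value)],
    "hash":     [lambda a: "seen on: " + (", ".join(hash_seen_on(WHITELIST_LOG, a.value)) or "no hosts")],
}


def on_artifact_added(artifact: Artifact) -> List[str]:
    """Trigger handler: run every action registered for the artifact's kind and
    store the results in its description. A failing action is recorded rather
    than raised, so one malformed value never aborts the remaining actions."""
    results: List[str] = []
    for action in ACTIONS.get(artifact.kind, []):
        try:
            results.append(action(artifact))
        except ValueError as exc:
            results.append(f"action failed: {exc}")
    artifact.description = "\n".join(results)
    return results


if __name__ == "__main__":
    for art in (Artifact("username", "jdoe"), Artifact("ip", "203.0.113.7"),
                Artifact("hash", HASH_A.upper()), Artifact("ip", '1" OR *')):
        on_artifact_added(art)
        print(f"{art.kind}={art.value!r}\n  {art.description}")
```

Run it as a script to see each trigger fire; to adapt the pattern, replace the constructed `DIRECTORY`, `WHITELIST_LOG` and query builder with calls to the real directory, log store and SIEM API, and keep the validation step in front of every lookup, since that is what stops an indicator copied out of an alert from turning into a query of the attacker's choosing.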
■ Questions?
Slide 25
Upcoming Co3 Events
• How The Grinch Stole Black Friday: Co3's 2014 Annual Review & Predictions, December 18, 2014, 1 pm EST
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Slide 27
“One of the most important startups in security…”
– Business Insider
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run...it has knocked one out of the park.”
– SC Magazine
Most Innovative Product