Long-term Search Cover Giacomo Lanzi

Long-term search: what’s new in the SOCaaS service

Ransomware commonly comes up with an email that tricks users into trusting a malicious file. Many of the most recent data breaches have been completed because a user has been the victim of such an attack in the previous period. Threats such as ransomware, which focus on user compromise, are causing more and more companies to adopt user and entity behavior analysis (UEBA) in their security operations center (SOC). The new functions of the SOC service, including long-term search, are oriented towards the increasing offer of additional tools for the optimal management of corporate security.

We continue to innovate our platform to increase the power of SOC in fighting ransomware and other threats. In our latest release, we have added even more machine-learning and context-aware detection capabilities that enable security analysts to tackle the most sophisticated attacks. Furthermore, the latest updates bring an ever greater ease of use for security architects.

Long-term search - SOCaaS news

Long-term search for the security analyst

The service introduces a number of innovations to reduce detection and response times for security analysts and threat seekers.

Improved detection of sophisticated threats

Long-term search helps analysts discover hidden threats by providing a search capability on archived data. The search is scalable and does not affect SIEM performance.
Analytics Sandbox helps break down false positives by providing an online QA environment to test and validate use cases.
– Persona-based threat chains detect advanced threats more accurately, including the dynamic relationship between users, hosts, IP addresses, and email addresses. Analysts benefit from greater visibility into the progression of an attack. This feature combines suspicious activity from a single user into a single priority alert, instead of separate and unrelated alerts.
Relative Rarity offers analysts a broader context on how rare an event is compared to all other events in their environment.
Viewing security alerts using the MITER ATT&CK Threat Framework helps analysts prioritize risk and reduce response times.

Reduction of response times

Improved case management allows for better management, sharing and investigation of alarms, allowing operators to respond more quickly.
New EDR integrations improve incident response by providing additional endpoint data from CarbonBlack Defense, Tanium, Symantec DLP and others.
Better search views improve the analyst experience by reducing detection and response times. They help analysts easily identify compromised accounts, data exfiltration, and associated hotspots.

Why long-term search is so important

With a global dwell time of around 60 days on average, threat hunting continues to be an important part of cybersecurity resilience. However, searching through the data history usually takes a long time.

Many vendors are unable to dynamically scale a quick search through archived data without significant effort. The latest features of our SOCaaS provide this possibility for threat hunters with long-term search on an almost unlimited scale. With long-term research, organizations can reduce the time it takes to investigate and find threats that are already in their environment.

Analysts need to continually query the data to see if there are new threats. For example, an analyst might learn from a trusted source that their industry has been targeted. At this point we need to investigate a new indicator of compromise that has just been discovered to verify if an attacker is already inside.

Through long-term search, SOD’s native SOCaaS SIEM allows threat hunters to be proactive, making historical data research fast and convenient.

Conclusions

By introducing new technologies into our SOC service, we are offering more and more security for our customers.

We take care of your data by verifying not only that it is not safe now, but also that it has not been breached in the past. In case we suspect a new threat, we know how to spot it.

If you have any questions, contact us, we will be happy to answer all your questions.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • SEC Consult SA-20241204-0 :: Multiple Critical Vulnerabilities in Image Access Scan2Net (14 CVE) December 5, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Dec 04SEC Consult Vulnerability Lab Security Advisory < 20241204-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: Image Access Scan2Net vulnerable version: Firmware
  • Microsoft Warbird and PMP security research - technical doc December 3, 2024
    Posted by Security Explorations on Dec 03Hello All, We have released a technical document pertaining to our Warbird / PMP security research. It is available for download from this location: https://security-explorations.com/materials/wbpmp_doc.md.txt The document provides a more in-depth technical explanation, illustration and verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64 and pertaining […]
  • Access Control in Paxton Net2 software December 3, 2024
    Posted by Jeroen Hermans via Fulldisclosure on Dec 02CloudAware Security Advisory [CVE pending]: Potential PII leak and incorrect access control in Paxton Net2 software ======================================================================== Summary ======================================================================== Insecure backend database in the Paxton Net2 software. Possible leaking of PII incorrect access control. No physical access to computer running Paxton Net2 is required....
  • SEC Consult SA-20241127-0 :: Stored Cross-Site Scripting in Omada Identity (CVE-2024-52951) November 27, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 27SEC Consult Vulnerability Lab Security Advisory < 20241127-0 > ======================================================================= title: Stored Cross-Site Scripting product: Omada Identity vulnerable version:
  • SEC Consult SA-20241125-0 :: Unlocked JTAG interface and buffer overflow in Siemens SM-2558 Protocol Element, Siemens CP-2016 & CP-2019 November 27, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 27SEC Consult Vulnerability Lab Security Advisory < 20241125-0 > ======================================================================= title: Unlocked JTAG interface and buffer overflow product: Siemens SM-2558 Protocol Element (extension module for Siemens SICAM AK3/TM/BC), Siemens CP-2016 & CP-2019 vulnerable version: JTAG: Unknown HW revision, Zynq Firmware...
  • Re: Local Privilege Escalations in needrestart November 27, 2024
    Posted by Mark Esler on Nov 27The security fix for CVE-2024-48991, 6ce6136 (“core: prevent race condition on /proc/$PID/exec evaluation”) [0], introduced a regression which was subsequently fixed 42af5d3 ("core: fix regression of false positives for processes running in chroot or mountns (#317)") [1]. Many thanks to Ivan Kurnosov and Salvatore Bonaccorso for their review. [0] […]
  • APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 macOS Sequoia 15.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121753. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: macOS Sequoia Impact: Processing maliciously crafted […]
  • Local Privilege Escalations in needrestart November 21, 2024
    Posted by Qualys Security Advisory via Fulldisclosure on Nov 21Qualys Security Advisory LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) ======================================================================== Contents ======================================================================== Summary Background CVE-2024-48990 (and CVE-2024-48992) CVE-2024-48991 CVE-2024-10224 (and CVE-2024-11003) Mitigation Acknowledgments Timeline I got bugs...
  • APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121754. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: iPhone XS […]
  • APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121752. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: iPhone XS […]

Customers

Newsletter

{subscription_form_1}