Content Intelligence – Enriching the Incident Response Process

Categories: Advanced Cyber Defense, Advanced Security

Jeff Hale, Senior Practice Consultant, RSA Advanced Cyber Defense Practice

A common issue seen in many of our Advanced Cyber Defense (ACD) engagements is customers who have reasonably mature monitoring and incident response procedures but are inefficient at putting context around the artifacts of an incident.

Depending on the data source, many monitoring technologies, SIEMs included, provide only basic information in an alert: source and destination IP address, possibly an external domain, and port/protocol. With this limited data set, responders are often forced to turn to several disparate sources to make a best-effort determination of the details they need, starting with the most basic question: which machine or user had this source IP address at the time of the event? How can we enrich incident data to maximize incident response efficiency?

ACD defines “Content Intelligence” as the data enrichment workflow that automatically brings together external data sources to provide full context for the incident being analyzed. The ultimate goal of this workflow is to bring a SOC/CIRT closer to the reality of a “single pane of glass” for incident response. By integrating data feeds from sources such as a company’s IP address management system, employee database, external GeoIP data such as MaxMind, and many others into the incident management system, such as RSA Archer, a tremendous increase in incident response efficiency can be achieved, in addition to providing several new analytical points that may assist in discovering trends and identifying targeted attacks.
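As an added illustration of the enrichment workflow described above (example code, not code from this post, from RSA Archer or from any of the products named), the following Python joins a minimal alert against constructed stand-ins for an IPAM/DHCP lease export, an employee directory and a GeoIP feed; every record, address range and field name is hypothetical. The lease lookup is bounded by the lease's validity window, so "who had this IP at the time of the event" is answered from the lease that covered the event timestamp, and an IP with no covering lease is reported as unknown rather than attributed to the most recent holder.

```python
from datetime import datetime, timezone
import ipaddress

# Constructed IPAM/DHCP lease export (hypothetical hosts, users and times).
LEASES = [
    {"ip": "10.1.2.3", "host": "WS-1042", "user": "jdoe",
     "start": "2014-03-01T08:00:00Z", "end": "2014-03-01T20:00:00Z"},
    {"ip": "10.1.2.3", "host": "WS-2210", "user": "asmith",
     "start": "2014-03-02T07:30:00Z", "end": "2014-03-02T19:30:00Z"},
]
# Constructed employee directory keyed by account name (hypothetical).
EMPLOYEES = {"jdoe": {"name": "Jane Doe", "dept": "Finance"},
             "asmith": {"name": "Al Smith", "dept": "Engineering"}}
# Constructed stand-in for an external GeoIP feed; documentation prefixes only.
GEOIP = {"203.0.113.0/24": "XX", "198.51.100.0/24": "YY"}
# The organisation's own address space (hypothetical), used to pick the lookup path.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the alert and lease data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lease_at(ip, when):
    """Return the lease that covered `ip` at time `when`, or None if there was none."""
    for lease in LEASES:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= when < parse_ts(lease["end"]):
            return lease
    return None


def geo_lookup(ip):
    """Return the country code for an external address, or None if not in the feed."""
    addr = ipaddress.ip_address(ip)
    return next((c for cidr, c in GEOIP.items() if addr in ipaddress.ip_network(cidr)), None)


def enrich_alert(alert):
    """Add host/user/department for internal addresses and GeoIP for external ones."""
    when = parse_ts(alert["timestamp"])
    out = dict(alert)
    for side in ("src", "dst"):
        ip = alert[side + "_ip"]
        if any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            lease = lease_at(ip, when)
            out[side + "_host"] = lease["host"] if lease else "unknown"
            out[side + "_user"] = lease["user"] if lease else "unknown"
            emp = EMPLOYEES.get(out[side + "_user"])
            out[side + "_dept"] = emp["dept"] if emp else "unknown"
        else:
            out[side + "_country"] = geo_lookup(ip) or "unknown"
    return out
```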

Jeff Hale is a Senior Practice Consultant for the RSA Advanced Cyber Defense (ACD) Services Practice – Americas. In this capacity Jeff is responsible for custom development and delivery of cyber defense professional service offerings for Advanced Persistent Threat (APT) Breach Readiness, Incident Response/Discovery, SOC/CIRT operation implementation, Intelligence Analysis, and Threat Management.