Every moment following an initial breach is critical.
A Security Analyst has to respond to the threat, assess the impact on the organization and formulate a plan to mitigate and remediate the incident. Each of these steps takes critical time, extending the breach exposure and putting your organization at risk.
The front-line Security Operations Center (SOC) Analyst has the unenviable role of first responder: triaging the threat and determining whether escalation is warranted. Making that determination rapidly is critical to the success of the organization, and it needs to be made correctly every time.
What can you do?
This is why it is so important to put relevant information at the analyst's fingertips when an alert occurs. One of the key pieces of information a SOC Analyst requires when a network IDS alert is triggered is "What was the process on the endpoint that caused this alert to trigger?" Knowing the executable involved helps analysts quickly determine the extent of the breach on that endpoint and which steps the Incident Response team should take next.
Download the "Network Intrusion Detection and Process Correlation" white paper and solution overview to discover how the SOC team can use SIEM/Log Management correlation across endpoint and network IDS logs to accurately identify the endpoint process responsible for a network IDS alert.
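The correlation the white paper describes, as an added illustration that is not part of the original page or any vendor product: a constructed IDS alert is matched against constructed endpoint network-connection records (Sysmon Event ID 3 style fields; the field names and the 10-second window are assumptions) on the connection 5-tuple and a time window, so that a later reuse of the same ephemeral port does not get blamed on the wrong process.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real sensor). One network IDS alert and
# a few endpoint connection events as a SIEM might hold them after normalisation.
IDS_ALERT = {
    "timestamp": "2024-03-01T10:15:32Z", "signature": "CONSTRUCTED Example Beacon",
    "src_ip": "10.0.0.25", "src_port": 49812, "dest_ip": "203.0.113.7",
    "dest_port": 443, "proto": "TCP",
}

ENDPOINT_EVENTS = [
    {"timestamp": "2024-03-01T10:15:30Z", "host": "WS-025", "pid": 1204,
     "image": "C:\\Windows\\System32\\svchost.exe", "proto": "TCP",
     "src_ip": "10.0.0.25", "src_port": 49801, "dest_ip": "198.51.100.4", "dest_port": 443},
    {"timestamp": "2024-03-01T10:15:31Z", "host": "WS-025", "pid": 5520,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "proto": "TCP",
     "src_ip": "10.0.0.25", "src_port": 49812, "dest_ip": "203.0.113.7", "dest_port": 443},
    # Same 5-tuple reused five minutes later by a different process: must NOT match.
    {"timestamp": "2024-03-01T10:20:05Z", "host": "WS-025", "pid": 3300,
     "image": "C:\\Program Files\\Browser\\browser.exe", "proto": "TCP",
     "src_ip": "10.0.0.25", "src_port": 49812, "dest_ip": "203.0.113.7", "dest_port": 443},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _five_tuple(e):
    return (e["proto"], e["src_ip"], e["src_port"], e["dest_ip"], e["dest_port"])

def correlate_alert(alert, events, window_seconds=10):
    """Return the endpoint event whose 5-tuple matches the alert and whose
    timestamp is closest to the alert's within +/- window_seconds, else None."""
    key = _five_tuple(alert)
    # Accept the reversed tuple too: an inbound-direction alert (IDS sees
    # server->client) still lines up with the endpoint's outbound connection record.
    rev = (key[0], key[3], key[4], key[1], key[2])
    t0 = _ts(alert["timestamp"])
    window = timedelta(seconds=window_seconds)
    candidates = [e for e in events
                  if _five_tuple(e) in (key, rev) and abs(_ts(e["timestamp"]) - t0) <= window]
    if not candidates:
        return None  # no endpoint telemetry in the window: escalate with the gap noted
    return min(candidates, key=lambda e: abs(_ts(e["timestamp"]) - t0))

if __name__ == "__main__":
    hit = correlate_alert(IDS_ALERT, ENDPOINT_EVENTS)
    print(f"{IDS_ALERT['signature']} -> {hit['host']} pid {hit['pid']} {hit['image']}")
```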