12 Cool New Threat Detection And Response Products Unveiled At Black Hat 2019

Here's a look at 12 products released around Black Hat 2019 that make it easier for customers and partners to locate and prioritize advanced threats and respond to security incidents in an automated fashion.

Keeping Threats Under Control

Vendors attending Black Hat 2019 have invested heavily in making it easier for customers and partners to get insight into environmental changes, locate advanced threats, and respond to security incidents in an automated fashion.

Vendors have doubled down on improving their threat detection and response capabilities through real-time threat scoring, automated incident response playbooks, and filtering out unnecessary noise. Taken collectively, the tools and features seek to achieve better visibility into risk while reducing response times.

Here's a look at 12 products being showcased at Black Hat 2019 and how they are managing and isolating critical malware, automating decision-making across disparate security operations, and accelerating investigations into potential intrusions.

CrowdStrike CrowdScore

CrowdStrike’s CrowdScore leverages cloud-based analytics and artificial intelligence to provide a single view for executives about the real-time threat level their organizations are facing, enabling them to speed up triage, prioritization and incident response. It leverages CrowdStrike's global visibility and advanced analytics to produce actionable insight for executives, analysts and investigators.

CrowdScore's organizational “Defcon” score makes it easy for security leaders to understand if they are under attack and the severity of the threat so they can immediately mobilize the appropriate response. The tool's smart prioritization streamlines the triage process and presents the most important incidents to analysts via a central dashboard, ensuring they are directed to the most critical threats first.

Meanwhile, CrowdScore's Incident Workbench will automate the cumbersome labor involved in collecting the data needed to understand the scope of an emerging threat. Incident Workbench's sophisticated visualizations and workflows significantly reduce the time needed to orient and act against modern threats of all types.

Secureworks Managed Detection And Response

Secureworks' Managed Detection and Response (MDR) service leverages the detectors, analytics and correlation capabilities of Red Cloak Threat Detection and Response (TDR) to find advanced threats that evade normal detection, and to expand the context around each alert.

Knowledge gained from Secureworks' more than 1,000 incident response engagements each year informs the continuously updated threat intelligence and analytics used to recognize malicious activity. With more accurate detections and better context, Secureworks said false alerts are reduced and customers can focus on the most important events.

When an event requires action, customers have he option to check analyst recommendations via an intuitive interface or collaborate directly with Secureworks analysts using a built-in chat box. The Secureworks MDR service includes threat hunting to proactively isolate and contain threats, and comes with incident response support for peace of mind during critical investigations.

Malwarebytes Malware Removal Service

Malwarebytes’ Malware Removal Service (MRS) provides rapid expert intervention and triage to effectively manage and isolate a critical malware incident. Working remotely, malware removal specialists provide the intelligence, solutions and processes needed to eradicate active threats in a customer's environment and help return systems to a trusted state.

Once the threat analyst has helped restore the customer's environment to a safe state, Malwarebytes ensures the affected business has the proper risk indicators and systems in place. After the completion of the service, the customer's environment will retain the protections provided by Malwarebytes’ Endpoint Protection and Response, which include phone, email and chat support.

Quick and effective isolation and malware removal can make or break a business under active attack, according to Malwarebytes Senior Vice President of Products Akshay Bhargava. The new incident response service is built to ensure organizations receive the tools and expert analyst guidance needed to get their business operational again, Bhargava said.

LogicHub SOAR+

The LogicHub SOAR+ platform delivers autonomous detection and response, advanced analytics and machine learning to automate decision-making with extreme accuracy across historically disparate security operations. The platform gains advanced threat context and virtualizes the expertise of Level 3 security analysts to deliver expert recommendations in real time.

LogicHub automates advanced threat hunting activities by applying a machine-learning model for malicious process detection to differentiate benign from malicious. This enables security teams to easily decipher potentially dangerous activity while recognizing actions carried out by an authorized systems administrator.

The company's new alert triage capabilities, meanwhile, apply data science to automatically produce decision trees based on numerous alert factors, eliminating the time constraints and false positives or negatives associated with manual investigation. And LogicHub's automated case management features turn enhanced threat hunting playbooks into actionable incident response recommendations.

ManageEngine Log360

ManageEngine's Log360 comprehensive SIEM offering can now launch automated response measures to security incidents to help reduce the workload of security teams and contain the scale of an attack. The new automated incident response feature allows IT teams to associate predefined or custom workflows with security alerts to automate standard incident response measures.

Log360 provides automated responses through incident workflows, which lay out the sequence of steps to be taken following a security incident. Automated responses—such as shutting down compromised systems or disabling malicious user accounts—help organizations contain breaches more quickly.

The SIEM platform offers several advanced features to detect, manage and respond to security incidents, including in-depth security analytics, real-time threat intelligence, user and entity behavior analytics, and streamlined incident management. Automated incident response is available immediately in the latest version of Log360.

ReversingLabs Titanium Platform

ReversingLabs’ Titanium Platform provides complete visibility and insight into every destructive object regardless of its size, complexity or type in a manner that optimizes existing security investments. This makes it possible to seamlessly incorporate findings into established business processes across security, IT, architecture and DevOps teams.

Insight obtained from the ReversingLabs Titanium Platform enables security and threat hunting teams to achieve better risk visibility while reducing mean time to respond from minutes to seconds. Meanwhile, automation of malware and security operations helps fill important skill gaps and reduces the hours dedicated to time-consuming malware analysis by humans.

ReversingLabs also simultaneously enables the safe migration of applications and data to the cloud, backup and restoration of data, and distribution of trusted third-party code. This makes it possible for DevOps teams to accelerate the development, testing and release of applications in a frictionless but safe manner.

Infocyte Dashboards

Infocyte's new dashboards provide insight into environmental changes such as new hosts being discovered, new applications being introduced into the environment, new administrative accounts being found, and security alerts being increased. The dashboards also provide an overview of how well organizations are doing in regard to responding to and remediating security findings.

Infocyte highlights this response data as a key performance indicator (KPI) for businesses to measure against so they can see how their dwell time in dealing with bad objects changes over time. Customers are also given trending data to highlight weekly developments in key areas such as discovered/scanned hosts, threats, vulnerabilities and risks.

All told, the dashboards are intended to provide customers with an overview of what Infocyte is doing for them and specifically point out either areas of increased risk or areas where their risk is being reducied. The dashboards are primarily meant for those managing risk and the overall improvement of the organization's security stance.

Digital Guardian DG Wingman

Digital Guardian's DG Wingman tool combines many forensic collection capabilities into one to accelerate intrusion investigations. The tool makes it possible for security professionals to instantly extract key forensic artifacts such as the Master File Table, Windows registry and Windows event logs for further analysis.

Security professionals using DG Wingman can run a full scan of the endpoint and collect metadata from portable executable files such as hashes, certificates and strings. Alternatively, they can execute custom commands as SYSTEM.

It's critical to collect all necessary forensic data during a security incident to scope endpoint intrusions and ensure a proper investigation takes place. DG Wingman was developed by the team that delivers Digital Guardian's managed detection and response services to hundreds of customers around the world.

Juniper SecIntel

The incorporation of security intelligence (SecIntel) into Juniper's MX Series routers extends security to routing infrastructure by blocking command and control traffic at the hardware level. Traffic that needs to be blocked can be supplied by custom blacklists or discovered by Juniper Sky ATP and Juniper Threat Labs, turning connectivity layers into automated defense layers.

Juniper SecIntel complements the DDoS offering the company has developed with Corero, allowing a true defense-in-depth architecture to be created without investing in additional hardware. Together, these products reduce strain on upstream security resources by filtering out the noise that doesn't require a deeper level of inspection, enabling greater scale on higher compute-cost security resources.

SecIntel is available on version 19.3 of the Junos network operating system.

Infocyte Automated Response

Infocyte has given analysts or workflow automation tools the ability to conduct response actions related to account lockout, host isolation and process termination. The company is also allowing customers to create customized webhooks so that alerts can be routed to third-party systems such as ticketing systems, alerting systems and ChatOps tools.

Infocyte's API-first platform allows for quick and simple integrations with security orchestration, automation and response (SOAR) platforms as well as other security workflow tools. This makes it possible for companies to automate common security operations playbooks associated with incident response.

Navisite-Alert Logic Managed Threat Detection And Remediation

The Navisite-Alert Logic Managed Threat Detection and Remediation service brings together Alert Logic's SIEMless Threat Management platform with Navisite's security and infrastructure experts to provide customers with an advanced, fully managed security offering.

Navisite will leverage its complete set of managed services to enhance security and resiliency through real-time remediation capabilities and an application-centric approach. The integration will enable Navisite to collect asset data, logs and events; correlate collected data for behavior and anomaly detection; validate incidents by reviewing indicators of compromise; and remediate issues rapidly.

The combination of Alert Logic's advanced security platform with Navisite's infrastructure and security expertise allows Navisite experts to apply their knowledge of the underlying infrastructure to help businesses mitigate the risk of a breach. This in turn ensures business-critical applications and customer data are secure.

ArcSight Enterprise Security Manager-EndaceProbe Analytics Platform Integration

The new integration between Micro Focus' ArcSight Enterprise Security Manager and the EndaceProbe Analytics Platform will dramatically reduce the time required for security analysts to respond to cybersecurity threats at scale.

Security analysts will now be able to go directly from a threat alert in the ArcSight Enterprise Security Manager console to the related packet history with a single click. This gives analysts access to definitive evidence and allows them to prioritize, investigate, and respond to threats quickly and accurately.

Centralizing the management, analysis and reporting of all enterprise security events using the ArcSight Enterprise Security Manager reduces threat exposure and gives customers much greater visibility into the threats detected by security monitoring tools. Combining this rich security intelligence with the ability to quickly connect threat alerts to their related network history will increase analyst productivity.