5 Ways Mandiant’s New Tools Fight Breaches And Ransomware

From automating triage work to testing ransomware in production environments to detecting anomalies faster, here are five key takeaways on Mandiant Active Breach & Intel Monitoring and Ransomware Defense Validation.


A More Robust Response

The industry has embraced the ability to digest and inject Mandiant’s expertise into their environment in an automated manner since Mandiant Advantage debuted last year, said Mandiant Chief Product Officer Chris Key. The platform already has four modules delivering everything from automated defense and threat intelligence to security validation and attack surface management in a consumable manner.

“This really came down to seeing a need in the industry for us to help increase the effectiveness of security,” Key told CRN. “A core belief that we have is that effective security is actually driven by expertise and intelligence as opposed to just controls or technology deployed alone.”

The company announced two new Mandiant Advantage offerings Tuesday during its annual Cyber Defense Summit: Active Breach & Intel Monitoring and Ransomware Defense Validation. From automating correlation and triage work to testing ransomware in production environments to detecting abnormalities quickly and more accurately, here are five things to know about Mandiant’s new tools.

5. Connects Threats To User Environment And Helps Prioritization

Mandiant has long made its threat intelligence available to customers, but they were responsible for figuring out on their own what to escalate or modify based on that information, according to Key. But now with Active Breach & Intel Monitoring, Mandiant’s incident response is connected directly with a customer’s Security Operations Center (SOC) to proactively monitor for indications of an active breach.

Threat intelligence is operationalized, and customers are proactively monitored when triggers during the investigation process indicate the threat would be relevant to a customer. In that scenario, Active Breach & Intel Monitoring would automatically check the customer’s event flow and security data, both real-time and historical, to ensure customers are ready and prepared for the latest threats, Key said.

A diagram within the Active Breach & Intel Monitoring module helps with the escalation process by showing what customers need to act on and why, according to Key. This process is delivered completely through the module’s SaaS interface, with Mandiant experts making prioritization decisions on behalf of the customer, Key said.

4. Automates Much Of The Correlation And Triage Effort

Active Breach & Intel Monitoring relies heavily on automation to operationalize threat intelligence in a customer’s environment and scale the capability to as much of the industry as possible, according to Key. At the same time, Key said the module has trigger points and decision flows that pull in human eyes when necessary.

Automation is used to correlate what’s known to be bad from Mandiant’s threat intelligence with what’s in a customer’s environment, as well as to run an indicator assessment, which checks 130 unique features in an automated way to determine if the issue should be escalated. Mandiant incorporates geographic and industry context when determining whether or not to get a human involved, according to Key.

A threat that’s noisy and everywhere is much less likely to need human hands on a keyboard than a piece of malware that’s targeting a specific industry or type of environment, according to Key. If a piece of malicious content is tied to an active breach or has been highly attributed to a specific threat actor, Key said Mandiant is likely to put human eyes on it.

3. Tests Ransomware On Production Server For The First Time

Ransomware Defense Validation allows for the testing of different types of ransomware in customer environments in safe ways to determine whether the customer’s existing controls can stop an attack, according to Key. It’s an entry-level offering derived from the broader Mandiant Security Validation module, focused specifically on understanding an organization’s readiness for ransomware, Key said.

Mandiant traditionally required a virtualized environment to run ransomware, but with Ransomware Defense Validation it is able, for the first time, to test ransomware in a production environment by using malware reversers. The module offers not only the same level of technology and reporting as Security Validation, but also includes Mandiant experts to run the test and decide what’s a priority.

With Ransomware Defense Validation, Key said Mandiant experts run the test and explain the results to the customers rather than directing the customer to conduct the exercise themselves. The tool provides more narrow content, reporting and views than Mandiant Security Validation, which Key said should make it more affordable and digestible for smaller organizations.

2. Detects Problems Quicker And More Accurately With Less Work

Mandiant Active Breach & Intel Monitoring aims to increase detection efficacy as well as SOC analyst efficiency by moving up the funnel to look at more customer events while at the same time shrinking the number of events that actually get escalated to customers, according to Key. Ingesting more customer security data should make Mandiant more effective at detection without burdening the customer at all.

Ransomware Defense Validation, meanwhile, is focused on enabling customers to check how their controls fare against different ransomware families earlier, according to Key. It’s focused on reducing mean time to detection and response while getting prevention as early in the cycle as possible, Key said.

The module also provides a longitudinal view of how controls have fared against different ransomware families over time to ensure nothing has regressed in the organization’s environment and diminished readiness, Key said. Straightforward visuals in Ransomware Defense Validation track whether or not organizations are increasing their test and pass rate in line with expectations, according to Key.

1. Makes Protection Affordable Outside The Large Enterprise

Both Mandiant Ransomware Defense Validation and Active Breach & Intel Monitoring will be available as a subscription that costs less than $100,000 annually, according to Key. He anticipates Ransomware Defense Validation will cost between $60,000 and $100,000 when it becomes generally available Jan. 1, which will allow it to serve as an entry point into Mandiant for mid-market and small organizations.

Active Breach & Intel Monitoring will be available in sub-$100,000 and greater than $100,000 versions based on the size of the customer and how frequently they’re using the tool, Key said. Large companies that want to look at all the telemetry in their environment will likely need to buy the more expensive version, Key said, while companies that just want to monitor specific areas can use the entry-level tool.

Both modules are currently in the beta testing phase with select Mandiant customers, and – like all Mandiant Advantage products – will be available as an annual subscription.