A slow response to a data breach or other cybersecurity incident costs companies time and money, as well as reputational damage. To help companies accelerate their response, Magnet Forensics is offering a new application, Magnet Automate Enterprise, designed to trigger investigations into security breaches automatically and to synchronize detection and response tasks across third-party tools.
Magnet Forensics has a track record of developing investigation software that processes evidence from computers, mobile devices, IoT devices and cloud services, and it has a strong user base among law enforcement and government agencies. The new software is geared specifically to enterprises, allowing them to recover evidence of security incidents from corporate networks and remote endpoints.
The problem Automate Enterprise aims to address is the considerable lag often seen in responding to a cybersecurity incident, owing to the manual handoffs involved in the process. Hours are lost to, for example, employee shift changes, weekends, and holidays.
Syncing EDR, SIEM and digital forensic tools
Automate Enterprise is designed to automate basic, repetitive manual tasks around the clock without human intervention, integrating EDR (endpoint detection and response) and SIEM (security information and event management) tools with post-incident forensic tools. The goal is to trigger a response to security incidents automatically, coordinating the acquisition of evidence from multiple devices, computing environments, and communications services.
A phishing email that has landed in a corporate mailbox and is waiting for a user to click its link, which would start a download from a malicious third party, is a threat or security event that detection and response tools can spot and block. If that attempt is not stopped at the outset, however, and malware is deployed on a machine and starts encrypting data, the security incident requires a rapid response.
“Automate’s intuitive user interface will enable analysts to build custom workflows and rapidly respond to cybersecurity incidents,” says Adam Belsher, CEO of Magnet Forensics. “Understanding organizations depend on solutions from multiple vendors, Automate is purpose-built to integrate seamlessly with our customers’ pre-existing cybersecurity and digital forensics tools.”
Any application that has a command-line component or an API can be built into a custom workflow in Automate, according to Belsher. Creating and running a custom workflow with EDR, SIEM, and digital forensic tools can be done using drag-and-drop functionality, Belsher says.
Automate allows companies to concurrently process security-related data from computers, mobile phones, cloud storage environments such as Amazon Web Services and Microsoft Azure, and communication services such as Microsoft Teams and Slack.
Automating workflow for incident investigation
Automate coordinates security breach investigations and response via what Magnet calls Watch Folders. Watch Folders process system images from any acquisition tool, even one without a command-line interface, such as GrayKey, F-Response, and the Tableau TX1 Forensic Imager.
Through a visual workflow builder, Watch Folders let users configure a local file path or network path to which the acquisition tool saves its images. Triage features allow scans to be run only on defined areas of a disk, shortening scan times. Watch Folders are also where users set up automated workflows that synchronize the analytics, triggers and alerts of the various security applications in a company's toolset.
“Traditionally, a workflow would involve SIEM tools alerting security teams to a potential threat, a triage scan being initiated to identify impacted endpoints, and a digital forensic analysis being carried out to investigate the damage. In between each step, there would be a manual handoff that delayed response time,” says Belsher.
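The mechanism the preceding paragraphs describe (a folder an imaging tool writes into, a chain of command-line steps that runs as soon as an image lands, with no analyst waiting for the next shift) can be sketched in plain Python. The following is an added example written for this article, not Magnet's code and not the Automate product's API; the image file extensions, the hypothetical `triage-scan` and `forensic-parse` command lines, and the JSON ledger format are assumptions. It includes the two details a practitioner would want in any such trigger: an imager writes a multi-gigabyte file over minutes, so the workflow must not fire until the file has stopped growing, and the image is hashed before any tool touches it so the ledger can later prove what was analysed.

```python
"""Watch-folder trigger for acquisition images (illustrative, not Magnet's code)."""
import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path

# Assumption: these are the extensions the acquisition tools drop into the folder.
IMAGE_SUFFIXES = {".e01", ".dd", ".raw", ".img"}


def wait_until_stable(path: Path, settle_seconds: float = 5.0, poll: float = 1.0) -> bool:
    """Return True once the file's size has not changed for settle_seconds.

    Triggering on the first byte would hand a half-written image to the triage
    step. Size stability is a heuristic: an imager that preallocates the file
    looks stable while still writing, so prefer the tool's own completion
    marker (a log or hash file) where it produces one.
    """
    last_size, stable_since = -1, time.monotonic()
    deadline = time.monotonic() + 10 * settle_seconds  # give up; retry next pass
    while time.monotonic() < deadline:
        size = path.stat().st_size
        if size != last_size:
            last_size, stable_since = size, time.monotonic()
        elif time.monotonic() - stable_since >= settle_seconds:
            return True
        time.sleep(poll)
    return False


def sha256_file(path: Path) -> str:
    """Hash the image before any tool reads it, for the chain-of-custody ledger."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def new_images(folder: Path, seen: set[str]) -> list[Path]:
    """Image files in the watch folder that have not been dispatched yet."""
    return sorted(p for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES
                  and str(p) not in seen)


def run_workflow(image: Path, steps: list[list[str]]) -> list[dict]:
    """Run each CLI step with {image} substituted, stopping at the first failure
    so a failed triage never silently hands off to the next stage."""
    results = []
    for step in steps:
        cmd = [arg.format(image=image) for arg in step]
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True)
            rc, out = proc.returncode, proc.stdout[-200:]
        except FileNotFoundError as exc:  # tool not installed on this host
            rc, out = 127, str(exc)
        results.append({"cmd": cmd, "rc": rc, "stdout": out})
        if rc != 0:
            break
    return results


def dispatch(folder: Path, steps: list[list[str]], seen: set[str], ledger: Path,
             settle_seconds: float = 5.0, poll: float = 1.0) -> list[dict]:
    """One pass over the watch folder: for every new, fully written image, hash
    it, run the workflow and append one JSON line to the ledger. Returns the entries."""
    entries = []
    for image in new_images(folder, seen):
        if not wait_until_stable(image, settle_seconds, poll):
            continue  # still being written (or stuck); look again next pass
        seen.add(str(image))
        entry = {
            "image": str(image),
            "sha256": sha256_file(image),
            "started": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "steps": run_workflow(image, steps),
        }
        entry["ok"] = all(s["rc"] == 0 for s in entry["steps"])
        with ledger.open("a") as f:
            f.write(json.dumps(entry) + "\n")
        entries.append(entry)
    return entries


if __name__ == "__main__":
    watch = Path(sys.argv[1])
    # Hypothetical pipeline: a scoped triage scan, then a full parse. Any tool
    # with a command line fits this shape; these two command names are made up.
    pipeline = [
        ["triage-scan", "--image", "{image}", "--scope", "system"],
        ["forensic-parse", "--image", "{image}", "--out", "{image}.case"],
    ]
    seen_images: set[str] = set()
    while True:
        dispatch(watch, pipeline, seen_images, watch / "ledger.jsonl")
        time.sleep(30)
```

Run it as `python watch.py /path/the/imager/writes/to`. In production the polling loop would give way to inotify or to a webhook from the SIEM, but the structure stays the same; the ledger line is what an analyst reads in the morning to see which images arrived overnight, what ran against them, and whether any step failed.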
Help in an increasingly complex environment
There are strong use cases for Automate as enterprises increasingly adopt complex, multifaceted digital infrastructures that leave them exposed to attacks and incidents. Faster response and recovery rank high on the priority list as organizations look to contain the damage from these attacks.
“Automate purports to significantly speed up the multifaceted workflow associated with responding to a cybersecurity incident,” says Gary McAlum, senior analyst at TAG Cyber. “There are a lot of players in this market space already but the opportunity for this particular company will be around how well they differentiate themselves from the other solutions.”
A detailed comparative analysis of the product would cover its scope of coverage (the number of investigative elements) and its scalability, according to McAlum.
“Can their solution cover large-scale events, particularly in large, heterogeneous IT environments where data and systems may be spread across traditional on-premises and cloud environments? Many tools work well in localized settings but quickly bog down in large, complex IT situations,” adds McAlum.