Security Operations

Act Quickly and Confidently Against Digital Threats

In the SOC, you need to sift through a flood of alerts to quickly and accurately assess suspicious activity, exposures, and exploits, and their potential impact on your brand, employees, and customers. You need the data and tools that can provide your team with full visibility into digital threats outside the firewall that are directly related to security issues and incidents within your firewall — as well as means to effectively validate, triage, and mitigate threats.

The average total lifetime of a phishing site today is around 30 hours. By that time, taking it down is almost irrelevant, as the threat actor has almost certainly moved on. Even if the site is detected and reported right away, ISPs and registrars usually cannot process takedown requests quickly enough. RiskIQ’s scalable internet monitoring of digital threats and threat infrastructure analysis tackle this challenge head-on.

See how automated context yields lower MTTR

RiskIQ in Action

Security Operations Center

RiskIQ takes the approach of blocking threats as the first course of action. Our event review workflow includes built-in integration with Google Safe Browsing and Microsoft SmartScreen to automatically submit and block confirmed threats, including phishing and malware. This way, the threat is neutralized for 95% of all web traffic within minutes rather than hours. The threat is mitigated and damage prevented while the takedown request is pending.

For everything else, the RiskIQ interface is designed to present analysts with the data they need to assess and take action against a digital threat quickly:

  • A screenshot of the malicious page
  • The WHOIS record for the domain
  • The IP resolution and location of a website domain
  • The full document object model (DOM) of the page in question
  • The time of the incident, browser type, and behavior that triggered malicious activity
  • Additional context about the domain, including blacklist association

With this information, analysts can quickly key in on what’s necessary to confirm or dismiss an alert at a glance without having to look up information in other tools.

After identifying a threat, RiskIQ gives researchers the information and relevant context to automatically bridge the pieces of an investigation within the organization. Using data sets that include passive DNS resolutions, current and historical WHOIS information, SSL certificate information, as well as other web infrastructure components like analytics tracking codes, PassiveTotal provides intelligent pivots and searches that can identify threat actors, as well as uncover additional infrastructure that they may use to conduct attacks.
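Infrastructure pivoting of the kind described above, as an added example that is not RiskIQ or PassiveTotal code: a breadth-first walk over a constructed dataset of passive-DNS, WHOIS, certificate and tracker observations (documentation-range IPs and reserved TLDs) that links domains sharing an attribute value, and skips values shared by too many domains, such as a CDN address or a privacy-proxy registrant, because those pivots produce noise rather than attribution. The record format, the `max_shared` threshold and all domain names are assumptions for this example.

```python
from collections import deque

# Constructed sample observations (not real infrastructure). Each domain maps
# attribute name -> set of observed values: resolved IPs (passive DNS),
# registrant email (WHOIS), TLS certificate fingerprint, analytics tracker ID.
RECORDS = {
    "login-examplebank.test":  {"ip": {"203.0.113.10"}, "whois": {"reg-a@mail.test"},
                                "cert": {"sha1:aaaa"}, "tracker": {"UA-1111-1"}},
    "secure-examplebank.test": {"ip": {"203.0.113.11"}, "whois": {"reg-a@mail.test"},
                                "cert": {"sha1:bbbb"}, "tracker": set()},
    # Also fronted by a shared CDN address (198.51.100.200), like the tenants below.
    "verify-examplebank.test": {"ip": {"203.0.113.11", "198.51.100.200"}, "whois": {"reg-b@mail.test"},
                                "cert": {"sha1:bbbb"}, "tracker": {"UA-1111-1"}},
    "shop-unrelated.test":     {"ip": {"198.51.100.5"}, "whois": {"reg-c@mail.test"},
                                "cert": {"sha1:cccc"}, "tracker": {"UA-9999-1"}},
    # Five unrelated tenants behind the same CDN address: an IP pivot here is noise.
    **{f"tenant{i}.cdn.test": {"ip": {"198.51.100.200"}, "whois": {f"t{i}@mail.test"},
                               "cert": {f"sha1:t{i}"}, "tracker": set()} for i in range(5)},
}


def build_index(records):
    """Invert the records: (attribute, value) -> set of domains carrying that value."""
    index = {}
    for domain, attrs in records.items():
        for attr, values in attrs.items():
            for value in values:
                index.setdefault((attr, value), set()).add(domain)
    return index


def pivot(seed, records, max_shared=3, max_hops=2):
    """Expand from seed over shared attributes. Returns {domain: [(attr, value, via)]}.

    A value shared by more than max_shared domains (shared hosting, CDN, bulk
    registrant) is not followed; max_hops bounds how far the pivot chain runs.
    """
    index = build_index(records)
    found = {seed: []}
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for attr, values in records[domain].items():
            for value in values:
                peers = index[(attr, value)]
                if len(peers) > max_shared:  # too common to be a meaningful link
                    continue
                for peer in peers - {domain}:
                    if peer not in found:
                        found[peer] = [(attr, value, domain)]
                        queue.append((peer, hops + 1))
    return found
```

Running `pivot("login-examplebank.test", RECORDS)` links the three bank-themed domains through the shared registrant, certificate and tracker ID, while the CDN tenants and the unrelated shop are left out.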

RiskIQ also provides additional insight into SIEM alerts through our vast databases of dangerous URLs, phishing pages, blacklisted hosts and domains, known malware hashes, and more, which are also accessible via the RiskIQ platform and API. This data improves prioritization and efficiency when investigating alerts, and allows teams to accurately address more alerts in less time.

With RiskIQ:

  • Have an up-to-date understanding of your entire attack surface
  • Never miss an event that results in a crippling security incident
  • Prevent employees and customers from getting phished
  • Defend against malware and drive-by downloads spreading across employee, contractor, and vendor devices
  • Stop employees and partners from going to malicious URLs

Read more about our products and how they can help you understand, detect, and mitigate digital threats against your organization.