Managed Threat Detection and Response (MTDR) Newsletter
Welcome to the LevelBlue MTDR newsletter! We’ve had an exciting couple of months and have many updates to share with you.
We are pleased to share the results of a recent third-party evaluation of the USM Anywhere platform. The evaluation was performed by the independent testing organization SecureIQLab and covered 41 attack scenarios incorporating multiple real-world threats and attack stages. The scores affirm our strong extended detection and response capabilities. Below are some highlighted results. To read the full report, please visit our website.
You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum, and you can direct any questions or support issues to the LevelBlue Success Center.
New in USM Anywhere
Automated Playbooks
Automated playbooks build on Manual Playbooks, adding the ability for customers to automatically run a set of predefined actions in response to specific alarms being triggered. The MDR SOC is looking at specific use cases to implement automated playbooks for customers and will conduct further testing before incorporating these playbooks into their workflow. Please work with the ForCE team if you have questions about this new feature.
Checking the “Is it an Automated Playbook?” option in the playbook creation menu makes the playbook run automatically whenever any alarm rule checked in the Alarm Rules Assignment list fires. Because no analyst is present to fill in details at run time, a fully automated playbook requires every parameter of each response action to be specified up front, which is why the Action boxes contain additional pull-down menus for these details.
Note: Automation is only appropriate for alarms where there is a clear response to take and the log contains the information the response action needs.
For example, an IDS might detect a command-and-control connection. Because the local host always initiates these connections to the external destination, the address to block is always the destination address, and that decision is easy to automate. A more generic “intrusion detection” alarm from the same IDS, however, could call for blocking either the source or the destination address. That alarm should be triaged by an analyst so that traffic is not blocked in the wrong direction, which makes it a poor candidate for an automated response.
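The decision described above can be encoded as a gate that an automation pipeline runs before handing an alarm to a playbook. The following is an added illustration, not USM Anywhere code: the alarm fields, category names, internal ranges and never-block list are all assumptions, and the sample alarms are constructed. It goes slightly beyond the text by also refusing to automate when the address the action needs is missing, unparseable, internal, or shared infrastructure, since each of those is a case where blocking blindly does harm.

```python
"""Gate deciding whether an alarm may drive an automated block action.

Constructed example (not USM Anywhere code). Category names, address
ranges and the never-block list are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Address ranges that belong to us (assumed: RFC 1918 plus loopback and
# link-local). An unattended playbook must never block one of these.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Shared infrastructure (assumed values). Blocking these automatically is
# an outage, not a containment, so they are routed to an analyst instead.
NEVER_BLOCK = {ip_address("8.8.8.8"), ip_address("1.1.1.1")}

# Alarm categories whose connection direction is fixed by definition.
# A C2 beacon is initiated by the local host, so the peer to block is the
# destination. A generic "intrusion_detection" category is deliberately
# absent: the attacker may sit on either side, so no side is safe to pick.
FIXED_DIRECTION = {
    "command_and_control": "dst",
}


@dataclass
class Alarm:
    category: str
    src_ip: Optional[str]
    dst_ip: Optional[str]


@dataclass
class Decision:
    automate: bool          # True: safe to run the block action unattended
    block_ip: Optional[str]  # the address the action would block
    reason: str


def is_internal(addr) -> bool:
    """True when addr falls inside one of our own ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def decide(alarm: Alarm) -> Decision:
    """Return whether this alarm may be auto-remediated and what to block."""
    side = FIXED_DIRECTION.get(alarm.category)
    if side is None:
        return Decision(False, None,
                        f"{alarm.category}: block side not fixed by the rule; "
                        "analyst must choose src or dst")
    raw = alarm.dst_ip if side == "dst" else alarm.src_ip
    if not raw:
        return Decision(False, None,
                        f"{side} address missing from the log; action cannot be filled in")
    try:
        addr = ip_address(raw)
    except ValueError:
        return Decision(False, None, f"{side} address {raw!r} is not an IP address")
    if is_internal(addr):
        return Decision(False, None,
                        f"{side} address {addr} is internal; the fixed-direction "
                        "assumption does not hold for this alarm")
    if addr in NEVER_BLOCK:
        return Decision(False, None, f"{addr} is on the never-block list")
    return Decision(True, str(addr), f"{alarm.category}: block external {side} {addr}")


# Constructed sample alarms covering the clear case and the failure modes.
SAMPLE_ALARMS = [
    Alarm("command_and_control", "10.1.2.3", "203.0.113.7"),   # automate
    Alarm("command_and_control", "10.1.2.3", "10.9.9.9"),      # internal dst
    Alarm("intrusion_detection", "198.51.100.5", "10.1.2.3"),  # ambiguous side
    Alarm("command_and_control", "10.1.2.3", None),            # missing field
    Alarm("command_and_control", "10.1.2.3", "8.8.8.8"),       # never-block
]


def triage(alarms: List[Alarm] = SAMPLE_ALARMS) -> List[Decision]:
    return [decide(a) for a in alarms]


if __name__ == "__main__":
    for alarm, d in zip(SAMPLE_ALARMS, triage()):
        route = "AUTOMATE" if d.automate else "ANALYST "
        print(f"{route} {alarm.category:22} {d.reason}")
```

Only the first sample alarm is handed to automation; every other one is routed to an analyst with the reason recorded, which is the same record you would want to see in the playbook history afterwards.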
We are in the process of testing each of our response actions to ensure they work correctly with automated playbooks. Many of the actions for our 13 most popular applications, including SentinelOne, Office 365, Qualys, Zscaler, and Workspace, have already been tested. The remaining actions will be tested over the next several months, and each will appear in the menu of available actions once tested. You can also see which response actions can be automated by checking the new column in the “Actions” tab for each application.
To see what an automated playbook did, open the playbook History tab and look for playbooks marked “in progress”. Clicking one shows which steps completed and which did not. Every app action is also recorded under the History for that app.
The current feature is triggered by an alarm rule and cannot be initiated any other way, so for now manual playbooks are the only option for analyst-run remediation. In the future, customers will be able to launch a fully automated playbook directly from an alarm.
For more information, please visit here.
New Investigations API and UI for Anywhere and Central
New features are available within our refreshed Investigations UI. Additionally, Investigations are now viewable within USM Central, allowing users to view all investigations from within a single pane rather than clicking into individual instances to review.
Some changes to the USM Anywhere Investigations UI include:
· Text formatting
· Bold, italicized, and underlined
· Bullet points
· Numbered bullet points
· Font differentiators, e.g., heading versus body
· Text alignment
· Hyperlink
· Add image
· Code snippet
· “Last Modified by” will display the full name of the person
Investigations API
A new public API is available for interacting with Investigations and replaces the previous USM Anywhere Investigations API. It reduces the number of API calls handled by the control node, which improves performance.
For a full list of the investigation APIs by region, please go here.
Compliance Report Updates
This past quarter, we refreshed all of our existing compliance reports to align them with the current versions of the standards they map to.
Additionally, we have added the following new compliance templates:
PCI DSS v4.0 (2022)
ISO 27001:2022
NIST SP 800-53
NIST SP 800-171
HITRUST
Other Enhancements
In addition to some of these major updates, we have released several enhancements across the platform.
Scheduled reports can now be scheduled on a daily, weekly, biweekly, monthly, and annual basis.
New filters and search functionality have been added to the vulnerability dashboard, including “Available Patches” and “Affected Software.” Both filters can be seen in the tabular view of the Vulnerabilities page or when you open a vulnerability in full-screen mode.
Orchestration and Suppression rules can now be scheduled. When setting up the rule logic you’ll select the “Schedule Alarm” checkbox or “Schedule Suppression.” This will need to be performed on a rule-by-rule basis.
Users can now add multiple events to an investigation at the same time rather than associating events one at a time.
Orchestration rules can now be exported and imported between instances.
For full details on these enhancements, please visit here.
BlueApps
New Advanced BlueApps
Mimecast – The Mimecast advanced BlueApp is used for log collection from the Mimecast cloud. The app does not contain any response actions but allows customers using Mimecast email security to ingest events via API.
BlueApps coming soon!
Cisco Firepower Manager – This BlueApp allows customers to use response actions to control their entire fleet of Cisco Firepower next-generation firewalls. As a device manager, the Firepower manager doesn’t collect log messages, so logs are input via our existing BlueApp for Cisco Firepower firewalls. The app ships with eight response actions. Note however that we are actively working with Cisco to fix an issue with the external block list feature. Once the issue has been remedied, this feature will be supported. The app will stay in early access until the feature is confirmed as working.
SpyCloud – A new SpyCloud advanced BlueApp is now in early access and will soon be available for general access. The Advanced BlueApp for Dark Web Monitoring leverages SpyCloud technology to monitor the dark web for stolen user credentials, such as email addresses, usernames, and passwords. If stolen credentials are detected, USM Anywhere will provide alerts so that users can respond swiftly to the compromise. The app will include log collection and a response action to get historical breach records for verified watchlist domains and emails.
Proofpoint on Demand – This BlueApp will be focused only on events collection.
CrowdStrike Falcon – We are improving this BlueApp to integrate across the vendor’s various license tiers.
LevelBlue Labs Threat Feed Updates
In Q1, we released six threat feed updates that include 76 defects fixed, 81 improvements, and 111 new elements.
Here are a few examples of improvements made and new elements created:
Improved a rule that identifies Windows shadow copy deletion, as observed in an Akira ransomware scenario
Multiple improvements to the CrowdStrike plugin to align severity between CrowdStrike and USM Anywhere
Expanded detection for newly installed remote access tools
Created a new rule that identifies abuse of password storage by the DarkGate malware, focused on four major TTPs that chain privilege escalation and keylogging through to credential harvesting
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
LevelBlue Labs Open Threat Exchange
LevelBlue Labs Open Threat Exchange (OTX) is among the largest open threat intelligence communities in the world. We have more than 200,000 members who contribute near-real-time threat intelligence to OTX, which is then enriched by LevelBlue Labs. You can go here to find out more about the new pulses or to sign up to be part of the community.
Need More Information?
To have Release Notes emailed to you automatically, follow these steps:
1. Log in to the LevelBlue Success Center.
2. Click on the announcement for the product you wish to follow.
3. Select the “Follow” button on the right-hand side.
4. Select the drop-down menu on the right-hand side and choose “Every Post” to receive an email for each new release note.