
How does LinkShadow speed up Incident response time?

LinkShadow continuously analyzes network traffic, extracting the metadata and ingesting it into the advanced AI-based analytics engine. Alongside the network capture, LinkShadow also integrates with external third-party security systems such as EDR, vulnerability managers, SIEM, etc., to obtain information on their detections.
The AI-powered platform then analyzes every piece of this collective information. Multiple checks are applied to the traffic received, for example traffic to known-bad destinations, abnormal protocol behaviors, or unusual types of connections reported by the internal machine learning engine.
The outcome of these checks may match a defined detection, or it may not.
When a detection matches, LinkShadow assigns a specific score to it; the detection is called an anomaly in LinkShadow terms. If the anomaly is a user-based anomaly, the score is appended to the affected user. If the anomaly is an entity-based anomaly, the score is appended to that entity. This scoring mechanism allows LinkShadow administrators to quickly identify which internal entities or users they have to focus their investigation on.
LinkShadow utilizes information received from external third-party security systems such as EDR, vulnerability scanners, SIEM, NGFW, etc., mainly for two reasons:
  • Calculating a threat risk assessment of entities based on information received from the external third-party security systems.
  • Providing a single pane of glass in the investigation window that displays LinkShadow detections and detections from the external systems in the same view, thereby allowing the SOC analyst to perform quick correlation.
Each of these anomalies has a detailed description within the investigation window about that specific anomaly. Together with the description, the platform also describes in detail the ideal response for that type of anomaly.
This ideal response is annotated as a Recommended Action, which can be, for example:
  • Take immediate mitigation action such as isolation or blocking.
  • Verify with the application team whether the detected event is genuine.
  • Verify with the system user whether the detected event is genuine.
Using the Assets Portal and the User Identity portals to pinpoint risky threat actors
The Assets portal lists all the profiled entities that have been detected in the network. These can be laptops, servers, mobile devices, workstations, etc. Within the same portal, the SOC analyst can also view the corresponding risk scores for these entities.
One of the useful features of the Assets portal is the capability to sort the profiled entities using criteria such as MAC address, IP address, hostname, OS, and threat score, as well as applying a time range of interest.
This way, the SOC analyst can quickly find the riskiest entity in the network for a specific period of time (for example, the last 24 hours).
Using the ThreatScore Quadrant
While the Assets portal and the Identity Intelligence portal can be used to list all entities and users respectively by highest risk score, LinkShadow also provides a comprehensive dashboard that puts this information together and provides a “bird’s eye” view of these threat actors and where they stand in the risk landscape.
The Threat Score Quadrant places the corporate users (orange dots) and the internal entities (blue dots) into the four quadrants of the Risk pane. The x axis denotes the number of anomalies detected and the y axis denotes the total score. The SOC analyst can use this quadrant to quickly pinpoint which threat actors to act on first in order to prevent further damage.
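A worked illustration of the scoring, ranking and quadrant mechanism described above, as an added Python example that is not LinkShadow's own code: each in-window anomaly score is appended to the affected user or entity, the profiles are ranked by total threat score, and anomaly count and total score are mapped onto the two quadrant axes. The detection records, the 24-hour window and the quadrant thresholds (2 anomalies, score 50) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed anomalies (not LinkShadow output): (timestamp, subject, kind, source, anomaly, score)
DETECTIONS = [
    ("2024-05-01T08:00:00", "10.0.0.12", "entity", "network", "traffic to known-bad destination", 40),
    ("2024-05-01T09:30:00", "10.0.0.12", "entity", "edr", "malware detected", 60),
    ("2024-05-01T10:00:00", "10.0.0.12", "entity", "network", "abnormal protocol behavior", 20),
    ("2024-05-01T11:00:00", "alice", "user", "network", "unusual connection type", 30),
    ("2024-05-01T12:00:00", "bob", "user", "siem", "repeated authentication failures", 10),
    ("2024-05-01T12:30:00", "bob", "user", "network", "unusual connection type", 10),
    ("2024-05-01T13:00:00", "bob", "user", "network", "unusual connection type", 10),
    ("2024-04-28T09:00:00", "srv-db-01", "entity", "scanner", "critical vulnerability", 80),
    ("2024-05-01T14:00:00", "srv-db-01", "entity", "scanner", "critical vulnerability", 80),
]

@dataclass
class Profile:
    subject: str
    kind: str  # "user" or "entity"
    total_score: int = 0
    anomaly_count: int = 0

def aggregate(detections, now_iso, window_hours=24):
    """Append every anomaly score inside the time range of interest to its user or entity."""
    now = datetime.fromisoformat(now_iso)
    window = timedelta(hours=window_hours)
    profiles = {}
    for ts, subject, kind, _source, _anomaly, score in detections:
        when = datetime.fromisoformat(ts)
        if not (now - window <= when <= now):
            continue  # stale detection, outside the selected time range
        p = profiles.setdefault(subject, Profile(subject, kind))
        p.total_score += score
        p.anomaly_count += 1
    return profiles

def rank(profiles, kind=None):
    """Riskiest first; ties broken by anomaly count, then name (ordering assumed here)."""
    rows = [p for p in profiles.values() if kind is None or p.kind == kind]
    return sorted(rows, key=lambda p: (-p.total_score, -p.anomaly_count, p.subject))

def quadrant(p, count_threshold=2, score_threshold=50):
    """x axis = anomaly count, y axis = total score; thresholds are assumed for this example."""
    many = p.anomaly_count >= count_threshold
    high = p.total_score >= score_threshold
    return f"{'many' if many else 'few'} anomalies / {'high' if high else 'low'} score"

if __name__ == "__main__":
    for p in rank(aggregate(DETECTIONS, "2024-05-02T00:00:00")):
        print(f"{p.kind:6} {p.subject:10} score={p.total_score:4} anomalies={p.anomaly_count} -> {quadrant(p)}")
```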