Investigations With Sift Security

Faster response to incidents


We provide security operations teams an easier and faster way to discover, investigate and act on risks. This paper identifies five key challenges associated with security investigations and shows how Sift Security's novel approach relieves alert fatigue and highlights the activity that results from complex attacks.

Investigation Challenges | Sift Security Solutions
Alert Overload | Provides better prioritization, confirmation and incident scoping
Unavailable Data | Lowers the cost and complexity of implementing a security data lake
Manual Investigations | Presents an intuitive interface that accelerates common workflows
Inadequate Staffing | Simplifies investigations and response, enabling junior analysts and an extended team
Unknown Threats | Enables proactive threat hunting, aided by advanced algorithms

Top 5 Challenges With Security Investigations

Sift Security Addresses these Investigation Challenges

Sift Security provides security operations teams an easier and faster way to discover, investigate and act on risks. Our product was built by and for security operators, with the goal of making these challenging roles easier and more enjoyable. Our technology was built from the ground up to take advantage of a relational graph data structure, which forms the foundation for our intuitive visualization and cutting-edge analytics. This enables Sift Security to relieve alert fatigue and to highlight the activity that might result from complex attacks.

"Sift Security reduces the time to investigate from weeks to hours, or even minutes."
Colin Estep, Incident Responder with experience at Netflix, Apple, FBI

Specifically, Sift Security addresses the five investigation challenges as follows:

Sift Security in Action: An Example Investigation

Consider a company targeted by a spear-phishing attack whose end goal is to exfiltrate sensitive customer data. Here is how Sift Security could accelerate the investigation and stop the attacker from achieving that goal.

A junior security analyst, Lance, opens Sift Security and sees a high-priority alert, derived from NetFlow logs, showing a connection to a blacklisted IP address. Lance pulls the alert into an investigation and starts to work it. He soon finds additional evidence of an attack in data drawn from host logs:

  1. Connection to a blacklisted IP address, 202.116.66.35, which is identified as a command-and-control server. It turns out that a company host ws02 with IP address 10.0.0.2 had communicated with that IP yesterday.

  2. Anomalous processes on Robert’s workstation, ws02.sfitsec.com, such as processes typically associated with reconnaissance activity and possible malware.

  3. Anomalous authentication attempts by the user Robert. He had a large number of failed authentication attempts, spread over nearly 40 hosts over the course of a day, which is possible evidence of malware attempting lateral movement.


At this point, Lance turns the investigation over to Ted, a senior incident responder. Ted continues the investigation to find the root cause and better understand the full impact of the threat. He traces the investigation back to a phishing email that exploited a vulnerability in pdfViewer to drop a remote access terminal on Robert’s workstation. He searches for other machines that contain this file and finds that ws35 is also infected. He investigates the source of the email message to find that the sender was also responsible for sending highly suspicious emails to other employees, each containing attachments.


Sift Security facilitated this investigation in a number of ways. First, it drew Ted’s attention to the firewall alert, emphasized because it was related to anomalous user behavior and access to sensitive data. Second, it enabled Ted to easily pivot across netflow, host, and email data sources. Third, it enabled the junior analyst (Lance) to validate the initial alert and collaborate with the senior analyst (Ted). It also helped Ted to quickly complete the root cause and impact analyses. This allowed Ted to find previously unknown threats and to identify and initiate all the actions needed to protect the enterprise and stop the infiltration before any major damage was inflicted.

Key Sift Security Advantages

About Sift Security

Sift Security provides security operations teams an easier and faster way to discover, investigate and act on risks. Sift Security was built from the ground up to take advantage of a relational graph data structure, which forms the foundation for our intuitive visualization and cutting-edge analytics.