
New open source tool connects the dots between suspicious activities during a cyber attack

Detectree simplifies data analysis for blue teams to decrease response times, reduce alert fatigue and improve communication during a security incident.

Many companies struggle to understand malicious activity and its effects while a security incident is in progress. This eats up precious time and resources that defenders need to contain the attack and minimise damage. A new open source tool, built to increase visibility into the suspicious activities that organisations detect, aims to relieve this pain.

Detectree, developed by WithSecure (formerly known as F-Secure Business), is a detection visualisation tool for cyber security defence teams (also known as blue teams). According to Tom Barrow, a senior threat hunter for WithSecure’s managed detection and response service, WithSecure Countercept, finding the links between the suspicious events on an endpoint is paramount for responders.

“Visibility is always a priority, but it’s absolutely vital when responding to an incident,” explained Barrow. “Time is always working against incident responders. And looking through rows of text data and making connections between them and the suspicious activity under investigation is time spent not remediating the problem, which is a real waste when you’re under pressure to stop an attack.”

For example, if an analyst is attempting to find the cause of a suspicious process, they typically need to look through log data and manually reconstruct the chain of events. The longer the chain, the more difficult and time consuming it becomes to manage. And given the number of security alerts blue teams at large companies can face (about 11,000 per day according to recent research*), it is a process that can overwhelm security teams and exacerbate problems like alert fatigue and burnout.

Detectree was designed to help blue teams simplify investigative work by structuring log data into a visualisation that shows relationships between the suspicious activity detected and any processes, network destinations, files, or registry keys connected to that detection. Rather than manually sorting through data represented as text to reconstruct a chain of events, responders can look at the visualisation to see not only the connections, but the nature of the connections, including interactions, parent-child relationships, and process injections.

Relying on the visualisation lets responders quickly see the context surrounding a detection and share that data with relevant stakeholders in a simple, intuitive way to ensure the information is accessible to everyone that needs it.
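The reconstruction described above, reduced to its essentials as an added example (this is illustrative code, not Detectree's own, and it does not use Detectree's data format or API): a handful of constructed endpoint telemetry events in a simplified schema, a graph built from them, and a function that walks from a detected process up its parent chain, across injection edges, and out to the files, registry keys and network destinations those processes touched. The field names (`pid`, `ppid`, `image`, `target_pid` and so on) are assumptions for the example.

```python
"""Reconstruct the chain of events around a detection from endpoint telemetry.

Illustrative example only (not Detectree's own code). The event schema and
field names are assumptions; the events below are constructed, not captured.
"""
from collections import defaultdict

# Constructed sample telemetry: a phishing chain that ends in a suspicious
# PowerShell process which drops a DLL, sets a Run key, beacons out and
# injects into explorer.exe, which then beacons to the same destination.
EVENTS = [
    {"type": "process",  "pid": 400,  "ppid": 4,   "image": "explorer.exe"},
    {"type": "process",  "pid": 812,  "ppid": 400, "image": "outlook.exe"},
    {"type": "process",  "pid": 902,  "ppid": 812, "image": "winword.exe"},
    {"type": "process",  "pid": 1337, "ppid": 902, "image": "powershell.exe"},
    {"type": "file",     "pid": 1337, "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},
    {"type": "registry", "pid": 1337, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "network",  "pid": 1337, "dest": "203.0.113.10:443"},
    {"type": "inject",   "pid": 1337, "target_pid": 400},
    {"type": "network",  "pid": 400,  "dest": "203.0.113.10:443"},
    {"type": "process",  "pid": 2001, "ppid": 400, "image": "notepad.exe"},  # unrelated noise
]


def build_graph(events):
    """Index events into parent links, child lists, injections and artifacts."""
    procs, parent = {}, {}
    children = defaultdict(list)      # ppid -> [pid]
    artifacts = defaultdict(list)     # pid  -> [(kind, value)]
    injections = defaultdict(list)    # target_pid -> [source_pid]
    value_field = {"file": "path", "registry": "key", "network": "dest"}
    for e in events:
        kind = e["type"]
        if kind == "process":
            procs[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
            children[e["ppid"]].append(e["pid"])
        elif kind == "inject":
            injections[e["target_pid"]].append(e["pid"])
        elif kind in value_field:
            artifacts[e["pid"]].append((kind, e[value_field[kind]]))
    return {"procs": procs, "parent": parent, "children": children,
            "artifacts": artifacts, "injections": injections}


def ancestry(graph, pid):
    """Walk parent links from pid up to the root (or an unknown ppid), root first."""
    chain, seen = [], set()
    while pid in graph["procs"] and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = graph["parent"][pid]
    return list(reversed(chain))


def detection_context(graph, detected_pid):
    """Collect the processes and artifacts linked to a detected process.

    Links followed: the parent-child chain up to the root, descendants of the
    detected process, injection edges from any related process or into the
    detected one, and every file, registry key and network destination those
    processes touched. Siblings (e.g. notepad.exe above) are not pulled in.
    """
    chain = ancestry(graph, detected_pid)
    related = set(chain)
    stack = [detected_pid]
    while stack:                                   # descendants of the detection
        for child in graph["children"].get(stack.pop(), []):
            if child not in related:
                related.add(child)
                stack.append(child)
    inj_edges = []
    for target, sources in graph["injections"].items():
        for src in sources:
            if src in related or target == detected_pid:
                inj_edges.append((src, target))
                related.update((src, target))
    arts = {pid: graph["artifacts"][pid] for pid in related if graph["artifacts"].get(pid)}
    return {"chain": chain, "related": sorted(related),
            "injections": inj_edges, "artifacts": arts}


def render(graph, ctx):
    """Plain-text rendering: indented process chain, then injection and artifact edges."""
    name = lambda pid: f"{graph['procs'][pid]} ({pid})"
    lines = ["  " * depth + name(pid) for depth, pid in enumerate(ctx["chain"])]
    lines += [f"{name(s)} --inject--> {name(t)}" for s, t in ctx["injections"]]
    for pid, items in sorted(ctx["artifacts"].items()):
        lines += [f"{name(pid)} --{kind}--> {value}" for kind, value in items]
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(EVENTS)
    print(render(g, detection_context(g, 1337)))
```

Two caveats a responder would want: the sample events carry no timestamps, so the walk cannot tell which children of an injected target (explorer.exe here) were spawned after the injection, and it deliberately stops at the target's own artifacts rather than pulling in its whole subtree; real telemetry has timestamps, and edges should be ordered and pruned by them. Second, PIDs are reused on Windows, so a production tool keys processes on a (boot, pid, creation time) tuple or a sensor-issued unique ID, not on the bare PID used for brevity here.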

“Even the most experienced, skilled blue teams need tools to help them do their jobs well. Detectree is a simple tool, but it’s addressing real pain points that make work unnecessarily difficult and time consuming for security teams,” he said.

Detectree is now available for download on WithSecure Countercept’s GitHub page.

*Source: https://www.eweek.com/security/challenges-of-the-soc-decision-intelligence/


WithSecure

WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations.

Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd. 

Editorial contacts

Adam Pilkey
WithSecure media relations
(+35) 840 637 8859