Many companies struggle to understand malicious activity and their effects while a security incident is in progress. It eats up precious time and resources that defenders need to contain the attack and minimize damage. However, a new open-source tool built to increase visibility on suspicious activities detected by organizations aims to relieve this pain.
Detectree, developed by WithSecure (formerly known as F-Secure business), is a detection visualization tool for cyber security defense teams (also known as blue teams). According to Tom Barrow, a senior threat hunter for WithSecure’s managed detection and response service, WithSecure Countercept, finding the links between the suspicious events on an endpoint is paramount for responders.
“Visibility is always a priority, but it’s absolutely vital when responding to an incident,” explained Barrow. “Time is always working against incident responders. And looking through rows of text data and making connections between them and the suspicious activity under investigation is time spent not remediating the problem, which is a real waste when you’re under pressure to stop an attack.”
For example, if an analyst is attempting to find the cause of a suspicious process, they typically need to look through log data and manually reconstruct the chain of events. The longer the chain, the more difficult and time consuming it becomes to manage. And given the amount of security alerts blue teams with large companies can face–about 11,000 per day according to recent research–it’s a process that can overwhelm security teams and exacerbate problems like alert fatigue and burnout.
Detectree was designed to help blue teams simplify investigative work by structuring log data into a visualization that shows relationships between the suspicious activity detected and any processes, network destinations, files, or registry keys connected to that detection. Rather than manually sorting through data represented as text to reconstruct a chain of events, responders can look at the visualization to see not only the connections, but the nature of the connections, including interactions, parent-child relationships, and process injections.
Relying on the visualization lets responders quickly see the context surrounding a detection and share that data with relevant stakeholders in a simple, intuitive way to ensure the information is accessible to everyone that needs it.
“Even the most experienced, skilled blue teams need tools to help them do their jobs well. Detectree is a simple tool, but it’s addressing real pain points that make work unnecessarily difficult and time consuming for security teams,” he said.