Devo Security Operations
Devo Security Operations (SecOps) is a purpose-built, context-rich application framework that automates security expertise, speeds investigation and triage, reduces required resources and magnifies response capability.
The application uses different types of sources to detect and manage security threats. For instance, events from firewalls, IDS or proxies as in any Devo domain. This information could generate alerts, but also entities. An entity is something or somebody involved in any type of threat or associated with other suspicious entities. An entity may be a source IP or a server, but also a URL or a user. SecOps stores all the entities in a graph state database and uses them to relate the alerts and get valuable information about the origin of the threat to complete an investigation.
There is another source very important for SecOps: the feeds that come from the Devo MISP system. This system searches on the internet for any suspicious security feed and recovers all of them into different files that are stored in the Devo system as lookup files.
Once the sources are prepared, we only need to configure the proper alerts to take advantage of all this information. SecOps is mainly based on a set of alerts that need to be set on Devo tables using the Devo alerting framework. These alerts have been created by following specific security rules in order to cover the highest number of attacks. For instance, looking for strange user behavior, port scanning, denials of service, wrong URLs, large and uncommon user agents or suspicious interactions with DNS servers.
Finally, Devo uses flows configured in the system to enrich data from the alerts with feeds that come from different external sources and also create automatic investigations with no need for user interaction.
With all this information coming from different sources, users can access the application and start triaging alerts, creating investigations and performing hunting to search for specific events in the whole system.
The installation is provided by Devo, so users will be ready to start using the application once they access it in the Applications area of the Devo navigation pane.
How does Security Operations classify alerts?
SecOps alerts are mainly based on real-time data uploaded to Devo union tables, although this information is usually complemented with lookup tables (files with security feeds from MISP services) and machine learning models.
As said above, alerts are based on Devo union tables, so the application only needs to take information from those tables. For instance, alerts are taken from the firewall.all.traffic union table. This table gathers information from all the firewall technologies in the platform, so any customer could share data from different firewalls (Paloalto, Sophos, Juniper…) and the Security Operations application will set the alerts (and other necessary insights) using only the union table. There are union tables for each technology: firewall, web, proxy, edr, domains, authentication…
SecOps alerts are divided into four categories:
- Detection - Detections are static definitions based on known behaviors. These are alerts that pose a critical threat and must be triaged and added to an investigation immediately. For example, an RDP session occurred between <IP> and <IP> more than ‘X’ times in ‘Y’ minutes.
- Observation - Observations refer to a change in the behavior of an entity in a specific time period. These alerts pose a low threat and should be added to an investigation depending on the circumstances and user's criteria (for example, if there is a high number of these types of alerts). For example, an entity or customer role change in the server.
- Analytic - Analytics provide expertise across raw data, and provide insight from the data itself. These alerts do not pose a threat by themselves, but might be added to certain investigations to complement them. For example, look for a specific virus hash in a hash table.
- Models - Alerts obtained by running a machine learning model. For example, a Windows program shows a high number of DLLs and it is difficult to tell if it is suspicious or not by only analyzing raw data, so it is analyzed by running a machine learning process.
Apart from these categories, each alert has a priority level defined in the Devo platform (Info, Low, Medium, High or Critical). Learn more about alerts in Devo in Alerts and notifications.
Finally, alerts are also classified following the MITRE ATT&CK definition of techniques and tactics. Each technique has several tactics and alerts are assigned the ones that best define their nature. Learn more about the MITRE ATT&CK system here.
Security Operations lookups
There are three types of lookups: local lookups, multi-lookups and dynamic lookups.
Multi-lookups are available to all domains, but users cannot modify them. Some of them are SecOps configuration files, and some others store security information that comes from MISP services. This information is periodically updated in different ways. Some are static (for example CheckBackdoorConnection), some are updated weekly (for example SuspiciousFileExtension) and some others are updated daily (for example. farsight feeds).
Dynamic lookups are not-editable files that are periodically updated. The periodicity depends on the necessities of the alerts. These lookups contain values that are calculated with real data and are constantly changing. This data is used to improve the behaviour of the alerts. For instance, we can calculate the daily or weekly average of DNS traffic detected by a firewall. This average is stored in the dynamic lookup and then we can trigger an alert when detecting peaks.
Local lookups are available only on the domain the SecOps app is installed. The installation of these files is performed by the Devo team and they could be watched and modified by Admin users. The most important lookup is SecOpsAlertDescription, which contains the list of predefined alerts used in SecOps. The following capture shows two examples of these alerts.
Devo SecOps provides customers with a set of predefined security alerts designed by experts, which are one of the basic aspects of the application. Users can tune these alerts attending to their necessities, or create new custom alerts to include them into the SecOps application.
Nor the definition of these default alerts neither the instructions to create new ones are included in this manual. Anyways, you can download the lookup file including the alerts definitions here in case you need to check it.
User roles in the Security Operations app
In order to use the Security Operations app, you only need to be given access to the domain by the domain Admin. Once a user is given access to use SecOps, he or she could access the whole app without any restriction (this fact could change in future releases). The difference with other Devo vertical apps is that in SecOps, all actions could be persistent. This is very important when the app is deployed to run in a Security Operation Center environment (SOC).
Users in a SOC could be divided into operators and analysts. Although the Devo role to use SecOps may be the same to all, the way of using the app is clearly different depending on the type of user, and all of them have to share the actions and investigations done with the others when they finish the work shift. You could also have different levels of analysts; some of them may only take a quick look at the Overview Dashboard, open investigations, and write notes defining a suspicious event that needs to be investigated. Then, they may share the investigation with an operator to do a much deeper analysis or hunting.
Navigating the application
The area you first see when you access the Security Operations application is the Overview Dashboard, which offers at-a-glance monitoring information. The green top bar at the top area includes 4 icons to navigate through the different areas of the application, explained in detail in the following articles.
You can also check the items you have chosen to be added to an investigation by clicking the paper clip icon at the top right corner, and configure the application settings by clicking the gear icon next to it.
The Security Operations application has three main purposes: alerts triage, users investigations and threat hunting. All these activities are summarized in an Overview Dashboard, which is the entrance point of the app.
- Overview Dashboard - This is the first area you see when you enter the application, and offers a general overview of the system condition through a series of default widgets.
- Triage - This area allows analysts to filter and pivot both alerts and investigations by different parameters (type, name, keywords...)
- Investigations - Create and manage investigations based on suspicious alerts and assign them to the required users.
- Threat Hunting - This area allows users to perform a global search in order to identify suspicious events.
Click this iconat the top right corner of the application to access the following groups of configuration options:
GreyNoise, MISP, Cortex, Enigma, VirusTotal, Viper, Sighting, DomainTools, Blueliv, CrowdStrike, CarbonBlack, ThreatConnect
The Security Operations application is automatically enriched by different threat platforms to get the data required to analyze and label the alerts. However, if you have your own account in one of the available platforms, you can switch off its Use default toggle and specify your URL to get data from your service.
Click Save to apply any modifications.
File artifact storage
READ from, WRITE to
Switch off the Use default toggle if you want to specify the location where you want to store the files attached to investigations. Learn more in Investigations.
Click Save to apply any modifications.
List of DNS (comma separated)
The application resolves names using default DNS. Add server names here if you want to use custom DNS.
Click Save to apply any modifications.
This is a view of the location lookup used to resolve locations and geolocations from IP addresses.