New life in Evidence Collection and Incident Response: Binalyze AIR Patrol and TimelineIR
Recent research clearly shows that once an APT group finds a vulnerability in your system, it only takes a few hours to get what they need. Once you detect a security breach, time is no longer on your side. Every second you spend trying to figure out what's going on, you continue to lose money and reputation. That's why your analysts should be as fast as possible. Binalyze AIR is here with brand new features that will automate the workload and speed up the process. Binalyze AIR has gone one step further in the global competition thanks to the Patrol and Timeline IR features that come with the new 1.7.1 version. DFIR investigations are now up to a hundred times faster.
Patrol: From the moment the evidence is collected, anomaly detection is performed as False-Positive Free, and proactive and automatic reports are generated. In a work-from-home setup, you need to maintain dominance at the endpoints, no matter where the endpoints are and whichever network they are connected to. Simultaneous automated evidence search reporting at thousands of endpoints provides a fast and efficient way to do this.
TimelineIR: By placing all the evidence you have collected on a timeline during the collection phase, TimelineIR also allows many analysts to work at the same time. In this way, Binalyze AIR, which has already reduced your evidence collection time to minutes, greatly shortens your evidence analysis time.
This exciting release; In the light of the latest developments in the cyber world, you can watch our webinar, where we addressed the experts of the subject and answered the questions below, by discussing how KVKK and ISO27001/ISMS contribute to sustainability.
- What are the contributions of Binalyze AIR to the evidence collection process?
- What are TimelineIR and Patrol?
- What is the importance of TimelineIR and Patrol in terms of KVKK and ISO 27001?
- Can multiple analysts work on a simultaneous case?
- What is the proactive contribution of the new version to the incident response solution?
- Can devices such as SIEM, SOAR trigger Binalyze AIR?
- Can Binalyze AIR talk to SIEM?
- Where can the collected evidence be recorded?
- What is a passive agent and how much is its resource usage?
- What are the contributions of Binalyze AIR to incident response in working from home setup?
[mnky_heading title=”QUESTION-Answer” line_color=”#dd1818″]
Where is the evidence collected?
The collected evidence is kept locally, but you can create a network storage area and collect all the evidence there.
Isn't the parcel process done after collecting the evidence?
Since the evidence is parsed while it is being collected, no further parsing is carried out.
It can be triggered by SIEM, but can it be triggered anywhere by AIR?
Binalyze not only gets triggers from SIEM but also talks to SIEM. After receiving the trigger from Binalyze AIR SIEM, it sends Audit Logs to SIEM with Syslog integration.
You mentioned Active Directory Deployment, is it deployed directly from AIR to all endpoints?
In endpoint installations, you can manually deploy agents to endpoints and deploy them to the endpoints you want via Active Directory. Endpoint agents are SCCM supported.
So how can resource usage agenda be so low because all other agents are using a certain resource?
By using the passive agent method, Binalyze AIR keeps resource usage to a minimum by not monitoring anything at the endpoints unless you do an evidence gathering process. Besides, you can limit resource usage via Binalyze AIR Console to manage resource usage while you are collecting evidence.
Is it okay to enter Active Directory information into AIR?
Binalyze AIR does not require any Admin account authority on Active Directory. To increase endpoint visibility, simply create a user with normal rights on Active Directory.
Do the extracted reports have integration with Case Management like TheHive?
Hive reports integration will come automatically in future versions. Since the currently submitted reports are given in json format, manual integration can be done even now.
What exactly is Patrol?
Patrol False-Positive is a module that provides high visibility during the examination phase by detecting anomalies on the evidence collected as purified.
Can we see the rules in the Patrol and intervene?
These rules will be published and announced on the Cloud in the near future, and you can view them on Binalyze's Github account. You will soon be able to add rules that can see these rules over the cloud.
Can a collective rule be given to Patrol?
In the near future, you can give a batch rule as a "ZIP" file and then apply it on your cases.
Can we personally do a demo review?
For your personal experience of Binalyze AIR here you can get your 1-month 100 endpoint supported license.
Scheduled Acquisition appears but can it be done in Scheduled Investigation?
Currently, Scheduled Acquisition is in progress, and Scheduled Investigation will be added to TimelineIR in the near future.
How is the product's security measures taken? Does it have regular pentest and code analysis processes?
Regular pentest and code analysis processes are performed on Binalyze AIR.
[mnky_heading title=”SPEAKERS” line_color=”#dd3333″]
Moderator
Erdem Eriş
CyberArts
Founder & General Manager
Emre Tınaztepe
Binalyze
Managing Director
Oğuzhan Kanar
CyberArts
Technical Account Manager
KVKK, ISO 270001, Bilgi Güvenliği, Siber Güvenlik ve Bilgi Teknolojileri konularında destek ve teklif almak için lütfen