Allison Averill
Apr 2018

How to Respond to Incident Alerts in the New Barkly


Learn how new features in Barkly's Endpoint Protection Platform can help you respond to every security incident faster and with more confidence.

In the old days of endpoint security, when you relied on signature-based AV, incident alerts were clear cut: if your AV quarantined a file, you could be confident it was malicious because the AV had matched it directly against a known malware signature. With modern endpoint protection like Barkly, it's not always so black and white.

Instead of signature matching, Barkly analyzes file attributes and process behaviors in real time to identify malware. The upside of this approach is huge: Barkly can block never-before-seen file-based, exploit-based, and script-based attacks that signature AV can't. The catch? Without a direct signature match, it sometimes takes more investigation to understand exactly what an incident is and how it happened. Luckily, Barkly is making that investigation process easier than ever.

We’re excited to help our customers close the loop on every Barkly incident alert with a new set of tools to triage, contain, investigate, and take action on incidents wherever you are — even with a few clicks from your phone. 

In this blog post, we’ll cover best practices for using these features so you can confidently respond to every incident.

[Screenshot: Barkly mobile portal]

Step 1: Triage

Incidents can happen anytime, whether you’re at the office or not. When you see an incident alert from Barkly on your desktop or smartphone, your first question might be, “Do I need to respond to this right now?” We’ve made this easier by allowing you to tag certain endpoints as priority endpoints.

Incident groups that affect priority endpoints will have a star next to them in the portal, so you can more quickly identify and respond to them. Servers are automatically treated as priority, and you can tag any other endpoints you want, such as your CEO’s laptop or other business critical systems.

Step 2: Contain

When protection is on, Barkly automatically contains every incident by blocking the malicious process, preventing the attack from executing. Now, we’re introducing two additional ways to ensure that attacks are fully contained — not only does Barkly block malicious processes, it also enables you to automatically quarantine malicious executables and isolate any endpoints involved.

[Screenshot: View Quarantine]

Automatic quarantine prevents end users from tampering with a malicious file, or making further attempts to run it, by moving the file to a quarantine folder and encrypting it there. As a Barkly admin, you can view quarantined files from the Incident Detail page of the portal by selecting Quarantine. You can release a file from quarantine by applying an Incident Override. You can enable Automatic Quarantine from the Protection page in settings to start using it today.

[Screenshot: Manage Endpoint Isolation]

Isolating endpoints offers an additional safeguard to ensure that a potential attack is contained. Isolating an endpoint cuts off all of that endpoint's network connections except the one to the Barkly service, which is what lets you manage it and later release it from the portal. If you're not sure what caused an incident, you can isolate the endpoint while you investigate, preventing the end user from downloading additional malware or from sending malicious executables to other devices. Isolating rather than powering the machine off also keeps running processes and memory available for your investigation. Once your investigation and any remediation actions are complete, you can bring the endpoint back online from the Barkly portal.

Step 3: Investigate

Before you can determine the appropriate response actions for an incident, you need to understand what it is and how it happened. Barkly’s incident detail page is designed to deliver answers. Here are a few key features and how they help you:

VirusTotal Lookup

If you don't recognize the process name associated with the incident, use the shortcut link to look up the file's hash in VirusTotal. The results show whether this exact sample has been seen before and whether other antivirus engines have flagged it as malicious. Two caveats: a hash with no VirusTotal record is unknown, not benign, since never-before-seen samples are precisely what Barkly is designed to catch; and looking up the hash, rather than uploading the file, keeps potentially sensitive documents from leaving your organization. If your investigation shows the file is benign, you can apply an override. If it is malicious, you can investigate further to determine the root cause of the incident.
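The lookup described above, as an added example that is not Barkly's code: it hashes a sample, builds the VirusTotal portal and API v3 URLs for that hash, and turns the API's `last_analysis_stats` counts into a triage verdict, treating "never seen" as unknown rather than benign. The sample bytes are the standard EICAR test string (constructed input); the network call is only attempted when a `VT_API_KEY` environment variable is set, which is an assumption of this example, and everything else runs offline.

```python
"""Identify a blocked sample by hash and interpret a VirusTotal lookup.

Added example, not Barkly's code. SAMPLE is the EICAR test string
(constructed, harmless input). fetch_stats() only runs when a VirusTotal
API key is supplied via VT_API_KEY (assumed); the rest works offline.
"""
import hashlib
import json
import os
import urllib.error
import urllib.request
from typing import Dict, Optional

# Constructed input: the 68-byte EICAR anti-malware test file (no trailing newline).
SAMPLE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of the bytes. Look samples up by hash, never by file name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def virustotal_urls(sha256: str) -> Dict[str, str]:
    """Portal link for a human analyst and API v3 endpoint for a script."""
    return {
        "gui": f"https://www.virustotal.com/gui/file/{sha256}",
        "api": f"https://www.virustotal.com/api/v3/files/{sha256}",
    }


def classify(stats: Optional[Dict[str, int]], malicious_min: int = 3) -> str:
    """Turn last_analysis_stats into a triage verdict.

    None means VirusTotal has no record of the hash. That is 'unknown', not
    benign: a never-before-seen file is exactly the case a behavioural block
    exists to catch, so the process lineage has to decide it.
    """
    if stats is None:
        return "unknown (never submitted; treat as untrusted)"
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= malicious_min:
        return f"malicious ({malicious} engines)"
    if malicious or suspicious:
        return f"suspicious ({malicious} malicious, {suspicious} suspicious)"
    return "no detections (not proof of benign; check the process lineage)"


def fetch_stats(sha256: str, api_key: str) -> Optional[Dict[str, int]]:
    """Query VirusTotal API v3 by hash; returns None on 404 (hash unknown).

    Querying the hash never uploads the file, so nothing sensitive leaves the
    organisation. Any error other than 404 is raised to the caller.
    """
    req = urllib.request.Request(virustotal_urls(sha256)["api"],
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    hashes = file_hashes(SAMPLE)
    print(hashes)
    print(virustotal_urls(hashes["sha256"])["gui"])
    key = os.environ.get("VT_API_KEY")  # assumption: key supplied via environment
    if key:
        print(classify(fetch_stats(hashes["sha256"], key)))
    else:
        # Offline walk-through with constructed counts in the API's last_analysis_stats shape.
        for stats in (None,
                      {"malicious": 0, "suspicious": 0, "undetected": 60},
                      {"malicious": 1, "suspicious": 2, "undetected": 57},
                      {"malicious": 58, "suspicious": 0, "undetected": 2}):
            print(stats, "->", classify(stats))
```

The `malicious_min` threshold is a judgement call: a single engine hit on an otherwise clean sample is worth a closer look, not an automatic delete, so the verdict strings above keep "suspicious" and "malicious" apart.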

[Screenshot: VirusTotal Lookup]

Reported User Feedback

When Barkly blocks something on a device, the end user sees a popup. You can now opt to include a questionnaire in that popup (configurable via the Notifications page in settings) that asks the end user for context about what they were doing at the time of the incident. The user's response automatically appears on the Incident Detail page as Reported User Feedback. You can use this information to assess the root cause of an incident.

For example, if the user reports that he or she was “Opening an email attachment,” as in the example below, it is likely that the incident started as a phishing email.

[Screenshot: Reported User Feedback]

Incident Path Visualization

The Incident Path Visualization graphically displays the processes that were running on the system at the time of the incident and traces the blocked process back to its origin through its chain of parent processes. You can use this information to form a hypothesis about the root cause of the incident or to cross-check the reported user feedback.

For example, if the visualization shows that the blocked process was launched from a Microsoft Office document whose parent process is outlook.exe, you can confirm that the incident stemmed from a phishing email.
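The same lineage check done by hand, as an added example that is not Barkly's code: given a process snapshot (pid, parent pid, image name, command line), it walks from the blocked process up through its parents and names the pattern it finds, here the outlook.exe to Office document to script host chain the post describes. The snapshot is constructed; as on a real Windows desktop, explorer.exe's parent has already exited, so the walk has to cope with ancestors that are missing from the snapshot, and it guards against pid reuse creating a cycle.

```python
"""Trace a blocked process back to its origin in a process snapshot.

Added example, not Barkly's code. SNAPSHOT is a constructed process list of
the kind a process-tree view is built from. pid/ppid alone are ambiguous once
pids are reused, so real telemetry should also carry process start times.
"""
from typing import Dict, List, Optional

Process = Dict[str, object]

# Constructed snapshot of the endpoint at incident time (not real telemetry).
# explorer.exe's parent (userinit.exe, pid 700) exited long ago, so its ppid
# no longer resolves; svchost.exe 6001 has the same problem.
SNAPSHOT: List[Process] = [
    {"pid": 4,    "ppid": 0,    "image": "System",       "cmdline": ""},
    {"pid": 812,  "ppid": 700,  "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2044, "ppid": 812,  "image": "OUTLOOK.EXE",  "cmdline": "OUTLOOK.EXE"},
    {"pid": 3310, "ppid": 2044, "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "Invoice_2018-04.docm"'},
    {"pid": 5120, "ppid": 3310, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A..."},
    {"pid": 2900, "ppid": 812,  "image": "chrome.exe",   "cmdline": "chrome.exe"},
    {"pid": 6001, "ppid": 9999, "image": "svchost.exe",  "cmdline": "svchost.exe -k netsvcs"},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def index_by_pid(snapshot: List[Process]) -> Dict[int, Process]:
    return {int(p["pid"]): p for p in snapshot}


def ancestry(snapshot: List[Process], pid: int) -> List[Process]:
    """Return the chain root -> ... -> pid.

    Stops when a parent is absent from the snapshot (exited before capture)
    and refuses to loop if pid reuse has produced a cycle.
    """
    index = index_by_pid(snapshot)
    chain: List[Process] = []
    seen = set()
    cur: Optional[Process] = index.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = index.get(int(cur["ppid"]))
    chain.reverse()
    return chain


def images(chain: List[Process]) -> List[str]:
    """Lower-cased image names, root first."""
    return [str(p["image"]).lower() for p in chain]


def lineage_complete(chain: List[Process]) -> bool:
    """True only if the walk reached a true root (ppid 0) with no ancestor missing."""
    return bool(chain) and chain[0]["ppid"] == 0


def classify_chain(chain: List[Process]) -> str:
    """Name the ordered lineage pattern the chain matches, if any."""
    names = images(chain)

    def first(group):
        return next((i for i, n in enumerate(names) if n in group), None)

    mail, office, script = first(MAIL_CLIENTS), first(OFFICE_APPS), first(SCRIPT_HOSTS)
    if None not in (mail, office, script) and mail < office < script:
        return "likely phishing: mail client -> Office document -> script host"
    if office is not None and script is not None and office < script:
        return "suspicious: Office application spawned a script host"
    return "no known lineage pattern"


if __name__ == "__main__":
    for blocked in (5120, 2900, 6001):
        chain = ancestry(SNAPSHOT, blocked)
        print(f"pid {blocked}: {' -> '.join(images(chain))}")
        print(f"  {classify_chain(chain)}; lineage complete: {lineage_complete(chain)}")
```

An incomplete lineage is not itself suspicious (every desktop process descends from something that exited), but when the chain stops one hop above the blocked process it is a cue to look at the command line and the user's reported feedback rather than the tree alone.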

[Screenshot: Incident Path Visualization]

Step 4: Act

Once your investigation is complete, Barkly lets you take action on the incident. If your investigation confirms that a quarantined file is malicious, you can permanently delete it from the affected endpoints. If you are certain the incident is benign, you can apply an override, which releases the file from quarantine and tells Barkly not to block it in the future; because an override removes that protection, apply one only when you are certain. You can also apply what you learned from the investigation to improve your own security policies. To use the phishing example again, you might invest in additional user training so that users recognize and avoid potential phishing attacks.

Start Using These Features Today

These features are now live in the Barkly portal for current Barkly customers on versions 2.11.1 and higher. If you’re not currently a Barkly customer and would like to learn more about these features, sign up for a demo and a member of our team will be in touch.

Allison Averill


Allison works on the product team at Barkly. She writes about the latest tech trends and how they impact endpoint security.
