FCSS_ADA_AR-6.7 Conditions and Remediation

Conditions and Remediation Detailed Explanation

This section explains how conditions define when to respond to potential threats and how remediation executes actions to handle those threats.

Conditions

Definition:

• A condition is a rule or criterion that determines when to trigger a security response.
• Example: “If traffic from an untrusted IP address is detected, raise an alert.”

Types of Conditions

1. Static Conditions:

   • These are fixed and predefined conditions that don’t change dynamically.
   • Example:
     • Block any traffic from a specific blacklisted IP.
     • Alert if a user named "admin" logs in from an unusual location.

2. Dynamic Conditions:

   • These are real-time conditions based on continuous analysis and changing patterns.
   • Example:
     • Flag if there is a sudden surge in traffic (e.g., 1000% above baseline).
     • Detect unusual user behavior, such as a login from a new country followed by sensitive file downloads.

Steps to Build Conditions

1. Identify Key Activities or Metrics to Monitor:

   • Choose what’s important to track, such as:
     • Login attempts.
     • Data transfers.
     • Network traffic.

2. Define Parameters for the Conditions:

   • Set specific triggers using:
     • Time range: E.g., “Trigger if this happens between midnight and 6 AM.”
     • Thresholds: E.g., “Alert if failed login attempts exceed 5 in 10 minutes.”
     • Data sources: Use logs, user activity, or network traffic data.

3. Test and Refine Conditions:

   • Make sure the conditions work as intended in real-world scenarios.
   • Avoid conditions that trigger too many false positives.

Remediation

Definition:

• Remediation refers to the actions taken to respond to detected threats.
• It can either be automated (handled by the system) or manual (handled by security teams).

Types of Remediation

1. Automated Remediation:

   • Actions taken instantly without human intervention to stop or limit a threat.
   • Examples:
     • Block traffic from a malicious IP.
     • Isolate an infected device to prevent it from spreading malware.
     • Automatically modify firewall rules to stop further intrusion.

2. Manual Remediation:

   • Actions taken by security teams after analyzing the incident.
   • Examples:
     • Investigating a suspicious alert to confirm if it’s a real threat.
     • Patching a software vulnerability identified during an attack.
     • Restoring systems after an incident.

Remediation Orchestration Tools

• FortiSOAR:
  • A tool that integrates various security systems (e.g., firewalls, endpoint protection tools) to automate and coordinate remediation actions.
  • How it works:
    • FortiSOAR can trigger multiple actions at once, such as:
      • Isolating an infected host.
      • Blocking malicious domains.
      • Notifying the admin team.

Example Remediation Process

1. Detect a Threat:

   • FortiSIEM identifies suspicious activity, such as unusual login behavior.

2. Determine Trigger Conditions:

   • The condition could be:
     • "If the same user logs in from two countries simultaneously, trigger remediation."

3. Execute Automated Remediation Actions:

   • The system might:
     • Block the user’s account temporarily.
     • Notify the administrator of the suspicious activity.

4. Verify the Incident:

   • Security teams review the incident to confirm if the threat is real or a false alarm.

5. Follow-Up Actions:

   • For a confirmed threat:
     • Apply permanent fixes (e.g., patch vulnerabilities or reset user credentials).
   • For a false alarm:
     • Adjust rules or conditions to avoid similar mistakes.

Analogy to Simplify Understanding

Think of conditions and remediation as the rules and responses for a building's fire alarm system:

1. Conditions:
   • A fire alarm rings only when certain conditions are met, such as detecting smoke or a sudden temperature increase.
2. Remediation:
   • Automated actions include sprinklers turning on.
   • Manual actions involve firefighters responding to the alarm.

Summary

1. Conditions:

   • Define when to trigger a security response.
   • Can be static (fixed rules) or dynamic (real-time analysis).

2. Remediation:

   • Executes actions to address threats.
   • Can be automated (blocking IPs, isolating devices) or manual (investigations, patching).

3. Example Process:

   • Detect → Trigger Condition → Execute Action → Verify → Follow-Up.

4. Tools like FortiSOAR can automate and streamline remediation, making responses faster and more effective.

Conditions and Remediation (Additional Content)

1. False Positives vs. False Negatives in FortiSIEM Conditions and Remediation

False Positives (Incorrectly Flagged Threats)

• Problem: A harmless action is mistakenly classified as a security threat.
• Example: A new employee logs in from a new device and is flagged as suspicious.
• Causes:
  • Overly strict conditions that trigger alerts on normal behavior.
  • Lack of context-awareness in rule-based detection.
  • Poorly optimized thresholds leading to excessive alerts.

False Negatives (Missed Threats)

• Problem: A real security threat is not detected because it does not meet predefined conditions.
• Example: A low-and-slow data exfiltration attack stays below detection thresholds and goes unnoticed.
• Causes:
  • Static rules that do not adapt to evolving attack techniques.
  • Isolated event analysis without considering broader attack patterns.
  • Lack of cross-platform correlation between endpoint, network, and user activities.

Optimization Strategies

1. Using Machine Learning and UEBA to Reduce False Positives

• Implement User and Entity Behavior Analytics (UEBA) to distinguish between legitimate user deviations and real threats.
• Example: Instead of flagging every new device login, FortiSIEM can analyze historical login behavior and adjust alert thresholds dynamically.

2. Refining Threshold-Based Conditions

• Use adaptive baselines to prevent false alarms from temporary behavior changes.
• Example: A user accessing twice as many files as usual should not immediately trigger an alert unless other suspicious factors are present.

3. Leveraging Correlation Analysis to Reduce False Negatives

• Single events may not indicate an attack, but a combination of behaviors might.
• Example:
  • A single failed login attempt is normal.
  • Five failed logins + a new IP address + access to sensitive files = high-risk alert.

4. Baseline Analysis for Anomaly Detection

• Baseline monitoring can detect slow-growing threats that single-event rules might miss.
• Example: If a user's data transfers increase by 5% daily for a month, it may indicate data exfiltration.

2. Condition Execution Prioritization in FortiSIEM

Why Prioritization Matters

In a complex SOC environment, multiple conditions may be triggered at the same time. Prioritizing execution ensures:

• Critical threats receive immediate action.
• Lower-priority violations do not overload security teams.
• Automated actions do not interfere with ongoing investigations.

How FortiSIEM Prioritizes Conditions

• Severity-Based Execution

  • FortiSIEM allows security teams to assign severity levels to conditions:
    • High Priority: Network intrusion attempts, privilege escalation, malware execution.
    • Medium Priority: Multiple failed logins, sensitive file access anomalies.
    • Low Priority: Policy violations (e.g., USB device connection, failed authentication outside work hours).

• Example Prioritization Strategy

  Priority Level	Example Condition	Action Taken
  Critical (High)	DDoS attack detected	Immediate firewall block
  High	Suspicious privileged access	Auto-lock user account
  Medium	Multiple failed logins from different locations	Generate alert, send to SOC
  Low	Unauthorized USB drive usage	Log event, no immediate action

• Best Practices

  • Assign higher priority to network-level threats that require instant mitigation.
  • Optimize detection rules to prevent too many conflicting alerts.
  • Use risk scoring mechanisms to dynamically adjust priorities.

3. Security Incident Lifecycle in FortiSIEM

To ensure effective remediation, security teams follow a structured approach known as the Incident Response Lifecycle.

1. Detection

• Identify suspicious activity using FortiSIEM’s rule-based detection, UEBA, and threat intelligence feeds.
• Example: A sudden increase in failed login attempts is detected.

2. Analysis

• Assess the severity and impact of the event.
• Correlate multiple data sources (network logs, endpoint activity) to determine whether it is a legitimate threat.
• Example: A user logging in from two countries simultaneously may indicate account compromise.

3. Containment

• Limit the impact of the attack by applying temporary security controls.
• Automated containment actions may include:
  • Blocking malicious IPs.
  • Disabling compromised user accounts.
  • Quarantining infected endpoints.

4. Eradication

• Identify the root cause of the attack and eliminate it from the environment.
• Actions may include:
  • Patching vulnerabilities.
  • Removing malware.
  • Revoking compromised credentials.

5. Recovery

• Restore systems to normal operation.
• Validate that no further threats exist.
• Example: A compromised server is restored from a clean backup.

6. Lessons Learned

• Review the attack path and update FortiSIEM rules to prevent similar attacks.
• Train SOC analysts on new attack techniques and response strategies.

4. FortiSIEM and FortiSOAR Integration for Automated Response

Why Integrate FortiSIEM with FortiSOAR?

• FortiSIEM detects and alerts on threats.
• FortiSOAR orchestrates and automates the response process.
• Together, they create a closed-loop security system.

Use Cases of FortiSIEM + FortiSOAR

1. Automated Threat Containment

• FortiSIEM detects a suspicious IP attempting multiple failed logins.
• FortiSOAR automatically blocks the IP in the firewall.

2. Incident Response Playbooks

• FortiSIEM detects a ransomware infection.
• FortiSOAR executes a playbook:
  • Isolates infected endpoints.
  • Notifies the security team.
  • Blocks further suspicious activity.

3. Reducing Incident Response Time

• Without automation, SOC teams must manually review alerts.
• With FortiSOAR:
  • Low-priority alerts are auto-resolved.
  • Critical threats receive instant action.

Example Workflow:

Step	Action	Tool Used
1. Detection	FortiSIEM detects malware on endpoint	FortiSIEM
2. Correlation	Correlates with firewall and user behavior logs	FortiSIEM
3. Decision	Determines threat severity and response action	FortiSOAR
4. Response	Blocks malicious IP, isolates endpoint, and resets credentials	FortiSOAR
5. Review	SOC team verifies actions and adjusts rules if needed	FortiSIEM + FortiSOAR

Conclusion

1. False Positives & False Negatives

• Machine learning and UEBA-based behavior analysis reduce false positives.
• Baseline analysis and correlation help prevent false negatives.

2. Prioritization of Conditions

• Assign priority levels to security conditions.
• Automate critical threat containment while logging lower-priority events.

3. Incident Response Lifecycle

• Follow a structured response process: Detect → Analyze → Contain → Eradicate → Recover → Improve.
• Ensure rapid recovery and long-term security improvements.

4. FortiSIEM + FortiSOAR Integration

• FortiSIEM detects, while FortiSOAR automates response.
• Reduces SOC workload and accelerates response time.