TIPS#7 Incident response with an XDR

Jerome Athias (TEHTRIS)
This talk is feedback from our CERT team about how and why we use an XDR to respond to security incidents. We will show how it differs from traditional techniques, i.e. responding with a DFIR tool. A real-life example is the response to a ransomware attack against a hospital. When time is critical, using proper tools that are easy to deploy and offer the right technical functionality is paramount. We will explain how an XDR answers these needs. The forensics part will be explained; this function is rarely implemented directly in open incident response frameworks, and we will demonstrate how it is used and why it is useful. Another advantage is that the XDR requires only a single agent to be deployed on the hosts. With the support of an integrated tactical SIEM, collecting events and logs from the hosts is faster and easier. The use of an EDR allows a vaccine to be created and deployed efficiently for malware eradication; what it is and how to configure it will be explained. It blocks malware from spreading and allows a quick return to production, something traditional frameworks don't allow. This matches the victim's expectations and covers end-to-end incident response.
Jerome Athias is a cybersecurity expert with 20 years of experience. He has worked for large companies around the world as a pentester, consultant and in SOCs. He is now Senior CERT Consultant for TEHTRIS. He has been a speaker at industry conferences including Black Hat and RSA.