RedSeal App for Incident Investigation

110247

RedSeal Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

RedSeal | Community

Makes use of the Integration Command feature within ArcSight to provide the user the ability to launch an incident investigation from any selected IP address, which pulls up detailed threat source information inside RedSeal.

65 downloads

Description

Once a threat is detected in ArcSight ESM, the incident response team begins a thorough investigation into the extent of the breach. They’ll ask five questions:

What is the compromised device?
Where is it physically and logically located?
Can it access other assets?
Can an untrusted network reach the potential threat?
What are the pathways to these assets?

RedSeal provides all the tools you need to quickly answer these questions. For example, it provides the OS, applications (services), MAC address, the device’s subnet (e.g., Finance, Sales, Engineering), and the policy group it is part of. It also gives you the switch and port number the device is connected to.

Importantly, RedSeal also provides a list of downstream assets that the compromised device can access. This list is prioritized based on the downstream target’s asset value and the severity of known vulnerabilities that can be exploited. RedSeal also shows you detailed host information for each reachable asset. In addition, you’ll be able to see detailed pathways to these downstream assets, including the firewall rule (or ACL) that is allowing access to these devices.

You’ll also want to know if the compromised host can be accessed from an untrusted network. If it can, it might be connecting to a command and control server, which could be exfiltrating confidential information. In this case, containment is a high priority and you can use RedSeal’s detailed path information to locate a firewall or ACL that can block access.