Introduction
Like the people and technology powering your business, threat actors work around the clock trying to infiltrate, disrupt, or steal data from organizations. While the technologies and methodologies used to protect against cyber-attacks continue to evolve, the tools and strategies used by threat actors are evolving at the same rate.
Responding to every single threat by hand, and in time, can be difficult in a continually changing business and digital environment. While alerts bring a certain level of value, immediate action may be the difference between a secured environment and a serious cyber security incident. Field Effect's Active Response gives our analysts advance permission to respond to threats immediately, in a way that respects your organization's tolerance for risk and potential downtime.
Your organization's tolerance for risk is communicated through the response policy (Off, Limited, Balanced, or Aggressive) you select in the MDR Portal. By default, this feature is set to the Balanced policy. This article explains Active Response in more detail, introduces the response policies and some of our response actions, and points to example scenarios.
Table of contents
- Introduction
- Video - Active Response: Overview
- What is Active Response?
- Response Policies
- Response Actions
- Reacting to Active Response Actions
Video - Active Response: Overview
What is Active Response?
Active Response gives our analysts immediate access to intervene when a threat is detected in your environment. Depending on the response policy your organization sets in the Field Effect MDR Portal, our analysts will intervene with response actions that can stop the threat or resolve the vulnerability. The more aggressive the response policy, the more aggressive the response action can be.
A response action may involve human intervention, but if a threat is severe and clearly identified with high confidence, Field Effect MDR may initiate an automated response action. A common example of an automated response action is host isolation, where the endpoint agent stops all network connectivity for the host except the agent's own connection to Field Effect MDR, so our analysts keep visibility and control of the host while the threat is contained. To see example scenarios that outline how each response policy would intervene with a given threat, see Active Response: Example Scenarios.
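The isolation described above is a default-deny network policy with a single carve-out for the management channel. The following model of such a policy is an added example, not Field Effect's agent code: it assumes a Linux host enforcing the policy with nftables, a hypothetical MDR backend at 203.0.113.10 on TCP 443 (a constructed TEST-NET-3 address), and a hypothetical hostname mdr.example.invalid. The real agent's addresses, ports and enforcement mechanism are not published on this page. The example shows the fail-closed behaviour, how an exclusion for a business-critical service is expressed, and one caveat a practitioner hits in practice: the backend must be resolved to an address before the policy goes live, because DNS is blocked along with everything else once it does.

```python
"""Model of a host network-isolation policy: block everything except the
management channel (plus loopback and explicit exclusions).

Added example only; not Field Effect's implementation. Assumptions:
  - Linux host, nftables available to apply the rendered ruleset
  - hypothetical MDR backend 203.0.113.10:443 (constructed address)
  - IPv4 destinations in exclusions
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class IsolationPolicy:
    mdr_backend: str                       # IP the management channel must keep reaching
    mdr_port: int = 443
    exclusions: Tuple[Tuple[str, int], ...] = ()   # (ip, port) pairs kept reachable

    def is_allowed(self, dst_ip: str, dst_port: int) -> bool:
        """Default deny: only loopback, the MDR channel and listed exclusions pass."""
        if ipaddress.ip_address(dst_ip).is_loopback:
            return True
        if dst_ip == self.mdr_backend and dst_port == self.mdr_port:
            return True
        return (dst_ip, dst_port) in self.exclusions

    def nftables_rules(self) -> str:
        """Render the same policy as an nftables ruleset with a drop default.

        Outbound: loopback, the MDR channel and exclusions only.
        Inbound: loopback and replies to connections the host itself opened;
        nothing can initiate a new connection into the isolated host.
        """
        lines = [
            "table inet isolation {",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    oif lo accept",
            f"    ip daddr {self.mdr_backend} tcp dport {self.mdr_port} accept",
        ]
        for ip, port in self.exclusions:
            lines.append(f"    ip daddr {ip} tcp dport {port} accept")
        lines += [
            "  }",
            "  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    iif lo accept",
            "    ct state established,related accept",
            "  }",
            "}",
        ]
        return "\n".join(lines)


def build_policy(backend_hostname: str, port: int = 443,
                 exclusions: Tuple[Tuple[str, int], ...] = (),
                 resolver: Callable[[str], str] = socket.gethostbyname) -> IsolationPolicy:
    """Resolve the backend BEFORE isolating.

    Once the drop policy is live, DNS is blocked too, so a policy keyed on a
    hostname would lock the agent out of its own management channel. The
    resolver is injectable so this can be exercised offline.
    """
    backend_ip = resolver(backend_hostname)
    ipaddress.ip_address(backend_ip)  # raise early on a bogus resolver result
    return IsolationPolicy(backend_ip, port, exclusions)


if __name__ == "__main__":
    # Constructed values: no network is touched because the resolver is faked.
    policy = build_policy("mdr.example.invalid", 443,
                          exclusions=(("192.0.2.5", 445),),
                          resolver=lambda host: "203.0.113.10")
    print(policy.nftables_rules())
    for dst in (("203.0.113.10", 443), ("203.0.113.10", 80), ("8.8.8.8", 53), ("192.0.2.5", 445)):
        print(dst, "allowed" if policy.is_allowed(*dst) else "dropped")
```

The exclusion tuple is the mechanical counterpart of the per-asset exclusions discussed under Response Policies: a file server or domain controller that must stay reachable is listed explicitly, and everything not listed is dropped. Note that the rendered ruleset is deliberately written as a separate table so it can be removed with a single `nft delete table inet isolation` when the host is released.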
Active Response is also available for select cloud services (Google Workspace and Microsoft 365), which allows Field Effect MDR to monitor, and respond to, cloud accounts suspected of being compromised. A common example of a cloud response action would be to lock a compromised account.
When Active Response performs a response action, you can choose whether the endpoint device receives a notification, which can be enabled, disabled, and customized in the Field Effect MDR Portal. If notifications are disabled, Active Response will still behave exactly as it should, but end users will have no knowledge of Active Response or its activity on the device.
Response Policies
By default, Active Response is enabled and set to the Balanced policy. When onboarding Field Effect MDR, be sure to review your Active Response configuration and ensure it aligns with your organization's tolerance for risk and potential downtime.
Since response actions can lock, isolate, or shut down a compromised asset, they have the potential to cause downtime if a business-critical service or endpoint is affected by a response action. To limit these situations, select a response policy that suits your organization's tolerance for risk. The more aggressive the response policy, the more aggressive the response action will be.
Our security analysts continuously refine and expand the rulesets that power Active Response. While these high-confidence rulesets effectively prevent real-world malicious activity, you will always receive an ARO (Action, Recommendation, or Observation) when malicious activity or vulnerabilities are discovered, regardless of your Active Response settings. It's also important to note that Active Response operates at the endpoint device's process and execution level.
While setting up a response policy, you can customize it with exclusions and modifications. If an endpoint device or service is absolutely critical to your business operations, you can exclude it from the policy. For more granular custom modifications (such as allow-listing key management applications), submit a request to support@fieldeffect.com.
To learn more about our response policies, and how to edit them, see Response Policies: Overview and Configuring Active Response.
Available Response Policies
Selecting a response policy informs which endpoint agent policies are deployed and whether an analyst should perform a host-based response action, such as a network isolation or system shutdown. Making exclusions or modifications to a response policy could influence which policies are deployed to an endpoint. To learn more about Response Policies, see Response Policies: Overview.
The “Off” Policy
Field Effect MDR will passively monitor the environment and send AROs when required, but Active Response will not be triggered, and an analyst will not take host-level actions unless requested by the organization.
The “Limited” Policy
This policy allows Field Effect to perform basic response actions against activity that has consistently been identified as malicious, with a low rate of false positives. Selecting this policy also informs our analysts that they can take measured host-level actions, while considering the potential business impact on the system.
The “Balanced” Policy
This policy allows Active Response and our analysts to use a larger set of response actions. While this could result in occasional blocks against legitimate activity, it is the recommended policy setting for organizations with standard risk tolerances.
This policy is enabled by default when starting with Field Effect and it is continuously refined by our analysts to keep false positives to a minimum.
The “Aggressive” Policy
This policy is the same as Balanced, but will respond to, and block, activity for an even larger set of detections. This may result in occasional blocking against legitimate user and software activities but is often worthwhile for organizations with increased risk, or during the mitigation of an active incident.
Response Actions
Response actions are the steps that Field Effect, or our analysts, take when eliminating an identified threat or vulnerability. Response actions include terminating processes, blocking access to domains, and isolating hosts from the network. To learn more about how we determine response actions, see Response Actions: Overview.
To learn about the response actions each response policy would employ across common attack scenarios, see Active Response: Example Scenarios.
Reacting to Active Response Actions
Clients can react to Active Response actions just as they would for any other ARO (see Working with AROs) but with the added confidence of knowing that Field Effect already took action to deal with the threat.