Difenda Incident Response

Additional Info

CompanyDifenda Inc.
Websitehttps://www.difenda.com/services/remote-incident-response/
Company size (employees)100 to 499
Headquarters RegionNorth America

Overview

Difenda’s Remote Incident Response program protects businesses with Digital Forensics and Incident Response services designed to enable successful resolution to cyber breaches. Our expert Remote Incident Response team identifies and eliminates the root cause of cyber breaches, so you never have to worry about the incident recurring.

Over the past year, Difenda has been working with the Microsoft Security AI team for Security Product Team as part of the partner design program. Our team is testing the product, providing feedback on core MSSP use cases, and continues to ideate on the integration of Microsoft Security AI and Difenda AIRO to benefit our customers and our internal SOC team. As part of this process, Difenda has developed 4 incident response custom skills to streamline the RIR process including: SOC Invoke, Case Management, Artifact Collection and RIR Chatbot. These skills now layer onto and enhance Difenda five fased approach to Remote Incident Response.

Difenda’s five-phase approach to incident response ensures the successful design, deployment and management of the RIR program. The process includes Scope, Triage, Neutralize, Report, and Monitor. The Scope phase involves the review of customer incidents and environment details. Establishing goals, expectations, and desired outcomes for incident response. In the Triage phase, Difenda’s team will initiate “remote collections” of logs to aid in the identification of the incident. The Neutralize phase involves identifying and eliminating the root cause of the breach. This may include removing malware, patching vulnerable systems, and more. In the Report phase, the customer’s network is monitored for indicators of persistent access while formalizing the final report. Finally, in the Monitor phase, we conduct a lessons learned session and ensure continuous monitoring of the customer’s environment for 30 days.

This process typically takes 3 hours to execute. With Microsoft Security AI, this process can take less than 10 minutes.

Key Capabilities / Features

1 hour response: All Remote Incident Response engagement requests will be acknowledged, and customers will be contacted within 1 hour of the initial request.


Designated Incident Commander / Communications Lead per case: Each Remote Incident Response engagement will have a designated Incident Commander and Communications


Continuous Monitoring: The Remote Incident Response team will work directly with the C3 operations team to designate an analyst “Difender” to provide continuous monitoring of the customer environment for 30 days following the phase change from neutralize to reporting.


Lessons learned session: The Incident Commander or Communications Lead will perform a Lessons Learnt session with the customer’s team.


Detailed Recommendations Report: If requested by the customer, a separate detailed recommendations report will be included in addition to the standard final Incident report. This report will include incident-specific recommendations, and a brief step-by-step guide to implement.


Remediation & Recovery Support: Difenda will assign resources to provide remediation and recovery support.


Incident-specific alerting: The Remote Incident Response team will implement incident-specific custom alerting to supported SIEMs and EDR’s to provide early warnings of re-infection or persistence based on the incident findings.


Threat Intelligence Report: The Remote Incident Response team will work closely with the Cyber Threat Intelligence team to create a Threat Intelligence report surrounding the indicators discovered during the concluded incident response engagement.


Annual Threat Intelligence Brief: Difenda’s Cyber Threat Intelligence team will present a yearly report of methodologies, vulnerabilities, and advanced persistence threats tracked and investigated during the previous year.


Malware Analysis: Customers can request malware analysis be conducted on up to 10 samples per year. Each analysis includes a report of findings.


Annual Tabletop exercises


How we are different

Working with the Microsoft Security AI team, Difenda developed four custom skills that streamline incident response, enhance forensic investigations, and empower our team to mitigate threats effectively:


SOC Invoke: Automate incident summary generation, providing quick access to high-level information crucial for rapid decision-making during multi-stage incidents. By leveraging Microsoft Security AI, analysts can swiftly assess incidents and initiate appropriate response actions.


Case Management Setup: Simplify the setup of case infrastructure. Automate the creation of case folders and associated tasks within your case management platform.


Artifact Collection: Facilitate the collection of crucial digital artifacts essential for forensic investigations. Microsoft Security AI orchestrates the deployment of collection agents, ensuring comprehensive data gathering while seamlessly integrating with Sentinel and your case management platform for streamlined documentation and analysis.


RIR Chatbot: Enable intuitive communication and collaboration with AI during incident response. By leveraging this custom Microsoft Security AI skill your team can efficiently address inquiries, access critical information, and make informed decisions in real-time.