3 Ways to Speed Up Investigations with Modern DFIR

A guest post by Jessica Stanford, CMO at Cado Security

When it comes to attack containment, time is of the essence. How quickly security teams can determine root cause and scope decides whether an incident is fully remediated before it escalates. Delays or hurdles that prevent a thorough investigation leave your organization exposed to repeat intrusions: an initial access vector that is never identified is never closed.

Once malicious activity is detected, security analysts need to be able to quickly understand its impact:

  • What happened?
  • When did it happen?
  • Is this the first time it happened?
  • How many machines were involved?
  • How did the attackers get in?
  • Has data left the environment?

However, using traditional digital forensics and incident response (DFIR) approaches, it can take days to weeks to manually capture and process the data needed to answer these pressing questions. To make matters worse, due to the heavy uplift and time required, incidents often get closed without digging deep enough.

That’s where the combination of the SentinelOne Singularity XDR platform and Cado Response can help — by delivering the data and context security teams need to quickly identify the root cause of incidents and enable faster response.

The SentinelOne Singularity XDR Platform provides the broad visibility needed to detect and respond to malicious activity in real time across user endpoints, cloud workloads and IoT. Many DFIR investigations begin with a high-severity detection. SentinelOne provides best-in-class behavioral detection with Storyline, as evidenced by the 2021 MITRE Engenuity ATT&CK evaluations. SOC teams use SentinelOne to ‘stop the bleeding’ and perform automated responses such as killing processes, quarantining a threat, or rolling back the effects of ransomware.

SentinelOne Remote Script Orchestration (RSO) takes automation within incident response a step further to enable security and IT teams to remotely execute customizable remediation and response actions and to send custom scripts to one machine, a few hundred machines, or even millions of machines concurrently.

DFIR investigations take incident response a level further by analyzing additional forensic data such as memory and disk snapshots. Joint customers can use RSO to deploy Cado Response, which provides deep forensic-level analysis, enabling DFIR teams to respond to present and future cyberattacks faster.

SentinelOne and Cado Security’s joint solution enables security teams to take a modern approach to DFIR by speeding up cyber investigations in three ways.

1. Automated Capture

A forensics analysis often requires massive amounts of data. Complicating things even further, this data can live across countless regions, systems and users. Capturing, processing, and triaging the data required to conduct a detailed investigation using traditional methods is no easy task. Fortunately, automation flips the script. By automating the most tedious parts of a forensics investigation, including data capture and processing, security teams can drastically reduce the amount of time and effort that’s required to understand the root cause and impact of an incident.

2. Leverage The Cloud

As mentioned above, when it comes to forensic investigations, speed is of the essence. Forensic investigations require complete visibility, across on-premises, hybrid, and cloud environments. Gaining access to the data is step one. Then analysts need to normalize and preserve the data for an investigation. This can require extensive time and manual effort but results in no added value until the processing is complete.

Using SentinelOne, DFIR teams can gain visibility across all environments, whether they be user endpoints or enterprise workloads, whether on-premises, hybrid or in public cloud environments like Amazon Web Services. With RSO, Cado Response automatically processes data from endpoints of interest, leveraging the cloud for rapid processing of hundreds of files and systems in parallel to drastically reduce the time it takes to begin an investigation from days to minutes. The cloud enables security analysts to get access to the information they need, when they need it.

3. Managing DFIR At Scale

Using automation, RSO enables the scale and speed of deployment of forensic tools across the entire endpoint fleet to help teams manage IR processes at scale. From within SentinelOne, teams can deploy Cado Response and view the status of each script deployment, confirming that forensic capture completed on every affected endpoint rather than only on the ones that happened to be online.

Capturing and processing 100% of the data from all impacted systems is a feat in and of itself, but it’s just the beginning of an investigation. Once the data is processed, security teams need to analyze it to identify the root cause and fully remediate an incident.

The challenge here is adding context and awareness to the data. Cado Response uses machine learning-driven analytics and threat intelligence to correlate systems, users, processes, files, and more. It also builds a single, complete timeline of events so analysts can immediately visualize the scope of an incident and pivot into the data that matters. This enables them to conduct an investigation in aggregate rather than analyzing systems one by one.

Preventing Future Breaches

Conducting a thorough forensics investigation post breach is critical to identifying the root cause and preventing future breaches. That’s why Cado Security’s recently announced partnership with SentinelOne is so important: it delivers the breadth and depth security teams need to detect, investigate, and respond to incidents with unmatched speed.

SentinelOne Remote Script Orchestration (RSO) can alleviate the SOC burden for remote forensics and incident response. RSO lets customers remotely investigate threats on multiple endpoints across the organization and manage their entire fleet from one place: incident responders run scripts to collect data and respond to events on endpoints without needing interactive access to each machine. Through RSO, security analysts can launch Cado Response to perform an in-depth forensic investigation across their SentinelOne Singularity Platform-protected endpoints in a single click, simplifying forensic data capture and accelerating triage.

Incident responders can collect forensic artifacts, execute complex scripts and commands, and install IR tools such as Cado Response on thousands of Windows, macOS, and Linux endpoints simultaneously via the SentinelOne console or API. Remote Script Orchestration includes a Script Library from SentinelOne with scripts for all platforms: PowerShell for Windows and bash for Linux and macOS.
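As an added illustration of the kind of collection script a responder pushes through a remote script runner on Linux or macOS hosts, here is a small bash triage collector. It is example code written for this page, not a SentinelOne Script Library script or Cado Response code, and it assumes nothing about either product: it captures volatile state first (processes, sockets, sessions), then common persistence points, and finishes with a SHA-256 manifest so that the bundle can be verified for integrity once it has been pulled back from the endpoint. Tools that are absent on a given host are recorded as missing rather than aborting the run, which matters when the same script is sent to a heterogeneous fleet.

```shell
#!/usr/bin/env bash
# Linux/macOS triage collector (added example; not Cado's or SentinelOne's code).
# Usage: bash collect_triage.sh /path/to/output-dir
set -u

# Portable SHA-256 of one file: Linux ships sha256sum, macOS ships shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_capture NAME CMD ARGS...: store CMD's stdout+stderr in $OUTDIR/NAME.txt.
# A missing or failing tool must never abort the whole collection, so the
# failure is written into the artifact instead of propagated.
run_capture() {
    local name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$name.txt" 2>&1 || echo "[exit $?]" >> "$OUTDIR/$name.txt"
    else
        echo "[tool not present: $1]" > "$OUTDIR/$name.txt"
    fi
}

# write_manifest DIR: hash every artifact so tampering in transit is detectable.
write_manifest() {
    local dir="$1" f
    : > "$dir/MANIFEST.sha256"
    for f in "$dir"/*.txt; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$dir/MANIFEST.sha256"
    done
}

# verify_manifest DIR: return 0 only if every artifact still matches its hash.
verify_manifest() {
    local dir="$1" expected name actual status=0
    while read -r expected name; do
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $name" >&2
            status=1
        fi
    done < "$dir/MANIFEST.sha256"
    return $status
}

# collect_triage OUTDIR: populate OUTDIR and write MANIFEST.sha256.
# Order of volatility: processes and sockets are captured before anything
# slower, so the snapshot reflects the host as it was when the script landed.
collect_triage() {
    OUTDIR="$1"
    mkdir -p "$OUTDIR"
    {
        echo "host=$(hostname 2>/dev/null || echo unknown)"
        echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "uid=$(id -u)"
    } > "$OUTDIR/collection_info.txt"

    run_capture processes    ps -eo pid,ppid,user,lstart,etime,args
    run_capture sockets_ss   ss -tunap          # Linux
    run_capture sockets_lsof lsof -nP -i        # macOS / fallback
    run_capture sessions     who -a
    run_capture logins       last -n 50
    run_capture crontab      crontab -l
    run_capture cron_dirs    ls -la /etc/cron.d /etc/cron.daily /var/spool/cron
    run_capture kernel_mods  lsmod

    # Small, high-signal files for redirection and account persistence.
    for f in /etc/hosts /etc/passwd; do
        [ -r "$f" ] && cp "$f" "$OUTDIR/$(echo "$f" | tr / _).txt"
    done

    write_manifest "$OUTDIR"
}

# Stand-alone entry point; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    collect_triage "$1" && verify_manifest "$1" && echo "collected and verified: $1"
fi
```

The manifest is the part worth keeping even if the rest is replaced by a product agent: hashing artifacts at capture time and re-verifying after transfer is what lets an analyst later defend the evidence as unmodified, and a verification failure on one file points at exactly which artifact to discard.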


The Cado Response platform is powered by a cloud-based architecture, which automatically scales up and down to provide rapid processing when needed and saves costs when not, drastically reducing time to evidence and time to response. The Cado Response platform simplifies investigation, enabling analysts to easily pivot across evidence items including impacted systems, users, processes, files, and more, so they can rapidly visualize incident scope.

Conclusion

With powerful remote script orchestration within the SentinelOne Singularity Platform and the cloud-native DFIR capabilities of Cado Response, incident responders have an effective toolset for collecting, analyzing, and actioning forensic data from across the endpoint and cloud workload fleet.

Learn more about SentinelOne and Cado Security in this upcoming webinar:

Automation Flips the Script: Augmenting Real-Time Detection with Modern DFIR.