To streamline time-to-value with Perch, we provide instructions on how to complete your setup and break you out of your shell. Once complete, you should have all the skills you need to set up your business with Perch.
Perch sensors, physical or virtual, collect network traffic and log data from your environment. To get data into the platform you need to deploy a sensor. Although you will be able to see community sightings without a sensor, you will not be able to actively participate in the community.
Many customers handle their own installs. However, if you need assistance feel free to tag @help on Slack or email email@example.com.
Without communities, a Perch sensor still records all kinds of data from your environment. With communities, the Perch sensor begins generating alerts that are triaged by the Perch Security Operations Center (SOC). Perch provides click-and-subscribe content from a number of threat intelligence communities. If you would like to see a threat intelligence community added to Perch, let @ideas know in Slack via #squawkbox or email firstname.lastname@example.org.
It’s common for customers to provide us with one or two contacts and perhaps a distribution list for the people who should receive escalations from the Perch SOC. The Perch SOC will work with these contacts to notify your organization of security incidents and provide some remediation advice.
In order to provide you with killer threat detection, we need to know about your assets. In the monitored assets settings page, you can refine what assets and networks should be monitored by Perch.
Please note that public IP ranges need to be explicitly monitored. By default, Perch monitors RFC1918 addresses. To monitor a public IP range with a Perch sensor, add the public IP range and check the “Monitored” box. When you define a monitored asset or network of assets, you can give it a name; that name improves Perch SOC analysis and ultimately reduces the time it takes you to respond to a security incident.
Many indicators detect software associated with past breaches. This may be benign software in your environment and represent business as usual. We are not focused on identifying every piece of software in your environment. We are focused on learning which of your approved software regularly generates alerts flagged for analyst review.
If the software isn’t against your company’s acceptable use policy for employees, you can mark it as approved software in the settings section. Alerts will not be generated for approved software. It’s okay if you’re not sure what counts as approved software for your organization. For more granular control, you can suppress alerts for a single asset or network and continue receiving notifications when that software is used elsewhere. Analysts will decide when to escalate future true or false positive alerts based on the approved software settings.
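As an added example (not Perch's own code or product logic), the following Python models the two settings described above: monitored networks with the RFC1918 default and the “Monitored” checkbox that public ranges need, and approved software that is suppressed either everywhere or only on one named network. The network names, IP ranges and software names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
# Default scope: the RFC1918 private ranges, which the setup notes say are monitored by default.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class MonitoredNetwork:
    name: str                       # label that helps SOC analysis
    network: ipaddress.IPv4Network  # address range
    monitored: bool = True          # the "Monitored" checkbox; public ranges need it ticked

def scope_for(ip_str, networks):
    """Name of the monitored network containing ip_str, or None if the address is out of scope."""
    ip = ipaddress.ip_address(ip_str)
    best = None  # explicitly defined networks win over the default; most specific prefix wins
    for net in networks:
        if net.monitored and ip in net.network:
            if best is None or net.network.prefixlen > best.network.prefixlen:
                best = net
    if best is not None:
        return best.name
    if any(ip in n for n in RFC1918):
        return "rfc1918-default"
    return None  # e.g. a public range that was never added, or added but not ticked

def should_alert(ip_str, software, networks, approved):
    """Decide whether a sighting of `software` on `ip_str` should raise an alert.
    `approved` maps software -> set of network names where it is approved; "*" = everywhere."""
    scope = scope_for(ip_str, networks)
    if scope is None:
        return False, "outside monitored scope"
    where = approved.get(software, set())
    if "*" in where or scope in where:
        return False, f"{software} approved in {scope}"
    return True, f"{software} sighted in {scope}"

# Constructed sample configuration (hypothetical names, documentation-only IP ranges).
SAMPLE_NETWORKS = [
    MonitoredNetwork("helpdesk-lan", ipaddress.ip_network("10.20.0.0/16")),
    MonitoredNetwork("dmz-web", ipaddress.ip_network("203.0.113.0/24")),          # public, ticked
    MonitoredNetwork("partner-vpn", ipaddress.ip_network("198.51.100.0/24"), monitored=False),
]
SAMPLE_APPROVED = {
    "remote-admin-tool": {"helpdesk-lan"},  # suppressed on one network, alerts elsewhere
    "inventory-agent": {"*"},               # approved organization-wide
}

if __name__ == "__main__":
    print(should_alert("198.51.100.7", "remote-admin-tool", SAMPLE_NETWORKS, SAMPLE_APPROVED))
```

Note that the public “partner-vpn” range is added but not ticked, so sightings there are silently out of scope; that is the case the “Monitored” box exists to catch.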