Colin Gibbens Director, Product Management

Similar documents
WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Reducing the Cost of Incident Response

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

The Resilient Incident Response Platform

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Introduction to Threat Deception for Modern Cyber Warfare

RSA Security Analytics

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Building a Threat-Based Cyber Team

Simplify, Streamline and Empower Security with ISecOps

Microsoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Security. Made Smarter.

Managed Endpoint Defense

4/13/2018. Certified Analyst Program Infosheet

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Building Resilience in a Digital Enterprise

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Incident Scale

One Hospital s Cybersecurity Journey

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

ForeScout Extended Module for Splunk

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Attackers Process. Compromise the Root of the Domain Network: Active Directory

SOLUTION BRIEF DFLabs IncMan SOAR - The Security Orchestration, Automation and Response Platform for SOCs.

INTEGRATION BRIEF DFLabs and Jira: Streamline Incident Management and Issue Tracking.

First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

SIEMLESS THREAT DETECTION FOR AWS

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Why Are We Still Being Breached?

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

10 FOCUS AREAS FOR BREACH PREVENTION

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

Novetta Cyber Analytics

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

RSA NetWitness Suite Respond in Minutes, Not Months

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

NEXT GENERATION SECURITY OPERATIONS CENTER

CyberArk Privileged Threat Analytics

SYMANTEC DATA CENTER SECURITY

esendpoint Next-gen endpoint threat detection and response

A Risk Management Platform

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ForeScout ControlFabric TM Architecture

Checklist for Evaluating Deception Platforms

First Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

ForeScout Extended Module for Carbon Black

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

Integrated, Intelligence driven Cyber Threat Hunting

USE CASE IN ACTION Splunk + Komand

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

ICS Security Monitoring

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Driving more value from your Security Operations Center (SOC) Platform. James Hanlon Director, Splunk Security Markets Specialization, EMEA

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES

Advanced Threat Hunting:

Imperva CounterBreach

Security. Risk Management. Compliance.

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Traditional Security Solutions Have Reached Their Limit

Building and Instrumenting the Next- Generation Security Operations Center. Sponsored by

Combating APTs with the Custom Defense Solution. Hans Liljedahl Peter Szendröi

Qualys Indication of Compromise

Advanced Endpoint Protection

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Cyber security tips and self-assessment for business

Testing for cyber resilience tools & techniques for adversary simulation and improved defense

Critical Hygiene for Preventing Major Breaches

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

CTI Capability Maturity Model Marco Lourenco

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

The Cognito automated threat detection and response platform

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Transcription:

SOAR = Human Intelligence and Creativity at Speed of Machine Abhishek Narula EVP, Head of Product and Engineering Colin Gibbens Director, Product Management 1

2

What is Security Orchestration Why do I need it? 3

11% Analysis, Planning 25% Execution Problem: Where is the Analyst's time going? 64% Manual Processes Collecting Data Repetitive Tasks Multiple disintegrated tools 4

Problem: Can Manual Response BEAT an Automated Adversary? Threat 01 04 Response Attack 02 Bots 03 Automated Attacks Bots, Advance Threat Vectors Spread at speed of machine Manual Response Time to detect and Response are high 5

Problem: How do analysts, responders effectively collaborate? I SAY: Process Dumps is Saved at //sta/12/dumps I SAY: PCAP analysis is stored at //sta//12/pcaps I SAY: Asset Information suggests this belongs to CFO. Need urgent action I SAY: IP Repuation from multiple sources suggest its Malicious I SAY: Where are we Overall? 6

7

Gartner Defines SOAR End-to-end management of an incident by people Incident Response Platform SOAR = SOA + SIR + TIP How to make machines do taskoriented human work How different technologies (both security-specific and non-securityspecific) are integrated to work together Automation & Orchestration Threat Intelligence Platform Gain an advantage over the adversary by detecting the presence of threat actors, blockin and tackling their attacks, or degrading their infrastructure. References Gartner Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719). Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30) https://en.wikipedia.org/wiki/threat_intelligence_platform 8

SOAR Deployment Architecture Actionable Data SIEM Alerts email Indicators API SysLog SNMP Manually Created Alerts Threat Intel Sources Tracking Event/Alert Type classification Meta information Automated Actions/Playbooks Enrich the context (ex, add user and asset info) Triage, Investigate, Escalate to Incident Incident Management Collaborate Collect data using integrations Take Remedial actions with human approvals Generate reports 9

10 CRAZY and not so Crazy Use Cases

Using OODA loop with Incident Reponses Colin Gibbens Director of Product Management (Symantec EDR)

12

The OODA loop consists of four parts: Observe Decisions are grounded on observations of an evolving circumstance. These observations are the raw data for assessments and actions. Orient Orientation shapes the way we observe, decide and act. Orientation here could be referred to as tuning. Filtering and analyzing all the raw data according to rules assists in making decisions and taking action. Decide From the data observed and filtered, the decision-maker has to select the best possible action. Act based on your decision, execute your plan. Know when some action is better than no action. If your house is on fire, anything you do to extinguish the blaze is better and then standing and watching it burn. The same applies to a cyberattack 13

OODA Loop Decisions without action are pointless Actions without decisions are reckless Col. John Boyd 14

15 To implement the OODA Loop concept, progressive organizations are using orchestrion as an overlay to their existing security infrastructures. This approach provides the necessary aggregation, intelligence-based analysis, and automation capabilities to identify and respond to cyber threats early in the kill chain.

Blackhat Capture The Flag 15 participates 5 highly trained Adversaries (Pen testing, hacking, exploit writing, etc) 15 systems setup 3 Linux systems running vulnerable web servers 4 windows (XP, Win 7) systems running POS and ATM software no protection 8 windows (Win 7, 2016, Win 10) systems running web serves, SQL, etc endpoint protection All systems being monitored with EDR Canaries (Deceptors) deployed on half the systems Disabled user accounts Fake user accounts with passwords Fake credit card Shares Used EDR and FIM to monitor activity on systems and access to canaries Main prize $5000 (No winners) Smaller prizes based on the number of flags 16

Attacks External Blue against unprotected systems Brute force password guessing attacks SQL injection Mimikatz (Credential dump) Directory transversal Pass the Hash attacks Other exploits AD Query 17

Observe Event data I was using to observe what they were doing Windows events logs (logon, logoff, failed logins, RDP logins, etc) Endpoint protection logs (HIPS, Firewall, FIM) EDR events ( files accessed, prefetch, smb, rdp) Custom Detection Rules Monitor the use of disabled login accounts I created Monitor the access of canaries Lateral movement using RDP or SMB Detecting lateral movement and accessing canaries was the biggest key in tracking them One of the adversaries made a critical mistake 18

Orient Based on the data I observed I knew I had to act quickly Login attempts with disabled accounts Successful RDP connections to systems that had the flags Access to a canary that I had on one of the systems that had flags Execution of powershell scripts on various systems and the use of credentials Domain admin account stolen and changed Four systems compromised Attempted access to one of the main flags Compromised AD server 19

The Problem ONE compromised endpoint connected to a corporate domain jeopardizes the entire organization. Attackers can steal domain credentials and by simply querying Active Directory, effortlessly gain full access and visibility to ALL servers, applications computers and employees. No solution prevents this from happening. Traditional Active Directory security solutions don't have prevention or analysis capabilities. By the time they detect a breach, attackers have already penetrated the organization. 20

Summary 21 Report on Javelin Evaluation 21

Decide What does this mean to our organization at this time What can I do to disrupt the enemy and break his cycle Most of my systems are compromised and they have my domain credentials 22

Act Get the system that has the main flags off the network (Isolate) Disable the domain admin account Block RDP on critical systems Push out a policy to block SMB connections Push out a policy to blacklist offending IP s 23

Lessons Learned Centralize log data to make the observation and orient phase more streamlined Collect everything that can help observe what is happening in my environment Automate and Orchestrate to help deal with the alerts. Remove alerts that are being blocked Enrich the data with asset data so I know what endpoint they are on Enrich the data with user information so I know what user accounts are being accessed Enrich the network traffic with data to let me know who I am dealing with Automate and Orchestrate actions Push out actions automatically based on sounded data not just any alert Not all actions do you want to automate you might want a human element to approve 24

25 How does CyberSponse add value?

CyberSponse is an Incident Response and Automation Platform Incident Response Platform Highly Configurable Role based Access Multi-Tenant CyberSponse Orchestration & Automation Playbooks Connectors/Integrations Case Management Highly configurable platform Contextual Data Visualization Automated Playbooks Playbook Designer, Connectors, Reference Content TruMSSP Distributed Model that is truly Scalable and GDPR compliant 26

27 Role Based Dashboards

28 Automated Triage / False Positive Filtration of Alerts

29 Collaboratively Respond to Incident within SLA

30 Indicators Enrichment from Multiple Sources

31 Visual Playbooks for Manual + Automated Steps

CyberSponse integrates with diverse tools 06 01 Misc Prepare 05 02 Remediate Investigate 04 Eradicate Contain 03 200+ Connectors, 2000+ Actions List grows every 3 weeks 32

33 Let s Collaborate Abhishek@CyberSponse.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback