Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Similar documents
Integrated, Intelligence driven Cyber Threat Hunting

Security by Default: Enabling Transformation Through Cyber Resilience

RSA NetWitness Suite Respond in Minutes, Not Months

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

IBM services and technology solutions for supporting GDPR program

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

BUILDING AND MAINTAINING SOC

Trend Micro and IBM Security QRadar SIEM

The Resilient Incident Response Platform

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Building Resilience in a Digital Enterprise

External Supplier Control Obligations. Cyber Security

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Security Information & Event Management (SIEM)

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

INTEGRATION BRIEF DFLabs and Jira: Streamline Incident Management and Issue Tracking.

Speed Up Incident Response with Actionable Forensic Analytics

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Incident Play Book: Phishing

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

locuz.com SOC Services

Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017

Cyber Resilience - Protecting your Business 1

Combating APTs with the Custom Defense Solution. Hans Liljedahl Peter Szendröi

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Global Response Centre (GRC) & CIRT Lite. Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009

Trend Micro Deep Discovery Training for Certified Professionals

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

RSA Security Analytics

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Un SOC avanzato per una efficace risposta al cybercrime

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

CYBER RESILIENCE & INCIDENT RESPONSE

Proactive Approach to Cyber Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

FOUR WAYS TO IMPROVE ENDPOINT SECURITY: MOVING BEYOND TRADITIONAL APPROACHES

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Cloud and Cyber Security Expo 2019

SOLUTION BRIEF DFLabs IncMan SOAR - The Security Orchestration, Automation and Response Platform for SOCs.

ARIA SDS. Application

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

RSA IT Security Risk Management

Compare Security Analytics Solutions

IBM Security Vaš digitalni imuni sistem. Dejan Vuković Security BU Leader South East Europe IBM Security

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

IT Security Mandatory Solutions. Andris Soroka 2nd of July, RIGA

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection.

Designing and Building a Cybersecurity Program

Synchronized Security

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Building and Instrumenting the Next- Generation Security Operations Center. Sponsored by

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Security. Made Smarter.

CloudSOC and Security.cloud for Microsoft Office 365

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Are we breached? Deloitte's Cyber Threat Hunting

Novetta Cyber Analytics

Managed Endpoint Defense

Automating the Top 20 CIS Critical Security Controls

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

THE ACCENTURE CYBER DEFENSE SOLUTION

Models HP Security Management System XL Appliance with 500-IPS System License

CyberArk Privileged Threat Analytics

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

MITIGATE CYBER ATTACK RISK

MCAFEE INTEGRATED THREAT DEFENSE SOLUTION

May the (IBM) X-Force Be With You

SIEM Solutions from McAfee

Automated Context and Incident Response

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Imperva Incapsula Website Security

Checklist for Evaluating Deception Platforms

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

Stopping Advanced Persistent Threats In Cloud and DataCenters

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

One Hospital s Cybersecurity Journey

Fabrizio Patriarca. Come creare valore dalla GDPR

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Cyber Resilience. Think18. Felicity March IBM Corporation

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Trend Micro Deep Discovery Training Advanced Threat Detection 2.0 for Certified. Professionals Course Description

Reducing the Cost of Incident Response

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

Transcription:

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Response Automation SOCAutomation is an information security automation and orchestration platform that transforms incident response. It enables organisations to clearly define what constitutes an incident and then clearly communicates the process to handle it throughout the company and if necessary, across third parties. It uses a methodology based on the SANS 6 steps to incident response. Orchestration Instrumentation of existing security investment auto-detection and generation of out-of-the-box SANS best-practice Run-Book procedures that are superimposed back to the business. Automation Fully automate, semi-automate, or control automate some, most or all of the orchestration procedures. FlowLanes Overview Using the data collected from your infrastructure and security solutions combined with an extensive knowledgebase, SOCAutomation is able to issue relevant Run-Books to all stakeholders when an incident has been detected. These Run-Books are then generated and graphically represented to the relevant stakeholders using our advanced FlowLanes engine. With the information provided by these Run-Books, stakeholders know how best to deal with any incident related to them, or assets they own. It also allows security teams to track incident response from start to finish by offering a visualised workflow detailing every step in the remediation process. The following is a simplified outline of how we generate these Run-Books: Alert comes in - incident automatically generated in SOCAutomation platform. In parallel, an incident Run-Book is automatically generated s are assigned to the necessary stakeholders, based on incident type, asset, department, customer, etc. Within these automatically assigned Run-Books, each person/department has their own lane Each cell within FlowLanes contain specific tasks, due dates, and knowledgebase articles detailing how to respond to the incident An email-based alerting system is able to send incident and task updates to all the people involved FlowLanes Automation SOCAutomation uses a unique state based automation engine that gives users full control over the level of automation in each Run-Book generated. Not only are you able to automate SOCAutomation tasks, you are also able to automate tasks performed by other security products on your network. Each cell can create automation tasks and workflows, all tightly controlled and state mapped. An example of task automation is shown on the right. Helpdesk ticket generated Adds context to enrich alert Context: - Type of attack - Devices affected - Owner/administrator of device(s) - Business importance of device(s) - Severity and escalation - Knowledgebase/links Architectural Overview Automation is utilised throughout the platform in 4 areas: Response Automation Run-Book tracking Point automation State change tracking Audit tracking Ticketing integration Remediation Automation Call-out to 3rd party remediation Fully customisable Building block library Status and stream support Triage Automation detection Analysis and normalisation False positive and filtering Severity and escalation Context Automation Asset mapping Stakeholders and assignments Business context Security context Run-Book generation

Orchestrating and Automating IBM QRadar and Trend Micro TippingPoint Product Overview Fully featured SIEM solution from IBM Rich data correlation events, flows, packet data, threat intelligence, vulnerability data and patch data Extensive threat library powered by IBM XForce Unequalled implementation, support and training services Multi-tenanted, highly scalable and resilient Product Overview Next generation IPS and ATP solution from Trend Micro Monitors malware in a safe, controlled and sandboxed environment In the case of malware penetrating and successfully infiltrating the network, the detection technology identifies the suspicious behaviour and informs the user Comprehensive threat intelligence Protection for current and zero-day vulnerabilities and exploits IBM QRadar is the Gartner leading SIEM solution and enables organisations to monitor sophisticated cyber attacks in real-time. When combined with SOCAutomation, QRadar becomes an automated Security Operation Centre, making SOC operations delivery a reality. SOCAutomation utilises QRadar's API's covering offenses, asset data, vulnerability data and X-Force threat intelligence feeds. QRadar offenses typically give: Severity, IP address(es) of targeted device, short description (e.g. excessive firewall denies) and offense category. Context we add includes: IBM QRadar Integration Mapping Offenses to Assignees: e.g. level 1 analyst for offense type X, level 2 for offense type Y etc. Stakeholder Mapping: Who needs to be included in the loop, e.g. SOC Manager Security Context: Add offense-specific knowledgebase content e.g. links to details about a given type of malware Business Context: Add business-specific knowledgebase content e.g. links to regulatory company policy on dealing with malware, DLP, phishing etc. IP Address -> Username Mapping: Shows who has been logged on to a machine leading up to a breach (uses Lexicon for this) Automated Process Initiation: e.g. kicks off a set of processes to gather more information, attempt remediation, virtual patching, ticket generation, etc. Normalised Security Process: Automatically generates the relevant Run-Book for a given offense type (e.g. malware, DDoS, etc.) which allows multiple teams/analysts to know and follow consistent security procedures Audit Tracking: Tracks incident process for evidential trail Automatic Notifications: Email notifications automatically sent to assignees/stakeholders Trend TippingPoint Integration Trend Micro TippingPoint offers a wide range of network security solutions with real-time network protection, visibility, and centralised management and analytics that are easy to use, configure, and install. SOCAutomation utilises TippingPoint s API s covering IOC, digital vaccine, virtual patch, threat intelligence, vulnerability, policy, configuration and data automation. SOCAutomation orchestrates the TippingPoint malware detection framework IPS and TippingPoint Advanced Threat Protection (ATP) working together to; Analyse suspected new malware in over 100 network protocols Once malware is detected, it s spread is qualified using TippingPoint ATP Endpoint Sensor TippingPoint then remediates by quarantining the affected devices or creating a reputation filter to block any rogue communication Risk Reduction and Patch Management Window Lengthening For vulnerability management, SOCAutomation collates all vulnerability & patch information then reports which security gaps can be automatically fixed using TippingPoint s Virtual Patching capability. Patch Tuesday now becomes Patch when we are ready! Example Run-Books SOCAutomation enables powerful orchestration and automation of these platforms as illustrated in the following sample Run-Books Run-Book 1: TippingPoint IPS/ATP (Zero Day), QRadar with Automated TippingPoint Remediation SOC Team Automation CISO Correlated SIEM / IPS / ATP alert Helpdesk ticket generated Review context rich alert Adds context to enrich alert Context: - Type of attack - Devices affected - Owner/administrator of device(s) - Business importance of device(s) - Severity and escalation - Knowledgebase/links Email Level 3 & 4 severity alerts and tracking Review and request further context - Intake packet capture - Collect flow analysis data Review and take action from menu of options - Quarantine via switch - Virtual patch - Rate limit - Blacklist - Add reputation entry Review incident Close ticket with audit trail content appended Reports 1. No. of open incidents 2. No. of closed incidents 3. Time to resolve

Run-Book 2: Vulnerability/Patch Management Using QRadar and Trend Micro TippingPoint with Remediation Tracking SOC Team Automation CISO Vulnerability list from QRadar Vulnerability Manager Vulnerabilities that can be auto-patched using TippingPoint virtual patching Review patch prioritisation report - Add business context - Add other risk reduction context to assist in further patch prioritisation Risk Reduction Context: - Correlations from patching tool feeds e.g. Shavlik, SCCM - Ease of exploiting attack path (using QRadar Risk Manager) - Compensating controls e.g. additional virtual patching, system reconfiguration Authorise TippingPoint digital vaccine virtual patches Helpdesk tickets generated detailing to platform teams the virtual patches applied Authorise remaining patch and fix list Helpdesk tickets generated detailing to platform teams the patches to be applied Full tracking on patching and vulnerability remediation process Monitor patch and fix workflow across all platform teams and outsourcers Patch/Vulnerability Mgt Reports 1. Patches remediated 2. Patches auto-patched 3. Patches outstanding 4. Bottlenecks 5. Mean time to fix Run-Book 3: Botnet Activity Alert from Threat Intelligence with Automated TippingPoint ATP Remediation and Forensics - Using BitSight CyberRating Threat Intelligence This Run-Book utilises data gathered from BitSight CyberRating Threat Intelligence, the following images outline the data collected Fig 1: Overall BitSight security rating for Company X

Fig 2: Overview of botnet infections at Company X compared to the industry SOC Team Automation CISO Correlated threat intelligence botnet alert Helpdesk ticket generated Adds context to enrich alert Email Level 3 & 4 severity alerts and tracking Context: - Type of attack - Devices affected - Owner/administrator of device(s) - Business importance of device(s) - Severity and escalation - Knowledgebase/links Review and request further context Further TippingPoint Analysis - ATP Sandbox Analysis - IPS Packet Capture - Flow analysis data from IPS Incoming Network Traffic Review and take action by automatically editing a policy on TippingPoint SMS New Tipping Point Policy - Quarantine via switch - Virtual patch - Rate limit - Blacklist - Add reputation entry - New ATP filter Network Traffic Analysis NCXE Network Reputation GRID Census MARS and Virtual Analyser Review incident and resolution Close ticket with audit trail content appended Reports 1. No. of open incidents 2. No. of closed incidents 3. Time to resolve 4. s with automated ticket resolution

Dashboards and Reporting SOCAutomation offers fully customisable dashboards, giving each user a personalised graphical representation of the data, as well as incidents and alerts relevant to them. Using a fully distributed and automated reporting engine, SOCAutomation is able to generate and deliver reports, graphs, tables, summaries and statistics to any number of stakeholders. Personnel from different areas of your organisation can receive specific reports relevant to their role via email. Reports are able to be automatically distributed to all stakeholders involved in an incident as soon as it is resolved. Some of the reports that can be generated are listed below: s Handled by Severity Response Timeliness Open s Closed s s Utilising Most Resources s Requiring Further Investigation Handling Satisfaction Damage From an Process Workflow General Mission Success Fire Drill Results Lessons Learned Response Performance Costs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback