10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Similar documents
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Un SOC avanzato per una efficace risposta al cybercrime

Compare Security Analytics Solutions

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Building and Instrumenting the Next- Generation Security Operations Center. Sponsored by

Integrated, Intelligence driven Cyber Threat Hunting

Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017

Cyber Defense Operations Center

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Critical Hygiene for Preventing Major Breaches

The Resilient Incident Response Platform

Security Operations 2018: What is Working? What is Not.

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

RSA NetWitness Suite Respond in Minutes, Not Months

SIEM (Security Information Event Management)

Incident Scale

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

RSA Security Analytics

One Hospital s Cybersecurity Journey

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Power of the Threat Detection Trinity

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Maximizing value of your Threat Intelligence for Security Incident Response

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

SIEM Solutions from McAfee

Simplify, Streamline and Empower Security with ISecOps

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Popular SIEM vs aisiem

RSA IT Security Risk Management

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Snort: The World s Most Widely Deployed IPS Technology

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Sandboxing and the SOC

Sustainable Security Operations

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

THE ACCENTURE CYBER DEFENSE SOLUTION

Burning Down the Haystack. Tim Frazier Senior Security Engineer

SIEMLESS THREAT MANAGEMENT

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

SOC AUTOMATION OF THREAT INVESTIGATION

PALANTIR CYBERMESH INTRODUCTION

Building a Threat-Based Cyber Team

An All-Source Approach to Threat Intelligence Using Recorded Future

Security in AI. Alex Healing Senior Research Manager BT Applied Research. British Telecommunications plc 2019

Security Automation Best Practices

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

The Rise of the Purple Team

Novetta Cyber Analytics

empow s Security Platform The SIEM that Gives SIEM a Good Name

Colin Gibbens Director, Product Management

Evolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa

THREAT HUNTING REPORT

Reducing the Cost of Incident Response

BUILDING AND MAINTAINING SOC

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

FOUR WAYS TO IMPROVE ENDPOINT SECURITY: MOVING BEYOND TRADITIONAL APPROACHES

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

McAfee epolicy Orchestrator

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

esendpoint Next-gen endpoint threat detection and response

The New Era of Cognitive Security

A Risk Management Platform

CloudSOC and Security.cloud for Microsoft Office 365

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

Advanced Malware Protection: A Buyer s Guide

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

4/13/2018. Certified Analyst Program Infosheet

Managed Endpoint Defense

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

Automation and Analytics versus the Chaos of Cybersecurity Operations

Threat Centric Vulnerability Management

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

THREAT HUNTING REPORT

Security. Made Smarter.

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Qualys Cloud Platform

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

Security Information & Event Management (SIEM)

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

From Reactive to Proactive: How to Avoid Alert Fatigue

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Transcription:

SESSION ID: TTA-R02 10x Increase Your Team s Effectiveness by Automating the Boring Stuff Jonathan Trull Chief Cybersecurity Advisor Microsoft @jonathantrull Vidhi Agarwal Senior Program Manager Microsoft Cyber Defense Operations Center

10s of PBs of logs 300+ million active Microsoft account users 450 billion Azure Active Directory logons Detected/ reflected attacks >10,000 location-detected attacks 1.5 million compromise attempts deflected

WE HAVE A PROBLEM DETECTION Insights come from logs, support calls, core services, humans, scanners, etc. DROWNING IN DATA INTELLIGENCE TI is acquired from providers, web searches, news feeds, peers, suppliers, etc. Ingestion is difficult, untimely and ad-hoc: purchased TI is a lookup resource SIEMS Signals growing far faster than staffing; New sources welcomed with a <sigh>

WE HAVE A PROBLEM INTELLIGENCE should be part of the security framework, not just a referenced artifact DETECTION Detectors should be automated, correlated and interlinked in their findings WHERE WE NEED TO BE SIEMS Must reduce busy work of incident roll-up, response, and management

(LESS) OBVIOUS, SECOND-ORDER PROBLEMS FEEDS Orgs seek industry/geo specific intelligence to correlate against their signals INCIDENTS Software should consolidate, de-dupe, and otherwise prepare Incidents. IMPROVING OUR EFFICIENCY EVENTS ML/AI should make the data work for humans, not the other way round

Common SOC Analyst Activities SIEM Email Create Ticket Assign to Analyst Examine the alert to determine whether it warrants triage Generate a body of queries to examine the original source material and related source material Examine that source data to determine whether to continue triage efforts Continue (Yes/No) Close Ticket/Case Alert Generate a set of relational data (e.g. hosts, networks/ip addresses, users) which are related to the alert Map those relationships to the original alert Aggregate the source data and relationship data Enhance aggregate data with current and historical intelligence Make a risk determination on whether to move beyond triage to response, investigation, notification, etc. Continue (Yes/No) Close Ticket/Case Activate IR Process Begin Investigation 6

Phishing Example 7

Security Automation Start with High ROI Tasks Automate alert collection Automate alert prioritization Automate tasks and processes Target common, repetitive, and time-consuming administrative processes first Standardize processes and security controls within SOC 8

Automation in Action

SOC Event to Incident Life-cycle Event Collection Services Detection Systems Alert Management Investigations Remediation Active sensors Windows Events Network Device Events Anti-Malware Alerts DNS Logs Application Logs + Metadata Active Directory Configuration Management Database Asset Information IP address database Real-time monitoring and heuristics Billions of events per day Thousands of alerts Hundreds of investigations Time-to-detect: algorithm-driven automation and machine learning drives TTD to within minutes 10

Microsoft SOC Automation Approach SOC Workflow Automation Components to Reduce MTTD and MTTR while Increasing # of cases/soc defender Actions Activation Enable ingestion of security alerts from multiple sources to a single case management system to enable a single queue Enrichment Add contextual metadata to make alerts more actionable so SOC responders do not need to access multiple tools and systems Stacking Stack alerts into a single case based on objects and/or time window to reduce signal to noise ratio Automate actions such as send e-mail, create a ticket, reset password, disable a VM, block an IP address through scripts that initiate processes in other tools and systems

SOC Automation Example 1: Brute Force Attack Activation Alert from a detection system Reported Incident Invoke query on a timer on stored data SIEM alerts on Failed Log-on Event Multiple failed log-on events occurred Enrichment Contextual information from systems such as asset management, configuration management, vulnerability management and logs such as application logs, DNS and network traffic logs added Stacking Alert clustering to a single case based on Time-Window Aggregation Objects Deduplication Decision Evaluate Condition Stay on the workflow path (sequence) Invoke another workflow Asset Ownership Identified Validated Added The owner of the asset associated with the targeted destination IP was identified an, Account validated and information added to the case Stacking by Source IP or Destination IP Source IP subsequent report for the same Source IP Address can be stacked in a single case for a valid account OR Destination IP Identify the target that adversary is trying to Brute Force through a bot network Severity Reassignment and Case Designation Change severity based on volumes for queue jumping and evaluate whether it is Brute Force or DDoS for the action playbook Action Send e-mail Create a ticket Reset password Disable VM Block an IP Address Action Automated account disablement or shut off RDP for the Source IP associated with DDoS

SOC Automation Example 2: AV Alert Activation Alert from a detection system Reported Incident Invoke query on a timer on stored data AV Solution generates an alerts An AV alerts was fired Enrichment Contextual information from systems such as asset management, configuration management, vulnerability management and logs such as application logs, DNS and network traffic logs added Stacking Alert clustering to a single case based on Time-Window Aggregation Objects Deduplication Process Logs Asset Ownership Alert appended with the process logs to identify if malicious executables were running and impacting availability, integrity or confidentiality; Host ownership was determined from Asset Management System Stacking by Process Name Stacked by process name to determine the extent of AV proliferation in the environment Decision Evaluate Condition Stay on the workflow path (sequence) Invoke another workflow Action Send e-mail Create a ticket Reset password Disable VM Block an IP Address Severity Reassignment Stacking the alerts indicated 500+ hosts were infected and it is worm proliferation Action Automated patching script or account disablement or new firewall rule to quarantine the environment

SOC Automation Typical Engineering Capabilities REST API Option 1: Push A Web UI B C Actions Module Web form Case/ Ticketing System Detection System Option 2: Pull SOC Workflow Automation Detection Efficacy Alert Management E-mail Big Data Stored Data Pull other API-s / protocols Web Service Enrichment via Lookups into external systems Enrichment Plug-ins Automated Scripts Automated Response Investigation Service Architecture

SOC Metrics: Noise Reduction Signal to Noise Ratio Stacking Ratio: Indicator of alert to case compression 1- # oooo cccccccccc # oooo aaaaaaaaaaaa Target: 70-90% noise reduction feasible Pivots: Alert Source, Time Trend with Increased Automation 15

SOC Metrics: Ensure High Fidelity Signal Efficacy Confirmed - True Positive Confirmed - Benign Positive Confirmed - False Positive False Negative Service Health Definition Security Incident Security Incident Response processes are invoked and executed Suspicious behavior detected while benign does not require action and is not expected to fire repeatedly. The event was benign in nature and is expected to repeatedly happen. All FPs result in tuning/feedback to improve signal fidelity. Security Incident where no alert fired and monitoring and/or detections are needed Alerts on the service operations or security state but not necessary a security incident 16

SOC Metrics: Ensure High Fidelity Signal Detection Efficacy TP/FP Ratio: True positive to total alerts for a given detection and/or detection platform tt # oooo TTTT # oooo aaaaaaaaaaaa / tt AAAAAAAAAAAA Target: >50% Pivots: Detection Source, Time, Specific Alert ID Trend with Increased Automation 17

SOC Metrics: Speed to Remediation Mean Time to Remediate MTTR: Mean Time to Resolve is the time from case creation to case remediation MTTR AAllll CCCCCCCCCC TTTTTTTT SSSSSSSSSS CCCCCCCC CCCCCCCCCCCC CCCCCCCC CCCCCCCCCCCCCC # oooo cccccccccc Time Tier 1 Tier 3 Target: Varies by severity, complexity and level of automation Pivot: Assigned Severity, SOC Tier, Alert Source, Attack Category Trend with Increased Automation 18

SOC Metrics: SOC Efficiency Cases/Analyst: Automation enables SOC to do more with the same resources Top 10 offenders: Automating or eliminating repeat occurrences Target: Prevent and Automate top offenders Pivots: Attack Vectors or Detections or Response Playbook Trend with Increased Automation 19

SOC Automation Maturity Model # Cases/Analyst SOC Effectiveness Alert Enrichment Tier 0 Scenarios E2E Automated playbooks/ actions with no human touch Closed Loop ML Scenarios Based on TP/FP designations improve the quality of alerts and modify baselines for anomaly and behavioral detections Eliminate Administrative Tasks Open/close tickets, Send emails Reduce Noise Stacking, Deduplication, suppression Asset attribution, correlation, TI-IOC matching MTTR Level 1 Level 2 Level 3 Level 4 Level 5 20

Apply what you have heard today Within 30 days from this session you should: Identify common, repetitive and time-consuming tasks performed by SOC analysts Establish and begin measuring key SOC metrics Within 90 days from this session you should: Standardize processes and procedures for responding to common attacks and alerts Push workloads to detectors and sensors Within 180 days from this session you should: Automate alert collection, enrichment, and prioritization ensuring enterprise coverage across common attacker techniques, tactics, and procedures 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback