Automated Response in Cyber Security SOC with Actionable Threat Intelligence
while its biggest weakness is lack of visibility: SOCs still can't detect previously unknown threats, which is a consistent problem across many other SANS surveys. The survey also found a need for more automation across the prevention, detection and response functions.
SANS: Threat Intelligence White Paper
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
Source: https://www.sans.org/reading-room/whitepapers/analyst/threat-intelligence-is-effectively-37282
The Challenges of the CISO and CIO
[Diagram: the attacker market (Hacking-as-a-service, DDoS-as-a-service, Malware-as-a-service, Ransomware-as-a-service: automated, scalable, specialized, collaborative) drives an attack lifecycle of research, infiltration, discovery, capture and exfiltration. Against it the CISO runs prevention controls (Firewall, IPS, Proxy, APT, SSL, Endpoint, DDoS, WAF, Email), detection (SIEM with manual correlation) and incident response (limited people resources, manual response, complexity, high incident volume) under regulation, compliance and governance, while a flood of DNS, SMTP, Web, AV and Endpoint alerts keeps arriving.]
2015, Palo Alto Networks. Confidential and Proprietary.
Challenges & Cyber Security SOC Requirements
VOLUME: increased attack volume from automated adversaries
- Reduce attack surface
- Prioritize critical threats
ALERTS: too many alerts from too many sources without context
- Reduce false positives
- Add attack context
COMPLEXITY: highly manual response with complex workflows
- Accelerate incident handling workflows and automated proactive response
Today's Security Operation Center (SOC) Workflow
[Diagram: 3rd-party threat intel supplies only IOCs (IP, URL, domain), and only some of them, with little detail. The security admin manually searches and queries the security logs of Firewall 1,2,3,4, IPS, Proxy, SIEM, APT and Endpoint, supplemented by free community search (e.g. VirusTotal, URL blacklists, malwaredomain), writes a summary report, informs the actions to take, and then takes those actions manually.]
Metrics for success
TIME TO IDENTIFICATION: decrease the time to identify new, targeted attacks
TIME TO ERADICATION: speed up mitigation without adding specialized staff
How to improve security incident response operation workflow?
1. Using the global threat intelligence cloud
- Real-world attacks from WildFire, the industry's largest network sandbox service
- Cyber Threat Alliance: sharing threat information
- 3rd-party feeds, closed and open-source intel
[Diagram: the Threat Intelligence Cloud is fed by WildFire (>15,000 global enterprise customers), the Palo Alto Networks global passive DNS network, 3rd-party malware/APT feeds and the Unit 42 TI and research team; it holds malware signatures (1 billion), C&C/DNS signatures (millions) and URL signatures (billions).]
Threat Intelligence: Detecting the unknown at scale
- WildFire delivers over 100K new protections to customers per day
- AutoFocus contains over 2B files and over 500B artifacts (and growing)
- Enriched information: 150M samples/month
- Over 1000 AutoFocus tags add human-curated intelligence to over 80% of yearly malware incidents
- Known good files = reduce false positives; known bad files = reduce false negatives
Demo: Context from AutoFocus
Context: malware families, attack campaigns, exploits, malicious behavior, threat actors
Context: my org, my industry and global view; top malware, top application malware, top source, destination and country
Context: malware dynamic & static analysis, malware behavior, indicators of attack and compromise
Top attack source, destination and country:
- IP: 185.127.25.176
- Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- URL: phil-army.gotdns.org/4c4f4f50/archive/512321505.html
Using Large Global Threat Intelligence Source
[Diagram: alongside the 3rd-party threat intel feed (IOCs only: IP, URL, domain), the security admin who searches and queries the security logs of Firewall 1,2,3,4, IPS, Proxy, SIEM, APT and Endpoint now receives deep information for investigation, produces an accurate summary report with more actionable actions, and informs and provides actionable controls instead of only taking actions manually.]
Deep info provided for investigation:
- Threat actors
- Malware family
- Adversary campaign
- Target industries
- Alert prioritization
- Malicious behavior
- Exploit techniques
- Contexts: IP, connectivity, domain, URL, passive DNS, etc.
2. Orchestrate Threat Intelligence and Enforce Prevention-based Control Automatically
- Aggregate and correlate TI feeds
- Automated enforcement of prevention-based control
[Diagram: threat intelligence feeds, private feeds and threat intelligence platforms feed the SIEM, the network enforcers and the endpoint enforcers.]
Threat Intel Aggregator Architecture
Input: threat feeds
- OSINT
- Commercial
- Organization (CERT, ISAC)
- AutoFocus
Processors:
- IPv4/IPv6 aggregator
- URL aggregator
- Domain aggregator
Outputs:
- JSON
- STIX/TAXII
- External Dynamic List (EDL)
- Elastic/Logstash
Consumers: network enforcers (FW, IPS), endpoint enforcers, SIEM
Reduce False Positives by Correlating TI
[Diagram: IP, DNS and URL indicators from several 3rd-party threat intel sources are cross-checked and correlated, and the resulting IOCs are exported to the network enforcers (FW, IPS), the endpoint enforcers and the SIEM.]
Orchestrate TI and Automatically Enforce Prevention-based Control
[Diagram: 3rd-party threat intel (IP, DNS, URL) is cross-checked and exported as an IOC feed (JSON, STIX). Firewall 1,2,3,4, IPS, Proxy, APT and Endpoint automatically poll the IOCs for prevention, and the SIEM receives them by API call (JSON, STIX). The security admin searches and queries the security logs, works from the IOC watchlist and traceback, and produces an accurate summary report with more actionable actions, backed by the deep info provided for investigation (threat actors, malware family, adversary campaign, target industries, alert prioritization, malicious behavior, exploit techniques, and contexts such as IP, connectivity, domain, URL and passive DNS).]
How it Works
[Diagram: in the cloud, the 3rd-party TI feed, AutoFocus and WildFire threat big data supply context and samples; indicators are searched, matched and cross-checked, kept in an indicator store and exported through the TI consolidator (MineMeld) as actionable threat intel. On premise, a local MineMeld applies automated prevention control to the endpoint, the SIEM, the firewall and the proxies.]
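The aggregator architecture (feeds in, IPv4/IPv6, URL and domain processors, JSON and EDL out), the cross-check that reduces false positives, and the IOC export the enforcers poll, as one added Python example that is not MineMeld's code nor Palo Alto Networks' own. It ingests constructed sample feeds (OSINT, commercial, ISAC) with assumed per-feed confidence scores, normalises each indicator, keeps only indicators corroborated by two feeds or delivered by a high-confidence feed, and emits the plain-text EDL (one entry per line) and a JSON record.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample feeds (documentation-range values, not real IOCs): name -> (assumed confidence 0-100, raw entries)
FEEDS = {
    "osint_blocklist": (40, ["198.51.100.7", "Example-BAD.test.", "http://Phish.example/Login"]),
    "commercial_feed": (80, ["198.51.100.7", "http://phish.example/Login", "2001:db8::1"]),
    "isac_share": (70, ["example-bad.test", "203.0.113.9", "not an indicator"]),
}

def classify(raw):
    """IPv4/IPv6, URL and domain processors in one: (type, normalised value) or None."""
    s = raw.strip()
    try:
        return "ip", str(ipaddress.ip_address(s))  # canonical IPv4/IPv6 text
    except ValueError:
        pass
    if "://" in s:  # URL: lower-case scheme and host only; the path is case-sensitive
        p = urlsplit(s)
        if not p.netloc:
            return None
        return "url", p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()
    s = s.lower().rstrip(".")  # domain: case-insensitive, trailing dot dropped
    if " " in s or "." not in s:
        return None  # unparsable line: drop it rather than poison the indicator store
    return "domain", s

def aggregate(feeds):  # indicator store: value -> type, contributing feeds, best confidence seen
    store = {}
    for name, (conf, entries) in feeds.items():
        for raw in entries:
            parsed = classify(raw)
            if parsed:
                kind, val = parsed
                rec = store.setdefault(val, {"type": kind, "sources": set(), "score": 0})
                rec["sources"].add(name)
                rec["score"] = max(rec["score"], conf)
    return store

def select_for_enforcement(store, min_sources=2, min_score=75):  # cross-check before export
    return {v: r for v, r in store.items()
            if len(r["sources"]) >= min_sources or r["score"] >= min_score}

def export_edl(selected, kind):  # EDL form the enforcers poll: one entry per line, sorted
    return "\n".join(sorted(v for v, r in selected.items() if r["type"] == kind))

def export_json(selected):  # JSON export for SIEM/API consumers; sets become sorted lists
    return json.dumps({v: {**r, "sources": sorted(r["sources"])} for v, r in selected.items()}, sort_keys=True)
```

With these sample feeds the single-source, mid-confidence address 203.0.113.9 never reaches the enforcers, which is the false-positive reduction the correlation step is meant to buy.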
Why Do We Need a Security Platform?
Legacy security responses increase complexity.
[Diagram: the same legacy stack (firewall with stateful inspection, legacy AV controls, intrusion prevention, web security gateway/proxy, sandboxing, SIEM) is repeated at every location, and workflow complexity grows with it. A next-generation security platform instead aims at full visibility, all locations, preventing zero-day threats and speeding up security analysis workflows.]
Key Benefits
1. Provide full visibility and prevention on all risk locations
2. Reduce complexity
3. Decrease the number of events per second
4. Reduce log storage
5. Reduce false positive events
6. Improve detection, response & forensic times
7. Accelerate incident handling & response workflow