Automated Response in Cyber Security SOC with Actionable Threat Intelligence

while its biggest weakness is lack of visibility: SOCs still can't detect previously unknown threats, which is a consistent problem across many other SANS surveys. The survey also found a need for more automation across the prevention, detection and response functions.

SANS: Threat Intelligence White Paper
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
Source: https://www.sans.org/reading-room/whitepapers/analyst/threat-intelligence-is-effectively-37282

The Challenges of the CISO and CIO (diagram)
- Adversary market: Hacking-as-a-service, DDoS-as-a-service, Malware-as-a-service, Ransomware-as-a-service; attributes shown: Automated, Scalable, Specialized, Collaboration
- Attack stages: Research, Infiltration, Discovery, Capture, Exfiltration
- CISO obligations: Regulation, Compliance, Governance
- Detection controls: Firewall, IPS, Proxy, APT, SSL, Endpoint, DDoS, WAF, Email; SIEM with manual correlation
- Incident response: people resources, manual response, complexity, high volume of incidents
- Alert flood: DNS, SMTP, Web, AV and Endpoint alerts repeated across many sources
(Slide 6) 2015, Palo Alto Networks. Confidential and Proprietary.

Challenges & Cyber Security SOC Requirements
- VOLUME: increased attack volume from automated adversaries. Requirements: reduce the attack surface; prioritize critical threats
- ALERTS: too many alerts from too many sources without context. Requirements: reduce false positives; add attack context
- COMPLEXITY: highly manual response with complex workflows. Requirements: accelerate incident handling workflows and automate proactive response

Today's Security Operations Center (SOC) Workflow (diagram)
- 3rd-party threat intel feeds supply only IOCs (IP, URL, domain); only some IOCs are provided and they are less detailed
- Security log sources: Firewall 1,2,3,4; IPS; Proxy; SIEM; APT; Endpoint
- Security admin manually searches and queries, and investigates with free community searches (e.g. VirusTotal, URL blacklists, malwaredomain)
- Output: summary report; informs actions; actions are taken manually

Metrics for success
- TIME TO IDENTIFICATION: decrease the time to identify new, targeted attacks
- TIME TO ERADICATION: speed up mitigation without adding specialized staff

How to improve the security incident response operations workflow?

1. Using the global threat intelligence cloud
- Real-world attacks from WildFire, the industry's largest network sandbox service
- Cyber Threat Alliance: sharing threat information
- 3rd-party feeds, closed and open-source intel
- Palo Alto Networks global passive DNS network; 3rd-party passive DNS network
- Unit 42, threat intelligence and research team
- Malware/APT feeds
- Threat Intelligence Cloud contents: malware signatures (1 billion), C&C/DNS signatures (millions), URL signatures (billions)
- >15,000 WildFire global enterprise customers

Threat Intelligence: Detecting the unknown at scale
- WildFire delivers over 100K new protections to customers per day
- AutoFocus contains over 2B files and over 500B artifacts (and growing)
- Enriched information: 150M samples/month
- Over 1,000 AutoFocus tags add human-curated intelligence to over 80% of yearly malware incidents
- Known good files = reduce false positives; known bad files = reduce false negatives

Demo: Context from AutoFocus
- Context: malware families, attack campaigns, exploits, malicious behavior, threat actors
- Context: my org, my industry and global view; top malware, top application malware, top source, destination and country
- Context: malware dynamic and static analysis, malware behavior, indicators of attack and compromise
- Top attack source, destination and country, e.g. IP 185.127.25.176, domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, URL phil-army.gotdns.org/4c4f4f50/archive/512321505.html

Using a Large Global Threat Intelligence Source (diagram)
- 3rd-party threat intel feed: only IOCs (IP, URL, domain)
- Security log sources: Firewall 1,2,3,4; IPS; Proxy; SIEM; APT; Endpoint
- Security admin still searches, queries and takes actions manually
- Deep information provided for investigation: threat actors, malware family, adversary campaign, target industries, prioritized alerts, malicious behavior, exploit techniques, contexts (IP, connectivity, domain, URL, passive DNS, etc.)
- Output: accurate summary report, more actionable actions; inform and provide actionable controls

2. Orchestrate Threat Intelligence and Enforce Prevention-based Control Automatically
- Aggregate and correlate TI feeds: threat intelligence feeds, private feeds, threat intelligence platforms, SIEM
- Automated enforcement of prevention-based control on network enforcers and endpoint enforcers

Threat Intel Aggregator Architecture
- Input: threat feeds from OSINT, commercial sources, organizations (CERT, ISAC) and AutoFocus
- Processors: IPv4/IPv6 aggregator, URL aggregator, domain aggregator
- Outputs: JSON, STIX/TAXII, External Dynamic List (EDL), Elastic/Logstash
- Consumers: network enforcers (FW, IPS), endpoint enforcers, SIEM

Reduce False Positives by Correlating TI
- Cross-check and correlate 3rd-party threat intel by indicator type (IP, DNS, URL)
- Export the correlated IOCs to network enforcers (FW, IPS), endpoint enforcers and the SIEM

Orchestrate TI and Automated Enforcement of Prevention-based Control (diagram)
- 3rd-party threat intel (IP, DNS, URL) is cross-checked and the IOCs exported as a feed (JSON, STIX)
- Enforcers (Firewall 1,2,3,4, IPS, Proxy) automatically poll the IOC feed for prevention
- Security logs flow to the SIEM; API calls (JSON, STIX) provide deep info for investigation: threat actors, malware family, adversary campaign, target industries, prioritized alerts, malicious behavior, exploit techniques, contexts (IP, connectivity, domain, URL, passive DNS, etc.)
- Security admin: search and query, accurate summary report, more actionable actions, watchlist and traceback across APT and Endpoint
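The three preceding slides describe the same pipeline at increasing depth: feeds in, per-type processors (IPv4/IPv6, domain, URL), a cross-check across feeds so that single-source noise is not pushed to enforcers, and EDL/JSON exports that firewalls and the SIEM poll. The following Python sketch is an added example of that pipeline, not MineMeld or Palo Alto Networks code. Feed names, feed contents and the allow list are constructed; 203.0.113.0/24 and 2001:db8::/32 are documentation ranges standing in for attacker infrastructure, and the MIN_SOURCES threshold is an assumed policy, not something the slides specify.

```python
"""Toy threat-intel aggregator: normalise indicators by type, corroborate across
feeds, drop known-good and bogon entries, export EDL text and a JSON feed."""
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feeds with deliberate overlap and noise (not real intel).
FEEDS = {
    "osint_a":      ["203.0.113.7", "203.0.113.8", "203.0.113.9", "bad.example",
                     "http://evil.invalid/x", "2001:db8::1"],
    "commercial_b": ["203.0.113.7", "203.0.113.50", "BAD.example.",
                     "http://evil.invalid/x", "portal.example", "2001:db8::1",
                     "not an indicator"],
    "isac_c":       ["203.0.113.7", "203.0.113.8", "203.0.113.9", "bad.example",
                     "10.0.0.5", "ftp://files.invalid/z"],
}
KNOWN_GOOD = {"portal.example"}   # assumed allow list: own infrastructure, never exported
MIN_SOURCES = 2                   # assumed policy: corroborated = reported by >= 2 feeds

# Address space that must never reach a block list; a feed that carries these
# would take down internal or loopback traffic if enforced blindly.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128", "fe80::/10",
    "fc00::/7", "ff00::/8")]


def classify(raw):
    """Route one raw feed entry to a processor; return (type, value) or None."""
    s = raw.strip()
    if "://" in s:                                  # URL processor
        p = urlsplit(s)
        return ("url", s) if p.scheme in ("http", "https") and p.hostname else None
    try:                                            # IPv4/IPv6 processor
        net = ipaddress.ip_network(s, strict=False)
    except ValueError:
        pass
    else:
        if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
            return None
        return f"ipv{net.version}", net
    host = s.lower().rstrip(".")                    # domain processor
    labels = host.split(".")
    if len(labels) >= 2 and all(lab and lab.replace("-", "").isalnum() for lab in labels):
        return "domain", host
    return None


def aggregate(feeds, known_good=KNOWN_GOOD, min_sources=MIN_SOURCES):
    """Cross-check feeds. Returns {type: {value: [sources]}} keeping only
    indicators reported by >= min_sources feeds and absent from known_good."""
    seen = defaultdict(lambda: defaultdict(set))    # type -> value -> {feeds}
    for source, entries in feeds.items():
        for raw in entries:
            hit = classify(raw)
            if hit is None:
                continue
            kind, value = hit
            host = urlsplit(value).hostname if kind == "url" else str(value)
            if host in known_good:
                continue
            seen[kind][value].add(source)
    return {kind: {v: sorted(srcs) for v, srcs in vals.items() if len(srcs) >= min_sources}
            for kind, vals in seen.items()}


def export_edl(corroborated, kind):
    """External Dynamic List: one entry per line; adjacent IPs collapsed to CIDRs."""
    values = list(corroborated.get(kind, {}))
    if kind in ("ipv4", "ipv6"):
        values = [str(n) for n in ipaddress.collapse_addresses(values)]
        values = [v.removesuffix("/32").removesuffix("/128") for v in values]
    return "\n".join(sorted(values))


def export_json(corroborated):
    """JSON feed for SIEM/API consumers, carrying provenance for traceback."""
    return json.dumps([{"type": k, "indicator": str(v), "sources": s}
                       for k, vals in corroborated.items() for v, s in vals.items()],
                      indent=2, sort_keys=True)


if __name__ == "__main__":
    corr = aggregate(FEEDS)
    for kind in ("ipv4", "ipv6", "domain", "url"):
        print(f"--- EDL {kind} ---\n{export_edl(corr, kind)}")
    print(export_json(corr))
```

Here the cross-check is a simple source count; a production aggregator would add per-feed confidence and expiry. The single-source entries (203.0.113.50) stay out of the enforcer lists but could still be kept in the indicator store for the watchlist and traceback step the slide shows.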

How it Works
- Cloud: threat intelligence from 3rd-party TI feeds, AutoFocus threat big data and WildFire; context, samples, search, match and cross-check; indicator store and export through the TI consolidator (MineMeld)
- On premise: a local MineMeld delivers actionable threat intel as automated prevention control to endpoint, SIEM, firewall and proxies

Why Do We Need a Security Platform? (diagram)
- Legacy security responses increase complexity: at every location a SIEM, sandboxing, web security gateway (proxy), firewall with stateful inspection, legacy AV controls and intrusion prevention, each repeated per location
- Next-generation security platform goals: full visibility, all locations, prevent zero-day threats, speed security analysis workflows, reduce workflow complexity

Key Benefits
1. Provide full visibility and prevention at all risk locations
2. Reduce complexity
3. Decrease the number of events per second
4. Reduce log storage
5. Reduce false positive events
6. Improve detection, response and forensic times
7. Accelerate the incident handling and response workflow