Security Operations 2018: What is Working? What is Not.

Similar documents
Managed Endpoint Defense

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Reducing the Cost of Incident Response

Cloud and Cyber Security Expo 2019

Security. Made Smarter.

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

PULLING OUR SOCS UP VODAFONE GROUP AT RSAC Emma Smith. Andy Talbot. Group Technology Security Director Vodafone Group Plc

Incident Response Agility: Leverage the Past and Present into the Future

THE ACCENTURE CYBER DEFENSE SOLUTION

Readiness, Response & Resilence:

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Building and Instrumenting the Next- Generation Security Operations Center. Sponsored by

Qualys Indication of Compromise

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Popular SIEM vs aisiem

BUILDING AND MAINTAINING SOC

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

NEXT GENERATION SECURITY OPERATIONS CENTER

Microsoft Security Management

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Operationalizing the Three Principles of Advanced Threat Detection

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

empow s Security Platform The SIEM that Gives SIEM a Good Name

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

CERT Development EFFECTIVE RESPONSE

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis

Make IR Effective with Risk Evaluation and Reporting

Un SOC avanzato per una efficace risposta al cybercrime

Getting Security Operations Right with TTP0

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

An Aflac Case Study: Moving a Security Program from Defense to Offense

BUILD A NEXT-GENERATION SECURITY OPERATIONS CENTER

Sustainable Security Operations

McAfee Endpoint Threat Defense and Response Family

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Burning Down the Haystack. Tim Frazier Senior Security Engineer

The Rise of the Purple Team

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Security Automation Best Practices

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

IBM Proventia Management SiteProtector Sample Reports

The Resilient Incident Response Platform

Global Manufacturer MAUSER Realizes Dream of Interconnected, Adaptive Security a Reality

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

THE EVOLUTION OF SIEM

Traditional Security Solutions Have Reached Their Limit

Resolving Security s Biggest Productivity Killer

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

RSA IT Security Risk Management

Mastering The Endpoint

MITIGATE CYBER ATTACK RISK

Defending Against Unkown Automation is the Key. Rajesh Kumar Juniper Networks

SIEMLESS THREAT DETECTION FOR AWS

SIEM Solutions from McAfee

Designing and Building a Cybersecurity Program

RELEVANT IMPACT: Building a Successful Threat Management Program. NTX ISSA 3 rd Semi-Annual Cyber Security Conference

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Novetta Cyber Analytics

The Evolution of : Continuous Advanced Threat Protection

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Security Operations & Analytics Services

RSA Fraud & Risk Intelligence Solutions

The Oracle Trust Fabric Securing the Cloud Journey

McAfee Advanced Threat Defense

Panda Security. Corporate Presentation. Gianluca Busco Arré Country Manager

Stop Threats Before They Stop You

Managed Security Services - Endpoint Managed Security on Cloud

esendpoint Next-gen endpoint threat detection and response

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Be effective in protecting against the cybercrime

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

Aligning with the Critical Security Controls to Achieve Quick Security Wins

SOLUTION BRIEF Virtual CISO

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

CloudSOC and Security.cloud for Microsoft Office 365

RSA ADVANCED SOC SERVICES

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Cybersecurity Auditing in an Unsecure World

Compare Security Analytics Solutions

Censornet. CensorNet Unified Security Service (USS) FREEDOM. VISIBILITY. PROTECTION. Lars Gotlieb Regional Manager DACH

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

MEETING ISO STANDARDS

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Transcription:

SESSION ID: TTA-F03 Security Operations 2018: What is Working? What is Not. Kerry Matre Security Operations Strategist Palo Alto Networks

2

How did we get here? Today Short Description Q1 20YY 01 Milestone Short Description Q1 20YY 02 Milestone Short Description Q1 20YY 03 Milestone Short Description Q1 20YY Milestone Add in graphical timeline of SOC evolution 0 4 Short Description Q3 20YY 0 5 Milestone Short Description Q3 20YY Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 20YY 20YY 20YY 20YY

#1 Naming makes no difference Most Popular: Security Operations Center (SOC) Cyber Defense Center (CDC) Components: Defense Center = Protective Intelligence Center = High Caliber Analysis Threat = Risk Based Cyber = Electronic vs. Physical Fusion Center = Coordination with a NOC 4

#2 Mission Matters Yes! Identify Investigate Mitigate NO! Engineering Network Operations Forensics Incident Response Compliance Integrations/Development 5

Analyst time allocation Identify Investigate Mitigate Feeds!= Use Cases Overwhelmed by false positives Detune sensors Ignore alerts Fire-and-forget mitigation Console burnout 6

#3 Prevention-based Architectures Consistent Protection (Network, Endpoint, Cloud) Centralized Management Automated Threat Prevention Prevention Based on Users, Applications and Data 7

Ideal analyst time allocation Better outcomes Faster remediation Smart people working on smart things More job satisfaction Identify Investigate Mitigate 8

#4 Formalized Hunting Smart people looking for things missed all other ways Time to do it 2 week, goal-oriented sprints Process driven, agile Driven by piece of Intel Hunt ends with what was learned & feedback into the controls 9

How many tools do you use? 10

#5 Too many tools Average 40 tools Very small feature use Consolidation on a platform 11

Build your own? High cost Low results 12

#6 Working with the business SOC/NOC Integration Business Unit alignment IT Integration Business liaison Automation developer Operations engineer 13

#7 Metrics that matter The right metrics drive change. 14

Bad Metrics Mean Time to Resolution (MTTR) # of incidents handled # of alerts # of feeds 15

Two types of metrics Configuration Confidence Operational Confidence 16

Good Metrics Configuration Confidence Are controls running? Control changes Configured to best practices Feature use % of traffic visible Operational Confidence Events per analyst hour (EPAH) Duplicate incidents Alerts for known threats Deviation from SOC procedures 17

Actual Results: There is good news! Drastically reduced events 90% reduction in support tickets to reimage machines from malware infections Reduced threat alerts from ~20 million per day to ~1.2 million per day; nearly 80% reduction in noise Automatic blocking of 95% of events Stabilized headcount Reduced EPAH from 200 to 20 40% gain in administration efficiency Playbook and threat prevention automation Implementation of security controls based on IoCs reduced from days to minutes due to automated threat prevention. Threat intelligence processing reduced by 50% from automation EDLs turned threat response to blocks within 5 minutes 18

Apply What You Have Learned Today Next week you should: Define or clarify the mission of your SOC and get buy-in from the business. In the first three months following this presentation you should: Question your metrics. Align them to Configuration and Operational confidence. Evaluate your toolsets and usage. Enable existing features. Within six months you should: Adopt a prevention-based architecture for better protection and to reduce noise in the SOC. Create an agile, defined hunting process. Hire a business liaison; move controls closer to the business. 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback