Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017

Similar documents
SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

RSA IT Security Risk Management

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Security Automation Best Practices

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Simplify, Streamline and Empower Security with ISecOps

MITIGATE CYBER ATTACK RISK

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

Integrated, Intelligence driven Cyber Threat Hunting

Cisco Network Assurance Engine with ServiceNow Cisco Network Assurance Engine, the industry s first SDN-ready intent assurance suite, integrates with

A Practical Guide to Efficient Security Response

The Evolution of : Continuous Advanced Threat Protection

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

The Common Controls Framework BY ADOBE

Carbon Black PCI Compliance Mapping Checklist

CloudSOC and Security.cloud for Microsoft Office 365

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Le sfide di oggi, l evoluzione e le nuove opportunità: il punto di vista e la strategia IBM per la Sicurezza

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

What It Takes to be a CISO in 2017

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

How to construct a sustainable vulnerability management program

RSA ADVANCED SOC SERVICES

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

OPERATIONS CENTER. Keep your client s data safe and business going & growing with SOC continuous protection

Security Diagnostics for IAM

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Traditional Security Solutions Have Reached Their Limit

SIEMLESS THREAT MANAGEMENT

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

4/13/2018. Certified Analyst Program Infosheet

Datacenter Security: Protection Beyond OS LifeCycle

State of Security Operations

Proactive Approach to Cyber Security

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

ANATOMY OF AN ATTACK!

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Building an Effective Threat Intelligence Capability. Haider Pasha, CISSP, C EH Director, Security Strategy Emerging Markets Office of the CTO

Adaptive & Unified Approach to Risk Management and Compliance via CCF

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

MANAGED DETECTION AND RESPONSE

Endpoint Security for DeltaV Systems

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

SOLUTION BRIEF Virtual CISO

How Breaches Really Happen

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

White Paper. How to Write an MSSP RFP

AT&T Endpoint Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Compliance Audit Readiness. Bob Kral Tenable Network Security

Threat Centric Vulnerability Management

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Building Resilience in a Digital Enterprise

Securing Digital Transformation

Burning Down the Haystack. Tim Frazier Senior Security Engineer

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

SecOps : Security Operations. Saurav Sinha Head of Presales India

SIGS AFTERWORK EVENT. Security: which operational model for which scenario. Hotel Warwick - Geneva

Enabling Security Controls, Supporting Business Results

THE ACCENTURE CYBER DEFENSE SOLUTION

May the (IBM) X-Force Be With You

FOUR WAYS TO IMPROVE ENDPOINT SECURITY: MOVING BEYOND TRADITIONAL APPROACHES

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

The Resilient Incident Response Platform

Qualys Indication of Compromise

Department of Management Services REQUEST FOR INFORMATION

SYMANTEC DATA CENTER SECURITY

CYBER THREAT INTEL: A STATE OF MIND. Internal Audit, Risk, Business & Technology Consulting

Cyber Protections: First Step, Risk Assessment

Aligning with the Critical Security Controls to Achieve Quick Security Wins

The New Era of Cognitive Security

Sandboxing and the SOC

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

ArcSight Activate Framework

locuz.com SOC Services

Symantec Security Monitoring Services

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Security-as-a-Service: The Future of Security Management

Cybersecurity The Evolving Landscape

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

The Convergence of Security and Compliance

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Novetta Cyber Analytics

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Transcription:

Security Automation & Orchestration That Won t Get You Fired Syra Arif Advisory Security Solutions Architect ServiceNow @syraarif November 2017 1

Speaker Introduction NAME: Syra Arif TITLE: Advisory Security Solutions Architect FUNCTION: Security COMPANY: ServiceNow EXPERIENCE: Diverse technical background including Governance, Risk & Compliance, Identity & Access Management, Security Operations EXPERTISE: Bridging the gap between security & agility and focusing on the customer experience CURRENT PROJECTS: ServiceNow Security Operations & Governance, Risk, and Compliance 2

One in ~32 million definitions 3

Only ~521K for Orchestration 4

Truth or Fiction Security and Risk Automation All runbooks must be defined in advance Our team, tools and processes are good enough Automation is too hard Automation will make my security team into robots Workflow and Automation will solve everything This is just a passing fad 5

Is it Risky? Automate and/or die Anton Chuvakin Yes! But you are probably doing it today 6

Most Widely KNOWN Automation Intrusion Prevention Systems Anti-virus and signature updating The auto-blocking tools vendors warn that if you don t automate you will make the cover of the NY Times These were poorly designed automation tools built with the best of intentions 7

Crawl, Walk, Run, Robot! 8

Soo.What Can You Automate in the SOC? (Without Getting Fired*) Start with something simple, repetitive, important - and something that is going to save your analysts time A typical phishing investigation can take about 20-30 minutes and requires a lot of manual steps When not followed up on it can lead to large and costs infection When following up you may miss other pressing issues Initial (triage) research does not require a particular set of skills * if you are fired for doing everything I outline here you have my sympathy but I surely am not to blame 9

Start Passively Automate Process Lookups Explode Malware in Sandbox Pull Asset Records Threat Lookups What is running? Is this normal? What is normal? Is there any reason for a human to be involved? Just report the results so an analyst can take action Who owns it? Where is it? Have I seen this before? Has someone else seen it? 10

Gate your automation as you mature Disable Account: Only when confirmed to be compromised Block on Firewall: Only block known infected systems Reset passwords Delete phishing email(s) Push button automation 11

Go Active (after significant testing) Blocking Disabling Accounts Auditing Everything Do More With the Same Can be disruptive but can also be undone quickly Can keep you out of the headlines Create change records for every automated task Automation allows your analysts to operate faster Measure & Refine 12

Security Incident Response 13

An Example: The Typical Incident Investigation Process Security Incident Generated Analyst Prioritizes, Assigns & Categorizes Incident Analyst identifies & extracts IPs, hashes & IoCs Analyst runs reputational lookups via threat intel indicators Analyst gets running processes from target machine Analysts gets network connections from target machine Analyst runs hashes on all running processes Analyst runs threat intel lookups on all processes and network connections Analyst confirms threat Analyst begins remediation process 14

An Example: The Incident Investigation Process with Automation Security Incident Generated Analyst Prioritizes, Assigns & Categorizes Incident Analyst identifies & extracts IPs, hashes & IoCs Analyst runs reputational lookups via threat intel indicators Analyst gets running processes from target machine Analysts gets network connections from target machine Analyst runs hashes on all running processes Analyst runs threat intel lookups on all processes and network connections Analyst confirms threat Analyst begins remediation process Red Boxes = Data Enrichment Activities 15

Vulnerability Response 16

How do I Automate Vulnerability Response? A key part of vulnerability response is Change Management Identifying & tracking the vulnerability lifecycle is tedious When not followed up on it can lead to large issues later Too many players across multiple teams Knowing who is doing what is difficult when IT is responsible Automated Patch Management sounds awesome, but difficult when IT owns Change Management 17

An Example: The Typical Vulnerability Response Process Vulnerability Scan Kicked Off Very Large Spreadsheet Downloaded Analyst identifies key stakeholders Application & Asset Owners Engaged Remediation Plan Identified Work Order Submitted for Patching & Config Change Black Hole Black Hole Black Hole Vulnerability is Closed 18

An Example: The Incident Investigation Process with Automation Vulnerability Scan Results Populated Very Large Spreadsheet Downloaded Analyst identifies key stakeholders Application & Asset Owners Engaged Remediation Plan Identified Work Order Submitted for Patching & Config Change Black Hole Black Hole Black Hole Vulnerability is Closed Red Boxes = Spreadsheet Lookups & Black Holes with Limited Visibility into Change Management 19

Takeaways 1 2 3 Start passively Grow to gated automation Move to active (albeit carefully) 20

Visit ServiceNow at Booth #608 https://www.servicenow.com/sec-ops @syraarif 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback