SlideShare ist ein Scribd-Unternehmen logo
1 von 22
Downloaden Sie, um offline zu lesen
Automation: Embracing the
Future of SecOps
IBM Security / © 2019 IBM Corporation 2
Introducing our Speakers
Ted Julian, VP Product Management
& Co-Founder, IBM Resilient
Mike Rothman
President & Analyst, Securosis
The Future of
Security Operations
Mike Rothman, President
@securityincite
‣ Independent analysts with backgrounds on
both the user and vendor side.
‣ Focused on deep technical and industry
expertise.
‣ Pragmatism is religion for us.
‣ We are security guys - that’s all we do.
‣ And we know a little bit about the cloud…
‣ We have been teaching cloud security
for 7 years
‣ We wrote the CSA 4.0 guidance
About Securosis
Automation: Embracing the Future of SecOps
‣ SecOps is getting harder:
‣ Adversary innovation
‣ Infrastructure complexity
‣ Skills gap
It’s not going to get better
(itself)…
https://flic.kr/p/bBJYYK
‣ Get smarter. Make better decisions
‣ Analytics
‣ Threat Intelligence
‣ Alerts appeared ahead of most
major breaches
‣ Someone still has to do
something!
Actionable Alerts (not the answer)
SOARing
‣ Security Orchestration, Automation
and Response.
‣ Work smarter. Not harder.
‣ Find leverage in operational
motions.
‣ Orchestrate different controls into a
cohesive whole
‣ Automate the playbooks
https://flic.kr/p/FAEhM
The Rise of the Architects
Building and maintaining policies and turning them into playbooks is one of
the critical skills to have moving forward.
Automation Use
Cases
IBM Security / © 2019 IBM Corporation 10
Phishing Enrichment
This use case determines what items are present in
an email, such as: links, files, IPs, domains, etc.
The automation enriches those items using threat
intelligence databases, searches across the
environment for relevant files and creates a
summary report.
1. Trigger the playbook when suspicious emails
are forwarded to the phishing-triage inbox
2. Enrich links and other information from an email
3. If present, detonate file attachments in a
sandbox
4. Hunt for files across the environment
5. Summarize and report
Manual Automated
26:10 min 1:25 min
Capability Example Platform
Threat Intel Recorded Future
Virus Total
X-Force Exchange
Malware Analysis
Sandbox
Cuckoo
Endpoint File
Detection
CB Response
IP Geolocation MaxMind
Alerting Email
Endpoint Event Enrichment
This use case speeds up the investigation by
presenting the analyst with a summarized report
containing the details of the event, user affected,
system information and an environment-wide scan
for related files.
1. Trigger the playbook on CrowdStrike endpoint
alerts for potentially malicious files
2. Use Virus Total to check if the file hash is
widely known,
3. If not give the option to detonate the file,
4. If so give the option to search the environment
for the file
5. Query the domain to obtain the system and
user information from AD
6. Query the endpoint to capture the running
processes, network connections and logged on
users.
Manual Automated
30:50 min 0:55 min
Capability Example Platform
Threat Intel Virus Total
Malware Analysis
Sandbox
Cuckoo
Endpoint Security CrowdStrike
Directory Services AD/LDAP
Host
Instrumentation
Windows Remote
Management
MITRE ATT&CK™ framework enrichment
This use case leverages the MITRE ATTACK tactics
and techniques to assist the analyst in prioritizing
their workload and understanding the potential
severity and risk of an incident.
1. Ingest Offense data from QRadar & generate
incident with malware playbook in Resilient.
2. Send IoCs to MISP & map with MITRE
techniques
3. Detonate the malware sample in Hybrid
Analysis & extract the MITRE techniques
4. Enrich incident record with MITRE Tactics &
Techniques data to guide analyst follow-up &
generate additional tasks to mitigate these
specific threats
Manual Automated
60:180 min 5:00 min
Capability Example Platform
Threat Intel MISP
Malware Analysis
Sandbox
Hybrid Analysis
Endpoint Security CrowdStrike
SIEM QRadar
http://ibm.biz/BdzqAf
MITRE ATT&CK™ Framework enrichment
IBM Security / © 2019 IBM Corporation 14
‣ Set policies to ensure automations don’t go “outside the lines”
‣ Provides a safety net so you don’t go splat if something doesn’t
work as intended.
‣ Examples:
‣ Privilege escalation: Trigger is an escalation of a privileged
account. Guardrail revokes additional privileges by making
API call to directory.
‣ Rogue device: Quarantine an unauthorized device by
shutting it down at the network switch.
‣ Deploy new threat detections: Based on trusted threat intel,
deploy blocking rules on ingress devices to stop traffic from a
questionable domain.
Drill Down on Guardrails
How do we retool people and
processes for automation?
‣ What is success for SOAR?
‣ The continuum of automation
‣ Quantifying staff efficiency
‣ Trustable Automation
‣ Tread carefully and built trust in
both the triggers and the actions
‣ Iterate through human approval,
automation with logging,
automation with guardrails
Defining Success and Avoiding
Pitfalls
Apply machine learning to historical
data to inform:
• Categorization
• Prioritization
• Assignment
• Time to resolve prediction
• Solution recommendation
• Intelligent automation
Purposes
Machine Learning in SOAR
Incident Response Maturity Model
‣ Blog
‣ http://securosis.com/blog
‣ Research
‣ http://securosis.com/research
‣ We publish (almost) everything for free
‣ Contribute. Make it better.
Read our stuff
20
© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for
informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of
direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention,
detection and response to improper access from within and outside your enterprise. Improper access can result in
information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be considered completely secure and no single
product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM
does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the
malicious or illegal conduct of any party.
Follow us on:
ibm.com/security
securityintelligence.com
ibm.com/security/community
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
Thank you
Automation: Embracing the Future of SecOps

Weitere ähnliche Inhalte

Was ist angesagt?

Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsIBM Security
 
Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!IBM Security
 
Top 5 Things to Look for in an IPS Solution
Top 5 Things to Look for in an IPS SolutionTop 5 Things to Look for in an IPS Solution
Top 5 Things to Look for in an IPS SolutionIBM Security
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware IBM Security
 
The 2016 Ponemon Cost of a Data Breach Study
The 2016 Ponemon Cost of a Data Breach StudyThe 2016 Ponemon Cost of a Data Breach Study
The 2016 Ponemon Cost of a Data Breach StudyIBM Security
 
PCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
PCI Breach Scenarios and the Cyber Threat Landscape with Brian HonanPCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
PCI Breach Scenarios and the Cyber Threat Landscape with Brian HonanTripwire
 
Infographic: Mobile is growing and so are security threats
Infographic: Mobile is growing and so are security threatsInfographic: Mobile is growing and so are security threats
Infographic: Mobile is growing and so are security threatsIBM Security
 
10 Steps to Better Security Incident Detection
10 Steps to Better Security Incident Detection10 Steps to Better Security Incident Detection
10 Steps to Better Security Incident DetectionTripwire
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasBlack Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasTripwire
 
Life on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber AttacksLife on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber AttacksIBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...IBM Security
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017IBM Security
 
Adapt or Die: The Evolution of Endpoint Security
Adapt or Die: The Evolution of Endpoint SecurityAdapt or Die: The Evolution of Endpoint Security
Adapt or Die: The Evolution of Endpoint SecurityTripwire
 

Was ist angesagt? (20)

Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune SystemCybersecurity in the Cognitive Era: Priming Your Digital Immune System
Cybersecurity in the Cognitive Era: Priming Your Digital Immune System
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile Metrics
 
Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!
 
Top 5 Things to Look for in an IPS Solution
Top 5 Things to Look for in an IPS SolutionTop 5 Things to Look for in an IPS Solution
Top 5 Things to Look for in an IPS Solution
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
 
The 2016 Ponemon Cost of a Data Breach Study
The 2016 Ponemon Cost of a Data Breach StudyThe 2016 Ponemon Cost of a Data Breach Study
The 2016 Ponemon Cost of a Data Breach Study
 
PCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
PCI Breach Scenarios and the Cyber Threat Landscape with Brian HonanPCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
PCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan
 
Infographic: Mobile is growing and so are security threats
Infographic: Mobile is growing and so are security threatsInfographic: Mobile is growing and so are security threats
Infographic: Mobile is growing and so are security threats
 
IBM Security Strategy
IBM Security StrategyIBM Security Strategy
IBM Security Strategy
 
10 Steps to Better Security Incident Detection
10 Steps to Better Security Incident Detection10 Steps to Better Security Incident Detection
10 Steps to Better Security Incident Detection
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and IdeasBlack Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
 
Life on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber AttacksLife on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber Attacks
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017
 
Adapt or Die: The Evolution of Endpoint Security
Adapt or Die: The Evolution of Endpoint SecurityAdapt or Die: The Evolution of Endpoint Security
Adapt or Die: The Evolution of Endpoint Security
 

Ähnlich wie Automation: Embracing the Future of SecOps

Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public versionIBM Sverige
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilientPrime Infoserv
 
What’s the State of Your Endpoint Security?
What’s the State of Your    Endpoint Security?What’s the State of Your    Endpoint Security?
What’s the State of Your Endpoint Security?IBM Security
 
IBM: Cognitive Security Transformation for the Enrgy Sector
IBM: Cognitive Security Transformation for the Enrgy SectorIBM: Cognitive Security Transformation for the Enrgy Sector
IBM: Cognitive Security Transformation for the Enrgy SectorFMA Summits
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsSecurity Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsIBM Security
 
Take your SOC Beyond SIEM
Take your SOC Beyond SIEMTake your SOC Beyond SIEM
Take your SOC Beyond SIEMThomas Springer
 
Ibm q radar_blind_references
Ibm q radar_blind_referencesIbm q radar_blind_references
Ibm q radar_blind_referencesMaarten Werff
 
Big Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.net
Big Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.netBig Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.net
Big Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.netxband
 
An Integrated, Intelligent Approach to Security
An Integrated, Intelligent Approach to SecurityAn Integrated, Intelligent Approach to Security
An Integrated, Intelligent Approach to SecurityGerard McNamee
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Sirius
 
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenbergIbm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenbergdawnrk
 
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenbergIbm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenbergdawnrk
 
3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart ThemIBM Security
 
Cognitive Computing in Security with AI
Cognitive Computing in Security with AI Cognitive Computing in Security with AI
Cognitive Computing in Security with AI JoAnna Cheshire
 
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM Security
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM Sverige
 
QRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdfQRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdfssuserf5beb3
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentIBM Security
 

Ähnlich wie Automation: Embracing the Future of SecOps (20)

Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public version
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red Hat
 
IBM Qradar & resilient
IBM Qradar & resilientIBM Qradar & resilient
IBM Qradar & resilient
 
What’s the State of Your Endpoint Security?
What’s the State of Your    Endpoint Security?What’s the State of Your    Endpoint Security?
What’s the State of Your Endpoint Security?
 
IBM: Cognitive Security Transformation for the Enrgy Sector
IBM: Cognitive Security Transformation for the Enrgy SectorIBM: Cognitive Security Transformation for the Enrgy Sector
IBM: Cognitive Security Transformation for the Enrgy Sector
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsSecurity Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
 
Take your SOC Beyond SIEM
Take your SOC Beyond SIEMTake your SOC Beyond SIEM
Take your SOC Beyond SIEM
 
Ibm q radar_blind_references
Ibm q radar_blind_referencesIbm q radar_blind_references
Ibm q radar_blind_references
 
Big Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.net
Big Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.netBig Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.net
Big Fix Q-Radar Ahmed Sharaf - EmbeddedSecurity.net
 
An Integrated, Intelligent Approach to Security
An Integrated, Intelligent Approach to SecurityAn Integrated, Intelligent Approach to Security
An Integrated, Intelligent Approach to Security
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
 
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenbergIbm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
 
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenbergIbm ofa ottawa_ how_secure_is_your_data_eric_offenberg
Ibm ofa ottawa_ how_secure_is_your_data_eric_offenberg
 
3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them
 
Cognitive Computing in Security with AI
Cognitive Computing in Security with AI Cognitive Computing in Security with AI
Cognitive Computing in Security with AI
 
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and Trends
 
QRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdfQRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdf
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
 

Mehr von IBM Security

Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityIBM Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemIBM Security
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersIBM Security
 
Compliance is a pit stop – your destination lies ahead
Compliance is a pit stop – your destination lies aheadCompliance is a pit stop – your destination lies ahead
Compliance is a pit stop – your destination lies aheadIBM Security
 

Mehr von IBM Security (11)

Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune SystemCybersecurity In The Cognitive Era: Priming Your Digital Immune System
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange Partners
 
Compliance is a pit stop – your destination lies ahead
Compliance is a pit stop – your destination lies aheadCompliance is a pit stop – your destination lies ahead
Compliance is a pit stop – your destination lies ahead
 

Kürzlich hochgeladen

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 

Kürzlich hochgeladen (20)

Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 

Automation: Embracing the Future of SecOps

  • 2. IBM Security / © 2019 IBM Corporation 2 Introducing our Speakers Ted Julian, VP Product Management & Co-Founder, IBM Resilient Mike Rothman President & Analyst, Securosis
  • 3. The Future of Security Operations Mike Rothman, President @securityincite
  • 4. ‣ Independent analysts with backgrounds on both the user and vendor side. ‣ Focused on deep technical and industry expertise. ‣ Pragmatism is religion for us. ‣ We are security guys - that’s all we do. ‣ And we know a little bit about the cloud… ‣ We have been teaching cloud security for 7 years ‣ We wrote the CSA 4.0 guidance About Securosis
  • 6. ‣ SecOps is getting harder: ‣ Adversary innovation ‣ Infrastructure complexity ‣ Skills gap It’s not going to get better (itself)… https://flic.kr/p/bBJYYK
  • 7. ‣ Get smarter. Make better decisions ‣ Analytics ‣ Threat Intelligence ‣ Alerts appeared ahead of most major breaches ‣ Someone still has to do something! Actionable Alerts (not the answer)
  • 8. SOARing ‣ Security Orchestration, Automation and Response. ‣ Work smarter. Not harder. ‣ Find leverage in operational motions. ‣ Orchestrate different controls into a cohesive whole ‣ Automate the playbooks https://flic.kr/p/FAEhM
  • 9. The Rise of the Architects Building and maintaining policies and turning them into playbooks is one of the critical skills to have moving forward.
  • 10. Automation Use Cases IBM Security / © 2019 IBM Corporation 10
  • 11. Phishing Enrichment This use case determines what items are present in an email, such as: links, files, IPs, domains, etc. The automation enriches those items using threat intelligence databases, searches across the environment for relevant files and creates a summary report. 1. Trigger the playbook when suspicious emails are forwarded to the phishing-triage inbox 2. Enrich links and other information from an email 3. If present, detonate file attachments in a sandbox 4. Hunt for files across the environment 5. Summarize and report Manual Automated 26:10 min 1:25 min Capability Example Platform Threat Intel Recorded Future Virus Total X-Force Exchange Malware Analysis Sandbox Cuckoo Endpoint File Detection CB Response IP Geolocation MaxMind Alerting Email
  • 12. Endpoint Event Enrichment This use case speeds up the investigation by presenting the analyst with a summarized report containing the details of the event, user affected, system information and an environment-wide scan for related files. 1. Trigger the playbook on CrowdStrike endpoint alerts for potentially malicious files 2. Use Virus Total to check if the file hash is widely known, 3. If not give the option to detonate the file, 4. If so give the option to search the environment for the file 5. Query the domain to obtain the system and user information from AD 6. Query the endpoint to capture the running processes, network connections and logged on users. Manual Automated 30:50 min 0:55 min Capability Example Platform Threat Intel Virus Total Malware Analysis Sandbox Cuckoo Endpoint Security CrowdStrike Directory Services AD/LDAP Host Instrumentation Windows Remote Management
  • 13. MITRE ATT&CK™ framework enrichment This use case leverages the MITRE ATTACK tactics and techniques to assist the analyst in prioritizing their workload and understanding the potential severity and risk of an incident. 1. Ingest Offense data from QRadar & generate incident with malware playbook in Resilient. 2. Send IoCs to MISP & map with MITRE techniques 3. Detonate the malware sample in Hybrid Analysis & extract the MITRE techniques 4. Enrich incident record with MITRE Tactics & Techniques data to guide analyst follow-up & generate additional tasks to mitigate these specific threats Manual Automated 60:180 min 5:00 min Capability Example Platform Threat Intel MISP Malware Analysis Sandbox Hybrid Analysis Endpoint Security CrowdStrike SIEM QRadar http://ibm.biz/BdzqAf
  • 14. MITRE ATT&CK™ Framework enrichment IBM Security / © 2019 IBM Corporation 14
  • 15. ‣ Set policies to ensure automations don’t go “outside the lines” ‣ Provides a safety net so you don’t go splat if something doesn’t work as intended. ‣ Examples: ‣ Privilege escalation: Trigger is an escalation of a privileged account. Guardrail revokes additional privileges by making API call to directory. ‣ Rogue device: Quarantine an unauthorized device by shutting it down at the network switch. ‣ Deploy new threat detections: Based on trusted threat intel, deploy blocking rules on ingress devices to stop traffic from a questionable domain. Drill Down on Guardrails
  • 16. How do we retool people and processes for automation?
  • 17. ‣ What is success for SOAR? ‣ The continuum of automation ‣ Quantifying staff efficiency ‣ Trustable Automation ‣ Tread carefully and built trust in both the triggers and the actions ‣ Iterate through human approval, automation with logging, automation with guardrails Defining Success and Avoiding Pitfalls
  • 18. Apply machine learning to historical data to inform: • Categorization • Prioritization • Assignment • Time to resolve prediction • Solution recommendation • Intelligent automation Purposes Machine Learning in SOAR
  • 20. ‣ Blog ‣ http://securosis.com/blog ‣ Research ‣ http://securosis.com/research ‣ We publish (almost) everything for free ‣ Contribute. Make it better. Read our stuff 20
  • 21. © Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. Follow us on: ibm.com/security securityintelligence.com ibm.com/security/community xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions Thank you

Hinweis der Redaktion

  1. Do not place photos or images on cover pages. Please remove this information box before using this cover page.
  2. It is a Resilient-circuits based integration, similar to the functions Pfizer is using now. There are two components. The web component is used to build a machine learning model. It reads incidents from a Resilient server and uses them as samples. Once a model is built, it is saved locally. To use the model, the user creates a new incident, and the click Predict. Then the Resilient server is going to send the incident to the Function component. The function component reads the saved model, and do a prediction. The result is sent back to the Resilient server.