Join Mike Rothman, Analyst & President of Securosis and Ted Julian, VP of Product Management and co-founder of IBM Resilient, for a webinar on common automation use cases for the Security Operations Center (SOC).
Security Orchestration, Automation and Response (SOAR) tools are garnering interest in enterprise security teams due to tangible short-term benefits.
Watch the recording: https://event.on24.com/wcc/r/2007717/385A881A097E8EFCE493981972303416?partnerref=LI
4. About Securosis
‣ Independent analysts with backgrounds on both the user and vendor side.
‣ Focused on deep technical and industry expertise.
‣ Pragmatism is religion for us.
‣ We are security guys - that’s all we do.
‣ And we know a little bit about the cloud…
‣ We have been teaching cloud security for 7 years
‣ We wrote the CSA 4.0 guidance
6. It’s not going to get better (itself)…
‣ SecOps is getting harder:
  ‣ Adversary innovation
  ‣ Infrastructure complexity
  ‣ Skills gap
https://flic.kr/p/bBJYYK
7. Actionable Alerts (not the answer)
‣ Get smarter. Make better decisions
  ‣ Analytics
  ‣ Threat Intelligence
‣ Alerts appeared ahead of most major breaches
‣ Someone still has to do something!
8. SOARing
‣ Security Orchestration, Automation and Response.
‣ Work smarter. Not harder.
‣ Find leverage in operational motions.
‣ Orchestrate different controls into a cohesive whole
‣ Automate the playbooks
https://flic.kr/p/FAEhM
9. The Rise of the Architects
Building and maintaining policies and turning them into playbooks is one of the critical skills to have moving forward.
11. Phishing Enrichment
This use case determines what items are present in an email, such as links, files, IPs, domains, etc. The automation enriches those items using threat intelligence databases, searches across the environment for relevant files and creates a summary report.
1. Trigger the playbook when suspicious emails are forwarded to the phishing-triage inbox
2. Enrich links and other information from an email
3. If present, detonate file attachments in a sandbox
4. Hunt for files across the environment
5. Summarize and report
Manual: 26:10 min    Automated: 1:25 min
Capability                 Example Platform
Threat Intel               Recorded Future, VirusTotal, X-Force Exchange
Malware Analysis Sandbox   Cuckoo
Endpoint File Detection    CB Response
IP Geolocation             MaxMind
Alerting                   Email
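An added example, not code from the webinar or from IBM Resilient, of the logic behind steps 2 to 5 above and of the known/unknown hash branch that the endpoint use case on the next slide also relies on. The message, the threat-intel table (standing in for the Recorded Future, VirusTotal and X-Force Exchange lookups) and all names are constructed; the sandbox detonation and environment hunt are left as the lists a real playbook would hand to those platforms.

```python
import hashlib
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed threat-intel table standing in for Recorded Future / VirusTotal / X-Force
# Exchange lookups; sample values only, not real indicators.
THREAT_INTEL = {"domain": {"login-example.test": "malicious"},
                "ip": {"192.0.2.10": "suspicious"}, "sha256": {}}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_indicators(raw_email):
    """Step 2: pull links, domains, IPs and attachment hashes out of the message."""
    urls, ips, hashes = set(), set(), set()
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():            # attachment: hash it for the sandbox and hunt steps
            hashes.add(hashlib.sha256(payload).hexdigest())
        else:
            text = payload.decode("utf-8", "replace")
            urls.update(URL_RE.findall(text))
            ips.update(IP_RE.findall(text))
    domains = {urlparse(u).hostname for u in urls} - {None}
    return {"urls": sorted(urls), "domains": sorted(domains),
            "ips": sorted(ips), "sha256": sorted(hashes)}

def enrich(ind):
    """Steps 2-4: a verdict per indicator; hashes nobody knows are queued for detonation."""
    verdicts = {d: THREAT_INTEL["domain"].get(d, "unknown") for d in ind["domains"]}
    verdicts.update({i: THREAT_INTEL["ip"].get(i, "unknown") for i in ind["ips"]})
    detonate = [h for h in ind["sha256"] if h not in THREAT_INTEL["sha256"]]
    return verdicts, detonate

def summarize(raw_email):
    """Step 5: the report the analyst reads instead of doing each lookup by hand."""
    ind = extract_indicators(raw_email)
    verdicts, detonate = enrich(ind)
    severity = min(verdicts.values(), key=["malicious", "suspicious", "unknown"].index, default="unknown")
    return {"indicators": ind, "verdicts": verdicts, "detonate": detonate,
            "hunt_for": ind["sha256"], "severity": severity}

# Constructed message as it would arrive in the phishing-triage inbox (step 1).
SAMPLE_EMAIL = (
    'To: phishing-triage@example.test\nContent-Type: multipart/mixed; boundary="B"\n\n'
    "--B\nContent-Type: text/plain\n\nReset at https://login-example.test/reset now. "
    "Helpdesk IP 192.0.2.10\n--B\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="invoice.exe"\n\nMZfake\n--B--\n')
```

`summarize(SAMPLE_EMAIL)` returns the malicious domain and suspicious IP verdicts, one unknown attachment hash to detonate and hunt for, and an overall severity of "malicious".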
12. Endpoint Event Enrichment
This use case speeds up the investigation by presenting the analyst with a summarized report containing the details of the event, user affected, system information and an environment-wide scan for related files.
1. Trigger the playbook on CrowdStrike endpoint alerts for potentially malicious files
2. Use VirusTotal to check whether the file hash is widely known
3. If not, give the option to detonate the file
4. If so, give the option to search the environment for the file
5. Query the domain to obtain the system and user information from AD
6. Query the endpoint to capture the running processes, network connections and logged-on users
Manual: 30:50 min    Automated: 0:55 min
Capability                 Example Platform
Threat Intel               VirusTotal
Malware Analysis Sandbox   Cuckoo
Endpoint Security          CrowdStrike
Directory Services         AD/LDAP
Host Instrumentation       Windows Remote Management
13. MITRE ATT&CK™ framework enrichment
This use case leverages the MITRE ATT&CK tactics and techniques to assist the analyst in prioritizing their workload and understanding the potential severity and risk of an incident.
1. Ingest Offense data from QRadar & generate an incident with the malware playbook in Resilient
2. Send IoCs to MISP & map them to MITRE techniques
3. Detonate the malware sample in Hybrid Analysis & extract the MITRE techniques
4. Enrich the incident record with MITRE Tactics & Techniques data to guide analyst follow-up & generate additional tasks to mitigate these specific threats
Manual: 60:180 min    Automated: 5:00 min
Capability                 Example Platform
Threat Intel               MISP
Malware Analysis Sandbox   Hybrid Analysis
Endpoint Security          CrowdStrike
SIEM                       QRadar
http://ibm.biz/BdzqAf
15. Drill Down on Guardrails
‣ Set policies to ensure automations don’t go “outside the lines”
‣ Provides a safety net so you don’t go splat if something doesn’t work as intended.
‣ Examples:
  ‣ Privilege escalation: Trigger is an escalation of a privileged account. Guardrail revokes additional privileges by making an API call to the directory.
  ‣ Rogue device: Quarantine an unauthorized device by shutting it down at the network switch.
  ‣ Deploy new threat detections: Based on trusted threat intel, deploy blocking rules on ingress devices to stop traffic from a questionable domain.
16. How do we retool people and processes for automation?
17. Defining Success and Avoiding Pitfalls
‣ What is success for SOAR?
  ‣ The continuum of automation
  ‣ Quantifying staff efficiency
‣ Trustable Automation
  ‣ Tread carefully and build trust in both the triggers and the actions
  ‣ Iterate through human approval, automation with logging, automation with guardrails
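An added example (not Securosis or Resilient code) of that continuum applied to the guardrail cases from slide 15: each action runs in approval, logged or guardrails mode, and the guardrails mode refuses protected targets and rate-limits the action. The policy, limits, account names and the stand-in for the directory API call are all constructed.

```python
from datetime import datetime, timedelta
# Constructed policy, not a Securosis or Resilient artifact. "mode" is the step on the trust
# continuum: approval (a human decides), logged (runs, everything recorded) or guardrails
# (runs only inside the protected-target and per-hour limits given for the action).
POLICY = {
    "revoke_privileges": {"mode": "guardrails", "max_per_hour": 3,
                          "protected": {"break-glass-admin"}},
    "quarantine_device": {"mode": "logged"},
    "deploy_block_rule": {"mode": "approval"},
}

class GuardedAutomation:
    """Runs playbook actions, deferring or refusing the ones policy does not allow."""
    def __init__(self, policy, clock=datetime.now):
        self.policy, self.clock = policy, clock
        self.audit, self.pending, self._runs = [], [], {}

    def _runs_last_hour(self, action):
        cutoff = self.clock() - timedelta(hours=1)
        self._runs[action] = [t for t in self._runs.get(action, []) if t > cutoff]
        return len(self._runs[action])

    def request(self, action, target, execute):
        """execute(target) is the real action, e.g. the directory API call or switch command."""
        rule = self.policy[action]
        entry = {"action": action, "target": target, "time": self.clock()}
        if rule["mode"] == "approval":
            entry["result"] = "pending approval"
            self.pending.append(entry)
        elif rule["mode"] == "guardrails" and target in rule["protected"]:
            entry["result"] = "blocked: protected target"
        elif rule["mode"] == "guardrails" and self._runs_last_hour(action) >= rule["max_per_hour"]:
            entry["result"] = "blocked: rate limit, escalated to analyst"
            self.pending.append(entry)
        else:
            try:  # the safety net: a failing action is recorded, not fatal to the playbook
                entry["result"] = "done: " + str(execute(target))
                self._runs.setdefault(action, []).append(entry["time"])
            except Exception as exc:
                entry["result"] = "failed: " + repr(exc)
        self.audit.append(entry)   # every decision is logged, whichever mode applied
        return entry["result"]

def demo():
    # Constructed scenario: five privilege-escalation triggers, then one blocking-rule request.
    bot = GuardedAutomation(POLICY)
    revoke = lambda acct: "extra groups removed from " + acct   # stand-in for the directory call
    results = [bot.request("revoke_privileges", a, revoke)
               for a in ("svc-backup", "jdoe", "break-glass-admin", "asmith", "bwong")]
    results.append(bot.request("deploy_block_rule", "questionable.example", lambda d: "rule for " + d))
    return results
```

In `demo()` the third revocation is refused because the target is protected, the fifth is refused by the rate limit and escalated, and the blocking rule waits for a human; `bot.audit` holds all six decisions.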
18. Machine Learning in SOAR
Purposes: apply machine learning to historical data to inform:
• Categorization
• Prioritization
• Assignment
• Time to resolve prediction
• Solution recommendation
• Intelligent automation
20. Read our stuff
‣ Blog
  ‣ http://securosis.com/blog
‣ Research
  ‣ http://securosis.com/research
‣ We publish (almost) everything for free
‣ Contribute. Make it better.
It is a Resilient-circuits based integration, similar to the functions Pfizer is using now. There are two components. The web component is used to build a machine learning model: it reads incidents from a Resilient server and uses them as samples. Once a model is built, it is saved locally. To use the model, the user creates a new incident and then clicks Predict. The Resilient server then sends the incident to the Function component. The function component reads the saved model and makes a prediction. The result is sent back to the Resilient server.