Post on 06-Aug-2015
Incident Response: Is there a place for AUTOMATION?
"YES, there is!!!"
Presented by Jochanan Sommerfeld – CISSP/CRISC
©2015 Ayehu, Confidential and Proprietary
Number of incidents increased in
2013 by 48%
Number of breaches increased in
2014 by 23%
Cyber security attacks are more numerous and more complex.
The Only Constant Is Change
What Is Common To Most Incidents?
Incidents are left unhandled
Validation takes too long
Missing security knowledge
No 24/7 team coverage
Not prepared
No response simulation
No response testing
No lessons learned
No playbooks
Human errors
Containment too late
Not properly documented
Not properly communicated
My Proposal
Classical IR + Automation = Good and Fast Security Incident Response
Detection and Analysis
Analyze precursors and indicators
Correlate information
Enrich security intelligence
Categorize and prioritize
Communicate
Document evidence
Containment, Eradication and Recovery
Acquire and preserve evidence
Identify and mitigate vulnerabilities
Remove malware
Return system to operation
Post-Incident Activity
Vulnerability testing
Static Code Analysis
Dynamic Code Analysis
Detection and Analysis
SIEM
IDPS
AV Software
File Integrity Checking
Security Intelligence
OS + App
Logs
Network Device Logs
Netflow
Vulnerability DB
Example of Integration
Use Case Example
• Possible questions
  - Is the user a valid user in AD?
  - Is the user a member of a critical group?
  - Does the user have administrative privileges?
  - Is the user currently locked?
  - Did the user reset his/her password recently?
• Possible actions
  - Ask the person behind that user if he/she failed to log in
  - Lock/disable the account (if not already locked by DC policy)
  - Send the host to a different VLAN using NAC/IPS
  - Inform the user via SMS
  - Report every step with a ticket in the ITSM system
Brute Force Attack
SIEM Alarm
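The brute-force use case above, and the detection-and-analysis steps listed earlier (correlate, enrich, categorize and prioritize, document evidence), can be turned into a small automated playbook. The following is an added example, not code from the presentation or from Ayehu's product: the SIEM alarm, the directory snapshot standing in for Active Directory, the critical-group definitions and the ticket trail are all constructed in-memory stand-ins, and the rule that decides which "possible actions" to run for a given set of answers is this example's own assumption. Real integration calls (AD, NAC/IPS, SMS, ITSM) are replaced by log lines so the whole thing runs offline.

```python
"""Added example: a simulated automated triage playbook for a
'Brute Force Attack' SIEM alarm. Every data source here is a
constructed stand-in; nothing talks to a real AD, NAC or ITSM."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for Active Directory lookups (hypothetical accounts).
DIRECTORY = {
    "jdoe": {"groups": ["Domain Users"], "locked": False,
             "pwd_last_set": datetime(2015, 7, 1)},
    "svc-backup": {"groups": ["Domain Users", "Domain Admins", "Backup Operators"],
                   "locked": False, "pwd_last_set": datetime(2015, 8, 5)},
    "mwilson": {"groups": ["Domain Users", "Finance"], "locked": True,
                "pwd_last_set": datetime(2015, 3, 10)},
}
# Assumed group classifications; a real playbook would read these from policy.
CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators", "Finance"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed SIEM alarm, shaped like what the playbook would receive.
SAMPLE_ALARM = {
    "rule": "Brute Force Attack",
    "user": "svc-backup",
    "src_host": "10.0.5.23",
    "failed_logins": 57,
    "window_minutes": 5,
    "fired_at": datetime(2015, 8, 6, 9, 15),
}


@dataclass
class PlaybookRun:
    answers: dict = field(default_factory=dict)
    priority: str = ""
    actions: list = field(default_factory=list)
    ticket: list = field(default_factory=list)  # every step documented

    def log(self, step):
        self.ticket.append(f"{len(self.ticket) + 1:02d}. {step}")


def ask_questions(user, now, directory=DIRECTORY):
    """Answer the slide's 'possible questions' from the directory snapshot."""
    entry = directory.get(user)
    if entry is None:
        return {"valid_user": False}
    groups = set(entry["groups"])
    return {
        "valid_user": True,
        "critical_group": bool(groups & CRITICAL_GROUPS),
        "admin": bool(groups & ADMIN_GROUPS),
        "locked": entry["locked"],
        "recent_reset": now - entry["pwd_last_set"] <= timedelta(days=7),
    }


def prioritize(answers):
    """Categorize: privileged or critical-group targets get top priority."""
    if answers.get("admin") or answers.get("critical_group"):
        return "high"
    return "medium"


def decide_actions(answers):
    """Map answers to the slide's 'possible actions' (assumed decision rule)."""
    if not answers["valid_user"]:
        # Unknown account: nothing to lock, still isolate the host and document.
        return ["quarantine_host", "open_ticket"]
    actions = ["ask_user"]
    if answers["admin"] or answers["critical_group"]:
        if not answers["locked"]:  # the DC lockout policy may have acted already
            actions.append("lock_account")
        actions.append("quarantine_host")
    actions += ["notify_user_sms", "open_ticket"]
    return actions


def run_playbook(alarm, now=None, directory=DIRECTORY):
    """Run enrichment, prioritization and actions; return the documented run."""
    now = now or alarm["fired_at"]
    run = PlaybookRun()
    run.log(f"Alarm '{alarm['rule']}' for user {alarm['user']} from "
            f"{alarm['src_host']}: {alarm['failed_logins']} failures "
            f"in {alarm['window_minutes']} min")
    run.answers = ask_questions(alarm["user"], now, directory)
    run.log(f"Enrichment: {run.answers}")
    run.priority = prioritize(run.answers)
    run.log(f"Priority: {run.priority}")
    run.actions = decide_actions(run.answers)
    for action in run.actions:
        run.log(f"Executed {action}")  # real AD/NAC/SMS/ITSM calls would go here
    return run


if __name__ == "__main__":
    for line in run_playbook(SAMPLE_ALARM).ticket:
        print(line)
```

The point of the structure is that every branch the analyst would otherwise reason through by hand (is the account privileged, has the domain controller already locked it, is this a stale unknown account) is answered from data and written to the ticket trail before anything is executed, which covers "validation takes too long" and "not properly documented" from the list of common incident problems at once.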
Thank You!
Jochanan Sommerfeld – CISSP/CRISC
jsommerfeld@gmail.com