©2019 FireEye · Future Proof Your Security Operations ... contextual intelligence ©2019 FireEye...



Page 1:


Page 2:

Future Proof Your Security Operations

Lawrence Li 李輝

Page 3:


Challenges in Security Management

Lack of visibility: 101 days it takes to discover a breach

Too many tools: 85 average number of security tools used by a single company

Lack of context: 32 days it takes to respond to a breach

Too many alerts: 10K security alerts occurring daily for an average company

Page 4:


Current State

Using legacy SIEM technology to centralize security operations

Lack of visibility across threat vectors

Lack of context; inability to prioritize threats

Page 5:


Desired Outcomes

Accelerated response and minimized impact of incidents

Holistic visibility and alert prioritization across threat vectors

Centralized security management and monitoring

Page 6:


Required Capabilities

Automate response and perform inline blocking

Consolidate process management, technology and expertise

Centralize asset monitoring

Enrich alerts with contextual intelligence

Page 7:


Typical Characters in the SOC


SOC Analyst

Responsibility: Triage, investigate and respond to alerts in a timely fashion.

Security Engineer

Responsibility: Supporting the SOC team with tools and scripts to help increase operational and triage efficacy.

SOC Manager

Responsibility: Implementing a security program that reduces threat exposure to the organization.

Page 8:


Technology: SIEM to surface unseen threats

FireEye Helix: all major SOC use cases on a single pane of glass

Processes: automation of time-consuming steps

Guided investigation and hunting capabilities to accelerate response

Expertise: orchestration playbooks that codify Mandiant's best practices

Integrated threat intelligence for contextual awareness

Page 9:


FireEye Expertise

Mandiant Services, Managed Defense, Threat Intelligence

FireEye Ecosystem

FireEye Helix Security Operations Platform

Security Information & Event Management

Orchestration & Automation

Contextual Intelligence

Compliance Reporting

Alerts / Case Management

Expertise On-Demand

FireEye and Third Party Apps (FireEye Market)

FireEye Endpoint Security

Third-Party Solutions

FireEye Email Security

FireEye Network Security

Page 10:


FireEye Helix in Action

Collect, Match, Automate, Prioritize, Investigate, Remediate

Page 11:


▪ Real-time threat intelligence

▪ Codified expertise from FireEye

▪ Sub-Second search

▪ Single log source

▪ Guided investigations

▪ Compliance reporting

SIEM

Data sources: FireEye and third party

Intelligence, Rules, Analytics, Event index

Evidence Collector

Intelligence, Endpoints, Firewalls, Operating Systems

Page 12:


Cloud Intelligence

VPN Account Monitoring

Geo-Infeasibility Detection

Credential Misuse

Misconfiguration Detection

Cloud Threat Analytics

Corporate Network

FireEye Network Security

FireEye Helix

Cloud Security

▪ Guard against credential abuse

▪ Single pane visibility across your enterprise

▪ Prevent accidental misconfigurations that lead to attacker compromise


Page 14:


Security Orchestration

Other events remain in the SIEM for reference

Hash/MD5 Analysis

Domain Analysis

URL Analysis

IP Analysis

Email Address Analysis

FireEye Validation

Analyst Decision Point

Higher priority incidents pulled out and automatically escalated

Endpoint containment

▪ 150+ pre-defined integration plug-ins

▪ 400+ pre-built playbooks

▪ Expertise codified by Mandiant

▪ Built-in playbook builder

▪ Role-based actions

Page 15:


Typical Orchestration Use-cases


Abuse Mailbox

▪ Orchestrate the abuse mailbox, allowing for the automated analysis of suspicious emails

▪ Check URLs, IPs, domains, email addresses, and attachments (hashes) against intelligence sources

[Playbook flowchart; node labels recovered from the slide: FireEye Interval Adapter: IMAP (checkMailbox); IMAP parseAttachmentAsEmail; Local Command CREATE HASH; Conversion Function EXTRACT DOMAIN; Virus Total LOOKUP URL / LOOKUP DOMAIN / LOOKUP HASH; iSight Threatscape LOOKUP DOMAIN / LOOKUP HASH; Conditions 1-5, 6 or 7 or 8 or 9 or 10, 11 & 12 & 13 & 14 & 15 & 16; Assign Form THREAT INTEL HASH LOOKUP / THREAT INTEL URL LOOKUP / THREAT INTEL DOMAIN LOOKUP / NOT RFC822 / NO URL AND ATTACHMENT; ASSIGN GROUP <GROUP>; Close Case]

Alert Enrichment

▪ Alert information from FireEye MVX appliances or 3rd party sources enriched with context from iSIGHT intelligence

▪ Often includes a human-in-the-loop decision and is integrated with a ticketing system

[Playbook flowchart; node labels recovered from the slide: IX Get MVX Alerts; Extract DOMAIN; iSight LOOKUP IP / LOOKUP HASH / LOOKUP DOMAIN; Conditions 1-17; Assign Form EX ALERT SUMMARY / NX ALERT SUMMARY / THREAT INTEL DOMAIN / THREAT INTEL IP / THREAT INTEL HASH; QUESTION 1; Assign Group <GROUP>; Close Case]

Endpoint Containment

▪ Automate immediate endpoint containment

▪ Often integrated with enrichment and human-in-the-loop options

▪ Utilize plug-ins with FireEye HX

[Playbook flowchart; node labels recovered from the slide: IX Get MVX Alerts; Conditions 1-6; Assign Form NX ALERT SUMMARY; ASK Contain Host?; HX Contain Host; ASSIGN GROUP <GROUP>; Close Case]
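The abuse-mailbox playbook above (parse the reported message, hash attachments, extract URLs and domains, look them up, then close, escalate or hand to an analyst) as an added illustration that is not FireEye Helix code; the intel sets and the sample report are constructed, and the branch labels mirror the slide's Assign Form / ASSIGN GROUP / Close Case nodes.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed intel (assumption): a real playbook fills these from lookups
# such as the VirusTotal and iSight Threatscape steps shown on the slide.
KNOWN_BAD_DOMAINS = {"bad-example.test"}
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}

URL_RE = re.compile(r"https?://[^\s<>]+")


def extract_indicators(raw_message: bytes) -> dict:
    """Parse the reported RFC822 message; collect URLs, their domains and attachment hashes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls, hashes = set(), set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            hashes.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())  # CREATE HASH
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}   # EXTRACT DOMAIN
    return {"urls": urls, "domains": domains, "hashes": hashes}


def triage(raw_message: bytes) -> str:
    """Playbook branches: nothing to check -> close; intel hit -> escalate; else analyst decides."""
    ind = extract_indicators(raw_message)
    if not ind["urls"] and not ind["hashes"]:
        return "close: no URL and attachment"
    if ind["domains"] & KNOWN_BAD_DOMAINS or ind["hashes"] & KNOWN_BAD_HASHES:
        return "escalate: assign group"
    return "analyst decision: no intel hit"


def build_report(body: str, attachment: bytes = b"") -> bytes:
    """Construct a sample forwarded email for testing (not a real report)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "user@example.test", "abuse@example.test", "FW: suspicious"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_report("Please review http://bad-example.test/login")))
```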


Page 17:


Expertise on Demand

▪ Amplify your team with side-by-side access to proven skills and threat insight

▪ Increase situational awareness via daily news analysis, quarterly threat briefings and finished threat intelligence

▪ Advance your security program and capabilities via training and consulting services

▪ Gain a single, trusted partner with unrivaled breadth and depth of cyber security experience and skills

Page 18:

Page 19:


FireEye Security Suite

100 to 2000 users

$ per user

FireEye Security Suite

FireEye Network Security

FireEye Endpoint Security

FireEye Email Security

FireEye Helix

Page 20:


2019 Security Bundle – Special offer

▪ 2019 Security promotion (per user @ year)

▪ Target: 100 - 2000 users

TW$1500 TW$3500 TW$3100 TW$1500

Page 21:

Thank You