Confessions of a SOC Engineer

Transcript of the webinar slide deck "Confessions of a SOC Engineer" (go.demisto.com)

Housekeeping

• Ask questions by using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute

• Everyone will receive the recording and slides by Friday, September 27

• Speakers

○ Devin Johnstone, Sr. SOC Engineer

○ Ron Eddings, Customer Success Manager

Our SOC Story

Palo Alto Networks SOC

WE SUPPORT

● 6k EMPLOYEES
● 20k ENDPOINTS
● 13 DATA CENTERS

OUR SERVICES

● THREAT MONITORING ● THREAT HUNTING ● INCIDENT RESPONSE

Day in the Life of a Legacy SOC

● 90%+ of analysts' time spent responding to alerts
● Too many low-fidelity alerts
● Investigations are time-consuming
● Repetitive manual tasks
● Important threats missed
● Continuous firefighting

Impact:
● Large SOC teams
● High analyst turnover

Life Before SOAR - Confessions

● Automation was custom-coded and not scalable

● Automation was not being developed by the SOC engineers

● Focus on analysis, minimal containment and remediation

● No case management, automated correlation, de-duplication

Life with SOAR

● 3 years of custom automation - migrated in 3 weeks!

● Every SOC Engineer is now a "developer"

● No more ServiceNow

● 100% automated - multiple IR workflows

● The 30% rule - analyst time spent responding to alerts

A Sampling of Alerts & Playbooks

Incident Types
1. Command and Control Alert
2. Airwatch Alert
3. Aperture Alert
4. AWS Alert
5. Okta Alert
6. WinEvent Alert
7. Tanium Signals Alert
8. Proofpoint Alert
9. Spoof Report
10. Traps/Wildfire Alert
11. General Test Alert
12. Redlock Playbook
13. RiskIQ Playbook

Subplaybooks
1. Upon Trigger
   a. Calculate Severity
   b. Get JIRA ticket info
   c. Get user details
   d. Get host details
2. Analysis
   a. URL Enrichment
   b. Domain Enrichment
   c. User Enrichment
   d. Email Address Enrichment
   e. Host Enrichment
   f. Attachment Enrichment
   g. IP Enrichment
   h. Related email search
   i. Related log search
   j. Forensic capture
   k. Ask user a question
3. Containment
   a. Lock AD user account
   b. Lock AD service account
   c. EDL Block (IP/Domain/URL)
   d. PAN-DB re-categorization
   e. Block email sender
   f. Quarantine email
   g. Quarantine files
   h. Quarantine device
4. Eradication/Remediation
   b. Re-image request
   c. Search and destroy
   d. External website takedown
   e. Revoke physical badge access
   f. Kill sessions
5. Post-Incident
   a. Metrics incl. effort
   b. Record alert fidelity
   c. Timeline

Other Support
1. InfoSec Mailbox Support
2. Security Disclosure Mailbox Support
3. PhishMe Tests
4. Hunting

What We Handle in the SOC

Use Case - Case Management

Case Management - Confessions

Pre-SOAR
● ServiceNow developers with long development cycle
● Difficult to automate with SOAR
● Non-standard integration
● Multiple screens

With SOAR
● Instant changes
● Built-in de-duplication and correlation
● Improved collaboration and tracking of effort

Use Case - Phishing

Phishing - Confessions

**On average, 175 phishing reports/month

Pre-SOAR
● Manual tasks: confirm evil with threat intel, correlate messages in the campaign, determine impact, quarantine/delete messages, block sender, classify/block URL, classify attachments, notify user, submit re-image request, reset credentials.
● Avg 45 minutes/incident
● 15 hours of phishing/month per SOC Engineer (9 FTE)

With SOAR
● Manual tasks 100% automated
● SOC Engineer kicks off as needed.
● Avg 0-5 minutes/incident
● Improves over time with machine learning
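To make the phishing playbook and the subplaybook phases above concrete, here is an added example (not code from the webinar or from the Demisto product) that walks constructed phishing reports through trigger, analysis, containment and remediation: reports are correlated into campaigns and de-duplicated, severity is calculated from a stand-in threat-intel verdict and whether anyone clicked, and the containment tasks the slides list are selected per campaign. The report fields, the `KNOWN_BAD_DOMAINS` stand-in for the threat-intel lookup and all domains are assumptions.

```python
from collections import defaultdict

# Constructed sample: three user-reported phishing emails, two from one campaign.
REPORTS = [
    {"id": "r1", "sender": "helpdesk@badcorp-example.test",
     "url": "http://login.badcorp-example.test/reset", "recipient": "alice", "clicked": False},
    {"id": "r2", "sender": "helpdesk@badcorp-example.test",
     "url": "http://login.badcorp-example.test/reset", "recipient": "bob", "clicked": True},
    {"id": "r3", "sender": "news@vendor-example.test",
     "url": "https://vendor-example.test/news", "recipient": "carol", "clicked": False},
]

# Stand-in for the "confirm evil with threat intel" step (assumption: a real
# playbook queries a TI integration here); the domain is a constructed placeholder.
KNOWN_BAD_DOMAINS = {"login.badcorp-example.test"}

def url_domain(url):
    return url.split("//", 1)[-1].split("/", 1)[0]

def correlate(reports):
    """Analysis: group reports by sender and URL domain so one campaign
    becomes one incident instead of N duplicate tickets."""
    campaigns = defaultdict(list)
    for r in reports:
        campaigns[(r["sender"], url_domain(r["url"]))].append(r)
    return dict(campaigns)

def calculate_severity(campaign):
    """Upon trigger: severity from the TI verdict and whether anyone clicked."""
    if url_domain(campaign[0]["url"]) not in KNOWN_BAD_DOMAINS:
        return "low"
    return "high" if any(r["clicked"] for r in campaign) else "medium"

def containment_actions(campaign, severity):
    """Containment/remediation tasks from the slides, chosen per severity."""
    actions = [f"notify_user:{r['recipient']}" for r in campaign]
    if severity == "low":
        return actions  # benign: close the loop with the reporter only
    sender, domain = campaign[0]["sender"], url_domain(campaign[0]["url"])
    actions += [f"block_sender:{sender}", f"edl_block:{domain}"]
    actions += [f"quarantine_email:{r['id']}" for r in campaign]
    for r in campaign:
        if r["clicked"]:  # credentials may be exposed: reset and re-image
            actions += [f"reset_credentials:{r['recipient']}", f"reimage_request:{r['recipient']}"]
    return actions

def run_playbook(reports):
    """Run every correlated campaign through the phases; returns one record each."""
    results = {}
    for key, campaign in correlate(reports).items():
        sev = calculate_severity(campaign)
        results[key] = {"severity": sev, "reports": [r["id"] for r in campaign],
                        "actions": containment_actions(campaign, sev)}
    return results
```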

Phishing - the SOAR Evolution

SOAR After 1 Month | SOAR After 6 Months

Phishing - Automate Common Attacks

Phishing - ID Common Manual Tasks

Use Case - Incident Handling

Incident Handling - Confessions

Pre-SOAR
● Difficult to triage incidents
● No war room for analyst notes
● Few opportunities to peer review analyst efforts

With SOAR
● Graphical workflow for following the Incident Response process
● Detailed/enriched incident data
● Improved collaboration and learning opportunities

Use Case - Windows Events

Windows Events - Confessions

Manual Tasks Before SOAR
● Contact user or account owner
● Attempt to identify unknown account owner
● Verify change record or ticket
● Correlate activity from logs (network, endpoint)
● Trigger forensic image capture
● Reset password
● Submit re-image request

To Sum Up

Confessions: Good, Bad, Ugly

Good
○ Far-reaching benefits

Bad
○ Resistance to change

Ugly
○ Reliance on partners

Top 5 Tips
1. Document your use cases & integration requirements
2. Dedicate resources
3. Engage Customer Success
4. Prioritize
5. Change management

Looking Forward...

Other Use Cases
● Red/Blue Team, Purple Team
● Hunting
● Vulnerability Management
● Governance, Risk & Compliance
● Human Resources

Additional Resources
● Dummies Guide: https://go.demisto.com/your-guide-to-security-orchestration
● Gartner SOAR Market Guide: https://go.demisto.com/the-hitchhikers-guide-to-soar-2019
● Free Edition: https://go.demisto.com/sign-up-for-demisto-free-edition
● Coming Soon... 5.0 Product Release, early October

Thank You

Q&A