Confessions of a SOC Engineer (Webinar) - go.demisto.com
Transcript of Confessions of a SOC Engineer
Housekeeping
• Ask questions by using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute
• Everyone will receive the recording and slides by Friday, September 27
• Speakers
  ○ Devin Johnstone, Sr. SOC Engineer
  ○ Ron Eddings, Customer Success Manager
Palo Alto Networks SOC
WE SUPPORT
● 6k employees
● 20k endpoints
● 13 data centers
OUR SERVICES
● Threat Monitoring ● Threat Hunting ● Incident Response
Day in the Life of a Legacy SOC
● 90%+ of analysts' time spent responding to alerts
● Too many low-fidelity alerts
● Investigations are time-consuming
● Repetitive manual tasks
Impact:
● Important threats missed
● Continuous firefighting
● Large SOC teams
● High analyst turnover
Life Before SOAR - Confessions
● Automation was custom-coded and not scalable
● Automation was not being developed by the SOC engineers
● Focus on analysis, minimal containment and remediation
● No case management, automated correlation, de-duplication
Life with SOAR
● 3 years of custom automation - migrated in 3 weeks!
● Every SOC Engineer is now a "developer"
● No more ServiceNow
● 100% automated - multiple IR workflows
● The 30% rule - analyst time spent responding to alerts
A Sampling of Alerts & Playbooks
Incident Types
1. Command and Control Alert
2. Airwatch Alert
3. Aperture Alert
4. AWS Alert
5. Okta Alert
6. WinEvent Alert
7. Tanium Signals Alert
8. Proofpoint Alert
9. Spoof Report
10. Traps/Wildfire Alert
11. General Test Alert
12. Redlock Playbook
13. RiskIQ Playbook
Subplaybooks
1. Upon Trigger
   a. Calculate Severity
   b. Get JIRA ticket info
   c. Get user details
   d. Get host details
2. Analysis
   a. URL Enrichment
   b. Domain Enrichment
   c. User Enrichment
   d. Email Address Enrichment
   e. Host Enrichment
   f. Attachment Enrichment
   g. IP Enrichment
   h. Related email search
   i. Related log search
   j. Forensic capture
   k. Ask user a question
3. Containment
   a. Lock AD user account
   b. Lock AD service account
   c. EDL Block (IP/Domain/URL)
   d. PAN-DB re-categorization
   e. Block email sender
   f. Quarantine email
   g. Quarantine files
   h. Quarantine device
4. Eradication/Remediation
   b. Re-image request
   c. Search and destroy
   d. External website takedown
   e. Revoke physical badge access
   f. Kill sessions
5. Post-Incident
   a. Metrics incl. effort
   b. Record alert fidelity
   c. Timeline
Other Support
1. InfoSec Mailbox Support
2. Security Disclosure Mailbox Support
3. PhishMe Tests
4. Hunting
Case Management - Confessions
Pre-SOAR
● ServiceNow developers with long development cycle
● Difficult to automate with SOAR
● Non-standard integration
● Multiple screens
With SOAR
● Instant changes
● Built-in de-duplication and correlation
● Improved collaboration and tracking of effort
Phishing - Confessions
On average, 175 phishing reports/month
Pre-SOAR
● Manual tasks: confirm evil with threat intel, correlate messages in the campaign, determine impact, quarantine/delete messages, block sender, classify/block URL, classify attachments, notify user, submit re-image request, reset credentials.
● Avg 45 minutes/incident
● 15 hours of phishing/month per SOC Engineer (9 FTE)
With SOAR
● Manual tasks 100% automated
● SOC Engineer kicks off as needed.
● Avg 0-5 minutes/incident
● Improves over time with machine learning
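The phishing workflow above, as an added example that is not code from the webinar or from the Demisto product: a minimal playbook that correlates user reports into one incident per campaign, confirms indicators against a threat-intel table, calculates severity and impact, chooses containment actions, and records alert fidelity and effort for the post-incident metrics. The threat-intel feed, the reports and the 45-minute manual baseline are constructed inputs.

```python
# Added example (not the webinar's or Demisto's code): phishing-report
# playbook modelling the phases on the slides. All data is constructed.
from collections import defaultdict

# Constructed threat-intel feed: indicator -> verdict (a real playbook
# would query an intel integration here).
THREAT_INTEL = {
    "payroll-update.example": "malicious",            # sender domain
    "http://payroll-update.example/login": "malicious",  # phishing URL
}

# Constructed user-reported messages; the first three are one campaign.
REPORTS = [
    {"id": 1, "recipient": "alice", "sender": "hr@payroll-update.example",
     "url": "http://payroll-update.example/login"},
    {"id": 2, "recipient": "bob", "sender": "hr@payroll-update.example",
     "url": "http://payroll-update.example/login"},
    {"id": 3, "recipient": "carol", "sender": "hr@payroll-update.example",
     "url": "http://payroll-update.example/login"},
    {"id": 4, "recipient": "dave", "sender": "news@vendor.example",
     "url": "http://vendor.example/promo"},
]


def triage(reports, intel=THREAT_INTEL, manual_minutes=45):
    """Return one incident per campaign (same sender and URL)."""
    campaigns = defaultdict(list)
    for r in reports:                       # correlate / de-duplicate
        campaigns[(r["sender"], r["url"])].append(r)
    incidents = []
    for (sender, url), msgs in campaigns.items():
        domain = sender.split("@", 1)[1]
        # "confirm evil with threat intel"
        hits = [i for i in (domain, url) if intel.get(i) == "malicious"]
        severity = "High" if hits else "Low"           # calculate severity
        recipients = sorted({m["recipient"] for m in msgs})  # impact
        if hits:                                        # containment
            actions = ["quarantine_messages", "block_sender", "block_url",
                       "notify_users", "reset_credentials"]
        else:
            actions = ["close_benign", "notify_reporter"]
        incidents.append({
            "sender": sender, "url": url, "severity": severity,
            "message_ids": [m["id"] for m in msgs], "recipients": recipients,
            "indicators_hit": hits, "actions": actions,
            # post-incident metrics: alert fidelity and effort saved
            "fidelity": "true_positive" if hits else "false_positive",
            "analyst_minutes_saved": manual_minutes * len(msgs),
        })
    return incidents
```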
Incident Handling - Confessions
Pre-SOAR
● Difficult to triage incidents
● No war room for analyst notes
● Few opportunities to peer review analyst efforts
With SOAR
● Graphical workflow for following Incident Response process
● Detailed/Enriched incident data
● Improved collaboration and learning opportunities
Windows Events - Confessions
Manual Tasks Before SOAR
● Contact user or account owner
● Attempt to identify unknown account owner
● Verify change record or ticket
● Correlate activity from logs (network, endpoint)
● Trigger forensic image capture
● Reset password
● Submit re-image request
Confessions: Good, Bad, Ugly
Good
○ Far-reaching benefits
Bad
○ Resistance to change
Ugly
○ Reliance on partners
Top 5 Tips
1. Document your use cases & integration requirements
2. Dedicate resources
3. Engage Customer Success
4. Prioritize
5. Change Management
Other Use Cases
● Red/Blue Team, Purple Team
● Hunting
● Vulnerability Management
● Governance, Risk & Compliance
● Human Resources
Additional Resources
● Dummies Guide
https://go.demisto.com/your-guide-to-security-orchestration
● Gartner SOAR Market Guide
https://go.demisto.com/the-hitchhikers-guide-to-soar-2019
● Free Edition
https://go.demisto.com/sign-up-for-demisto-free-edition
● Coming Soon...
5.0 Product Release Early October