Technology Innovation in the SOC - SIGS, July 1, 2016
Agenda
• Current SOC pain points and possible approaches to address them
• Next-generation SOC approach
• Customer use case
Number of incidents increasing, too many alerts
• Too many false positives, but also false negatives (real incidents that never raise an alert)
• Possible solution: tune your SIEM
Time to respond
• Attackers automate their attacks, so the defence needs to be automated as well
• Possible solution: reduce breach exposure time through IR automation
Skill shortage
• Far too few experts in the cyber security field
• Possible solution: compensate for the skill shortage with next-generation SOC tools
IR to SecOps gap
• Unrefined IR processes and procedures
• Possible solution: use next-generation SOC tools
Data privacy and breach laws
• Confusing regulatory landscape
• Possible solution: use next-generation SOC tools
We need complete visibility into the threat
• Without complete and contextual visibility into the threat, we are blind to the breach
• Comparison: physical security versus cyber security
• Cyber resilience: aligning prevention, detection and response capabilities
• Provide incident enrichment
An Incident Response Platform is:
• A standardised way to collect and augment cyber incidents while interfacing with existing, related IT infrastructure
• Enriches incident details by pulling aggregated security telemetry so security teams can focus training and skills on an IRP, rather than an assortment of individual point tools
• Makes IR processes more efficient by allowing junior team members to triage incidents and reduce the number of incidents they escalate to more senior SOC staff
The Rise of the Incident Response Platform (IRP), Jon Oltsik, Enterprise Strategy Group, Aug 2015
The role of an IRP
(Diagram: the Incident Response Platform sits at the hub, integrating with intelligence feeds, SIEM, external communication, configuration management, sandbox, asset database, forensics, custom portal and ticketing.)
The technology needs to integrate with all existing security systems to create a single hub for IR, transforming the organisation's security posture.
• Aligns people, process and technology across the organisation
• Enables security teams to automate and orchestrate their IR processes
• Ensures IR processes are consistent, intelligent and configured to the teams' specific needs
The role of an IRP cont.
• Collating and surfacing contextualised information
  • Feeds from SIEM, ticketing, big data, etc.
  • Leveraging threat intelligence and historical data
  • Identifying relationships between disparate data sources
  • Presenting this information to the analyst in a way that is consumable and actionable
The role of an IRP cont.
• Reducing overhead on the SOC team
  • Automation of manual tasks (IoC enrichment, CMDB and LDAP lookups)
  • Orchestration of external tools
  • Enabling internal/external communication
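The automation this slide lists (IoC enrichment, CMDB and directory lookups) worked end to end, as an added example that is not part of the original deck or of any IRP product. It assumes no particular platform: the threat-intel feed, the CMDB and the LDAP/AD directory are constructed in-memory tables, the two alerts are made-up SIEM alerts, and the scoring thresholds are illustrative. It also shows the routing from the Oltsik definition above: alerts below the escalation threshold stay with junior analysts, who get the enriched context instead of a bare alert.

```python
"""IoC enrichment and triage for SIEM alerts (added example, not from the slides).

The threat-intel feed, CMDB and directory below are constructed in-memory
tables so the script runs offline; an IRP integration would replace the
three lookup tables with calls to the real feed, CMDB and LDAP/AD.
"""
import ipaddress
import re

# Constructed threat-intel feed: indicator -> (source name, confidence 0-100)
THREAT_INTEL = {
    "198.51.100.23": ("constructed-feed", 90),
    "malicious.example": ("constructed-feed", 75),
    "0123456789abcdef0123456789abcdef": ("constructed-feed", 95),
}
# Constructed CMDB: internal IP -> asset record
CMDB = {
    "10.0.5.17": {"hostname": "fin-db-01", "criticality": "high", "owner": "alice"},
    "10.0.9.42": {"hostname": "eng-laptop-42", "criticality": "low", "owner": "bob"},
}
# Constructed directory, standing in for an LDAP/AD lookup: user -> record
DIRECTORY = {
    "alice": {"department": "Finance", "privileged": True},
    "bob": {"department": "Engineering", "privileged": False},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_iocs(text):
    """Pull IPs, hashes and domains out of free-text alert fields."""
    iocs = {"ip": set(), "domain": set(), "hash": set()}
    for ip in IP_RE.findall(text):
        try:
            ipaddress.ip_address(ip)  # drops malformed matches such as 999.1.1.1
        except ValueError:
            continue
        iocs["ip"].add(ip)
    iocs["hash"].update(h.lower() for h in HASH_RE.findall(text))
    iocs["domain"].update(d.lower() for d in DOMAIN_RE.findall(text))
    return iocs


def enrich(alert):
    """Attach intel hits and asset/owner context to an alert."""
    iocs = extract_iocs(alert["description"])
    hits = []
    for kind, values in iocs.items():
        for value in sorted(values):
            if value in THREAT_INTEL:
                source, confidence = THREAT_INTEL[value]
                hits.append({"type": kind, "value": value,
                             "source": source, "confidence": confidence})
    assets = []
    for ip in sorted(iocs["ip"]):
        if ip in CMDB:  # the CMDB only knows our own assets
            record = dict(CMDB[ip], ip=ip)
            record["user"] = DIRECTORY.get(record["owner"], {})
            assets.append(record)
    return {"alert": alert["id"], "iocs": iocs, "intel_hits": hits, "assets": assets}


def triage(enriched):
    """Score 0-100 and route: escalate to senior staff, triage at L1, or monitor."""
    score = max((h["confidence"] for h in enriched["intel_hits"]), default=0)
    for asset in enriched["assets"]:
        if asset["criticality"] == "high":
            score += 20
        if asset["user"].get("privileged"):
            score += 10
    score = min(score, 100)
    if score >= 80:
        return score, "escalate"
    if score >= 40:
        return score, "triage"
    return score, "monitor"


# Constructed alerts, shaped like what a SIEM would hand to the IRP
ALERTS = [
    {"id": "ALR-1001", "rule": "Outbound connection to watchlisted address",
     "description": "host 10.0.5.17 connected to 198.51.100.23:443 after "
                    "resolving malicious.example and writing a file with md5 "
                    "0123456789abcdef0123456789abcdef"},
    {"id": "ALR-1002", "rule": "Outbound connection to new external address",
     "description": "host 10.0.9.42 connected to 203.0.113.5:80"},
]

if __name__ == "__main__":
    for alert in ALERTS:
        enriched = enrich(alert)
        print(alert["id"], triage(enriched), [h["value"] for h in enriched["intel_hits"]])
```

The first alert lands at "escalate" because a high-confidence intel hit coincides with a high-criticality asset owned by a privileged user; the second has no intel hits and a low-value asset, so it stays at "monitor" without a human touching it. The thresholds and weights are the part a SOC would tune per environment.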
The role of an IRP cont.
• Increased incident visibility
  • Ensures correlation of information from multiple systems: SIEM, DLP, ticketing, external partners
  • Translates security data for other business areas: HR, Legal, C-suite
  • Automated reports and dashboards reduce the impact on the SOC team
Threat intelligence resources
• SOC analysts leverage a number of tools; the challenge is processing the information in context
  • Open-source feeds: VirusTotal, abuse.ch ZeuS Tracker, SANS, Malware Patrol, etc.
  • Commercial vendors: IBM X-Force Exchange, Symantec DeepSight, FireEye iSIGHT
  • Industry/regional threat feeds: FS-ISAC, HITRUST, CiSP, R-CISC, ENISA
• Effectively analysing this data is a key challenge
• STIX, TAXII and CybOX are important standards to consider
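The standards on this slide in practice, as an added example that is not from the deck or from any vendor: a hand-constructed STIX 1.x package carrying three CybOX observables (an IPv4 address, a domain name and a file hash) is loaded into a watchlist, and the watchlist is then run over constructed proxy, firewall and EDR log lines. The namespace URIs are the STIX 1.2 / CybOX 2.1 ones as assumed here; TAXII, the transport, is outside the script, which reads the package from a string. The matching generalises slightly beyond exact lookups: a domain indicator also hits its subdomains and hashes are compared case-insensitively, which is where naive feed-to-log matching usually misses.

```python
"""Load a STIX 1.x / CybOX indicator package into a watchlist and run it over
log lines (added example, not from the slides or any vendor). The package and
the log lines are hand-constructed; the namespaces are the STIX 1.2 / CybOX 2.1
URIs as assumed by this script."""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed STIX 1.2 package with three indicators (ipv4, domain, MD5)
STIX_PACKAGE = """<stix:STIX_Package version="1.2"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 address</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Title>Phishing C2 domain</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
          <DomainNameObj:Value>malicious.example</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Title>Dropper MD5</indicator:Title>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes><cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash></FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def parse_indicators(xml_text):
    """Return {(type, value): title} for the CybOX object types handled here."""
    root = ET.fromstring(xml_text)
    watchlist = {}
    for ind in root.iter("{%s}Indicator" % NS["stix"]):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        props = ind.find(".//cybox:Properties", NS)
        if props is None:
            continue
        kind = props.get(XSI_TYPE, "")
        if kind.endswith("AddressObjectType"):
            v = props.findtext("AddressObj:Address_Value", namespaces=NS)
            watchlist[("ip", v.strip())] = title
        elif kind.endswith("DomainNameObjectType"):
            v = props.findtext("DomainNameObj:Value", namespaces=NS)
            watchlist[("domain", v.strip().lower())] = title
        elif kind.endswith("FileObjectType"):
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS):
                v = h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)
                watchlist[("hash", v.strip().lower())] = title
        # other CybOX object types are skipped; a real loader would log them
    return watchlist


# Split log lines into candidate tokens; ':' is split so "ip:port" exposes the ip
TOKEN_RE = re.compile(r"[\s,;:=\"'()\[\]]+")


def match_line(watchlist, line):
    """Return [(type, value, title)] for every indicator present in one log line."""
    tokens = [t.lower() for t in TOKEN_RE.split(line) if t]
    hits = []
    for (kind, value), title in watchlist.items():
        for tok in tokens:
            # a domain indicator also covers its subdomains
            if tok == value or (kind == "domain" and tok.endswith("." + value)):
                hits.append((kind, value, title))
                break
    return hits


def scan(watchlist, lines):
    """Run the watchlist over numbered log lines, returning (line_no, hit) pairs."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(watchlist, line)]


# Constructed proxy, firewall and EDR log lines
LOG_LINES = [
    "2016-07-01T09:12:44Z proxy src=10.0.5.17 host=cdn.malicious.example uri=/update.bin action=allow",
    "2016-07-01T09:12:45Z fw src=10.0.5.17 dst=198.51.100.23:443 action=allow",
    "2016-07-01T09:13:02Z edr host=fin-db-01 file=update.bin md5=0123456789ABCDEF0123456789ABCDEF",
    "2016-07-01T09:15:00Z fw src=10.0.9.42 dst=203.0.113.5:80 action=allow",
]

if __name__ == "__main__":
    for line_no, hit in scan(parse_indicators(STIX_PACKAGE), LOG_LINES):
        print(line_no, hit)
```

Lines 1 to 3 each hit one indicator (subdomain of the domain indicator, the address behind an ip:port pair, an upper-case MD5); line 4 is clean. Each hit carries the indicator title, which is the context an analyst needs to see next to the raw log line rather than having to look the indicator up again in the feed.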
Summary cont.
1. Centralised hub for incident response: one place to manage all the processes and technology for cybersecurity incidents throughout an organisation.
2. Streamlining of existing processes: reduce the time to detect and contain incidents by automatically enriching IoCs and providing detailed context to the IR team.
3. Technology integration: simplify the technology stack and reduce the risk of missing critical alerts by integrating the SIEM, ticketing systems and other tools into the IRP.
4. Cross-functional alignment: allow other parts of the business (Legal, HR, IT) to prepare for security incidents through simple, repeatable runbooks for common incident types.
Use case (Fortune 50 customer, financial services)
(Diagram: threat services such as iSIGHT and FS-ISAC feed a Threat Info Warehouse; the IRP's Analyst Action Module connects to Remedy (escalate / sync), to the CMDB, AD, DHCP logs and HR (enrich), and to QRadar, Splunk, BlueCoat, Tanium, OpenDNS and SumoLogic (artifact lookup).)