© 2020 Splunk Inc.
Supercharge Your Operations with Orchestration and Automation
Drew Church | Cybersecurity Advisor
AFCEA Alamo Webinar Series | 28 July 2020
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Agenda
• Introduction
• Overview of Security Orchestration and Automation (SOAR)
• Examples of SOAR within the Public Sector
• Lessons Learned and Best Practice Recommendations
#whoami
Drew Church
Splunker since August 2019
~10 years working for/with DoD
• CyberOps Mgr, RMF SCA/Validator
• FLTCYBERCOM Action Officer
• Vuln. Mgmt, System Admin, AppDev
US Navy Reservist*, 1825, ENS (O-1)
*Material shared here does not represent the US Navy or the Department of Defense
SOAR Concepts
Overview of what SOAR is and how it works with your stack today
Capabilities of a Best-of-Breed SOAR
Orchestration: The machine-based coordination of complex workflows across disparate security tools should increase the efficiency and speed of your security operations.
Automation: The machine-based execution of otherwise manual, interdependent security actions using “playbooks” should allow you to execute in seconds versus hours.
Event and Alert Management: An event and alert management capability in a SOAR tool should queue and prioritize inbound security events and alerts to help analysts perform triage more efficiently.
Case Management: A case management component should drive a broader, cross-functional lifecycle (from creation to resolution) of a security case.
Collaboration: Built-in chat and notes can facilitate communication across the security team, and thereby accelerate the resolution of security events.
Metrics and Reporting: Metrics and reporting are critical to understanding the effectiveness of the SOAR tool and identifying where improvements can be made to increase ROI.
Scalability: A SOAR tool should grow with you as your organization grows. As an organization adds more use cases over time, there will be additional processing load placed on the platform.
Open and Extensible: A SOAR tool should easily support incorporating new security scenarios, new products, new actions and new playbooks.
Community Powered: A SOAR tool must support a strong community model and make sharing of integrations and playbooks easy.
Automate Your Incident Response
Powered by Security Orchestration, Automation, and Response (SOAR)
[Figure: architecture diagram. Security Analytics (SIEM) ingests ML-based behavioral analytics, UEBA+, network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, and assets & identities; Automation and Orchestration (SOAR) acts on firewall, IDS/IPS, endpoint, WAF, advanced malware, forensics, and malware detection tools.]
SOAR for Security Operations
Faster execution through the OODA loop yields better security
[Figure: OODA loop. Observe: point products (firewall, IDS/IPS, endpoint, WAF, advanced malware, forensics, malware detonation). Orient: analytics (SIEM, threat intel platform, Hadoop, GRC). Decide: Tier 1, Tier 2 and Tier 3 analysts. Act: the same point products, automated with Phantom; action results feed back into the loop.]
Playbook Basics
Use Cases
Real Defense deployments
“What an analyst used to take six hours doing, is now done in less than three. This doubled our mission capability and increased consistency between analysts.”
-DoD Military Operations Leader
Defense - Tactical
Advanced Cyber Operations
Challenges
• Rapid response and result expectations, no knowledge of the environment prior to mission
• Repetitive, mundane tasks
• Myriad of tools and technologies
• Creating and maintaining internal processes across changing environment and teams
Mission Impact
• Standardized and automated process for sending data rear
• Analyst rear was able to focus on 5 to 10 selectors vice 1,000
• Decreased overall workflow time by 50%
Defense – Enterprise Operations
Multi-Level Security & Partner Environments
Situation: Cybersecurity Ops Team (DCO) is alerted by HBSS when a rogue asset/cross domain violation is detected on the network. An analyst must perform a series of manual steps to verify the asset owner, remove it from the network, and then identify the security officer. This time-consuming process was not able to scale as the number of alerts grew.
Task: The DCO team wanted an automated way to execute the playbook of manual steps performed when an HBSS rogue asset alert fired.
Action: A playbook is now triggered by the alert for a cross domain violation / rogue asset on the network. Phantom looks up the asset in AD, determines whether it should disable the AD account, detaches it from the network, and notifies the respective ISSO/ISSM.
Result: A manual process that consumed hours of productivity has been automated to execute in minutes, improving the overall efficiency and security of the network.
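The Action step above (look up the asset in AD, decide on the account, detach from the network, notify the ISSO/ISSM) as an added, runnable example. This is not Splunk Phantom code: HBSS, Active Directory, the network access control system and e-mail are hypothetical in-memory stand-ins so the flow runs offline, and the rule for when the account gets disabled is a constructed policy the slide does not specify. A real playbook would call the platform's app actions for each of those systems.

```python
"""Rogue-asset response playbook modelled on the Situation/Task/Action slide.

Added example, not Splunk Phantom code. Every connector below is a hypothetical
in-memory stand-in; the disable rule is a constructed policy.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Constructed shape of an HBSS rogue-asset / cross-domain alert."""
    hostname: str
    ip: str
    violation: str  # "rogue_asset" or "cross_domain"


@dataclass
class AssetRecord:
    hostname: str
    owner: str
    domain: str
    enabled: bool = True


class FakeActiveDirectory:
    """Stand-in for the AD lookup/disable actions, keyed by hostname."""
    def __init__(self, records):
        self.records = {r.hostname.lower(): r for r in records}

    def lookup(self, hostname):
        return self.records.get(hostname.lower())

    def disable(self, hostname):
        self.records[hostname.lower()].enabled = False


class FakeNetworkAccessControl:
    """Stand-in for the action that detaches a host from the network."""
    def __init__(self):
        self.quarantined = set()

    def quarantine(self, ip):
        self.quarantined.add(ip)


class FakeMailer:
    """Stand-in for the ISSO/ISSM notification action."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


@dataclass
class PlaybookRun:
    alert: Alert
    actions: list = field(default_factory=list)  # ordered audit trail


def run_playbook(alert, ad, nac, mail, *, expected_domain, isso, dry_run=False):
    """Look up the asset, decide on AD disable, quarantine, notify the ISSO.

    dry_run=True records every action as 'planned' without executing it, which
    is how a new playbook should be exercised before it is allowed to act.
    """
    run = PlaybookRun(alert)

    def act(name, target, fn):
        run.actions.append((name, target, "planned" if dry_run else "executed"))
        if not dry_run:
            fn()

    record = ad.lookup(alert.hostname)
    run.actions.append(("ad_lookup", alert.hostname, "found" if record else "not_found"))

    # Constructed policy: disable only when an account exists and the host is
    # reaching across domains or sits in a domain other than the expected one.
    should_disable = record is not None and (
        alert.violation == "cross_domain" or record.domain != expected_domain
    )
    if should_disable:
        act("disable_ad_account", alert.hostname, lambda: ad.disable(alert.hostname))

    # Known or not, the asset comes off the network until an ISSO clears it.
    act("network_quarantine", alert.ip, lambda: nac.quarantine(alert.ip))

    owner = record.owner if record else "unknown (not in AD)"
    body = "; ".join(f"{n} {t}: {s}" for n, t, s in run.actions)
    subject = f"[SOAR] {alert.violation} on {alert.hostname} (owner: {owner})"
    act("notify_isso", isso, lambda: mail.send(isso, subject, body))
    return run


def demo():
    """Constructed sample data: two known hosts, one unknown, three alerts."""
    ad = FakeActiveDirectory([AssetRecord("WS-1042", "jdoe", "CORP"),
                              AssetRecord("LAB-7", "asmith", "LAB")])
    nac, mail = FakeNetworkAccessControl(), FakeMailer()
    alerts = [Alert("WS-1042", "10.1.2.3", "rogue_asset"),
              Alert("LAB-7", "10.9.9.9", "cross_domain"),
              Alert("GHOST-1", "10.5.5.5", "rogue_asset")]
    runs = [run_playbook(a, ad, nac, mail, expected_domain="CORP",
                         isso="isso@example.mil", dry_run=(a.hostname == "GHOST-1"))
            for a in alerts]
    return ad, nac, mail, runs


if __name__ == "__main__":
    for run in demo()[3]:
        print(run.alert.hostname, run.actions)
```

The audit trail in `PlaybookRun.actions` is the part worth keeping when porting this to a real platform: it is what lets the ISSO see exactly which automated actions fired for an alert, and the dry-run switch lets the team check the decision logic against live alerts before the playbook is allowed to disable accounts or quarantine hosts.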
97% agree that a SOAR allowed for increased workload while maintaining the same number of staff
Lessons Learned and Best Practices
Things to do and not to do
Automating Anything
Automation Strategies – Best Practices
First step towards automation is identifying the scenarios
• Where do you spend the bulk of your time?
  – What steps are taken? In what order? Who is responsible?
Once identified…
• Document and diagram
  – Be sure the steps and decisions at each point match your target-state process
  – As you’re walking through the whiteboard, determine the time spent by the analyst on each step
  – How many times is this scenario carried out on average per day?
Automation Strategies – Return on Investment
There’s always a relevant XKCD
“Don't forget the time you spend finding the chart to look up what you save. And the time spent reading this reminder about the time spent. And the time trying to figure out if either of those actually make sense. Remember, every second counts toward your life total, including these right now.”
Credit: Randall Munroe - https://xkcd.com/1205/
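The best-practice steps (list the steps, time each one, count runs per day) and the ROI question the XKCD chart answers, worked as an added example. It is not from the slides: the scenarios, step timings and build estimates are constructed sample data, and the five-year horizon follows the xkcd 1205 chart the talk credits. It ranks candidate scenarios by daily analyst time, then checks whether the hours a playbook would save over that horizon exceed the estimated effort to build it, keeping human decision steps out of the savings.

```python
"""Rank automation candidates and check break-even against build effort.

Added example, not from the slides. All scenario data below is constructed;
the five-year horizon is the one used by xkcd 1205.
"""
from dataclasses import dataclass

HORIZON_DAYS = 5 * 365  # xkcd 1205 amortises the effort over five years


@dataclass
class Step:
    name: str
    minutes: float
    automatable: bool  # False where a human decision must stay in the loop


@dataclass
class Scenario:
    name: str
    steps: list
    runs_per_day: float
    build_hours: float  # estimate to write, test and maintain the playbook

    def manual_minutes(self):
        return sum(s.minutes for s in self.steps)

    def automatable_minutes(self):
        return sum(s.minutes for s in self.steps if s.automatable)

    def daily_analyst_minutes(self):
        return self.manual_minutes() * self.runs_per_day


def hours_saved_over_horizon(sc):
    """Minutes removed per run, times runs over the horizon, in hours."""
    return sc.automatable_minutes() * sc.runs_per_day * HORIZON_DAYS / 60


def rank_by_time_spent(scenarios):
    """Answer 'where do you spend the bulk of your time?' from the documented steps."""
    return sorted(scenarios, key=Scenario.daily_analyst_minutes, reverse=True)


def worth_automating(sc):
    return hours_saved_over_horizon(sc) > sc.build_hours


def sample_scenarios():
    """Constructed examples: two frequent SOC tasks and one rare maintenance task."""
    return [
        Scenario("rogue asset response", [
            Step("look up asset in AD", 10, True),
            Step("verify owner", 15, True),
            Step("decide whether to disable account", 5, False),
            Step("remove from network", 20, True),
            Step("notify ISSO/ISSM", 10, True),
        ], runs_per_day=4, build_hours=80),
        Scenario("phishing triage", [
            Step("extract indicators", 10, True),
            Step("reputation lookups", 15, True),
            Step("analyst verdict", 5, False),
        ], runs_per_day=20, build_hours=40),
        Scenario("quarterly key rotation", [
            Step("rotate and redistribute keys", 90, True),
        ], runs_per_day=4 / 365, build_hours=60),
    ]


def report(scenarios):
    """One row per scenario, most analyst time first."""
    rows = []
    for sc in rank_by_time_spent(scenarios):
        rows.append({
            "scenario": sc.name,
            "analyst_min_per_day": round(sc.daily_analyst_minutes(), 1),
            "hours_saved_5y": round(hours_saved_over_horizon(sc), 1),
            "build_hours": sc.build_hours,
            "worth_it": worth_automating(sc),
        })
    return rows


if __name__ == "__main__":
    for row in report(sample_scenarios()):
        print(row)
```

The rare task is the point of the exercise: 90 minutes of effort feels worth automating until it is multiplied by four runs a year, which is why the slides ask for the per-day count before the whiteboard session ends.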
Boring is exciting… when you can stop doing it manually
More Lessons Learned…
• Visual development environments make it easy for non-programmers to create and edit playbooks
  – Reduces development time and increases first-time quality, avoiding coding errors and creating a standard for all automation engineers and security analysts to follow
• Combine Automation & Orchestration with end-to-end process standardization
  – Don’t forget about your non-cyber tasks (e.g., case logs, SITREPs, etc.)
  – Use “Response Templates” or “Workbooks” to combine these with automation
• Start small, iterate frequently
  – Your AppDev teams already do this, your SecOps teams can too!
Last Nickels and Dimes