Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts...

21
Overcoming Security Automation Roadblocks Overcoming Myths, Determining Best Practices

Transcript of Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts...

Page 1: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Overcoming Security Automation RoadblocksOvercoming Myths, Determining Best Practices

Page 2: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

About the Presenter

John Moran

• Sr. Product Manager, DFLabs

• IR Consultant

• Law Enforcement

Page 3: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Automation Myths Obscure Reality

Page 4: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Myth: Automation means fewer jobs

Page 5: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Automation should supplement, not replace

• Analysts are being inundated with alerts

• Too much time spent on mundane, repeatable tasks

• Automation should supplement, not replace

• Allow analysts to focus on tasks which require human intervention

Page 6: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Myth: Security it too complex to automate

Page 7: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Start with small, manageable bites

Page 8: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Myth: Automation is dangerous

Page 9: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks
Page 10: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks
Page 11: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Best Practices = Best Results

Page 12: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Why Automate?

• Have measurable goals in mind:

• Automate the repetitive, mundane tasks

• Decrease time to respond to an incident

• Act as a force multiplier for security teams

• Respond in a documented, repeatable manner

• Reduce risk

Page 13: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Identifying Processes to Automate

• Review all security processes and tools

• Which tools can be easily automated?

• Which processes are consistent and predictable?

• Which processes are repetitive?

• Which processes require little human intervention?

• Which processes are taking too much time?

Page 14: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Getting Started

• Small, easy to automate processes

• Well documented, well understood processes

• Quickly and easily show value

• Build out from there…

Page 15: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Human are not the Enemy!

• The goal is NOT to remove humans from the process

• Automation and analysts should complement each other

• Include human interaction at critical junctions or decisions

Page 16: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Common Use Cases

Page 17: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Phishing Email

✓Query threat data for:

• Embedded links

• Sender email

• IPs in header

✓Scan email attachments

✓Scan embedded URLs

✓Check for other instances

✓Quarantine email

✓Notify users

Page 18: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Proxy Alert - URL

✓Query threat data

✓Get domain info

✓Get A records

✓Geolocate IPs

✓WHOIS queries

✓Access URL via Sandbox

✓Query Proxy or SIEM logs

✓Block domain

Page 19: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

IDS Alert

✓Query threat data

✓Geolocate IPs

✓Reverse DNS

✓WHOIS queries

✓Traceroute

✓Query Proxy or SIEM logs

✓Simulate network traffic

✓Block IP

Page 20: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Questions?

Page 21: Overcoming Security Automation Roadblocks · Automation should supplement, not replace •Analysts are being inundated with alerts •Too much time spent on mundane, repeatable tasks

Thanks!

John MoranSenior Product Manager, DFLabs

[email protected]


Lessons from Industry Roundtable: Regulatory Roadblocks ...

Lessons from Industry Roundtable: Regulatory Roadblocks ...

The Dirty Dozen Roadmap Roadblocks

The Dirty Dozen Roadmap Roadblocks

Situations Roadblocks Realities Facilitator Guide

Situations Roadblocks Realities Facilitator Guide

Five Roadblocks to SharePoint Search Maturity

Five Roadblocks to SharePoint Search Maturity

Roadblocks on performance highway

Roadblocks on performance highway

Roadblocks to Sustainability

Roadblocks to Sustainability

Roadblocks to Breakthrough

Roadblocks to Breakthrough

REMOVING ROADBLOCKS REDEMPTION

REMOVING ROADBLOCKS REDEMPTION

Recruitment roadblocks

Recruitment roadblocks

Collaboration Roadblocks

Collaboration Roadblocks

Hazard Map_Flooded Inundated Area in Taungtha Tsp_Sagaing

Hazard Map_Flooded Inundated Area in Taungtha Tsp_Sagaing

Pitfalls problems & roadblocks

Pitfalls problems & roadblocks

Managerial Communication Session 3 Communication Roadblocks

Managerial Communication Session 3 Communication Roadblocks

Roadblocks to Renewable Energy Integration for Mines - Dec 2-3 · Roadblocks to Renewable Energy Integration for Mines December 2018. Background S Power arrangements S Roadblocks

Roadblocks to Renewable Energy Integration for Mines - Dec 2-3 · Roadblocks to Renewable Energy Integration for Mines December 2018. Background S Power arrangements S Roadblocks

Dell-Overcoming Roadblocks to Growth

Dell-Overcoming Roadblocks to Growth

Roadblocks to Career Advancement

Roadblocks to Career Advancement

Clearing the Roadblocks to Cloud Computing

Clearing the Roadblocks to Cloud Computing

Inundated Infrastructure: Jakarta’s Failing Hydraulic ...

Inundated Infrastructure: Jakarta’s Failing Hydraulic ...

Removing Roadblocks to Obedience

Removing Roadblocks to Obedience

2G Spectrum Resale - A Few Roadblocks

2G Spectrum Resale - A Few Roadblocks