SACON - Incident Response Automation & Orchestration (Amit Modi)


Transcript of SACON - Incident Response Automation & Orchestration (Amit Modi)

Page 1: SACON - Incident Response Automation & Orchestration (Amit Modi)

© 2016 by CYBERBIT │ CYBERBIT Proprietary 1

Increase your SOC efficiency with SOC 3D
Amit Modi, Regional Sales Manager – India & SAARC
[email protected]

Page 2: SACON - Incident Response Automation & Orchestration (Amit Modi)


Visualizing NextGen CyberSecurity

Page 3: SACON - Incident Response Automation & Orchestration (Amit Modi)

Visualizing NextGen SoC 4.0

(Diagram of the SOC 4.0 building blocks, rendered here as a list.)

• IT Infrastructure Security
• Application/DB Security
• Consulting & IT GRC
• Security Controls
• Policy & Audit
• Risk & Compliance
• Business Continuity
• Vulnerability Management
• Log Management
• Access & Identity
• Visibility & Compliance
• Security Analytics
• Data Protection & Control
• IT Change & End Point Monitoring & Management
• Incident Response
• Threat Intel. Feeds
• Forensic Data Capture
• Threat Detection
• AppSec
• CMDB
• Software Asset Management

Page 4: SACON - Incident Response Automation & Orchestration (Amit Modi)


Challenges

• SIEM generating a huge amount of alerts
• Incidents getting missed
• Lack of threat visibility
• Finding lateral impact
• Learning from the past
• Finding the RCA (root cause)
• Skills shortage
• Incident-based SLA management
• Incident closures
• Reporting: technical, business context, performance based

Expectations

• Business context to the investigation
• Adding analytics
• Bulletin boards for the team
• Case management
• Automating runbooks
• Threat visibility & spread
• Avoid over-detection & false positives
• Automate similar incidents
• Prioritization based on business impact
• Incident containment as a first step
• Surgical response for accurate threat eradication

Page 5: SACON - Incident Response Automation & Orchestration (Amit Modi)


Recommendations & Suggestions from SANS Analysis

Page 6: SACON - Incident Response Automation & Orchestration (Amit Modi)


Narrowing Down: Challenges & Expectations

Challenges

• SIEM generating a huge amount of alerts
• Incidents getting missed
• Lack of threat visibility
• Finding lateral impact
• Learning from the past
• Finding the RCA
• Skills shortage
• Incident-based SLA management
• Incident closures
• Reporting: technical, business context, performance based (MSSP/internal team)

Expectations

• Business context to the investigation
• Adding big-data analytics
• Bulletin boards for the team
• Case management
• Automating runbooks
• Threat visibility & spread
• Avoid over-detection & false positives
• Automate similar incidents
• Prioritization based on business impact
• Incident containment as a first step
• Surgical response for accurate threat eradication
• Practicing the crisis situation

Narrowed down to

• Matured Security Operation Center (SoC)
• Identifying unknown threats
• Incident management
• Incident automation
• Containment
• Forensic data for accurate eradication
• Practicing crisis situations
• Continuous skills improvement
• Runbook automation for accuracy

Page 7: SACON - Incident Response Automation & Orchestration (Amit Modi)


SOC 3D: Your Gateway to the Future

Page 8: SACON - Incident Response Automation & Orchestration (Amit Modi)


What Is SOC-3D

• Your single pane of glass for managing your entire security operations
• Provides more accurate and actionable high-priority alerts by ingesting and analyzing SOC feeds and external feeds
• The only SOC management platform combining automation, orchestration and big-data security analytics for real-time investigation

Page 9: SACON - Incident Response Automation & Orchestration (Amit Modi)


Your SOC Hub: SOC 3D

(Architecture diagram: SOC 3D sits on a big-data platform in the middle and talks to the systems below over APIs.)

Alert sources: SIEM, Ticketing, Email, CRM, Helpdesk, EDR, UBA
Enrichment sources: Threat Intel, CMDB, HR Systems, GRC, Compliance, Vulnerability Assessment
Response tools: IPS, EDR, WAF, Active Directory, NAC, Memory Dump

Page 10: SACON - Incident Response Automation & Orchestration (Amit Modi)


Security Analytics: Visualize Anything. Investigate Freely.

• Explore raw data for forensics
• Real-time access via big-data platform
• Real-time visualization for faster insights

Page 11: SACON - Incident Response Automation & Orchestration (Amit Modi)


SMART AUTOMATION: Accelerate analyst work across the entire IR cycle

• AUTOMATE RESPONSE: Automate SOC operator and analyst response tasks
• AUTOMATE DATA ENRICHMENT: Get all relevant data for the investigation
• AUTOMATE DECISION MAKING: By automating data collection prior to response

Page 12: SACON - Incident Response Automation & Orchestration (Amit Modi)


The Response Process: Traditional SOC

Manual preparation: 15 minutes, spread over the steps below (the slide shows 2, 2, 3, 2, 2, 2 and 2 minutes for the manual steps).

1. New malware alert
2. Run memory dump utility
3. Isolate host using NAC API
4. Alert IT to replace user host
5. Check asset criticality
6. Critical process? (decision point, marked X on the slide)
7. Check BISO contact
8. Alert CISO & BISO
9. Collect additional raw data
10. Send recommendations and summary report? (decision point, marked X on the slide)
11. Investigate
12. Escalate to Tier 2

Page 13: SACON - Incident Response Automation & Orchestration (Amit Modi)


The Response Process: With SOC-3D Automation

The same steps as on the previous slide, with the preparation handled by three automated phases: automated decision making, automated data enrichment and automated response. The analyst's "Start Here" marker sits after the automated steps, so the human work begins with an already enriched and contained incident.

Steps shown:

• New malware alert
• Check asset criticality
• Critical process? (decision point, marked X on the slide)
• Check BISO contact
• Collect additional raw data (e.g. TI)
• Run memory dump utility
• Isolate host using NAC API
• Alert IT to replace user host
• Alert CISO & BISO
• Start Here: Investigate
• Send recommendations and summary report? (decision point, marked X on the slide)
• Escalate to Tier 2
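As an added example (not CYBERBIT's or SOC 3D's code), the following Python runbook automates the enrichment and decision steps of the malware-alert flow on the two slides above and emits an ordered response plan. It is constructed for this transcript: the CMDB, BISO contact and threat-intel lookups are in-memory dictionaries with assumed schemas, the hashes and hostnames are made up, and the action strings (`edr.memory_dump`, `nac.isolate`, `ticket.it`, ...) are placeholders for whatever the real response tools expose over their APIs. It also goes one step beyond the slide on the "surgical response" point: when the host sits behind a critical business process, containment is queued for human approval instead of being executed, and an alert with no threat-intel verdict or an unknown asset is escalated to Tier 2 with its enrichment attached rather than acted on automatically.

```python
"""Constructed SOC runbook example (added to this transcript; not CYBERBIT
or SOC 3D code).  Automates the enrichment and decision steps of the
malware-alert flow, then emits an ordered response plan.  Every data source
below is an in-memory stand-in whose schema is an assumption of this example."""
from dataclasses import dataclass, field

# Constructed stand-ins for the CMDB, the BISO contact directory and threat intel.
CMDB = {
    "ws-1042":  {"unit": "retail",   "criticality": "low",  "critical_process": None},
    "db-pay-3": {"unit": "payments", "criticality": "high", "critical_process": "card-settlement"},
}
BISO_CONTACTS = {"retail": "biso-retail@example.com", "payments": "biso-payments@example.com"}
THREAT_INTEL = {  # sha256 -> verdict; the hash is made up
    "a" * 64: {"family": "loader", "confidence": 95},
}


@dataclass
class Alert:
    host: str
    sha256: str
    source: str = "SIEM"


@dataclass
class Plan:
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # executed now, in order
    pending: list = field(default_factory=list)   # queued for human approval
    escalate_to_tier2: bool = False


def enrich(alert: Alert) -> dict:
    """Automated data enrichment: everything an analyst would otherwise look up
    by hand (asset criticality, BISO contact, TI verdict) before deciding."""
    asset = CMDB.get(alert.host, {"unit": None, "criticality": "unknown", "critical_process": None})
    return {
        "asset": asset,
        "biso": BISO_CONTACTS.get(asset["unit"]),
        "ti": THREAT_INTEL.get(alert.sha256),   # None when the hash is unknown
    }


def build_plan(alert: Alert) -> Plan:
    """Automated decision making: branch on the enrichment, then order the
    response so volatile evidence is captured before the host is touched."""
    plan = Plan(enrichment=enrich(alert))
    asset, ti, biso = plan.enrichment["asset"], plan.enrichment["ti"], plan.enrichment["biso"]

    # Memory dump first: re-imaging after the dump loses nothing.
    plan.actions.append(f"edr.memory_dump host={alert.host}")

    if ti is None or asset["criticality"] == "unknown":
        # Not enough context to act automatically: hand the case to a human
        # with the enrichment already attached instead of guessing.
        plan.escalate_to_tier2 = True
        plan.actions.append(f"case.create alert={alert.source} host={alert.host} reason=insufficient-context")
        return plan

    containment = f"nac.isolate host={alert.host}"
    if asset["critical_process"]:
        # Isolating a host behind a critical business process can cause an
        # outage (assumption of this example): queue containment for approval,
        # and tell the CISO and the business's BISO right away.
        plan.pending.append(containment)
        plan.actions.append("notify ciso")
        if biso:
            plan.actions.append(f"notify {biso} process={asset['critical_process']}")
    else:
        plan.actions.append(containment)

    plan.actions.append(f"ticket.it reimage host={alert.host} family={ti['family']}")
    plan.actions.append(f"report.summary host={alert.host} confidence={ti['confidence']}")
    return plan


if __name__ == "__main__":
    for host in ("ws-1042", "db-pay-3", "unknown-host"):
        p = build_plan(Alert(host=host, sha256="a" * 64))
        print(host, p.actions, p.pending, p.escalate_to_tier2)
```

Run it directly to print the plans for three constructed alerts: an ordinary workstation is dumped, isolated and ticketed for re-imaging without anyone touching a console; the payments database host gets the same evidence capture and notifications but its isolation waits in `pending`; a host missing from the CMDB, or a hash the threat-intel feed has never seen, is escalated rather than contained on a guess.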

Page 14: SACON - Incident Response Automation & Orchestration (Amit Modi)


Impact On TTR and TCO

Average number of stages per incident: 6
Average time saved by SOC 3D per stage: 2 minutes
Total time saved by SOC 3D per incident: 12 minutes
Number of daily incidents: 100
Time saved by SOC 3D every day: 20 hours (100 × 12 minutes)
TCO saving per day: $2,000
TCO saving per month: $44,000

(The figures imply a loaded analyst cost of $100 per hour and a 22-working-day month; substitute your own rates and incident volume.)

Page 15: SACON - Incident Response Automation & Orchestration (Amit Modi)


With SOC-3D, Your SOC is

EFFICIENT
• Faster to respond
• Reduces SOC team workload
• Measurable

BUSINESS-DRIVEN
• Focuses on what matters the most
• Keeps executive level informed
• Engages the entire organization

SOC USER-CENTRIC
• Reduces the expertise barrier
• Engages your team
• Increases analyst impact
• Simplifies complex investigations

Page 16: SACON - Incident Response Automation & Orchestration (Amit Modi)


Deep Diving - SOC 3D

Page 17: SACON - Incident Response Automation & Orchestration (Amit Modi)


Thank You!