Downloaded 42 times
Uploaded byIBM Security
Automation: Embracing the Future of SecOps
The document discusses the challenges facing security operations, including adversary innovation and skills gaps, and emphasizes the importance of automation, orchestration, and analytics in improving security response. It outlines various use cases for automation in security processes, such as phishing enrichment and incident monitoring, and the role of tools and frameworks like MITRE ATT&CK in enhancing threat detection and response. Additionally, it highlights the need for policies and guardrails to ensure effective automation while maintaining security and trust in the system.
In this document
Powered by AI
Focuses on the future of SecOps and introduces speakers, highlighting transformation in security operations.
Discusses industry challenges like adversary innovation, infrastructure complexity, and skills gap impacting SecOps.
Highlights the need for actionable alerts and Security Orchestration, Automation, and Response (SOAR) for efficiency.
Addresses the need for architects to build and maintain security policies and playbooks for effective operations.
Describes specific automation use cases: phishing enrichment and endpoint event enrichment, focusing on time efficiency.
Explains how to leverage the MITRE ATT&CK framework for incident prioritization and enrichment.
Discusses the importance of implementing policies and guardrails to ensure secure and effective automation processes.
Focuses on adapting people and processes for automation, emphasizing trust in automation and quantifying efficiency.
Details how machine learning can enhance categorization, prioritization, and predictive capabilities in incident response.
Mentions incident response maturity model and promotes further reading and resources for ongoing learning.
Provides copyright and legal disclaimers while promoting IBM's security resources and community engagement.
More Related Content
Similar to Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
- 1. Automation: Embracing the Futureof SecOps
- 2. IBM Security /© 2019 IBM Corporation 2 Introducing our Speakers Ted Julian, VP Product Management & Co-Founder, IBM Resilient Mike Rothman President & Analyst, Securosis
- 3. The Future of SecurityOperations Mike Rothman, President @securityincite
- 4. ‣ Independent analystswith backgrounds on both the user and vendor side. ‣ Focused on deep technical and industry expertise. ‣ Pragmatism is religion for us. ‣ We are security guys - that’s all we do. ‣ And we know a little bit about the cloud… ‣ We have been teaching cloud security for 7 years ‣ We wrote the CSA 4.0 guidance About Securosis
- 6. ‣ SecOps isgetting harder: ‣ Adversary innovation ‣ Infrastructure complexity ‣ Skills gap It’s not going to get better (itself)… https://flic.kr/p/bBJYYK
- 7. ‣ Get smarter.Make better decisions ‣ Analytics ‣ Threat Intelligence ‣ Alerts appeared ahead of most major breaches ‣ Someone still has to do something! Actionable Alerts (not the answer)
- 8. SOARing ‣ Security Orchestration,Automation and Response. ‣ Work smarter. Not harder. ‣ Find leverage in operational motions. ‣ Orchestrate different controls into a cohesive whole ‣ Automate the playbooks https://flic.kr/p/FAEhM
- 9. The Rise ofthe Architects Building and maintaining policies and turning them into playbooks is one of the critical skills to have moving forward.
- 10. Automation Use Cases IBM Security/ © 2019 IBM Corporation 10
- 11. Phishing Enrichment This usecase determines what items are present in an email, such as: links, files, IPs, domains, etc. The automation enriches those items using threat intelligence databases, searches across the environment for relevant files and creates a summary report. 1. Trigger the playbook when suspicious emails are forwarded to the phishing-triage inbox 2. Enrich links and other information from an email 3. If present, detonate file attachments in a sandbox 4. Hunt for files across the environment 5. Summarize and report Manual Automated 26:10 min 1:25 min Capability Example Platform Threat Intel Recorded Future Virus Total X-Force Exchange Malware Analysis Sandbox Cuckoo Endpoint File Detection CB Response IP Geolocation MaxMind Alerting Email
- 12. Endpoint Event Enrichment Thisuse case speeds up the investigation by presenting the analyst with a summarized report containing the details of the event, user affected, system information and an environment-wide scan for related files. 1. Trigger the playbook on CrowdStrike endpoint alerts for potentially malicious files 2. Use Virus Total to check if the file hash is widely known, 3. If not give the option to detonate the file, 4. If so give the option to search the environment for the file 5. Query the domain to obtain the system and user information from AD 6. Query the endpoint to capture the running processes, network connections and logged on users. Manual Automated 30:50 min 0:55 min Capability Example Platform Threat Intel Virus Total Malware Analysis Sandbox Cuckoo Endpoint Security CrowdStrike Directory Services AD/LDAP Host Instrumentation Windows Remote Management
- 13. MITRE ATT&CK™ frameworkenrichment This use case leverages the MITRE ATTACK tactics and techniques to assist the analyst in prioritizing their workload and understanding the potential severity and risk of an incident. 1. Ingest Offense data from QRadar & generate incident with malware playbook in Resilient. 2. Send IoCs to MISP & map with MITRE techniques 3. Detonate the malware sample in Hybrid Analysis & extract the MITRE techniques 4. Enrich incident record with MITRE Tactics & Techniques data to guide analyst follow-up & generate additional tasks to mitigate these specific threats Manual Automated 60:180 min 5:00 min Capability Example Platform Threat Intel MISP Malware Analysis Sandbox Hybrid Analysis Endpoint Security CrowdStrike SIEM QRadar http://ibm.biz/BdzqAf
- 14. MITRE ATT&CK™ Frameworkenrichment IBM Security / © 2019 IBM Corporation 14
- 15. ‣ Set policiesto ensure automations don’t go “outside the lines” ‣ Provides a safety net so you don’t go splat if something doesn’t work as intended. ‣ Examples: ‣ Privilege escalation: Trigger is an escalation of a privileged account. Guardrail revokes additional privileges by making API call to directory. ‣ Rogue device: Quarantine an unauthorized device by shutting it down at the network switch. ‣ Deploy new threat detections: Based on trusted threat intel, deploy blocking rules on ingress devices to stop traffic from a questionable domain. Drill Down on Guardrails
- 16. How do weretool people and processes for automation?
- 17. ‣ What issuccess for SOAR? ‣ The continuum of automation ‣ Quantifying staff efficiency ‣ Trustable Automation ‣ Tread carefully and built trust in both the triggers and the actions ‣ Iterate through human approval, automation with logging, automation with guardrails Defining Success and Avoiding Pitfalls
- 18. Apply machine learningto historical data to inform: • Categorization • Prioritization • Assignment • Time to resolve prediction • Solution recommendation • Intelligent automation Purposes Machine Learning in SOAR
- 19.
- 20. ‣ Blog ‣ http://securosis.com/blog ‣Research ‣ http://securosis.com/research ‣ We publish (almost) everything for free ‣ Contribute. Make it better. Read our stuff 20
- 21. © Copyright IBMCorporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. Follow us on: ibm.com/security securityintelligence.com ibm.com/security/community xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions Thank you
Editor's Notes
- #2 Do not place photos or images on cover pages. Please remove this information box before using this cover page.
- #19 It is a Resilient-circuits based integration, similar to the functions Pfizer is using now. There are two components. The web component is used to build a machine learning model. It reads incidents from a Resilient server and uses them as samples. Once a model is built, it is saved locally. To use the model, the user creates a new incident, and the click Predict. Then the Resilient server is going to send the incident to the Function component. The function component reads the saved model, and do a prediction. The result is sent back to the Resilient server.