Organizations continuously look to drive more value with fewer resources for their security operations. The deluge of data and the lack of skilled security professionals highlight the critical need for automation to help manage today’s sophisticated attacks, but is it feasible to automate everything? HPE Security will discuss the potential for security automation and where a human can’t be replaced.
(Source: RSA Conference USA 2017)
2. #RSAC
Agenda
• Introduction
• The need for automation
  – Staff shortages / workload increase
• Case study of failed automation
• Reality
• Next Steps
4. #RSAC
Intelligent Security Operations
Real-time monitoring with deep analytics for investigation and hunt
[Diagram labels: Real-time Monitoring, Investigation, Hunt]
– Foundation for any security operation
– Visibility across environment & stack
– Real-time correlation to detect known threats
– Investigation via workbench and interactive dashboards that allow search, data exploration and entity profiling
– Understand abnormal activity and assess blast radius of attack
– Hunting via behavioral analysis, machine learning and graph visualization to traverse relationships and derive new insights
– Ability to discover the unknown threats through pattern discovery and anomaly detection
5. #RSAC
An effective security operation has tight design integration across people, process and technologies
[Diagram labels, grouped by domain:]
– People: Level 1, Level 2, Incident Handler, Engineer, Hunt
– Process: IR, Governance, Risk, Compliance, eDiscovery, Scanning, Forensics, BCDR, Patching, Business
– Technology: Proxy, Firewall, Network, Threat Intel, SIEM, DB /OS / Web, IAM, Data Lake
– Centre: Analytics, KPIs & ROI
6. #RSAC
Modern SOC Architecture
[Architecture diagram; labels recovered from the slide, grouped by layer:]
– Data Sources (Structured & Unstructured) + Control points: IT, OT, IoT, Physical; Users, Cloud, Apps, Servers & Workloads, Network, Endpoints; Data Lakes / Repositories (i.e. Hadoop); External Information
– Visibility: Data Collectors, Event Streams, Event Broker
– Correlation & Analytics: Real-time Correlation engine, SIEM Alerts, User Behavior Analytics, DNS Malware Analytics, App Defender Analytics, Other Analytics, Linked Data Analytics, Intelligent Queue; Analytics Engines & Investigation modules; Use Case Library
– Workbench: Investigation (Search, Entity Profiling), Hunt; Dashboards | Reports | Workflow | Case Mgmt | Runbooks
– Response: 3rd Party Integration; Ticketing & Workflow; Identity & Configuration (Active Directory, Config Mgmt DB); IT Operations & Management Systems
– Intelligence Feeds: Threat Central, 3rd Party Feeds
– Security Operations (On-premise & Managed): Security Analysts Level 1, Security Analysts Level 2, Hunt Team
12. #RSAC
Typical manual incident action
[Diagram: Create Ticket → Collect Information → Route to Contact → Take Action. Each step is a manual operation relying on Post-it notes, tribal knowledge or a knowledge base, with a delay of between hours and days for every manual hand-off.]
13. #RSAC
Rapid service fulfillment with HPE Orchestration
[Diagram: the same Create Ticket → Collect Information → Route to Contact → Take Action flow, with requests fulfilled at the click of a button.]
• E2E service requests using workflows
• Automatic actions to implement change
• Complete reports
• Complete audit trail
• Reports and ROI
• Knowledge captured in process automations
14. #RSAC
Problems with script-based automation
Limitations in scope
• Scripts integrate poorly with other tools
• Audit-tracing logs can be easily overwritten, causing audit data loss
• Cross-server coordination is difficult, especially across disparate platforms
Lots of maintenance
• Target environment changes require manual updates for each script
• Policies that are hard coded require manual updates when policies change
• Key assumption changes require manual script updates on each target server
Lack of standardization
• Scripts reflect the author’s style, making uniformity difficult
• Scripts depend on tribal knowledge – the script author is the only one who can maintain it
15. #RSAC
2017 State of Security Operations, 4th annual report
Read the full report at hpe.com/software/StateOfSecOps
183 assessments
By region: North America 1.52, South America 1.89, DACH 1.47, UK 1.26, Nordics 1.33, Asia 1.37, Oceania 1.00, MEMA 1.09, BeNeLux 1.79, Europe 1.30
82% of organizations are not meeting their business goals
27% of SOCs are failing to achieve minimum security monitoring capabilities
Top observations
• Full automation of operations is unrealistic
• Hunt-only search & response does not provide full coverage and effectiveness
• Increased capabilities come from hybrid staffing solutions
Continuing trend: proliferation of threat hunt programs
Emerging trend: development of security fusion centers
Industry findings
• Telecom: main concern is service availability
• Healthcare: preferred target of ransomware
• Government: struggle with long-term maturity
• Energy: increase in physical and ICS attacks and monitoring
• Financial: plagued by SWIFT attacks
16. #RSAC
How to start
• Clearly understand SOC objectives and Use Cases
• Adopt process improvement methodologies to ensure mature process foundation for automation
• Leverage commercial off the shelf Orchestration and/or Incident workflow tools if possible
• Identify risks associated with automation
• Create process for taking Automation from inception through guided execution through autonomous action
• Prioritize Use Cases for automation
• Leverage experts while designing and implementing
• Measure performance
• Rinse and Repeat
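As an added illustration (not HPE's code or the orchestration product the deck describes), the runbook below models the four hand-offs of the manual flow (create ticket, collect information, route to contact, take action) as one workflow that addresses the script problems listed on slide 14 and the inception-to-autonomous progression of the last slide: policy lives in a data table rather than hard-coded in each step, the audit trail is append-only, and each action carries a mode that is either guided (a human approves the proposed action) or autonomous. All categories, team names, ticket ids and enrichment fields are constructed.

```python
from enum import Enum

class Mode(Enum):
    GUIDED = "guided"          # action is proposed; a human must approve it
    AUTONOMOUS = "autonomous"  # action executes with no manual hand-off

# Constructed policy table. It is data, not logic hard-coded into each step,
# so a policy change does not mean editing every script that applies it.
POLICY = {
    "malware": {"contact": "endpoint-team", "action": "isolate_host", "mode": Mode.AUTONOMOUS},
    "phishing": {"contact": "mail-team", "action": "quarantine_message", "mode": Mode.GUIDED},
}

class Runbook:
    def __init__(self):
        self._audit = []  # append-only trail; later steps never rewrite earlier entries
        self._next_id = 1000

    def _log(self, step, **detail):
        self._audit.append({"seq": len(self._audit) + 1, "step": step, **detail})

    def audit_trail(self):
        return tuple(self._audit)  # read-only view for audit reports and ROI metrics

    def run(self, alert, approve=lambda proposal: False):
        """Create ticket -> collect information -> route to contact -> take action.
        `approve` stands in for the human decision in GUIDED mode; returns a summary."""
        ticket = f"INC-{self._next_id}"
        self._next_id += 1
        self._log("create_ticket", ticket=ticket, category=alert["category"])

        context = {"host": alert.get("host"), "user": alert.get("user")}  # constructed enrichment
        self._log("collect_information", ticket=ticket, context=context)

        policy = POLICY.get(alert["category"])
        if policy is None:  # no policy for this category: hand to an analyst, do not guess
            self._log("route_to_contact", ticket=ticket, contact="soc-level-1", reason="no policy")
            return {"ticket": ticket, "status": "escalated"}
        self._log("route_to_contact", ticket=ticket, contact=policy["contact"])

        if policy["mode"] is Mode.GUIDED:
            proposal = {"ticket": ticket, "action": policy["action"], **context}
            if not approve(proposal):
                self._log("take_action", ticket=ticket, action=policy["action"], result="rejected")
                return {"ticket": ticket, "status": "rejected"}
        self._log("take_action", ticket=ticket, action=policy["action"], mode=policy["mode"].value)
        return {"ticket": ticket, "status": "done", "action": policy["action"]}
```

Moving a category from guided to autonomous is a one-field change in POLICY, and the trail records which mode each action ran under, which is what the reports and ROI figures on slide 13 need.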