This talk was presented at BSides DC 2017. It dives deep into Cyphon.io for triage of security incidents and events. I also talk about threat intel management, threat hunting and upcoming features in Cyphon.
2. What is Incident Management?
First, we need to define what classifies an “incident”.
Pre-processed
• Logs
• System Events
• Audit trail
• Netflow
• Threat Intel / Indicators
Post-processed
• Security Alarms
• Query Results (Alerts)
• Outages
• Daily Reports
• Policy Violations
3. A sea of alerts from hundreds of products
Alerts are meant to flag actionable incidents, but are frequently false positives.
How are actionable issues managed today?
• Email
• SIEM
• Ticketing System
The average security manager receives 5000+ security alerts a day (Cisco 2017).
4. What are the options?
SIEM tools
- Volume-based pricing
- Expensive add-on modules
Orchestration
- Still unproven
- Interoperability is still evolving
- Requires constant maintenance
Enterprise ITSM
- Not designed for security teams
- Few correlation capabilities
Threat Hunting tools
- Great for proactive inspection
- Can require advanced skillsets
We needed a platform for our SOC that:
• Enabled team collaboration
• Tracked accountability
• Enforced a consistent incident management (IM) process
• Created a knowledge base
• Performed light orchestration
• Automated prioritization and analysis
• Connected to all varieties of source data
6. Open Source Incident Management
• Designed for SOC analysts to rapidly triage security events
• Correlation and Search
• Monitoring of event flow
• Priority Rules engine
• Open framework
• Project maintained by Dunbar Cybersecurity
• Community driven!
21. Latest Release: 1.5.2
DataTaggers
Automatically tag alerts based on the content of the data that generated the alert. You can
even configure them to automatically create new tags based on the content of particular
fields. With autotagging, analysts can quickly understand the nature of an alert by looking at
the tags associated with it.
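To make the autotagging idea concrete (and the tag-driven prioritization the Priority Rules engine slide refers to), here is a small added example. It is illustration code written for this page, not Cyphon's own DataTagger implementation: the rule format (a dotted field path, a regex, fixed tags, and an optional named group whose value becomes a new tag), the alert structure and the sample alerts are all assumptions constructed for the demo.

```python
"""Hypothetical autotagger and tag-driven priority rule, in the spirit of
Cyphon's DataTaggers. Example code for illustration only; not Cyphon's
implementation. Rule format, alert format and sample data are assumed."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]  # ascending severity


@dataclass
class TaggerRule:
    """Apply tags when a regex matches one field of the alert's source data."""
    field_path: str                       # dotted path into the data, e.g. "http.user_agent"
    pattern: str                          # regex, searched case-insensitively
    tags: Tuple[str, ...] = ()            # fixed tags applied on a match
    tag_from_group: Optional[str] = None  # named group whose value becomes a new tag


@dataclass
class Alert:
    title: str
    data: Dict[str, Any]                  # the event/log record that produced the alert
    tags: set = field(default_factory=set)
    level: str = "LOW"


def get_field(data: Dict[str, Any], path: str) -> Optional[str]:
    """Walk a dotted path through nested dicts; return the value as text, or None if absent."""
    node: Any = data
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return None if node is None else str(node)


def normalize_tag(value: str) -> Optional[str]:
    """Slugify a field value so it is safe to create as a tag name (lowercase, [a-z0-9-])."""
    slug = re.sub(r"[^a-z0-9]+", "-", value.lower()).strip("-")
    return slug[:32] or None


def apply_taggers(alert: Alert, rules: List[TaggerRule]) -> set:
    """Run every rule against the alert; a rule whose field is missing simply does not fire."""
    for rule in rules:
        value = get_field(alert.data, rule.field_path)
        if value is None:
            continue
        match = re.search(rule.pattern, value, re.IGNORECASE)
        if not match:
            continue
        alert.tags.update(rule.tags)
        if rule.tag_from_group:
            derived = normalize_tag(match.group(rule.tag_from_group) or "")
            if derived:
                alert.tags.add(derived)  # tag auto-created from the field content
    return alert.tags


def assign_level(alert: Alert, level_by_tag: Dict[str, str]) -> str:
    """Priority rule: the alert takes the highest level any of its tags maps to."""
    best = 0
    for tag in alert.tags:
        if tag in level_by_tag:
            best = max(best, LEVELS.index(level_by_tag[tag]))
    alert.level = LEVELS[best]
    return alert.level


# Assumed rule set: IDS signature category becomes a tag; known scanners in a UA get tagged.
RULES = [
    TaggerRule("signature", r"\bTROJAN\b", tags=("malware",)),
    TaggerRule("signature", r"^ET\s+(?P<category>[A-Z]+)\b", tag_from_group="category"),
    TaggerRule("dest_port", r"^(22|3389)$", tags=("remote-admin",)),
    TaggerRule("http.user_agent", r"(?P<tool>sqlmap|nikto|nmap)",
               tags=("scanner",), tag_from_group="tool"),
]
LEVEL_BY_TAG = {"malware": "CRITICAL", "scanner": "HIGH", "remote-admin": "MEDIUM"}

# Constructed sample alerts (not real events).
SAMPLE_ALERTS = [
    Alert("IDS beacon", {"signature": "ET TROJAN Sample Beacon Checkin",
                         "src_ip": "10.0.0.5", "dest_port": 443}),
    Alert("Web scan", {"http": {"user_agent": "sqlmap/1.4 (https://sqlmap.org)",
                                "uri": "/login?id=1"}, "dest_port": 80}),
    Alert("IDS ssh", {"signature": "ET POLICY SSH Login Attempt", "dest_port": 22}),
]


def triage(alerts: Optional[List[Alert]] = None) -> List[Tuple[str, List[str], str]]:
    """Tag and prioritize each alert; return (title, sorted tags, level) per alert."""
    alerts = SAMPLE_ALERTS if alerts is None else alerts
    results = []
    for alert in alerts:
        apply_taggers(alert, RULES)
        assign_level(alert, LEVEL_BY_TAG)
        results.append((alert.title, sorted(alert.tags), alert.level))
    return results


if __name__ == "__main__":
    for title, tags, level in triage():
        print(f"{level:<8} {title:<10} tags={tags}")
```

The second rule shows the "create new tags from field content" case: the signature category (TROJAN, POLICY, ...) is slugified and added as a tag even though no rule lists it explicitly, which is why field values must be normalized before they become tag names. The priority step then derives the alert level purely from tags, so adding a tagger is enough to change how an alert is ranked.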
Articles
Articles are reference documents for particular subjects, such as port numbers or Snort
signatures. They can provide information to help analysts quickly diagnose and remediate
alerts.
Upcoming features: system-wide search, front-end article and link support, additional Actions, REST and TAXII support
22. Want to learn more?
https://github.com/dunbarcyber/cyphon
https://gitter.im/cyphonproject
http://cyphon.readthedocs.io
https://www.cyphon.io