
Security Automation & Orchestration

On your marks, get set GO!

Take a more in-depth look at the automation and orchestration journey and the future of SOAR.

Watch the SOCtails video here: https://www.youtube.com/watch?v=YzsGQzqaDYw&t=2s


  1. Lessons for a fast start in Automation and Orchestration. Security Breakout. George Panousopoulos, Security Strategist. March 16, 2020. © 2019 Splunk Inc.
  2. Forward-Looking Statements. During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
  3. #whoarewe: George Panousopoulos, Global Security Strategist; Chris Harazinski, Senior Sales Engineer.
  4. Agenda:
     - Introduction
     - The Automation & Orchestration journey
     - Case Study: Norlys
     - Case Study: EY
     - The future of SOAR is here
     - Epilogue
  5. Splunk as the Security Nerve Center: Optimize People, Process and Technology. Integrated domains: Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access. Stack: Operations, Analytics, Data Platform.
  6. Security Operations Suite Architecture. CUSTOMER DELIVERY: Other Data Lakes; Cloud, On-Prem, Hybrid with Brokers. PLATFORM: Platform for Machine Data. APPLICATIONS: Future Splunk Solutions; 3rd Party Plug-ins. SOLUTIONS: Mission Control, Cloud-Based Unified Security Operations.
  7. Capabilities: Ingest, Detect, Predict, Automate, Orchestrate, Recommend, Collaborate, Investigate, Manage Cases, Report. Supporting: Artificial Intelligence, Content, Machine Learning. (Placeholders: mark what the talk focuses on.)
  8. Automation is (not) easy. And neither is Orchestration.
  9. (image-only slide)
  10. Use Case Best Practices. The best automation scenarios are easy to understand.
      • Known procedures: they are documented; the return is quantifiable.
      • Undocumented procedures: white-board it out; document in a standardized, widely accepted format.
  11. Machine vs Human.
      • Machine: analytically consistent, not instinctive; significantly faster, but effective only when the analysis is focused.
      • Human: visual and instinctive, experienced; slower and prone to cognitive bias.
  12. Use case vs Playbook.
  13. Playbook Methodology. Compact playbooks that quickly perform common independent functions. Introducing utility playbooks:
      • Ingest alert
      • Collect evidence
      • Create ticket
      • Notify IR team
      • Investigate evidence
      • Scope event
      • Contain asset
      Each playbook is described by four elements:
      • INPUT: source(s) of events, process, information.
      • ACTION: the transformation(s), duties, actions to be performed by a person, tool, analysis or correlation to a function.
      • ARTIFACTS: the expected output of actions performed by the process or function.
      • INTERACTION: Owner, Actioner, Supporter, Consulted, Involved/Informed between teams, technology or events.
  14. Ingest. Ingested events are brought in from sources and are defined by the capability of the input source rather than the asset built.
  15. Notify. The Notify playbook is the scenario where a party is informed or notified of a task.
  16. The Norlys journey. Automating 3 common use cases at SOARing heights. https://www.slideshare.net/Splunk/splunklive-stockholm-2019-customer-presentation-norlys
  17. Their Story
      ▶ Situation: had to build log analytics and incident response capabilities from the ground up for a relatively big company in Denmark.
      ▶ Struggling with: repetitive tasks, a myriad of tools, slow web UIs, creating and maintaining internal processes.
      ▶ Wanted: a central screen for investigations with in-depth documentation and automation capabilities.
      ▶ Enter Phantom: "With Phantom we are now able to automate the boring tasks and document every step, it doesn't matter if it's automated or manual."
  18. Their 5 Step Journey with Splunk Phantom
      1. Using Phantom for documentation and adding everything manually
      2. Using applications in Phantom for semi-automated investigation processes
      3. Chaining applications/actions together for creating playbooks
      4. Customizing the playbooks with some custom code, if needed
      5. Connecting Splunk and Phantom for closer integration
      Results:
      • Most notable alerts from Splunk ES are now forwarded to Phantom (automated ticket creation)
      • Most of the tickets automatically initiate enrichment actions (automated ticket enrichment)
      • Advanced incident handling capabilities: Mission Control allows us to document and maintain our processes inside Phantom
  19. Use Cases at Norlys
      • Production server group containment with 4 eyes principle
      • Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis
      • Grab browsing history from endpoint
  20. Use case 1: Production server group containment with 4 eyes principle (2018)
      ▶ The same analyst can actually approve the "contain" action twice
      ▶ No 2-factor authentication
      ▶ Early, but working version of a great idea
  21. Use case 1: Production server group containment with 4 eyes principle (2019)
      ▶ Cannot bypass the logical decision
      ▶ DUO 2FA has been introduced
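The difference between the 2018 and 2019 versions of use case 1, modelled as an added Python example (not Norlys's playbook code and not the Splunk Phantom API): the first gate only counts approvals, the second requires two distinct analysts whose second-factor check passed. The `Approval`, `ContainmentRequest` and gate function names are assumptions, and `mfa_verified` stands in for the result of an external DUO challenge.

```python
"""Four-eyes approval gate for a production server group containment.

Added example, not the Norlys playbook or the Phantom API. It models the
two gate versions from the slides: the 2018 gate counted approvals without
checking who gave them; the 2019 gate requires two distinct approvers and
a passed second-factor check for each approval.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Approval:
    analyst: str        # identity of the analyst who clicked "approve"
    mfa_verified: bool  # constructed stand-in for the DUO 2FA result


@dataclass
class ContainmentRequest:
    asset_group: str
    approvals: List[Approval] = field(default_factory=list)


def gate_2018(req: ContainmentRequest) -> bool:
    """2018 gate: any two approvals release the action. Weakness noted on
    the slide: one analyst approving twice passes, and 2FA is not checked."""
    return len(req.approvals) >= 2


def gate_2019(req: ContainmentRequest) -> bool:
    """2019 gate: two approvals from distinct analysts, each 2FA-verified.
    Duplicate approvers and unverified approvals do not count toward two."""
    verified_approvers = {a.analyst for a in req.approvals if a.mfa_verified}
    return len(verified_approvers) >= 2


def contain_production_group(req: ContainmentRequest,
                             gate: Callable[[ContainmentRequest], bool]) -> str:
    """Return the decision string a playbook step would write to the case."""
    if gate(req):
        return f"CONTAIN {req.asset_group}"
    return f"BLOCKED {req.asset_group}: four-eyes requirement not met"


# Constructed samples: one analyst approving twice vs. two distinct analysts.
same_person = ContainmentRequest("prod-web",
                                 [Approval("alice", True), Approval("alice", True)])
two_people = ContainmentRequest("prod-web",
                                [Approval("alice", True), Approval("bob", True)])
```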
  22. Use case 2: Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis
  23. Use case 2: Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis (2018)
      ▶ This playbook required too many resources and used a lot of custom code
      ▶ Hard to maintain and to debug, but possible
      ▶ Is there a better and more automated way?
  24. Use case 2: Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis (2019)
  25. Use case 3: Grab browsing history from endpoint (2018)
      ▶ Early version, lots of custom code
      ▶ How can we improve it?
  26. Use case 3: Grab browsing history from endpoint (2019)
  27. You built the easy stuff. Now what?
  28. EY Case Study. From "scary-slow" to "scary-fast" IOC detection and sharing. https://conf.splunk.com/files/2019/slides/SEC1280.pdf
  29. Their Story
  30. "How do we hunt faster and how do we take the info from this incident to help others?" Automation. Powered by Splunk>Phantom.
  31 to 39. (image-only slides)
  40. Key Takeaways: Orchestration for the win
      1. Because with Phantom you get:
         • Better reporting (combining results from an endpoint and network sensor)
         • More robust orchestration (plugging into all the tools with one click instead of forgetting one or two)
         • Faster response time (from YARA/Snort rule creation to execution in an environment and results would take days/weeks or not even be attempted)
      2. Analysts did these YARA hunts in VTI in the past; now EY can do it within a customer's security data lake.
  41. Mobile and beyond. IR on the mobile is no longer a movie thing.
  42. Splunk Phantom on your mobile device
      • Phantom on Splunk Mobile brings the power of Phantom security orchestration, automation, and response (SOAR) capabilities to your mobile device.
      • No need to open your laptop. Orchestrate security operations from the palm of your hand.
      • Respond faster than ever before, because you're reachable from anywhere.
      • Run playbooks, triage events, and collaborate with colleagues, all on the go.
  43. Phantom 4.8: Python 3 support; Slash Commands; Zero downtime backups.
  44. (image-only slide)
  45. Recommended Further Reads
      • Getting Started with Security Automation and Orchestration: https://www.splunk.com/en_us/blog/security/getting-started-with-security-automation-and-orchestration.html
      • Build Automated Decisions for Incident Response with Splunk Phantom (GE): https://conf.splunk.com/files/2019/slides/SEC1446.pdf
      • Our Splunk Phantom Journey: Implementation, Lessons Learned, and Playbook Walkthroughs (NAB): https://conf.splunk.com/files/2019/slides/SEC1506.pdf
      • Hacking Your SOEL: SOC Automation and Orchestration: https://static.rainfocus.com/splunk/splunkconf18/sess/1522584681091001dUJr/finalPDF/SEC1233_HackingYourSOEL_Final_1538424831880001SlPY.pdf
      • Start with Investigation in Splunk Phantom: https://docs.splunk.com/Documentation/Phantom/4.8/User/MC
      • BONUS - Cops and Robbers: Simulating the Adversary to Test Your Splunk Security Analytics: https://static.rainfocus.com/splunk/splunkconf18/sess/1522696002986001hj1a/finalPDF/Simulating-the-Adversary-Test-1244_1538791048709001YJnK.pdf
  46. Splunk technology covered in this session. CUSTOMER DELIVERY: Other Data Lakes; Cloud, On-Prem, Hybrid with Brokers. PLATFORM: Platform for Machine Data. APPLICATIONS: Future Splunk Solutions; 3rd Party Plug-ins. SOLUTIONS: Mission Control, Cloud-Based Unified Security Operations.
  47. Action Plan for the next 90 days
      Strategy:
      • Schedule a PVP (Prescriptive Value Path) with a Splunk security expert
      • Document your SOPs
      • Identify your automation priorities
      Hands-On:
      • Register for free at my.phantom.us
      • Schedule a Phantom Hands-On workshop
  48. Thank You