Using automation to improve the effectiveness of security operations


IA Practitioners 2014 event presentation on security automation using advanced technologies, threat intelligence, behavioural anomaly detection and incident response workflows

Published in: Data & Analytics

  1. Using Automated Technologies to Improve Security Efficiency
     Piers Wilson, Tier-3 Huntsman® - Head of Product Management

  2. Setting the Scene (© 2014 Tier-3 Pty Limited. All rights reserved.)
     • Cyber attacks continue to increase
     • Even closed networks are vulnerable
     • Every organisation is at risk

  3. More for Less
     • Increasing drive towards data assurance & compliance
     • More is being asked of the same number of security people

  4. How can technology help?
     Automation adds accuracy and efficiency to the security operations process:
     • Behavioural Anomaly Detection to automatically detect suspicious activity – without the need for time-consuming rules
     • Threat Intelligence for faster and more accurate threat detection – "shorten the window" of investigation
     • Standardised process workflows – for collection, analysis, reporting and response processes

  5. Behavioural Anomaly Detection
     • Machine learning to create a dynamic baseline of system behaviour
     • Continuously updated baseline as the environment changes
     • Real-time alerts on any activities that diverge from the "normal" baseline

  6. Benefits of Behavioural Anomaly Detection
     • Alerts can be investigated & remediated as they are detected
     • Removes the need to know the network or constantly re-write rules
     • No need to second-guess the attack; start the investigation from the indicator of compromise: incl. APTs, zero-day & insider threats - the unknowables
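The two slides above describe a baseline that is learned per entity, updated continuously, and alerted on when an observation diverges from it. The following is an added example, not code from the presentation or from the Huntsman product, showing one concrete way to do that: an exponentially weighted running mean and variance per user, scored before it is updated so every new value is judged against history and then folded into it. The log lines, user names and counts are constructed for the example; the scoring threshold, smoothing factor and the standard-deviation floor are assumptions a real deployment would tune.

```python
"""Added example: per-entity behavioural baseline (exponentially weighted
mean/variance) with real-time alerts on divergence. Sample log lines are
constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass
class Baseline:
    """Exponentially weighted running mean and variance for one entity."""
    alpha: float = 0.2   # weight of the newest observation; smaller adapts more slowly
    mean: float = 0.0
    var: float = 0.0
    n: int = 0

    def score(self, x: float) -> float:
        """Deviation of x from the baseline in standard deviations (0 until warmed up)."""
        if self.n < 2:
            return 0.0
        sd = max(math.sqrt(self.var), 1.0)   # floor: a flat history must still tolerate jitter
        return (x - self.mean) / sd

    def update(self, x: float) -> None:
        """Fold x into the baseline so it keeps tracking the environment."""
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1.0 - self.alpha) * (self.var + diff * incr)
        self.n += 1


class AnomalyDetector:
    """One baseline per entity; no static rules about what 'normal' is."""

    def __init__(self, threshold: float = 3.0, alpha: float = 0.2):
        self.threshold = threshold
        self.baselines = defaultdict(lambda: Baseline(alpha))

    def observe(self, entity: str, value: float):
        """Score first, then learn. Returns (z, alerted)."""
        b = self.baselines[entity]
        z = b.score(value)
        b.update(value)
        return z, abs(z) > self.threshold   # a sharp drop is as interesting as a spike


def parse_line(line: str) -> dict:
    """Parse 'timestamp k=v k=v ...' lines into a dict (timestamp under 'ts')."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, val = pair.partition("=")
        rec[key] = val
    return rec


# Constructed hourly login counts. alice's last hour is ~8x her norm; bob's busier
# profile is normal for him and must not alert, because the baseline is per entity.
SAMPLE_LINES = [
    f"2014-06-01T{hour:02d}:00Z user={user} event=login count={count}"
    for hour, user, count in [
        (8, "alice", 5), (8, "bob", 20), (9, "alice", 6), (9, "bob", 22),
        (10, "alice", 5), (10, "bob", 21), (11, "alice", 7), (11, "bob", 19),
        (12, "alice", 6), (12, "bob", 20), (13, "alice", 5), (13, "bob", 21),
        (14, "alice", 6), (14, "bob", 22), (15, "alice", 48), (15, "bob", 23),
    ]
]


def run_detector(lines, threshold: float = 3.0):
    """Stream the lines through the detector and return the alerts raised."""
    det = AnomalyDetector(threshold)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        z, hit = det.observe(rec["user"], float(rec["count"]))
        if hit:
            alerts.append({"ts": rec["ts"], "entity": rec["user"],
                           "value": float(rec["count"]), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LINES):
        print(alert)
```

Because the baseline absorbs every observation, including the one that alerted, a sustained change becomes the new normal within a few periods; whether alerted values should be withheld from the update is a deliberate tuning choice, not something the smoothing factor decides on its own.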
  7. Threat Intelligence
     Referenceable information for situational awareness:
     • External sources of known threats or risks
     • Internal risk factors - technical and non-technical
     • "Correlatable" information from environmental, physical, technical, geopolitical sources etc.

  8. Benefits of Threat Intelligence
     [Diagram: an "Intelligent SIEM" at the centre, fed by "traditional" log sources, vulnerability information, geographic information, security/malware/attack context, external threat sources and internal context databases]
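The diagram on slide 8 shows the SIEM joining ordinary log events with external threat sources, vulnerability information, geographic information and internal context. As an added example (not code from the presentation or from any vendor product), the following does that join in a few dozen lines: each event is enriched from every source and given a triage priority, so the analyst starts from the most contextualised event rather than the most recent one. The indicator feed, asset database, region table, scoring weights and events are all constructed; the addresses come from the RFC 5737 documentation ranges and the vulnerability identifier is a placeholder.

```python
"""Added example: enriching log events with external threat indicators,
internal asset/vulnerability context and geographic context, then ranking
them for triage. Every data source below is constructed for the example."""
import ipaddress

# External threat sources: indicator -> (feed, category). Constructed.
EXTERNAL_INDICATORS = {
    "203.0.113.45": ("feed-A", "c2"),
    "203.0.113.9": ("feed-B", "scanner"),
}

# Internal context database: host -> criticality (1-5) and known open vulnerabilities. Constructed.
ASSETS = {
    "fin-db01": {"criticality": 5, "open_vulns": ["VULN-PLACEHOLDER-1"]},
    "kiosk07": {"criticality": 1, "open_vulns": []},
}

# Geographic information: network -> region label. Constructed placeholder regions.
GEO = [
    (ipaddress.ip_network("203.0.113.0/24"), "region-X"),
    (ipaddress.ip_network("198.51.100.0/24"), "region-HQ"),
]
EXPECTED_REGIONS = {"region-HQ"}   # where this organisation's own users normally connect from


def geo_lookup(ip: str) -> str:
    """Map an address to a region label, 'unknown' if no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEO:
        if addr in net:
            return region
    return "unknown"


def parse_event(line: str) -> dict:
    """Parse 'timestamp k=v k=v ...' into a dict; 'peer' is the remote address."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, val = pair.partition("=")
        event[key] = val
    return event


def enrich(event: dict) -> dict:
    """Attach context from each source and a triage priority (higher = look first)."""
    out = dict(event)
    peer = event.get("peer", "")
    feed = EXTERNAL_INDICATORS.get(peer)
    asset = ASSETS.get(event.get("host", ""), {"criticality": 1, "open_vulns": []})
    region = geo_lookup(peer) if peer else "n/a"

    out["ti_match"] = f"{feed[0]}:{feed[1]}" if feed else None
    out["asset_criticality"] = asset["criticality"]
    out["open_vulns"] = list(asset["open_vulns"])
    out["peer_region"] = region

    score = asset["criticality"]                 # internal context sets the floor
    if feed:
        score += 5 if feed[1] == "c2" else 2     # known-bad external indicator
    if asset["open_vulns"]:
        score += 2                               # a vulnerable target raises the stakes
    if peer and region not in EXPECTED_REGIONS:
        score += 1                               # unusual geography: weak but useful context
    out["priority"] = score
    return out


def triage(lines):
    """Enrich every event and return them highest priority first."""
    return sorted((enrich(parse_event(line)) for line in lines),
                  key=lambda e: e["priority"], reverse=True)


# Constructed "traditional" log events, one per line.
SAMPLE_EVENTS = [
    "2014-06-01T09:01Z host=kiosk07 peer=198.51.100.7 event=login user=guest",
    "2014-06-01T09:02Z host=fin-db01 peer=203.0.113.45 event=outbound dport=443",
    "2014-06-01T09:03Z host=fin-db01 peer=198.51.100.20 event=login user=dba",
    "2014-06-01T09:04Z host=kiosk07 peer=203.0.113.9 event=portscan",
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev["priority"], ev["host"], ev["event"], ev["ti_match"], ev["peer_region"])
```

The weights are deliberately simple and additive so that an analyst can read why an event ranked where it did; the point is that an outbound connection from a critical, unpatched server to a known command-and-control address outranks a scanner hitting a kiosk, even though both carry an indicator match.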
  9. Workflow Management
     • Established procedures for threat resolution (with ad hoc intervention)
     • Integrated sequence of detection, analysis & resolution processes
     • Automated compliance monitoring and reporting (e.g. GPG13)

  10. Benefits of Workflow Management
     • Standardised, repeatable and measurable processes
     • Support for workflow throughout the incident lifecycle
     • Consistent approach to achieving compliance
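Slides 9 and 10 ask for an established resolution procedure that still allows ad hoc intervention, and for processes that are repeatable and measurable. As an added example (not code from the presentation or from any product), the following small workflow engine enforces a standard detect/analyse/respond lifecycle, lets an analyst step outside it only with a recorded justification, keeps an audit trail of every transition, and derives the timing metrics that make the process measurable. The state names, the allowed transitions, the incidents and their timestamps are constructed assumptions.

```python
"""Added example: a minimal incident-workflow engine with enforced lifecycle,
audited ad hoc overrides and process metrics. States, transitions and the
sample incidents are constructed for this example."""
from datetime import datetime, timedelta

# Standard lifecycle: each state lists the states it may move to.
TRANSITIONS = {
    "detected": {"analysing"},
    "analysing": {"responding", "false_positive"},
    "responding": {"resolved"},
    "resolved": {"closed"},
    "false_positive": {"closed"},
    "closed": set(),
}


class InvalidTransition(Exception):
    pass


class Incident:
    def __init__(self, ident: str, detected_at: datetime, severity: str):
        self.ident = ident
        self.severity = severity
        self.state = "detected"
        # Audit trail: (timestamp, state entered, actor, note)
        self.audit = [(detected_at, "detected", "system", "")]

    def can_move(self, new_state: str) -> bool:
        """True if new_state is a standard next step from the current state."""
        return new_state in TRANSITIONS.get(self.state, set())

    def move(self, new_state: str, actor: str, at: datetime,
             reason: str = "", override: bool = False) -> None:
        """Advance the incident; a non-standard move needs override=True and a reason."""
        if new_state not in TRANSITIONS:
            raise InvalidTransition(f"unknown state {new_state}")
        if not self.can_move(new_state):
            if not (override and reason):
                raise InvalidTransition(f"{self.state} -> {new_state} is not a standard step")
            reason = f"OVERRIDE: {reason}"   # ad hoc intervention, but recorded
        self.state = new_state
        self.audit.append((at, new_state, actor, reason))

    def time_in(self, state: str) -> timedelta:
        """Total time spent in a state (a state not yet left counts as zero)."""
        total = timedelta(0)
        for (t0, s, _, _), (t1, _, _, _) in zip(self.audit, self.audit[1:]):
            if s == state:
                total += t1 - t0
        return total

    def time_to(self, state: str):
        """Elapsed time from detection to first entry into `state`, or None."""
        start = self.audit[0][0]
        for t, s, _, _ in self.audit:
            if s == state:
                return t - start
        return None


def _mean(deltas):
    return sum(deltas, timedelta(0)) / len(deltas) if deltas else None


def metrics(incidents):
    """Process metrics: mean time to analyse/resolve, override count, open incidents."""
    tta = [d for d in (i.time_to("analysing") for i in incidents) if d is not None]
    ttr = [d for d in (i.time_to("resolved") for i in incidents) if d is not None]
    overrides = sum(1 for i in incidents for _, _, _, note in i.audit
                    if note.startswith("OVERRIDE:"))
    return {"mean_time_to_analyse": _mean(tta), "mean_time_to_resolve": _mean(ttr),
            "overrides": overrides,
            "open": sum(1 for i in incidents if i.state != "closed")}


def demo():
    """Two constructed incidents: one follows the standard path, one is overridden."""
    t = datetime(2014, 6, 1, 9, 0)
    a = Incident("INC-1", t, "high")
    a.move("analysing", "analyst1", t + timedelta(minutes=10))
    a.move("responding", "analyst1", t + timedelta(minutes=40))
    a.move("resolved", "analyst1", t + timedelta(hours=2))
    a.move("closed", "analyst1", t + timedelta(hours=3))

    b = Incident("INC-2", t + timedelta(hours=1), "low")
    b.move("analysing", "analyst2", t + timedelta(hours=1, minutes=30))
    # Ad hoc intervention: analysing -> resolved is not a standard step.
    b.move("resolved", "analyst2", t + timedelta(hours=2, minutes=30),
           reason="duplicate of INC-1, contained by the same action", override=True)
    return [a, b]


if __name__ == "__main__":
    for incident in demo():
        print(incident.ident, incident.state, incident.audit[-1][3])
    print(metrics(demo()))
```

Keeping the override as a first-class, reasoned transition rather than an unguarded state edit is what makes the audit trail usable for compliance reporting: the standard path, the exceptions to it and the time spent in each stage are all recoverable from the same record.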
  11. Benefits of Automation
     [Diagram: Detect → Analyse → Respond, with outcomes of better detection, faster and easier diagnosis, improved decision making, contextual feedback and reduction in losses]
     • Real-time Behavioural Anomaly Detection
     • Reduced administration through machine learning
     • Faster and more accurate identification of threats
     • Incorporation of Threat Intelligence
     • Contextualisation for faster triage and assessment
     • Shortening the window of investigation
     • End-to-end workflow
     • Repeatable and auditable processes
     • Automated reporting and metrics

  12. Questions?
     Copyright © Tier-3 Pty Ltd, 2014. All rights reserved.
     Visit the Tier-3 stand. Contact us at: +44 (0) 208 433 6790. More information at: