<click>
Well, first, while all of an organization’s security products do a nice job of protecting against and detecting potential security incidents, they create A LOT of alerts. Some organizations can see hundreds or even thousands of these alerts a day. How do they tell them apart? Which ones do they work on first? The graphic on the screen is an interesting way of visualizing it. All of those alerts look pretty similar. Is the red one most important? Or the darker red, or the red outline? The alerts are typically missing context about how, or whether, a particular alert will really affect the organization.
<click>
Then, once a security team knows it has a problem, the tools they are using for resolution are typically manual. For example, many organizations take the alerts from their systems, whether directly from an endpoint security product, a firewall or even a SIEM, and put them into the best data repository they have: a spreadsheet, such as Microsoft Excel. And as they work through the process for resolving the problem, that process might be on paper as part of a policy, or they need to go and speak with another security analyst or team member. And how do the teams communicate? Via the same tool they use for all their other communications: email.
<click>
And lastly, we are finding that while security and IT teams are all part of the same larger group, they typically act in silos. They use different toolsets. These silos and toolsets are another important factor, because when the security team determines what’s needed to fix a problem, it is typically IT that is required to make the fix. This could be patching or rebooting a server, taking a machine off the network, or disabling a person’s network or AD credentials. These silos cause resolution to take longer.
“Drinking from the firehose”
So, what this demo is going to highlight is some of the investments that we’ve been making in security operations for Istanbul. It highlights integrations with strategic security vendors, automation of data enrichment to help answer those questions that the security analyst needs to ask, and orchestration and remediation.
It’s also a bit rough as we’re still putting the final touches on things, but what I’m going to demo is an integration with Palo Alto Networks, where we receive an alert from their WildFire malware system and we use that information to automatically run reputational lookups to get more information and from there we initiate an orchestration task to block a malicious network site on the Palo Alto Networks firewall.
Normally, the enrichment process would take a significant amount of time, and so would getting a change put in place quickly; what we’re ultimately demonstrating is a compression of the time-to-identify and time-to-contain windows.
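The enrich-then-contain flow described above, as an added, runnable illustration in Python. It is not ServiceNow, Palo Alto Networks or WildFire code: the alert fields, the reputation table, the block threshold and the internal address ranges are assumptions constructed for this example, and the block request is produced as an object for the orchestration step to act on rather than as a live firewall call. It also shows two guardrails a practitioner wants before a playbook is allowed to block on its own: collapsing a URL and its bare domain into one indicator, and refusing to raise a perimeter block for an internal address that happens to appear in the alert.

```python
# Added illustration of the enrich-then-block flow; not ServiceNow, Palo Alto Networks
# or WildFire code. Alert fields, reputation data, the threshold and the internal
# address ranges are assumptions constructed for this example.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse
import ipaddress
import re

SAMPLE_ALERT = {                      # constructed; field names are not the WildFire schema
    "source": "WildFire",
    "received": "2017-01-10T14:02:11Z",
    "verdict": "malware",
    "indicators": [
        "203.0.113.45",                       # C2 address (documentation range)
        "bad.example",                        # distribution domain
        "http://bad.example/dl/payload.exe",  # same domain, seen as a URL
        "198.51.100.7",                       # benign CDN node
        "10.20.30.40",                        # the infected workstation itself
    ],
}

REPUTATION = {                        # constructed; stands in for the external lookups
    "203.0.113.45": {"score": 92, "tags": ["c2"]},
    "bad.example": {"score": 88, "tags": ["malware-distribution"]},
    "198.51.100.7": {"score": 5, "tags": ["cdn"]},
}
BLOCK_THRESHOLD = 70                  # assumed policy: this score or higher is auto-blocked
# Assumed internal address space: a perimeter block must never target our own hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

@dataclass
class Enrichment:
    indicator: str
    kind: str          # "ip" or "domain"
    score: int
    tags: list

@dataclass
class BlockRequest:    # handed to the firewall orchestration step; not a live API call
    indicator: str
    kind: str
    reason: str

@dataclass
class PlaybookResult:
    enrichments: list = field(default_factory=list)
    blocks: list = field(default_factory=list)
    skipped: dict = field(default_factory=dict)
    time_to_identify: float = 0.0   # seconds from alert receipt to enrichment complete
    time_to_contain: float = 0.0    # seconds from alert receipt to block requests ready

def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fixed_clock(*stamps):           # deterministic clock for replays and tests
    times = iter([parse_utc(s) for s in stamps])
    return lambda: next(times)

def normalize_indicator(raw):
    """Reduce an IP, domain or URL to (kind, value) so one site maps to one block."""
    value = raw.strip().lower()
    if "://" in value:
        value = urlparse(value).hostname or ""
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return ("domain", value)
    return None

def run_playbook(alert, reputation, clock=lambda: datetime.now(timezone.utc)):
    result = PlaybookResult()
    received = parse_utc(alert["received"])
    seen = set()
    for raw in alert.get("indicators", []):
        norm = normalize_indicator(raw)
        if norm is None:
            result.skipped[raw] = "unrecognised indicator"
            continue
        kind, value = norm
        if value in seen:               # the URL and its bare domain count once
            continue
        seen.add(value)
        if kind == "ip" and any(ipaddress.ip_address(value) in n for n in INTERNAL_NETS):
            result.skipped[value] = "internal address; not a perimeter block candidate"
            continue
        rep = reputation.get(value, {"score": 0, "tags": ["unknown"]})
        result.enrichments.append(Enrichment(value, kind, rep["score"], list(rep["tags"])))
    result.time_to_identify = (clock() - received).total_seconds()
    for e in result.enrichments:
        if e.score >= BLOCK_THRESHOLD:
            reason = "%s %s verdict; reputation %d (%s)" % (
                alert["source"], alert["verdict"], e.score, ", ".join(e.tags))
            result.blocks.append(BlockRequest(e.indicator, e.kind, reason))
    result.time_to_contain = (clock() - received).total_seconds()
    return result
```

Run `run_playbook(SAMPLE_ALERT, REPUTATION)` and the two high-reputation indicators come back as block requests, the CDN node is enriched but left alone, and the workstation address is skipped with a reason recorded. The two timing fields are the windows the demo talks about; `fixed_clock` lets you replay an alert with known timestamps to measure them.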
For me, automation could be many things: route some work, do a lookup, install a patch, block a computer, disable an account, all of the above!
Explain the SN (ServiceNow) instance provisioning process
What is automation?
It isn’t the same for everyone.
Hell, it isn’t even the same across a single business.
Legacy systems have little to none available.
Private and public clouds may have a fair bit of it.
The step-by-step journey diagram from the corporate marketing message