Security Automation and Orchestration

Optimizing SAO with Open Source Tools. A deep dive into the Phishing Intelligence Engine (PIE) and how users can leverage existing infrastructure and open source tooling to automate threat detection and response.


  1. SECURITY AUTOMATION AND ORCHESTRATION: OPTIMIZING SAO WITH OPEN SOURCE TOOLS
  2. Company Confidential. Agenda:
     1. Security Automation and Orchestration
     2. Automating with LogRhythm
     3. Phishing Intelligence Engine – Overview
     4. PIE – Architecture and Integrations
     5. PIE – Integration, Automation, and Use Cases
  3. # whoami
     • Greg Foss
     • Head of Global Security Operations
     • OSCP, GAWN, GPEN, GWAPT, GCIH, CEH
  4. Security Automation and Orchestration
  5. Unified Threat Lifecycle Management
     • Enterprise Visibility
     • Answer questions quickly and definitively
     • Ability to detect and respond to threats immediately
     • Event or series of events instead of incident or breach
     • Don’t just tell me about a threat; tell me what you are going to do about it
     • Reduced operational expense
     • Staffing requirements
     • Single platform vs. series of technologies
     • Security and compliance needs all in one
     • Demonstrate and Measure Success
     Lifecycle diagram: Forensic Data Collection; Discover, Qualify, Investigate, Neutralize, Recover
  6. Security Automation and Orchestration
     • Streamline Threat Detection and Response
     • Automate traditionally slow and manual processes
     • Reduce the need for manual analyst intervention
     https://logrhythm.com/pdfs/solution-briefs/lr-security-automation-and-orchestration-solution-brief.pdf
  7. Security Automation and Orchestration
     • Let the machine work for you
     • Leverage threat intelligence as a source for initial investigation OR as a step in validation
     • Intelligently and automatically make decisions and take actions
     • Use runbooks to dynamically take action
     • Closed-loop communication
     • Measure and report success
     • Reduce time to detect and respond to seconds
  8. First steps…
     • Understand what processes your team is repeating often
     • Determine the feasibility of automation
     • Develop a solution that provides the most value
  9. Automation w/ LogRhythm SmartResponse
  10. What is a SmartResponse and how does it work?
  11. and many more…
  12. Automation Across All Verticals: DomainTools, PassiveTotal, VirusTotal, Cisco AMP ThreatGRID, NetFlow / IDS, Firewalls, Proxy / DNS, Endpoint, SIEM (API Integration, SecOps, Infrastructure)
  13. Use Cases – Carbon Black
     • Visualize, Alert, and Report
       • Command Line Logging
       • Hash Stacking
       • File Stacking
       • Application Stacking
       • Process Stacking
       • CB Threat Lists
       • Custom Watch Lists
     • SmartResponse Automation
       • Investigation
       • Containment
       • Remediation
       • Updating Case
       • Other Workflows
  14. Use Cases – Audible and Visual Alerting
     https://github.com/gfoss/Invoke-Hue
  15. Office 365 Integration and Automation
     Automate the boring stuff; focus on the interesting and complex
  16. Fully Automated End-to-End SAO Use Case
  17. PIE – Phishing Intelligence Engine
     • Integrations
       • Office 365
       • Threat Intelligence Feeds
       • Creation and utilization of Dynamic Threat Lists
       • Link and File Sandboxing
       • Domain and Sender analytics
     • Automated Actions
       • Email Response
       • Case Generation and Updating
       • Evidence folder creation
       • Deep email analysis
       • Dynamic analytic-based actions
         • Quarantine mail
         • Reset passwords
         • Block senders
     • Metrics and Accountability
  18. Simple and effective mechanisms to report phishing
     Commercial software is available to do this, but why buy more things to manage?
  19. Example Response
     • Keep it generic and to the point
     • Offer details if requested
  20. • Office 365 provides great PowerShell integration options!
     • You can scrape message trace logs, extract / quarantine mail, block senders, and more.
     • One problem: the default use cases are slow and cumbersome!
  21. • Instead of opening each mailbox and looking for the message…
     • Use a pre-defined ‘Phishing Inbox’ to gather quarantined / extracted mail
     • Scrape the message trace logs to find the recipients who actually received it
     • Perform targeted actions on each inbox
     • Gather and report on metrics for all attacks and recipients
     • Track attackers and block them in the future
     • Reduce your organization’s Mean Time To Detect and Respond!
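The workflow on slides 20 and 21 (trace, find recipients, act per mailbox, block the sender, report metrics) as an added PowerShell example. This is not code from the PIE project; it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) with the roles required for Get-MessageTrace, Search-Mailbox and Set-HostedContentFilterPolicy, and every address, subject and mailbox name below is a placeholder.

```powershell
# Added example, not PIE's own code. Assumes an open Exchange Online session.
# All addresses, subjects and mailbox names are placeholders.

function Get-PhishDeliveries {
    # Step 1: read the message trace instead of opening each mailbox.
    # Trace results are paged (5000 max per page), so walk every page.
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [int]$LookbackHours = 48
    )
    $end     = Get-Date
    $start   = $end.AddHours(-$LookbackHours)
    $records = @()
    $page    = 1
    do {
        $params = @{
            SenderAddress = $SenderAddress
            StartDate     = $start
            EndDate       = $end
            PageSize      = 5000
            Page          = $page
        }
        $batch    = @(Get-MessageTrace @params)
        $records += $batch
        $page++
    } while ($batch.Count -eq 5000)
    # Only copies that reached a mailbox need an inbox action.
    $records | Where-Object { $_.Status -eq 'Delivered' }
}

function Remove-PhishFromMailboxes {
    # Step 2: targeted action on each recipient mailbox. The message is copied
    # into an evidence folder in the phishing inbox before it is deleted.
    # Without -Delete the function only estimates hits (the safe first run).
    param(
        [Parameter(Mandatory)][object[]]$Deliveries,
        [Parameter(Mandatory)][string]$Subject,
        [string]$PhishingInbox = 'phishing@example.com',   # assumed reporting mailbox
        [switch]$Delete
    )
    # KQL subject match; strip quotes so a crafted subject cannot break the query.
    $query      = 'Subject:"{0}"' -f ($Subject -replace '"', '')
    $recipients = @($Deliveries | Select-Object -ExpandProperty RecipientAddress -Unique)
    foreach ($rcpt in $recipients) {
        if ($Delete) {
            Search-Mailbox -Identity $rcpt -SearchQuery $query -TargetMailbox $PhishingInbox -TargetFolder "Evidence-$rcpt" -DeleteContent -Force
        }
        else {
            Search-Mailbox -Identity $rcpt -SearchQuery $query -EstimateResultOnly
        }
    }
    $recipients
}

function Block-PhishSender {
    # Step 3: track the attacker and stop the next wave by adding the address
    # to the default anti-spam policy's blocked-senders list.
    param([Parameter(Mandatory)][string]$SenderAddress)
    Set-HostedContentFilterPolicy -Identity Default -BlockedSenders @{ Add = $SenderAddress }
}

function Get-PhishMetrics {
    # Step 4: the numbers that go into the case and the MTTD/MTTR report.
    param([Parameter(Mandatory)][object[]]$Deliveries)
    $sorted = @($Deliveries | Sort-Object Received)
    [pscustomobject]@{
        Sender     = $sorted[0].SenderAddress
        Recipients = @($sorted | Select-Object -ExpandProperty RecipientAddress -Unique).Count
        FirstSeen  = $sorted[0].Received
        LastSeen   = $sorted[-1].Received
        SourceIPs  = (($sorted | Select-Object -ExpandProperty FromIP -Unique) -join ', ')
    }
}

# Usage with placeholder values. Run without -Delete first; rerun with -Delete
# once the message is confirmed malicious.
$sender = 'attacker@evil.example'
$hits   = @(Get-PhishDeliveries -SenderAddress $sender -LookbackHours 48)
if ($hits.Count -gt 0) {
    Get-PhishMetrics -Deliveries $hits | Format-List
    Remove-PhishFromMailboxes -Deliveries $hits -Subject 'Invoice overdue' | Out-Null
    Block-PhishSender -SenderAddress $sender
}
```

Two caveats a practitioner should expect: Get-MessageTrace only returns the most recent days of trace data (older windows need Start-HistoricalSearch), and Search-Mailbox is deprecated in Exchange Online in favour of New-ComplianceSearch / New-ComplianceSearchAction -Purge, so the per-mailbox step is where a current deployment would most likely diverge from this example.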
  22. Semi-Automated Analysis and Response
  23. Meat of the PIE
  24. First things first…
  25. Deploy the PIE files and understand the logging configuration
  26. Configure Access and Third-Party Integrations
     • Set a cron job to run Invoke-O365Trace.ps1 every 5-10 minutes…
     • Configure third-party API integrations:
  27. Alarming and Threat Intelligence
  28. Automated Response via SmartResponse
     • Remember O365 Ninja?
     • All actions can be integrated and automated with the SIEM!
  29. Get Creative! SmartResponse Chaining
  31. Automated Case Management and Metrics
     Attack trending and dynamic case metrics based on tags
  32. Event Tracking and Automated Analysis
  33. Deep Dive into the Analysis Phase
     PIE can take action based on threat scores from third-party API integrations
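Slide 33 says PIE acts on threat scores from third-party integrations; the added PowerShell example below shows one way such a score can be built and mapped to the response tiers from slide 17 (quarantine, block sender, reset passwords, open a case). It is not PIE's own scoring logic: the weights, thresholds, property names and the sample analysis object are all assumptions chosen for illustration, and a real integration would fill the object from the vendors' APIs.

```powershell
# Added example, not PIE code. Weights, thresholds and property names are
# assumptions; the sample analysis object at the bottom is constructed data.

function Get-PhishThreatScore {
    param([Parameter(Mandatory)][pscustomobject]$Analysis)
    $score   = 0
    $reasons = New-Object 'System.Collections.Generic.List[string]'

    # Links: use the worst multi-engine detection ratio across URLs rather than
    # the sum, so five copies of one link are not scored five times.
    $worstRatio = 0.0
    foreach ($link in $Analysis.Links) {
        if ($link.Total -gt 0 -and ($link.Positives / $link.Total) -gt $worstRatio) {
            $worstRatio = $link.Positives / $link.Total
        }
        if ($link.DomainAgeDays -lt 30) {
            $score += 15
            $reasons.Add("link domain registered $($link.DomainAgeDays) days ago: $($link.Url)")
        }
    }
    if ($worstRatio -ge 0.05)  { $score += 50; $reasons.Add("link flagged by $([int]($worstRatio * 100))% of engines") }
    elseif ($worstRatio -gt 0) { $score += 20; $reasons.Add('link flagged by a minority of engines') }

    # Attachments: sandbox verdict, worst one wins.
    $attachPts = 0; $attachReason = ''
    foreach ($att in $Analysis.Attachments) {
        $pts = switch ($att.Verdict) { 'malicious' { 50 } 'suspicious' { 25 } default { 0 } }
        if ($pts -gt $attachPts) { $attachPts = $pts; $attachReason = "$($att.Name) sandbox verdict: $($att.Verdict)" }
    }
    if ($attachPts -gt 0) { $score += $attachPts; $reasons.Add($attachReason) }

    # Sender analytics: authentication, domain age, display-name impersonation.
    $s = $Analysis.Sender
    if (-not $s.SpfPass -or -not $s.DkimPass) { $score += 15; $reasons.Add("sender $($s.Address) failed SPF/DKIM") }
    if ($s.DomainAgeDays -lt 30)              { $score += 15; $reasons.Add("sender domain registered $($s.DomainAgeDays) days ago") }
    if ($s.DisplayNameMatchesEmployee)        { $score += 15; $reasons.Add('display name impersonates an employee') }

    # Map the capped score to a response tier. Password resets only go to
    # recipients who actually clicked, which the proxy/DNS integration supplies.
    $score    = [math]::Min(100, $score)
    $clickers = @($Analysis.Recipients | Where-Object { $_.Clicked } | ForEach-Object { $_.Address })
    $actions  = New-Object 'System.Collections.Generic.List[string]'
    if ($score -ge 70) {
        $tier = 'High'
        $actions.Add('QuarantineMail'); $actions.Add('BlockSender')
        foreach ($u in $clickers) { $actions.Add("ResetPassword:$u") }
    }
    elseif ($score -ge 40) { $tier = 'Medium'; $actions.Add('QuarantineMail') }
    else                   { $tier = 'Low' }
    $actions.Add("CreateCase:$tier")

    [pscustomobject]@{ Score = $score; Tier = $tier; Actions = $actions.ToArray(); Reasons = $reasons.ToArray() }
}

# Constructed sample (not real data): one flagged link on a two-day-old domain,
# a sender failing SPF that spoofs an employee's name, and one recipient who clicked.
$sample = [pscustomobject]@{
    Sender = [pscustomobject]@{
        Address = 'ceo@examp1e.com'; SpfPass = $false; DkimPass = $true
        DomainAgeDays = 2; DisplayNameMatchesEmployee = $true
    }
    Links       = @([pscustomobject]@{ Url = 'http://examp1e.com/login'; Positives = 7; Total = 68; DomainAgeDays = 2 })
    Attachments = @()
    Recipients  = @(
        [pscustomobject]@{ Address = 'alice@example.com'; Clicked = $true },
        [pscustomobject]@{ Address = 'bob@example.com';   Clicked = $false }
    )
}
Get-PhishThreatScore -Analysis $sample | Format-List
```

The Reasons array is what belongs in the case and the analyst email: a score alone tells a responder nothing about why the mail was quarantined, and a list of the evidence lets a false positive be spotted and the weights adjusted.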
  35. https://github.com/LogRhythm-Labs/PIE (Full Source Code: Coming Soon!)
  36. www.logrhythm.com/freemium: LogRhythm Rule Your Network Contest, now through August 31
     • No Purchase Necessary!
     • Use Network Monitor Freemium
     • Big Prizes!
       • $5,000 for first place
       • $1,000 for second place
     • Three Categories!
       • Novel Threat Detection
       • Best Security Hunting Dashboard or Use Case
       • Best IT Operations Use Case
     • Run by DevPost!
       • Official rules and contest management
       • Lots of training support
     logrhythm.devpost.com
  37. Claim your Pi Zero! https://github.com/LogRhythm-labs/PIE
  38. Thank You! Questions? Greg . Foss [at] logrhythm . com @heinzarelli https://github.com/LogRhythm-Labs/PIE
