How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration


To keep pace with cyberattacks, organizations have long sought ways to operationalize security and respond faster to threats. But with increasingly complex IT environments and a growing skills shortage, doing so is easier said than done.

That’s where Intelligent Orchestration can help. Intelligent Orchestration integrates your existing security tools and guides SOC analysts through a fast, laser-focused response by combining case management, human and cyber intelligence, and incident response orchestration and automation.


  1. How to Build a Faster and Laser-Sharp SOC with Intelligent Orchestration
  2. Agenda
     ‣ Future of Security Operations
     ‣ What is Intelligent Orchestration
     ‣ Intelligent Orchestration in Action: Use Case
     ‣ Q&A
  3. The Market Leader in Incident Response: Next-Generation IR Platform with Intelligent Orchestration
     ‣ Largest and most trusted IRP install base in the world
     ‣ Only incident response platform with built-in intelligent orchestration
     ‣ Part of the largest enterprise security organization in the world
     ‣ More than 300 customers globally
     ‣ Customers in more than 30 countries
     ‣ IBM Resilient Partner Ecosystem delivered through IBM Security App Exchange
     ‣ Technology-agnostic platform delivers enterprise-grade integrations with IT and security tools
     ‣ Includes orchestration and automation capabilities
     ‣ Resilient is the hub of IBM Security’s Immune System
     ‣ Expanding customer support and services resources
  4. About Our Speakers
     ‣ Mike Rothman, Analyst & President, Securosis
     ‣ Ted Julian, VP of Product Management and Co-Founder, IBM Resilient
  5. The Future of Security Operations (Mike Rothman, President, @securityincite)
  6. About Securosis
     ‣ Independent analysts with backgrounds on both the user and vendor side.
     ‣ Focused on deep technical and industry expertise.
     ‣ Pragmatism is religion for us.
     ‣ We are security guys - that’s all we do.
     ‣ And we know a little bit about the cloud…
       • We have been teaching cloud security for 7 years
       • We wrote the CSA 4.0 guidance
  7. SecOps is getting harder:
     ‣ Adversary innovation
     ‣ Infrastructure complexity
     ‣ More devices, more places
     ‣ Hunters find stuff (which you have to fix…)
     ‣ Skills gap
     ‣ You are on your own. It’s not going to get better (by itself)…
  8. Areas of Focus
     ‣ Get smarter. Make better decisions
       • Analytics
       • Threat Intelligence
     ‣ Alerts appeared ahead of most major breaches
     ‣ Someone still has to do something!
     ‣ Documenting best practices and response in runbooks
  9. Leverage Humans more effectively
     ‣ Humans focus on what they are good at…
       • Design proper controls
       • Evolve policies
       • Tune runbooks
       • Have the cycles to handle exceptions
  10. Embrace the machines
     ‣ Orchestrate different controls into a cohesive whole
     ‣ Automate the runbooks
     ‣ Build trust. Slowly, but surely.
  11. Discussion
     ‣ Where to start?
     ‣ Best use cases
     ‣ Defining success
     ‣ Avoiding pitfalls
     ‣ Key capabilities of an orchestration/automation platform
     ‣ Integration with security monitoring/SIEM
     ‣ Customer success stories
  12. Read our stuff
     ‣ Blog
     ‣ Research
     ‣ We publish (almost) everything for free
     ‣ Contribute. Make it better.
  13. Twitter: @securityincite, MikeRothman, Securosis LLC
  14. Poll Question
  15. Poll Question: What is your top goal for incident response orchestration?
     • Faster alert triage
     • Better leverage threat intelligence to make smarter decisions
     • Develop documented and repeatable runbooks
     • Other
  16. What is Intelligent Orchestration
  17. What is Intelligent Orchestration?
     Intelligent Orchestration empowers security teams by combining human and machine-based intelligence with automation. It enables organizations to create a powerful, fully integrated incident response hub.
  18. What Intelligent Orchestration Provides
     ‣ A force multiplier for security analysts
     ‣ Automation of repetitive tasks
     ‣ Intelligence and expertise throughout the incident lifecycle
     ‣ Greater visibility into use of existing security and IT tools
  19. Intelligent Orchestration in Action
  20. Intelligent Orchestration in Action: Automated Incident Creation and Triage
     (Integrated tools shown: Resilient, PhishMe, ThreatGrid, Active Directory, Carbon Black, Cisco, ServiceNow; active in this step: PhishMe, Resilient, ThreatGrid)
     1. PhishMe Reporter opens a phishing incident in the Resilient platform.
        • Automatically attaches suspicious URLs and sender IP address.
     2. Resilient automatically checks attached artifacts against integrated threat intelligence feeds.
     3. ThreatGrid returns a hit, showing that both the URLs and IP address are likely malicious.
     Time savings: 20 minutes
  21. Intelligent Orchestration in Action: Incident Enrichment
     (Active in this step: Cisco, Resilient, Active Directory)
     4. Analyst calls out to the Cisco web gateway to determine which employees have visited the malicious URLs.
        • Cisco populates a data table in Resilient with user IDs.
     5. Resilient automatically uses Active Directory to populate the data table with full user profiles.
     6. Active Directory shows that the company’s Legal Counsel clicked the link.
        • Resilient Dynamic Playbooks automatically raises the severity of the incident and updates the playbook, directing the analyst to notify the legal team.
     Time savings: 45 minutes
  22. Intelligent Orchestration in Action: Incident Remediation
     (Active in this step: Cisco, Resilient, Carbon Black, ServiceNow)
     7. Analyst blocks the URLs and IP address in the Cisco email gateway.
     8. Analyst uses Carbon Black to check machines for malware. Scan returns clean.
     9. Analyst directs the IT team to reset the credentials of the involved users.
     10. Analyst uses the Resilient email connector to send involved users a notification about the phishing attack.
     Total time savings: 65 minutes
  23. Intelligent Orchestration in Action: Mitigation
     (Active in this step: Resilient)
     11. Resilient dashboard shows that the majority of affected users were part of a new team recently onboarded in Europe.
        • The CISO leverages this information to get budget for anti-phishing training in this region, mitigating the risk of future attacks.
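The phishing playbook on slides 20 to 23 (steps 1 to 11), worked as an added example; this is not code from the deck or from the Resilient platform. Every integration (threat intelligence, web gateway, directory, EDR) is replaced by a constructed in-memory stand-in, and the set of roles that trigger escalation is an assumption.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-ins for the integrated tools (ThreatGrid, Cisco gateway, Active Directory).
THREAT_INTEL = {"http://bad.example/login": "malicious", "203.0.113.7": "malicious"}
GATEWAY_VISITS = {"http://bad.example/login": ["u101", "u205"]}  # URL -> user IDs that visited it
DIRECTORY = {
    "u101": {"name": "Alice", "title": "Legal Counsel", "region": "Europe"},
    "u205": {"name": "Bob", "title": "Sales Associate", "region": "Europe"},
}
SENSITIVE_TITLES = {"Legal Counsel", "General Counsel"}  # assumption: roles that escalate severity

@dataclass
class Incident:
    artifacts: list                 # URLs and IPs attached by the phishing reporter (step 1)
    severity: str = "Low"
    hits: dict = field(default_factory=dict)
    users: list = field(default_factory=list)
    tasks: list = field(default_factory=list)

def triage(inc: Incident) -> Incident:
    """Steps 2-3: look up every artifact in threat intelligence; any hit raises severity."""
    inc.hits = {a: THREAT_INTEL[a] for a in inc.artifacts if a in THREAT_INTEL}
    if inc.hits:
        inc.severity = "Medium"
        inc.tasks.append("Block malicious URLs and IP address at the email gateway")
    return inc

def enrich(inc: Incident) -> Incident:
    """Steps 4-6: find who visited the malicious URLs, pull their profiles, re-plan the playbook."""
    for url in (a for a in inc.hits if a.startswith("http")):
        for uid in GATEWAY_VISITS.get(url, []):
            profile = dict(DIRECTORY.get(uid, {}), id=uid)
            inc.users.append(profile)
            if profile.get("title") in SENSITIVE_TITLES:  # dynamic playbook: sensitive role clicked
                inc.severity = "High"
                inc.tasks.append(f"Notify legal team: {profile['title']} clicked the link")
    if inc.users:  # steps 8-10 only apply when someone actually clicked
        inc.tasks += ["Scan affected machines with EDR", "Reset credentials of affected users",
                      "Email affected users about the phishing attack"]
    return inc

def region_summary(inc: Incident) -> dict:
    """Step 11: dashboard view of affected users by region, for targeted training."""
    return dict(Counter(u.get("region", "unknown") for u in inc.users))

def run_playbook(artifacts: list) -> Incident:
    return enrich(triage(Incident(artifacts=list(artifacts))))
```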
  24. Impact of Intelligent Orchestration
     The SOC team can leverage automation and the intelligence of other systems to quickly investigate and remediate the attack. All parties know exactly what to do, when to do it, and how, leading to a fast and effective response.
  25. How to infuse your orchestration efforts with greater intelligence
     ‣ Hold an incident response planning workshop
       • Include your security analysts, MSSP experts, and experts from other units like HR, marketing, and legal
       • Use a business-process perspective that focuses on human decision-making points
       • Define, refine, and measure your IR processes
       • Run simulations
     ‣ Establish ways to deliver data to your team quickly
       • Integrate data sources, such as SIEM, Threat Intelligence, and EDR.
       • Apply automation to repetitive and time-consuming workflows. Test to ensure fidelity, and expand to additional use cases.
       • Focus on automation up to a human decision point, and on the steps to be taken after the decision point
  26. Thank you. Questions?
     75 Binney Street, Cambridge, MA 02142
     WWW.RESILIENTSYSTEMS.COM
     888.426.4968