
How to automate what a SOC analyst finds

SOC analysts often find new indicators that then have to be applied somehow to protect the network. Doing this by hand takes a long time. How can it be automated?



  1. Actionable Threat Intelligence: AutoFocus and MineMeld in a Cyber Security SOC
  2. Today's Security Operations Center (SOC) Workflow
     Diagram: Firewall, IPS, Proxy, APT, Endpoint Security and a 3rd-party threat intel feed (IOCs only: IP, URL, domain) send logs into the SIEM. The analyst searches and queries, investigates, and falls back on free community search (e.g. VirusTotal, URL blacklists), which provides only some IOCs and little detail. The analyst writes a summary report and informs the security admin, who takes actions manually.
  3. Today's Cyber Threat Challenges for the Security Team
     • Attacks are highly automated, delivering increasingly sophisticated attacks in higher volume.
     • The security team is over-burdened following up on every threat, leaving little time to investigate the truly advanced attacks.
     • The security team cannot distinguish the most important threats from everyday commodity attacks, because there is not enough context around the attacks.
     • Complex workflow across multiple tools to aggregate a growing number of TI sources and drive enforcement down to local security devices.
  4. How to improve the security incident operation workflow? 1. Have a global threat intelligence cloud service
     Diagram: Threat Intelligence Cloud fed by WildFire (malware signatures: 1 billion; URL signatures: billions; C&C/DNS signatures: millions), malware/APT feeds, 3rd-party feeds and a passive DNS network.
     • Real-world attacks from WildFire, the industry's largest network sandbox service, with >12,000 global enterprise customers
     • Cyber Threat Alliance: sharing threat information
     • 3rd-party feeds, closed and open-source intel
     • Palo Alto Networks global passive DNS network
     • Unit 42 threat intelligence and research team
  5. What does AutoFocus provide?
     • Malware families
     • Attack campaigns
     • Exploits
     • Malicious behavior
     • Threat actors
  6. (Cont.) What does AutoFocus provide?
     • Statistics of malware attacks: top malware applications, target industries, source and destination countries.
  7. (Cont.) What does AutoFocus provide?
     • File analysis by dynamic and static analysis
     • Malware behaviors, including IOCs (URL, DNS, IP, protocol and connectivity, etc.)
  8. (Cont.) What does AutoFocus provide?
     • Actionable controls to prevent and remediate the attacks (exported IOCs).
  9. Benefit 1: Having a Large Global Threat Intelligence Source
     Diagram: the same Firewall, IPS, Proxy, APT, Endpoint Security and 3rd-party threat intel feed (IOCs only: IP, URL, domain) send logs into the SIEM. Search and query now returns deep information for the investigation: threat actors, malware family, adversary campaign, target industries, alert prioritization, malicious behavior, exploit techniques, and context (IP, connectivity, domain, URL, passive DNS, etc.). The analyst produces an accurate summary report with more actionable actions, informs the security admin and provides actionable controls; the admin still takes actions manually.
  10. AutoFocus Benefit Summary
     • Provides more in-depth context around the attacks for forensics and analysis.
     • Allows you to build sophisticated multi-layer searches with correlation to speed up the investigation.
     • Provides actionable controls to mitigate and prevent the attacks.
     • Prioritizes alerts for the most critical events.
     • Accelerates the analysis, hunting and response workflow.
  11. How to improve the security incident operation workflow? 2. Orchestrate threat intelligence and automatically enforce prevention-based controls.
     Diagram: threat intelligence feeds and private feeds flow into a threat intelligence platform, which pushes to network enforcers, endpoint enforcers and the SIEM.
     • Aggregate and correlate TI feeds
     • Automated enforcement of prevention-based controls
  12. MineMeld Architecture
     Input nodes (miners): OSINT, commercial, organization (CERT, ISAC)
     Processors: IPv4/IPv6 aggregator, URL aggregator, domain aggregator
     Outputs: JSON, STIX/TAXII, External Dynamic List (EDL), Elastic Logstash
  13. Sample: a Palo Alto Networks (PANW) firewall consuming an External Dynamic List (EDL) from MineMeld
  14. Orchestrate TI and Automate Enforcement of Prevention-based Controls
     Diagram: as in slide 9, with the addition that IOCs exported from the investigation and 3rd-party threat intel IOC feeds are fed into MineMeld, which publishes IP, DNS and URL lists; the security devices automatically poll these IOC lists to prevent, instead of the admin applying them by hand.
  15. MineMeld Benefit Summary
     • Allows you to aggregate TI across public, private and commercial sources.
     • Consolidates, deduplicates and filters metadata across all sources.
     • Simplifies the workflow for blocking IOCs by automatically enforcing prevention-based controls on security devices.
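The pipeline of slides 12 to 15 (miner nodes feeding aggregators that deduplicate and filter, then an External Dynamic List output that the firewall polls) as an added, self-contained example in Python. This is not MineMeld's or Palo Alto Networks' code; the three feeds, the source names and the confidence scores are constructed for the example, and the assumptions that an EDL is plain text with one entry per line and that URL entries are written as host/path without the scheme are mine. The example goes one step beyond the slides in one respect a practitioner will want: the aggregator refuses to emit internal (RFC 1918, loopback, link-local) ranges, because a feed that leaks an internal address into a block list makes the firewall block your own network.

```python
"""Miner -> aggregator -> EDL output, in the shape of the MineMeld pipeline.

Added example, not MineMeld's own code. Feeds, source names and confidence
scores below are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feeds using documentation/TEST-NET ranges; not real indicators.
OSINT_FEED = """# community blocklist, one indicator per line
198.51.100.7
198.51.100.7
EVIL-Example.TEST.
http://malware.example.test/drop.php
not an indicator
"""
COMMERCIAL_FEED = """203.0.113.0/24
2001:db8::bad
bad.example.test
10.0.0.5
"""
CERT_FEED = """https://phish.example.test/login
evil-example.test
203.0.113.0/24
198.51.100.7
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Ranges that must never reach an enforcement point. Listed explicitly because
# Python's is_private would also flag the TEST-NET ranges used as sample data.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def classify(raw):
    """Return (kind, normalised value) for one feed line, or None if not an indicator."""
    value = raw.strip()
    if not value or value.startswith("#"):
        return None
    try:
        net = ipaddress.ip_network(value, strict=False)
        kind = "ipv4" if net.version == 4 else "ipv6"
        # single hosts are emitted without a /32 or /128 suffix, prefixes keep theirs
        return kind, str(net.network_address) if net.num_addresses == 1 else str(net)
    except ValueError:
        pass
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        # Assumption: the firewall's URL list takes host/path without the scheme.
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        return "url", parts.hostname.lower() + path
    host = value.lower().rstrip(".")  # case-fold and drop a trailing root dot
    return ("domain", host) if DOMAIN_RE.match(host) else None


def mine(text, source, confidence):
    """Miner node: turn one raw feed into indicator records tagged with their source."""
    records = []
    for line in text.splitlines():
        parsed = classify(line)
        if parsed:
            records.append({"kind": parsed[0], "value": parsed[1],
                            "source": source, "confidence": confidence})
    return records


def is_safe_to_block(kind, value):
    """False for any IP indicator that overlaps a range we must never enforce on."""
    if kind not in ("ipv4", "ipv6"):
        return True
    net = ipaddress.ip_network(value, strict=False)
    return not any(net.version == n.version and net.overlaps(n) for n in NEVER_BLOCK)


def aggregate(records, min_confidence=50, allowlist=frozenset()):
    """Processor node: dedupe across feeds, merge sources, keep the best confidence,
    then drop low-confidence, allowlisted and unsafe entries. Returns {kind: [entry]}."""
    merged = {}
    for rec in records:
        entry = merged.setdefault((rec["kind"], rec["value"]),
                                  {"value": rec["value"], "sources": set(), "confidence": 0})
        entry["sources"].add(rec["source"])
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
    out = defaultdict(list)
    for (kind, value), entry in sorted(merged.items()):
        if entry["confidence"] < min_confidence or value in allowlist:
            continue
        if not is_safe_to_block(kind, value):
            continue
        out[kind].append(entry)
    return out


def render_edl(aggregated, kind):
    """Output node: the plain one-entry-per-line text an External Dynamic List serves."""
    return "".join(entry["value"] + "\n" for entry in aggregated.get(kind, []))


def build_lists():
    """Run the whole pipeline over the sample feeds; 'bad.example.test' is allowlisted."""
    records = (mine(OSINT_FEED, "osint", 40)
               + mine(COMMERCIAL_FEED, "commercial", 90)
               + mine(CERT_FEED, "cert", 80))
    return aggregate(records, min_confidence=50, allowlist={"bad.example.test"})


if __name__ == "__main__":
    lists = build_lists()
    for kind in ("ipv4", "ipv6", "domain", "url"):
        print(f"--- {kind} EDL ---")
        print(render_edl(lists, kind), end="")
```

Running it shows the effect of each processor step: the duplicate 198.51.100.7 and the prefix seen in two feeds collapse to one entry each with both sources recorded, the OSINT-only URL is dropped because its 40 confidence is below the threshold, the allowlisted domain and the vendor's leaked 10.0.0.5 never reach the list, and what remains is exactly the text a firewall EDL object would poll over HTTP(S). Serve the rendered files from an authenticated HTTPS endpoint and have the firewall verify its certificate; an EDL fetched over plain HTTP is an injection point into your own block policy.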
