SlideShare a Scribd company logo

Modern Incident Detection & Response Process Automation

NoNameCon
NoNameCon

Talk by Nazar Tymoshyk at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/GSRUTP/ Incident Detection & Response requires People - to Think, Tools - to provide data and analytics and Processes - to avoid fuckups and assure the quality. But with more alerts, the analysis takes more time, decisions and moreover - actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes. In our presentation, we'd like to share with the community our lessons learned. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered. We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge to make this delivery effective and valuable for engineers to improve their defense. We'd like to discuss also a variety of actions to be taken after the incident is confirmed. Come and take it.

Software
1 of 64
Download to read offline
Automation in modern Incident Detection & Response (IDR) process Nazar Tymoshyk (UnderDefense)
Agenda 1. About me 2. WHAT is Automation and Orchestration and Incident Response 3. WHY we talk about this? a. The problems of Modern Security Operations i. People ii. Speed iii. False Positives and Use case addiction b. The problems of Modern IR process c. Money/ROI 4. Humans vs Machines 5. HOW a. Automation b. Playbooks c. Threat Intelligence d. Orchestration e. Tools 6. ROI 7. Q&A
Key Takeaways 1. What to Measure in modern SOC 2. How Automation vs Orchestration works 3. How to improve Response efficiency 4. How to win more time to live
Personal Information Name: Nazar Tymoshyk Title: CEO of UnderDefense In Security: from 2008 Father of 1 daughter, 1 company, 1 community Email: nt@underdefense.com Founder of OWASP Lviv Building best Defensive cybersec company in Ukraine. Talant - to find best talents and develop them Addiction - Efficiency and Successful Ukraine
Everyone wanted to be a Pentest Ninja
TODAY Many wants to become a Hunters and build their own SOC/SIEM
WHY we talk about THIS?
All SOC clients ask us: “Give me all data - I want to see ALL data. CREATE MORE USE CASES”
Use case addiction
More SOC alerts - is it good or bad?
SOC vs NOC
TYPICAL CHALLENGES 1. Hybrid and Complex Security Technologies and Platforms 2. Limited Staff to Cover a Massive Scope 3. COMPLIANCE + OFFENSE + DEFENSE
What should we do with alerts we failed to process because of flood?
Orchestration How different technologies (both security-specific and non-security-specific) are integrated to work together Automation How to make machines do task-oriented "human work". Utilizing Security Product APIs to connect and run repetitive tasks faster and avoid human mistakes.
Incident management & collaboration End-to-end management of an Incidents / Cases by people MISSION CONTROL collaboration
Problems with People ● Can get Sick ● Tired/Bored ● Sometimes Lazy ● Need Motivation ● Not experienced ● Not systematic ● Have a lot of Needs ● Expensive ● SOMETIMES NOT WANT TO BE EFFICIENT
Machines ★ Fast ★ Analytically consistent ★ Not instinctive ★ Minimal bias ★ Require time for learning ★ Visual and instinctive ★ Quickly learn on new data acquiring new experience ★ Not efficient ★ A lot of biases ★ Slow ★ But Flexible ★ SMART ★ CREATIVE Humans
SPEED
TIME & COMMUNICATION = IMPACT & $$$
If you play a chess with enemy - you need to take decisions faster as they are already in
Speed can reduce Cost = more availability for IMPROVEMENTS
If you do your decisions faster => Theoretically you can go home faster and even meet friends, drink more bear, pass OSCP, OSCE, prepare a speech for DefCon 0322 Lviv
“Free people from doing repetitive and trivial tasks”
WHERE TO START?
Measure Time to Detect Time to Investigate Time to Contain Time to Respond Time to Recover Time to compile Lessons Learned and back it to the process
Incident Detection and Response (IDR) workflow Observe Incident Alert External Context Internal Context Run hunt Respond Monitor Validate Against Threat Intelligence OSINT Hunt for similar cases Check Internal, Proprietary Data Stores Assets Inventory Vulnerability situation Usernames Risk Score Look at Past Tickets Check who else have similar process / file / URL / problems / registry Isolate/Quarantine Investigate/Forensics Document/Collaborate Backup Ensure that threat was mitigated and monitor his further attempts
© Tony Lin | Sr. Security Engineer SEC1980_SecurityOrchestrationAtPriceline_Final_1538667453799001LqjE
Automate Security Operations Workflow Collect data Build Analytics Take Decision Act (Orient / Sense-making) AUTOMATED (SOC) MANUAL (IT/NOC) (currently)
Automate Security Operations Workflow AUTOMATED Automate, Enrich, add context and reaction! Collect data Analytics Decision Making Acting (Orient / Sense-making)
SOC Analyst Daily Workflow Inputs and Outputs © Rob Gresham | Security Solutions Architect | Hacking your SOEL SOC Automation and Orchestration © Splunk
Tools
What tools we recommend?
Orchestration capabilities
Orchestrations/Integrations
Threat Intelligence - ThreatConnect
Threat Intelligence - Anomali
Playbooks vs Instructions
Standard Operating Procedures (SOPs) Instructions/Guidelines Collaboration Event Management Case management Reporting & Metrics Automate investigation, data enrichments, Integrations, Response
HOW
▶ What are the most time consuming tasks? ▶ How many of them are TIER 1/2 jobs? ▶ Are there more information we could have missed? Keep It Simple
Activities Automated Select scripts run automatically. All decisions for triage, response and remediation are decided automatically Semi-Automated Select playbooks and actions run automatically. Analysts make triage, response and remediation decisions Manual Ownership -▶ Triage -▶ Analysis -▶ Disposition RISK
Observe POLL PUSH INGEST SET STATUS SET SEVERITY CREATE ARTIFACTS SAVE OBJECTS SET TAGS FILE ANALYSIS DOMAIN ANALYSIS URL ANALYSIS HOST ANALYSIS IP ANALYSIS LOGON ANALYSIS RUN QUERY GET EVENTS Get customer info Get system info Get BU info Run query Lookup info Hunt file URL Rep Domain Rep Get File Check white/black lists DISABLE USER BLOCK HASH BLOCK URL BLOCK DOMAIN BLOCK IP QUARANTINE HOST BLOCK PROCESS DISABLE VPN EMAIL SOC EMAIL LEADERSHIP CHAT IT HELP DESK EMAIL ENGINEERING PROMPT SOC TASK SOC Get Approval Promote Case Prompt Analyst Change Severity Change Sensitivity CREATE TICKET UPDATE TICKET CLOSE TICKET TRANSFER TICKET QUERY TICKETS CREATE ARTIFACTS CLOSE OBJECTS Orient On Enrichments Act (Manually/Automated) Notify Collaborate Document Knowledge base
Prioritize
Community Playbooks
ALERT Test it before Network is DOWN
ML use cases CASE 6: EXTRACTING DUPLICATE INCIDENTS CASE 4: VISUALIZING RELATED INCIDENTS CASE 3: COMMONLY USED SECURITY COMMANDS CASE 2: SECURITY EXPERT SUGGESTIONS CASE 1: INCIDENT OWNER RECOMMENDATIONS Chatbots
SLA
Estimated hours saved per month
ROI
Key Takeaways 1. Document your process and Measure where you’re losing YOUR time 2. Be careful before applying it on Production, TEST-TEST-TEST 3. Make NOC/IT your FRIENDS though SOAR 4. More Automation - more TIME, less people, ability to learn 5. By implementing automation and orchestration aiming to: -> Focus analysts time on analysis -> Focus analysts time on finding threats -> Reduce risk through speed and consistency
And remember - Tools don't matter... When you have a GUN Brain
THANK YOU Nazar Tymoshyk CEO at UnderDefense Contact: nt@underdefense.com
Modern Incident Detection & Response Process Automation

Recommended

Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
One hundred rules for nasa project managers
One hundred rules for nasa project managersOne hundred rules for nasa project managers
One hundred rules for nasa project managersAndreea Mocanu
 
Insider Threat Mitigation
Insider Threat Mitigation Insider Threat Mitigation
Insider Threat MitigationRoger Johnston
 
CRISC Exam Questions
CRISC Exam QuestionsCRISC Exam Questions
CRISC Exam QuestionsDumpsbook
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Putting the Human Back in the Loop for Analysis
Putting the Human Back in the Loop for AnalysisPutting the Human Back in the Loop for Analysis
Putting the Human Back in the Loop for AnalysisAndy Piazza
 
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101Felipe Prado
 

Recommended

Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
One hundred rules for nasa project managers
One hundred rules for nasa project managersOne hundred rules for nasa project managers
One hundred rules for nasa project managersAndreea Mocanu
 
Insider Threat Mitigation
Insider Threat Mitigation Insider Threat Mitigation
Insider Threat MitigationRoger Johnston
 
CRISC Exam Questions
CRISC Exam QuestionsCRISC Exam Questions
CRISC Exam QuestionsDumpsbook
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Putting the Human Back in the Loop for Analysis
Putting the Human Back in the Loop for AnalysisPutting the Human Back in the Loop for Analysis
Putting the Human Back in the Loop for AnalysisAndy Piazza
 
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101Felipe Prado
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleanerJohn Stauffacher
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA SensePost
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be BreachedMike Saunders
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 
Cliffnotes on Blue Teaming
Cliffnotes on Blue TeamingCliffnotes on Blue Teaming
Cliffnotes on Blue TeamingRishabh Dangwal
 
YBB-NW-distribution
YBB-NW-distributionYBB-NW-distribution
YBB-NW-distributionMike Saunders
 
Assessing Your security
Assessing Your securityAssessing Your security
Assessing Your securityLegal Services National Technology Assistance Project (LSNTAP)
 
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Sean Jackson
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
Bit by Bit: A Framework for Building Technological Competence as a Lawyer
Bit by Bit: A Framework for Building Technological Competence as a LawyerBit by Bit: A Framework for Building Technological Competence as a Lawyer
Bit by Bit: A Framework for Building Technological Competence as a LawyerJack Pringle
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionCylance
 
Digital Forensics Workshop
Digital Forensics WorkshopDigital Forensics Workshop
Digital Forensics WorkshopTim Fletcher
 
BSides London 2018 - Solving Threat Detection
BSides London 2018 - Solving Threat DetectionBSides London 2018 - Solving Threat Detection
BSides London 2018 - Solving Threat DetectionAlex Davies
 
Anomaly Detection and You
Anomaly Detection and YouAnomaly Detection and You
Anomaly Detection and YouMary Kelly Rich
 
Security crashcourse openwest_2019
Security crashcourse openwest_2019Security crashcourse openwest_2019
Security crashcourse openwest_2019Sean Jackson
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCyphort
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information securityMajor Hayden
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017zapp0
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]NoNameCon
 

More Related Content

Similar to Modern Incident Detection & Response Process Automation

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA SensePost
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be BreachedMike Saunders
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 
Cliffnotes on Blue Teaming
Cliffnotes on Blue TeamingCliffnotes on Blue Teaming
Cliffnotes on Blue TeamingRishabh Dangwal
 
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Sean Jackson
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
Bit by Bit: A Framework for Building Technological Competence as a Lawyer
Bit by Bit: A Framework for Building Technological Competence as a LawyerBit by Bit: A Framework for Building Technological Competence as a Lawyer
Bit by Bit: A Framework for Building Technological Competence as a LawyerJack Pringle
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionCylance
 
Digital Forensics Workshop
Digital Forensics WorkshopDigital Forensics Workshop
Digital Forensics WorkshopTim Fletcher
 
BSides London 2018 - Solving Threat Detection
BSides London 2018 - Solving Threat DetectionBSides London 2018 - Solving Threat Detection
BSides London 2018 - Solving Threat DetectionAlex Davies
 
Anomaly Detection and You
Anomaly Detection and YouAnomaly Detection and You
Anomaly Detection and YouMary Kelly Rich
 
Security crashcourse openwest_2019
Security crashcourse openwest_2019Security crashcourse openwest_2019
Security crashcourse openwest_2019Sean Jackson
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCyphort
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information securityMajor Hayden
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017zapp0
 

Similar to Modern Incident Detection & Response Process Automation (20)

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be Breached
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
Cliffnotes on Blue Teaming
Cliffnotes on Blue TeamingCliffnotes on Blue Teaming
Cliffnotes on Blue Teaming
 
YBB-NW-distribution
YBB-NW-distributionYBB-NW-distribution
YBB-NW-distribution
 
Assessing Your security
Assessing Your securityAssessing Your security
Assessing Your security
 
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
Bit by Bit: A Framework for Building Technological Competence as a Lawyer
Bit by Bit: A Framework for Building Technological Competence as a LawyerBit by Bit: A Framework for Building Technological Competence as a Lawyer
Bit by Bit: A Framework for Building Technological Competence as a Lawyer
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your Decision
 
Digital Forensics Workshop
Digital Forensics WorkshopDigital Forensics Workshop
Digital Forensics Workshop
 
BSides London 2018 - Solving Threat Detection
BSides London 2018 - Solving Threat DetectionBSides London 2018 - Solving Threat Detection
BSides London 2018 - Solving Threat Detection
 
Anomaly Detection and You
Anomaly Detection and YouAnomaly Detection and You
Anomaly Detection and You
 
Security crashcourse openwest_2019
Security crashcourse openwest_2019Security crashcourse openwest_2019
Security crashcourse openwest_2019
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocks
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information security
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017
 

More from NoNameCon

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]NoNameCon
 
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]NoNameCon
 
Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] NoNameCon
 
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїRuslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїNoNameCon
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon
 
Oksana Safronova - Will you detect it or not? How to check if security team i...
Oksana Safronova - Will you detect it or not? How to check if security team i...Oksana Safronova - Will you detect it or not? How to check if security team i...
Oksana Safronova - Will you detect it or not? How to check if security team i...NoNameCon
 
Bert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for CybersecurityBert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for CybersecurityNoNameCon
 
Ievgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingIevgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingNoNameCon
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
 
Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?NoNameCon
 
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!NoNameCon
 
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...NoNameCon
 
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...NoNameCon
 
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameConAlexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameConNoNameCon
 
Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon WorkshopStas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon WorkshopNoNameCon
 
Serhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security BySerhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security ByNoNameCon
 
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical AccessSerhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical AccessNoNameCon
 
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...NoNameCon
 

More from NoNameCon (20)

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
 
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
 
Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop]
 
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїRuslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
 
Oksana Safronova - Will you detect it or not? How to check if security team i...
Oksana Safronova - Will you detect it or not? How to check if security team i...Oksana Safronova - Will you detect it or not? How to check if security team i...
Oksana Safronova - Will you detect it or not? How to check if security team i...
 
Bert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for CybersecurityBert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for Cybersecurity
 
Ievgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingIevgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpacking
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
 
Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?
 
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
 
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
 
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
 
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameConAlexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
 
Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon WorkshopStas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
 
Serhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security BySerhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security By
 
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical AccessSerhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
 
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
 

Recently uploaded

Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 

Recently uploaded (20)

Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 

Modern Incident Detection & Response Process Automation

  • 1. Automation in modern Incident Detection & Response (IDR) process Nazar Tymoshyk (UnderDefense)
  • 2. Agenda 1. About me 2. WHAT is Automation and Orchestration and Incident Response 3. WHY we talk about this? a. The problems of Modern Security Operations i. People ii. Speed iii. False Positives and Use case addiction b. The problems of Modern IR process c. Money/ROI 4. Humans vs Machines 5. HOW a. Automation b. Playbooks c. Threat Intelligence d. Orchestration e. Tools 6. ROI 7. Q&A
  • 3.
  • 4. Key Takeaways 1. What to Measure in modern SOC 2. How Automation vs Orchestration works 3. How to improve Response efficiency 4. How to win more time to live
  • 5. Personal Information Name: Nazar Tymoshyk Title: CEO of UnderDefense In Security: from 2008 Father of 1 daughter, 1 company, 1 community Email: nt@underdefense.com Founder of OWASP Lviv Building best Defensive cybersec company in Ukraine. Talant - to find best talents and develop them Addiction - Efficiency and Successful Ukraine
  • 6. Everyone wanted to be a Pentest Ninja
  • 7. TODAY Many wants to become a Hunters and build their own SOC/SIEM
  • 8. WHY we talk about THIS?
  • 9. All SOC clients ask us: “Give me all data - I want to see ALL data. CREATE MORE USE CASES”
  • 11. More SOC alerts - is it good or bad?
  • 13.
  • 14. TYPICAL CHALLENGES 1. Hybrid and Complex Security Technologies and Platforms 2. Limited Staff to Cover a Massive Scope 3. COMPLIANCE + OFFENSE + DEFENSE
  • 15. What should we do with alerts we failed to process because of flood?
  • 16.
  • 17. Orchestration How different technologies (both security-specific and non-security-specific) are integrated to work together Automation How to make machines do task-oriented "human work". Utilizing Security Product APIs to connect and run repetitive tasks faster and avoid human mistakes.
  • 18. Incident management & collaboration End-to-end management of an Incidents / Cases by people MISSION CONTROL collaboration
  • 19.
  • 20. Problems with People ● Can get Sick ● Tired/Bored ● Sometimes Lazy ● Need Motivation ● Not experienced ● Not systematic ● Have a lot of Needs ● Expensive ● SOMETIMES NOT WANT TO BE EFFICIENT
  • 21. Machines ★ Fast ★ Analytically consistent ★ Not instinctive ★ Minimal bias ★ Require time for learning ★ Visual and instinctive ★ Quickly learn on new data acquiring new experience ★ Not efficient ★ A lot of biases ★ Slow ★ But Flexible ★ SMART ★ CREATIVE Humans
  • 22. SPEED
  • 23.
  • 25. If you play a chess with enemy - you need to take decisions faster as they are already in
  • 26. Speed can reduce Cost = more availability for IMPROVEMENTS
  • 27. If you do your decisions faster => Theoretically you can go home faster and even meet friends, drink more bear, pass OSCP, OSCE, prepare a speech for DefCon 0322 Lviv
  • 28. “Free people from doing repetitive and trivial tasks”
  • 30. Measure Time to Detect Time to Investigate Time to Contain Time to Respond Time to Recover Time to compile Lessons Learned and back it to the process
  • 31. Incident Detection and Response (IDR) workflow Observe Incident Alert External Context Internal Context Run hunt Respond Monitor Validate Against Threat Intelligence OSINT Hunt for similar cases Check Internal, Proprietary Data Stores Assets Inventory Vulnerability situation Usernames Risk Score Look at Past Tickets Check who else have similar process / file / URL / problems / registry Isolate/Quarantine Investigate/Forensics Document/Collaborate Backup Ensure that threat was mitigated and monitor his further attempts
  • 32. © Tony Lin | Sr. Security Engineer SEC1980_SecurityOrchestrationAtPriceline_Final_1538667453799001LqjE
  • 33.
  • 34. Automate Security Operations Workflow Collect data Build Analytics Take Decision Act (Orient / Sense-making) AUTOMATED (SOC) MANUAL (IT/NOC) (currently)
  • 35. Automate Security Operations Workflow AUTOMATED Automate, Enrich, add context and reaction! Collect data Analytics Decision Making Acting (Orient / Sense-making)
  • 36. SOC Analyst Daily Workflow Inputs and Outputs © Rob Gresham | Security Solutions Architect | Hacking your SOEL SOC Automation and Orchestration © Splunk
  • 37. Tools
  • 38. What tools we recommend?
  • 41. Threat Intelligence - ThreatConnect
  • 44. Standard Operating Procedures (SOPs) Instructions/Guidelines Collaboration Event Management Case management Reporting & Metrics Automate investigation, data enrichments, Integrations, Response
  • 45.
  • 46. HOW
  • 47. ▶ What are the most time consuming tasks? ▶ How many of them are TIER 1/2 jobs? ▶ Are there more information we could have missed? Keep It Simple
  • 48. Activities Automated Select scripts run automatically. All decisions for triage, response and remediation are decided automatically Semi-Automated Select playbooks and actions run automatically. Analysts make triage, response and remediation decisions Manual Ownership -▶ Triage -▶ Analysis -▶ Disposition RISK
  • 49. Observe POLL PUSH INGEST SET STATUS SET SEVERITY CREATE ARTIFACTS SAVE OBJECTS SET TAGS FILE ANALYSIS DOMAIN ANALYSIS URL ANALYSIS HOST ANALYSIS IP ANALYSIS LOGON ANALYSIS RUN QUERY GET EVENTS Get customer info Get system info Get BU info Run query Lookup info Hunt file URL Rep Domain Rep Get File Check white/black lists DISABLE USER BLOCK HASH BLOCK URL BLOCK DOMAIN BLOCK IP QUARANTINE HOST BLOCK PROCESS DISABLE VPN EMAIL SOC EMAIL LEADERSHIP CHAT IT HELP DESK EMAIL ENGINEERING PROMPT SOC TASK SOC Get Approval Promote Case Prompt Analyst Change Severity Change Sensitivity CREATE TICKET UPDATE TICKET CLOSE TICKET TRANSFER TICKET QUERY TICKETS CREATE ARTIFACTS CLOSE OBJECTS Orient On Enrichments Act (Manually/Automated) Notify Collaborate Document Knowledge base
  • 52.
  • 53.
  • 54.
  • 55.
  • 57. ML use cases CASE 6: EXTRACTING DUPLICATE INCIDENTS CASE 4: VISUALIZING RELATED INCIDENTS CASE 3: COMMONLY USED SECURITY COMMANDS CASE 2: SECURITY EXPERT SUGGESTIONS CASE 1: INCIDENT OWNER RECOMMENDATIONS Chatbots
  • 58. SLA
  • 60. ROI
  • 61. Key Takeaways 1. Document your process and Measure where you’re losing YOUR time 2. Be careful before applying it on Production, TEST-TEST-TEST 3. Make NOC/IT your FRIENDS though SOAR 4. More Automation - more TIME, less people, ability to learn 5. By implementing automation and orchestration aiming to: -> Focus analysts time on analysis -> Focus analysts time on finding threats -> Reduce risk through speed and consistency
  • 62. And remember - Tools don't matter... When you have a GUN Brain
  • 63. THANK YOU Nazar Tymoshyk CEO at UnderDefense Contact: nt@underdefense.com