How to Build a Faster and Laser-Sharp SOC with Intelligent Orchestration
Agenda
• Future of Security Operations
• What is Intelligent Orchestration
• Intelligent Orchestration in Action: Use Case
• Q&A
The Market Leader in Incident Response
Next-Generation IR Platform with Intelligent Orchestration
• Largest and most trusted IRP install base in the world
• Only incident response platform with built-in intelligent orchestration
• Part of the largest enterprise security organization in the world
• More than 300 customers globally
• Customers in more than 30 countries
• IBM Resilient Partner Ecosystem delivered through IBM Security App Exchange
• Technology-agnostic platform delivers enterprise-grade integrations with IT and security tools
• Includes orchestration and automation capabilities
• Resilient is the hub of IBM Security’s Immune System
• Expanding customer support and services resources
About Our Speakers
Mike Rothman, Analyst & President, Securosis
Ted Julian, VP of Product Management and Co-Founder, IBM Resilient
The Future of Security Operations
Mike Rothman, President
@securityincite
About Securosis
‣ Independent analysts with backgrounds on both the user and vendor side.
‣ Focused on deep technical and industry expertise.
‣ Pragmatism is religion for us.
‣ We are security guys - that’s all we do.
‣ And we know a little bit about the cloud…
  ‣ We have been teaching cloud security for 7 years
  ‣ We wrote the CSA 4.0 guidance
It’s not going to get better (itself)…
‣ SecOps is getting harder:
  ‣ Adversary innovation
  ‣ Infrastructure complexity
  ‣ More devices, more places
  ‣ Hunters find stuff (which you have to fix…)
  ‣ Skills gap
‣ You are on your own.
https://flic.kr/p/bBJYYK
Areas of Focus
‣ Get smarter. Make better decisions
  ‣ Analytics
  ‣ Threat Intelligence
  ‣ Alerts appeared ahead of most major breaches
‣ Someone still has to do something!
  ‣ Documenting best practices and response in runbooks
Leverage humans more effectively
‣ Humans focus on what they are good at…
  ‣ Design proper controls
  ‣ Evolve policies
  ‣ Tune runbooks
  ‣ Have the cycles to handle exceptions
https://flic.kr/p/KGNBT
Embrace the machines
‣ Orchestrate different controls into a cohesive whole
‣ Automate the runbooks
‣ Build trust. Slowly, but surely.
Discussion
‣ Where to start?
  ‣ Best use cases
  ‣ Defining success
  ‣ Avoiding pitfalls
‣ Key capabilities of an orchestration/automation platform
‣ Integration with security monitoring/SIEM
‣ Customer success stories
Read our stuff
‣ Blog: http://securosis.com/blog
‣ Research: http://securosis.com/research
‣ We publish (almost) everything for free
‣ Contribute. Make it better.
mrothman@securosis.com
http://securosis.com/blog
Twitter: @securityincite
Mike Rothman
Securosis LLC
Poll Question
What is your top goal for incident response orchestration?
• Faster alert triage
• Better leverage threat intelligence to make smarter decisions
• Develop documented and repeatable runbooks
• Other
What is Intelligent Orchestration?
Intelligent Orchestration empowers security teams by combining human and machine-based intelligence with automation. It enables organizations to create a powerful, fully integrated incident response hub.
What Intelligent Orchestration Provides
• A force multiplier for security analysts
• Automation of repetitive tasks
• Intelligence and expertise throughout the incident lifecycle
• Greater visibility into use of existing security and IT tools
Intelligent Orchestration in Action
[Integration diagram: Resilient at the hub, connected to PhishMe, ThreatGrid, Active Directory, Carbon Black, Cisco and ServiceNow]
Automated Incident Creation and Triage (PhishMe, Resilient, ThreatGrid)
1. PhishMe Reporter opens a phishing incident in the Resilient platform.
   • Automatically attaches suspicious URLs and sender IP address.
2. Resilient automatically checks attached artifacts against integrated threat intelligence feeds.
3. ThreatGrid returns a hit, showing that both the URLs and IP address are likely malicious.
Time savings: 20 minutes
Intelligent Orchestration in Action
[Integration diagram: Resilient at the hub, connected to PhishMe, ThreatGrid, Active Directory, Carbon Black, Cisco and ServiceNow]
Incident Enrichment (Cisco, Resilient, Active Directory)
4. Analyst calls out to Cisco web gateway to determine which employees have visited the malicious URLs.
   • Cisco populates a data table in Resilient with user IDs.
5. Resilient automatically uses Active Directory to populate the data table with full user profiles.
6. Active Directory shows that the company’s Legal Counsel clicked the link.
   • Resilient Dynamic Playbooks automatically raises the severity of the incident and updates the playbook, directing the analyst to notify the legal team.
Time savings: 45 minutes
Intelligent Orchestration in Action
[Integration diagram: Resilient at the hub, connected to PhishMe, ThreatGrid, Active Directory, Carbon Black, Cisco and ServiceNow]
Incident Remediation (Cisco, Resilient, Carbon Black, ServiceNow)
7. Analyst blocks URLs and IP address in Cisco email gateway.
8. Analyst uses Carbon Black to check machines for malware. Scan returns clean.
9. Analyst directs IT team to reset the credentials of the involved users.
10. Analyst uses Resilient email connector to send involved users a notification about the phishing attack.
Total time savings: 65 minutes
Intelligent Orchestration in Action
[Integration diagram: Resilient at the hub, connected to PhishMe, ThreatGrid, Active Directory, Carbon Black, Cisco and ServiceNow]
Mitigation (Resilient)
11. Resilient dashboard shows that the majority of affected users were part of a new team recently onboarded in Europe.
   • The CISO leverages this information to get budget for anti-phishing training in this region, mitigating the risk of future attacks.
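The eleven-step use case above is a playbook: triage artifacts against threat intelligence, enrich with gateway and directory data, let a rule escalate severity when a sensitive role is involved, then hand the analyst a fixed list of remediation tasks and a regional summary for the CISO. The following Python block is an added example written for this page, not code from the deck, from IBM Resilient or from any of the products named; it replaces every integration (ThreatGrid, the Cisco gateway, Active Directory) with constructed in-memory tables, and the URL, IP address, user IDs, titles and the HIGH_VALUE_ROLES escalation table are all made-up values chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data standing in for the integrations in the slides.
# Every value here is made up for the example: the URL uses the reserved
# .invalid domain and the IP is a documentation address (RFC 5737).
THREAT_INTEL = {                      # ThreatGrid-style artifact verdicts
    "http://login-verify.invalid/account": "malicious",
    "198.51.100.23": "malicious",
    "http://news.example/march": "clean",
}
GATEWAY_VISITS = {                    # web-gateway log: URL -> user IDs that fetched it
    "http://login-verify.invalid/account": ["u1001", "u1042", "u1042"],
}
DIRECTORY = {                         # directory lookup: user ID -> profile
    "u1001": {"title": "Legal Counsel", "team": "Legal", "region": "EU"},
    "u1042": {"title": "Sales Associate", "team": "EU Sales (new)", "region": "EU"},
}
# Assumption: roles whose involvement escalates the incident, and the task each adds.
HIGH_VALUE_ROLES = {"Legal Counsel": "Notify the legal team"}


@dataclass
class Incident:
    artifacts: list
    severity: str = "Medium"
    verdicts: dict = field(default_factory=dict)
    affected_users: list = field(default_factory=list)
    tasks: list = field(default_factory=list)


def triage(incident, intel=THREAT_INTEL):
    """Steps 2-3: look every attached artifact up in threat intel.

    Returns the artifacts judged malicious, in attachment order."""
    for art in incident.artifacts:
        incident.verdicts[art] = intel.get(art, "unknown")
    return [a for a, v in incident.verdicts.items() if v == "malicious"]


def enrich(incident, malicious, visits=GATEWAY_VISITS, directory=DIRECTORY):
    """Steps 4-5: find who visited the malicious URLs and attach their profiles.

    Duplicate gateway hits for one user are collapsed; an unknown user keeps a
    placeholder profile so a directory gap never aborts the playbook."""
    seen = set()
    for art in malicious:
        for uid in visits.get(art, []):
            if uid in seen:
                continue
            seen.add(uid)
            profile = directory.get(uid, {"title": "unknown", "region": "unknown"})
            incident.affected_users.append({"id": uid, **profile})
    return incident.affected_users


def apply_dynamic_playbook(incident, roles=HIGH_VALUE_ROLES):
    """Step 6: raise severity and add a task when a high-value role is affected."""
    for user in incident.affected_users:
        task = roles.get(user["title"])
        if task and task not in incident.tasks:
            incident.severity = "High"
            incident.tasks.append(task)
    return incident


def remediation_tasks(incident, malicious):
    """Steps 7-10: the per-artifact and per-user actions left for the analyst."""
    tasks = [f"Block {a} at the gateway" for a in malicious]
    for user in incident.affected_users:
        tasks.append(f"Scan endpoints of {user['id']} for malware")
        tasks.append(f"Reset credentials of {user['id']}")
        tasks.append(f"Notify {user['id']} about the phishing attack")
    return tasks


def affected_by_region(incident):
    """Step 11: the dashboard view, affected users counted per region."""
    return dict(Counter(u["region"] for u in incident.affected_users))


def run_playbook(artifacts):
    """Run the whole flow on the artifacts attached to a new phishing incident."""
    incident = Incident(artifacts=list(artifacts))
    malicious = triage(incident)
    enrich(incident, malicious)
    apply_dynamic_playbook(incident)
    incident.tasks.extend(remediation_tasks(incident, malicious))
    return incident


if __name__ == "__main__":
    inc = run_playbook(list(THREAT_INTEL))   # the three constructed artifacts
    print(inc.severity, inc.tasks, affected_by_region(inc))
```

The point of the structure is the boundary the deck keeps coming back to: everything up to `apply_dynamic_playbook` runs without a human, and the escalation rule is just data (`HIGH_VALUE_ROLES`), so changing who counts as sensitive does not mean changing code. The analyst's own steps (7 to 10) are generated as an explicit task list rather than executed, which mirrors "automation up to a human decision point" on the closing slide.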
Impact of Intelligent Orchestration
The SOC team can leverage automation and the intelligence of other systems to quickly investigate and remediate the attack.
All parties know exactly what to do, when to do it, and how, leading to a fast and effective response.
How to infuse your orchestration efforts with greater intelligence
Hold an incident response planning workshop
• Include your security analysts, MSSP experts, and experts from other units like HR, marketing, and legal
• Use a business-process perspective that focuses on human decision-making points
• Define, refine, and measure your IR processes
• Run simulations
Establish ways to deliver data to your team quickly
• Integrate data sources, such as SIEM, Threat Intelligence, and EDR.
• Apply automation to repetitive and time-consuming workflows. Test to ensure fidelity, and expand to additional use cases.
• Focus on automation up to a human decision point, and on the steps to be taken after the decision point.
Thank you. Questions?
75 Binney Street, Cambridge, MA 02142
WWW.RESILIENTSYSTEMS.COM
888.426.4968
