Practical Security
Automation
Jason Chan
Data Theorem Advisory Board
12/5/2014
Visibility
Knowing the Environment
Discover
Inventory
Test
Report
Knowing the Environment / Takeaways
Tailor discovery to rate of change
Think about normalization of discovery data
Visibility
Risk Prioritization
Risk Prioritization - Takeaways
What is measurable? (objectively)
Use as an input, not law
Visibility
Multi-Layer Security Testing
Deconstructing security testing
Integrated testing for CI/CD
Multi-Layer Security Testing - Takeaways
What conversations can you avoid?
Is there a pyramid you can leverage?
Visibility
Configuration Monitoring
Security Monkey
Configuration Monitoring - Takeaways
Config changes have a continuum of safety
Find ways to observe and differentiate
Visibility
Intelligence Discovery and Disposition
Goals
Find Netflix-relevant security intelligence
Do something (ideally, via automation)
Intelligence Discovery and Disposition - Takeaways
Develop and prioritize an intel taxonomy
Visibility
Signal Refinement and Response
Key Questions
What alerts require response?
How quickly?
What actions do you take?
Goal
Reduce time to:
detect/triage/contain/eradicate
Step 1
Alert is generated and sent to FIDO
(Cyphort, Carbon Black/Bit9, Sophos, PAN, Aruba, etc.)
Step 2
Gather data
(on issue, target, machine, etc.)
Step 3
Score the issue
(user, machine, threat, trust)
Step 4
Take action
(ignore, remediate, etc.)
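An added illustration of the four-step loop above, written for this page and not taken from FIDO or Netflix: a toy Python pipeline that enriches a constructed alert, scores it on the user, machine, threat and detector-trust dimensions, and maps the weighted score to an action. The lookup tables, weights and thresholds are all hypothetical placeholders for the inventory, directory and intel sources a real responder would query.

```python
from dataclasses import dataclass, field

# Constructed sample alert, as a detector (step 1) might hand it to the responder.
SAMPLE_ALERT = {"source": "av", "host": "lt-0042", "user": "jdoe",
                "indicator": "trojan.generic", "severity": "high"}

# Constructed lookup tables standing in for inventory, directory and intel APIs (step 2).
MACHINE_INVENTORY = {"lt-0042": {"patched": False, "role": "engineering-laptop"}}
USER_DIRECTORY = {"jdoe": {"admin": True, "department": "platform"}}
THREAT_INTEL = {"trojan.generic": {"confidence": 0.8}}
DETECTOR_TRUST = {"av": 0.6, "edr": 0.9}  # hypothetical trust in each alert source


@dataclass
class Disposition:
    scores: dict = field(default_factory=dict)  # per-dimension scores
    total: float = 0.0
    action: str = "ignore"


def gather_data(alert: dict) -> dict:
    """Step 2: enrich the alert with what is known about machine, user, threat and source."""
    return {
        "machine": MACHINE_INVENTORY.get(alert["host"], {}),
        "user": USER_DIRECTORY.get(alert["user"], {}),
        "threat": THREAT_INTEL.get(alert["indicator"], {}),
        "trust": DETECTOR_TRUST.get(alert["source"], 0.3),  # unknown sources get low trust
    }


def score_issue(ctx: dict) -> tuple:
    """Step 3: score the four dimensions; detector trust weights the other three."""
    scores = {
        "user": 1.0 if ctx["user"].get("admin") else 0.4,          # admins raise impact
        "machine": 0.5 if ctx["machine"].get("patched", True) else 1.0,
        "threat": ctx["threat"].get("confidence", 0.2),             # unknown indicator scores low
        "trust": ctx["trust"],
    }
    total = scores["trust"] * (scores["user"] + scores["machine"] + scores["threat"])
    return scores, total


def take_action(total: float) -> str:
    """Step 4: arbitrary thresholds map the weighted score to a disposition."""
    if total >= 1.5:
        return "remediate"
    if total >= 0.8:
        return "triage"
    return "ignore"


def process_alert(alert: dict) -> Disposition:
    ctx = gather_data(alert)
    scores, total = score_issue(ctx)
    return Disposition(scores=scores, total=total, action=take_action(total))
```

Running `process_alert(SAMPLE_ALERT)` yields a "remediate" disposition, while the same indicator from an unknown source on a patched, non-admin machine falls through to "ignore", which is the differentiation the scoring step is meant to give you.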
Signal Refinement and Response - Takeaways
Start small
API as build/buy criteria
Thank you!
chan@netflix.com : @chanjbs
