SACON - Incident Response Automation & Orchestration (Amit Modi)
1 like2,537 views
This document discusses how the SOC 3D platform from Cyberbit can help increase the efficiency of a security operations center (SOC). SOC 3D provides security analytics, automation, and orchestration capabilities to help analysts investigate incidents more quickly. It integrates data from various security tools and feeds. The platform aims to reduce the time to resolve incidents through features like automating response tasks, data enrichment, and decision making. This can lower the workload on SOC teams and help focus resources on higher priority issues. The document provides examples of how SOC 3D could automate parts of the incident response process and estimates that it may be able to save over 12 minutes per incident on average.
SACON - Incident Response Automation & Orchestration (Amit Modi)
- 1. © 2016 by CYBERBIT │ CYBERBIT Proprietary1 Increase your SOC efficiency with SOC 3D Amit Modi Regional Sales Manager – India & SAARC +91-9920660605 Amit.modi@Cyberbit.com
- 2. © 2016 by CYBERBIT │ CYBERBIT Proprietary Visualizing NextGen CyberSecurity
- 3. IT Infrastructure Security Application/DB Security Consulting & IT GRC Visualizing NextGen SoC 4.0 Security Controls Policy & Audit RISK & Compliance Business Continuity Vulnerability Management Log Management Access & Identity Visibility & Compliance Security Analytics Data Protection & Control IT Change & End Point Monitoring & Management Incident Response Threat Intell. Feeds Forensic Data Capture Threat Detection App Sec CMDB Software Asset Management
- 4. © 2017 by CYBERBIT │ CYBERBIT Proprietary 4 Challenges • SIEM Generating Huge amount of Alerts • Incidents Getting Missed • Lack of Threat Visibility • Finding Lateral Impact • Learning from Past • Finding the RCA • Skills Shortage • Incident Based SLA Management • Incident Closures • Reporting • Technical • Business Context • Performance Based Expectations • Business Context to the Investigation • Adding Analytics • Bulletin Boards to the Team • Case Management • Automating Runbook • Threat Visibility & Spread • Avoid Over Detection & False Positive • Automate Similar Incidents • Prioritization Based on Business Impact • Incident Containment as a First Step • Surgical Response for Accurate Threat Eradication
- 5. © 2017 by CYBERBIT │ CYBERBIT Proprietary 5 Recommendation & Suggestions by SANS Analysis
- 6. © 2017 by CYBERBIT │ CYBERBIT Proprietary 6 Narrow Downing : Challenges & Expectations • SIEM Generating Huge amount of Alerts • Incidents Getting Missed • Lack of Threat Visibility • Finding Lateral Impact • Learning from Past • Finding the RCA • Skills Shortage • Incident Based SLA Management • Incident Closures • Reporting • Technical • Business Context • Performance Based (MSSP/Internal Team) • Business Context to the Investigation • Adding BigData Analytics • Bulletin Boards to the Team • Case Management • Automating Runbook • Threat Visibility & Spread • Avoid Over Detection & False Positive • Automate Similar Incidents • Prioritization Based on Business Impact • Incident Containment as a First Step • Surgical Response for Accurate Threat Eradication • Practicing the Crisis Situation • Matured Security Operation Center (SoC) • Identifying Unknown Threats • Incident Management • Incident Automation • Containment • Forensic Data for Accurate Eradication • Practicing Crisis Situation • Continuous Skills Improvement • Runbook Automation for Accuracy
- 7. © 2016 by CYBERBIT │ CYBERBIT Proprietary7 SOC 3D: Your Gateway to the Future
- 8. © 2016 │ CYBERBIT Proprietary8 Provides more accurate and actionable high priority alerts by ingesting and analyzing SOC feeds and external feeds Your Single Pane of Glass for managing your entire security operations The only SOC management platform combining automation, orchestration and big-data security analytics for real-time investigation What Is SOC-3D
- 9. © 2016 by CYBERBIT │ CYBERBIT Proprietary9 ALERTS SIEM Ticketing Email CRM Helpdesk EDR UBA RESPONSE TOOLS IPS EDR WAF Active Directory NAC Memory Dump Threat Intel CMDB HR Systems GRC Compliance Vulnerability Assessment Enrichment Your SOC Hub SOC 3D Big-Data API’sAPI’s
- 10. © 2016 by CYBERBIT │ CYBERBIT Proprietary10 Security Analytics Visualize Anything. Investigate Freely. Explore raw data for forensics Real-time access via big-data platform Real-time visualization for faster insights
- 11. © 2016 by CYBERBIT │ CYBERBIT Proprietary11 SMART AUTOMATION Accelerate analyst work across the entire IR cycle AUTOMATE RESPONSE Automate SOC operator and analyst response tasks AUTOMATE DATA ENRICHMENT Get all relevant data for investigation AUTOMATE DECISION MAKING By automating data collection prior to response
- 12. © 2016 by CYBERBIT │ CYBERBIT Proprietary12 The Response Process: Traditional SOC Manual Preparation: 15 minutes New Malware Alert Run Memory Dump Utility Isolate Host Using NAC API Alert IT to Replace User Host Check Asset Criticality X Critical Proccess Check BISO Contact Alert CISO & BISO Collect Additional Raw Data X Send recommendations and Summary report Investigate Escalate to Tier 2 2 minutes 2 minutes 3 minutes 2 minutes 2 minutes 2 minutes 2 minutes
- 13. © 2016 by CYBERBIT │ CYBERBIT Proprietary13 Automated decision making Automated data enrichment Automated response The Response Process: With SOC-3D Automation New Malware Alert Run Memory Dump Utility Alert IT to Replace User Host X Critical Proccess Check BISO Contact Alert Ciso & BISO Collect Additional Raw Data (e.g. TI) X Send recommendations and Summary report Investigate Escalate to Tier 2 Isolate Host Using NAC API Check Asset Criticality Start Here
- 14. © 2016 by CYBERBIT │ CYBERBIT Proprietary14 Impact On TTR and TCO Average number of stages per incident 6 Average time saved by SOC 3D per stage 2 minutes Total time saved by SOC 3D per incident 12 minutes Number of daily incidents 100 Time saved by SOC 3D every day 20 hours TCO saving per day $2000 TCO saving per month $44,000
- 15. © 2016 by CYBERBIT │ CYBERBIT Proprietary15 With SOC-3D, Your SOC is EFFICIENT Faster to respond Reduces SOC team workload Measurable BUSINESS-DRIVEN Focuses on what matters the most Keeps executive level informed Engages the entire organization SOC USER-CENTRIC Reduces the expertise barrier Engages your team Increases analyst impact Simplifies complex investigations
- 16. © 2016 by CYBERBIT │ CYBERBIT Proprietary16 Deep Diving - SOC 3D
- 17. © 2016 by CYBERBIT │ CYBERBIT Proprietary17 Thank You!