Automating Incident Response Turn months to hours Or Cohen Security CTO - We Ankor


Post on 25-Jul-2015


Automating Incident Response: Turn months to hours

Or Cohen, Security CTO - We Ankor

In other words…

How to automate IR procedures & save

Challenges

• Many daily alerts from multiple sources.
• We are able to detect – now what?
• Response procedure? What response procedure?
• We are understaffed.
• Efficient response to every alert is not possible.
• Multiple tools, tons of information.
• OOTB doesn’t fit you.

Making it worse (for IR)

• The Big Data buzz.
• Heavy use of algorithms & anomaly detection.
• Trending analysis.
• Intelligence & Reputation feeds.
• The demand for magic.

They’re all great! But the outcome is more questions…

Making it worse (for IR)

[Chart: DNS Usage - 2015; y-axis 0 to 30000]

Making it worse (for IR)

People talk about tackling the “Unknown” threats

Yet the same people still struggle with the most common “Known” threats

State of mind

Common Solutions

• Use external consulting
• Buy more products
• More information
• Hire more people
• Harder to manage


ALERT! Common Solutions

Common Solutions

• You know where you live.
• You know what happens often.
• You know what you want to ask.
• You know what you want to do.
• You know who you can talk to.
• You know your tools & information.

Utilize your knowledge

Better Case Scenario

ALERT!


Best Case Scenario

Diagram components:
• AV Vendor
• SIEM Rule
• ECAT
• Signature Severity Matrix
• Query
• Device control
• Mail / Web filter
• Block website/IP
• Block sender
• Mitigation
• VxStream Sandbox
• Report

• Agent deployment – Automated.
• Running a scan – Automated.
• Severity evaluation & triage – Automated.
• Data enrichment – Automated.
• Proactive blocking – Automated.
• Mitigation – Automated.

Save time
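The flow the Best Case Scenario slide draws (alert in, enrichment from sandbox and AV, a severity matrix, then blocking and mitigation with no human in the loop) can be written down as a small orchestrator. The block below is an added example for this page, not code from the talk or from We Ankor; every data source in it (sandbox scores, AV coverage, the alert batch, the matrix thresholds) is a constructed in-memory stand-in for the product APIs a real orchestrator would call.

```python
"""Alert triage and response orchestrator (added example, not from the talk).

Pipeline: enrich each alert (sandbox score, AV coverage, host spread) ->
severity matrix -> blocking/mitigation actions. All data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sandbox reports: artifact hash -> threat score 0..100
# (stand-in for a sandbox report API; hashes are made up).
SANDBOX_SCORES: Dict[str, int] = {
    "a1" * 32: 92,   # known-bad dropper
    "b2" * 32: 35,   # benign-looking installer
}

# Constructed AV vendor coverage: hash -> vendor already ships a signature.
AV_COVERAGE: Dict[str, bool] = {"a1" * 32: True, "b2" * 32: False}


@dataclass
class Alert:
    alert_id: str
    source: str                    # "siem", "ecat", "mail-gateway", ...
    host: str
    sha256: str
    sender: Optional[str] = None   # set when the artifact arrived by mail
    url: Optional[str] = None      # set when the artifact was downloaded


@dataclass
class Enriched:
    alert: Alert
    sandbox_score: Optional[int]   # None = no report for this artifact
    has_av_signature: bool
    host_spread: int               # hosts in the batch with the same artifact


@dataclass
class Outcome:
    alert_id: str
    severity: str
    actions: List[str] = field(default_factory=list)


def enrich(alert: Alert, batch: List[Alert]) -> Enriched:
    """Data enrichment step: gather sandbox, AV and spread data for one alert."""
    spread = len({a.host for a in batch if a.sha256 == alert.sha256})
    return Enriched(alert, SANDBOX_SCORES.get(alert.sha256),
                    AV_COVERAGE.get(alert.sha256, False), spread)


def severity(e: Enriched) -> str:
    """Severity matrix: additive points per source (thresholds are assumptions)."""
    points = 0
    if e.sandbox_score is None:
        points += 1               # never-seen artifact: worth a look
    elif e.sandbox_score >= 70:
        points += 3
    elif e.sandbox_score >= 40:
        points += 2
    if not e.has_av_signature:
        points += 1               # vendor has no signature yet
    if e.host_spread > 1:
        points += 1               # spreading, not a one-off
    if points >= 4:
        return "critical"
    return {3: "high", 2: "medium"}.get(points, "low")


def respond(e: Enriched) -> Outcome:
    """Turn the severity level into proactive blocking and mitigation actions."""
    sev = severity(e)
    out = Outcome(e.alert.alert_id, sev)
    if sev == "low":
        out.actions.append("log-only")
        return out
    if not e.has_av_signature:
        out.actions.append(f"submit-to-av-vendor:{e.alert.sha256[:8]}")
    if sev in ("high", "critical"):
        if e.alert.url:
            out.actions.append(f"web-filter-block:{e.alert.url}")
        if e.alert.sender:
            out.actions.append(f"mail-filter-block:{e.alert.sender}")
        out.actions.append(f"endpoint-scan:{e.alert.host}")
        out.actions.append(f"clean-host:{e.alert.host}")
    else:
        out.actions.append("queue-for-analyst")   # medium: the un-scriptable case
    return out


def triage(batch: List[Alert]) -> List[Outcome]:
    """Run the whole pipeline over one batch of alerts."""
    return [respond(enrich(a, batch)) for a in batch]


def summarize(outcomes: List[Outcome]) -> Dict[str, int]:
    """Metrics of the kind the 'Save time' slide reports."""
    acts = [a for o in outcomes for a in o.actions]
    return {
        "alerts": len(outcomes),
        "hosts_cleaned": sum(a.startswith("clean-host:") for a in acts),
        "av_submissions": sum(a.startswith("submit-to-av-vendor:") for a in acts),
        "analyst_queue": sum("queue-for-analyst" in o.actions for o in outcomes),
    }


# Constructed batch: two hosts hit by the same known-bad file, one
# benign-looking installer, one never-seen artifact.
SAMPLE_BATCH = [
    Alert("A-1", "siem", "ws-017", "a1" * 32, url="http://downloads.example/update.exe"),
    Alert("A-2", "mail-gateway", "ws-042", "a1" * 32, sender="billing@example.invalid"),
    Alert("A-3", "ecat", "ws-101", "b2" * 32),
    Alert("A-4", "ecat", "ws-113", "c3" * 32),
]

if __name__ == "__main__":
    for o in triage(SAMPLE_BATCH):
        print(o.alert_id, o.severity, o.actions)
    print(summarize(triage(SAMPLE_BATCH)))
```

The matrix sends only the medium band to a person, which is the deck's point about spending human time on the un-scriptable cases; everything with a sandbox verdict and spread across hosts is blocked and cleaned directly, and anything the AV vendor does not yet cover is sent for a signature.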

2 weeks – 238 files

• 196 alerts in 2 weeks – AVG of 14 per day.
• 238 artifacts sent.
• 175 NEW AV signatures.
• 266 hosts were cleaned.
• 0 hours of human intervention.
• From drawing board to reality - 8 days.
• Same process done manually – 5h per alert.
• Done manually – 5h * 196 alerts =
  – ~122 DAYS for 1 FTE.
  – ~41 DAYS for 1 FTE working 24/7.

Save time

• Better alert coverage – quantity, SLA, multitask.
• Human time used for un-scriptable cases.
• Maximum utilization of existing products - API.
• Tailor-made for you.
• Query, patch, update, install, block, delete, etc.
• Orchestrators are your friends.
• Raise your overall security posture.

Summary

Automate and be prepared for your “Known” threats

Have the time to handle the “Unknown” threats

Bottom line

Thank you

Or Cohen

[email protected] CTO - We Ankor

May 2015