TRANSCRIPT
[Webinar] Summertime, Livin’ is Easy!
Top 10 SOAR Use Cases, Part 2
Housekeeping
• Ask questions using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute
• Everyone will receive recording and slides by Friday, May 24
• Speakers
○ Jane Goh, Product Marketing
○ Pramukh Ganeshamurthy, Technical Marketing
Phish are jumpin’ and the alerts are on high*
*Paraphrased, with apologies to Gershwin
“Our response times are too long. Every lost second leads to financial and reputational damage.”
“Our security experts are overwhelmed with the growing number of alerts.”
“I spend too much time switching between products to effectively respond to incidents.”
• Lack of skilled analysts: 2 million analyst shortage
• Growing alerts: >12K alerts per week
• No consistent process: IR process has no metrics, run over email
• Long MTTR & risk: weeks to resolve each detected incident
Personas: CISO, SOC Manager, IR Analyst
SOC Livin’ isn’t easy…
What is Demisto?
Demisto is a SOAR platform that helps you orchestrate workflows, automate repeatable tasks and manage incident response across your security product stack.
Orchestration
• Playbooks standardize IR workflows
• Ingest alerts from multiple products
• Manage security product stack from central location
Automation
• Automated scripts & tasks
• Extensible product integrations
• Machine learning insights based on analyst actions
Response
• Case management with War Room, easy querying & auto-documentation
• Customizable dashboards & reports
• Interactive investigation & collaboration
How Demisto Works
(Diagram) Detection sources such as EDR, Threat Intelligence, Cloud, Ticketing, Vuln Mgmt, Firewall, DevOps, SIEM and UEBA feed Demisto, which performs three stages: Ingest, Enrich, Respond.
Some of our integrations…
Analytics and SIEM, Threat Intelligence, Malware Analysis, Endpoint, Ticketing, Network Security, Authentication, Email Gateway, Messaging, Cloud …and 100s more!
Use Case: Impossible Traveler
Challenges
• Fraudulent behavior not easy to spot
• Multiple systems to confirm malice
• Repetitive tasks
Impossible Time Travel Playbook
(Playbook diagram; integrations shown: Active Directory, Threat Intelligence, Firewall)
Ingest
• Ingest behavioral anomaly from relevant tool.
Enrich User Information (Active Directory)
• Retrieve user and manager accounts.
Enrich IP Information (Threat Intelligence)
• Check reputation of both previous and current IP addresses.
Confirm Malice
• Calculate distance between IPs.
• Generate location map.
• Generate event duration.
Decision: two IP addresses tied to same user are far apart?
• No: Close Playbook
• Yes: Containment (Active Directory, Firewall)
○ Change incident severity.
○ Disable user account.
○ Block malicious IP address.
○ Notify management team.
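The Confirm Malice step of this playbook, written out as an added example (not code from the webinar or from Demisto's own playbook content): it assumes the enrichment steps have already mapped each IP to a latitude/longitude (constructed sample values below) and uses a hypothetical 900 km/h speed threshold to answer the "far apart?" decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Hypothetical threshold (not from the webinar): two logins that would
# need travel faster than an airliner are treated as impossible.
MAX_PLAUSIBLE_SPEED_KMH = 900.0

@dataclass(frozen=True)
class LoginEvent:
    """One authentication event after IP enrichment has added lat/lon."""
    user: str
    ip: str
    lat: float
    lon: float
    when: datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def confirm_malice(prev, curr, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """'Confirm Malice' step: distance, event duration and the Yes/No decision."""
    if prev.user != curr.user:
        raise ValueError("both events must belong to the same user")
    duration_h = (curr.when - prev.when).total_seconds() / 3600.0
    if duration_h < 0:
        raise ValueError("events are out of order")
    distance_km = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    if distance_km < 1.0:       # same IP or same block: never impossible
        speed = 0.0
    elif duration_h == 0:       # simultaneous logins far apart
        speed = float("inf")
    else:
        speed = distance_km / duration_h
    return {"distance_km": round(distance_km, 1), "duration_hours": round(duration_h, 2),
            "speed_kmh": round(speed, 1), "impossible_travel": speed > max_speed_kmh}

# Constructed sample events (not real data): one user, three enriched IPs.
T0 = datetime(2019, 5, 20, 9, 0, tzinfo=timezone.utc)
PREV = LoginEvent("jdoe", "198.51.100.7", 37.77, -122.42, T0)  # San Francisco
CURR = LoginEvent("jdoe", "203.0.113.9", 51.51, -0.13, T0 + timedelta(minutes=45))  # London
LATER = LoginEvent("jdoe", "192.0.2.5", 34.05, -118.24, T0 + timedelta(hours=6))  # Los Angeles

if __name__ == "__main__":
    print(confirm_malice(PREV, CURR), confirm_malice(PREV, LATER))
```

In the playbook the returned `impossible_travel` flag selects the Yes (Containment) or No (Close Playbook) branch, while `distance_km` and `duration_hours` feed the location map and event duration shown to the analyst.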
Demo
Use Case: Cryptojacking
Challenges
• Siloed teams, lack of security oversight
• Manual monitoring impractical
• Breaches = huge business impact
Cryptojacking Playbook
(Playbook diagram; integrations shown: AWS Security Hub, EC2, AutoFocus, Ticketing, Email)
A Bitcoin Mining Alert triggers the playbook in Demisto.
Compile Alert Details
• Get AWS Security Hub alert details
• Open ticket
Enrich Context
• Check EC2 security group
• Get indicator details
Decision: need to isolate EC2 instance?
• Yes: Quarantine Instance
○ Take EC2 volume snapshot
○ Create tag
○ Quarantine EC2 instance
○ Send email to relevant teams
• No: go straight to Sanitize and Close
Sanitize and Close
• Update ticket
• Send email to relevant teams
Demo
Use Case: Cloud Security
Challenges
• Complex incident response workflows
• Multiple consoles across cloud env
• Ability to respond at scale & speed
Cloud Security Incident Response Playbook
(Playbook diagram; integrations shown: Prisma Cloud Threat Defense (RedLock), Ticketing, Email, EC2)
Critical Alerts trigger the playbook in Demisto.
Get Cloud Security Alerts
• Get policy ID
• Open ticket
Perform Checks
• Conditional checks on policy ID
• Get indicator details
Process Auto Remediation
• Trigger corresponding playbooks for auto response
Demo
Use Case: Incident Response Lifecycle Processes
Challenges
• Disjointed, siloed security tools
• Lack of standardized processes
• MTTR (mean time to respond)
IR Lifecycle Processes Playbook
(Playbook diagram; integrations shown: AutoFocus, WildFire, Cortex Data Lake, Cortex, Panorama)
Critical Alerts trigger the playbook in Demisto.
Trigger Playbook and Engage
• Assign incident to analyst using DBot suggestion
• Get critical threat alerts, social app traffic and files
Extract, Check Indicators
• Retrieve sample analysis
• Check file reputation
Check for Malice
• Malice found: branches for IP, Hash and Manual
Respond to malicious IP
• Notify change manager for approval
• Block IP at Palo Alto Networks firewall
• Auto-generate incident investigation report in Demisto
Respond to malicious file hash
• Search and block malicious hashes
• Notify analyst for review
• Update tickets in Demisto
Demo
Use Case: Vulnerability Management
WestJet
• Vulnerability platform that scans 100s of assets, 1000s of desktops
• Assets have different criticalities to the business and different compliance requirements
• Determining which team owns which vulnerable asset is a manual process
• Reporting is manual
Video
SOAR Benefits
*Real stats from Demisto customers
• Reduced alert volume: reduced weekly alerts from 10,000 to 500 (Enterprise Software*)
• Faster response times: reduced MTTR from 3 DAYS to 25 MINUTES (Financial Services*)
• Efficient security operations: fully automated 30% of incidents to save 1 FTE (Energy/Utilities*)
Black Hat 2019!
If you’re attending Black Hat…
● Catch us at Booth #1138 where you’re guaranteed to have a ball!
● Party in Vegas! Register & join us on August 6! https://go.demisto.com/bh-1923-party
● Learn more about what we’re up to: https://go.demisto.com/black-hat-2019
Additional Resources
● In case you missed the original | Use Case Webinar Part 1: https://www.youtube.com/watch?v=cs0qTwaEZBM
● This is what SOAR’s all about | Dummies Book: https://go.demisto.com/your-guide-to-security-orchestration
● Gartner’s take on SOAR | Gartner SOAR Market Guide: https://go.demisto.com/the-hitchhikers-guide-to-soar-2019
● Why not play with it for a bit? | Free Edition: https://go.demisto.com/sign-up-for-demisto-free-edition
Questions?