Date post: 25-Jul-2020
Automated Response in Cyber Security SOC with Actionable Threat Intelligence
Page 1: Automated Response in Cyber Security SOC with Actionable ... · 1. Using the global threat intelligence cloud Malware Signature (1Billions) C&C/DNS Signature (Million) Threat IntelligenceCloud

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Page 2

“while its biggest weakness is lack of visibility: SOCs still can’t detect previously unknown threats, which is a consistent problem across many other SANS surveys. The survey also found a need for more automation across the prevention, detection and response functions.”

Page 3

Page 4

SANS: Threat Intelligence White Paper

Source: https://www.sans.org/reading-room/whitepapers/analyst/threat-intelligence-is-effectively-37282

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

Page 5

The Challenges of the CISO and CIO

6 | © 2015, Palo Alto Networks. Confidential and Proprietary.

[Figure: the attacker market is Automated, Scalable, Specialized and Collaborative, selling Hacking-as-a-service, DDoS-as-a-service, Malware-as-a-service and Ransomware-as-a-service across the attack stages Research, Infiltration, Discovery, Capture and Exfiltration.]

[Figure: the SOC is flooded with DNS, Endpoint, AV, SMTP and Web alerts. Detection relies on Firewall, IPS, Proxy, APT and SSL controls; Endpoint, DDoS, WAF and Email controls; and a SIEM with manual correlation, all feeding a costly ($) incident response.]

CISO challenges: people resources, manual response, complexity, high-volume incidents, and regulation, compliance and governance.

Page 6

Challenges & Cyber Security SOC Requirements

VOLUME: increased attack volume from automated adversaries

ALERTS: too many alerts from too many sources, without context

COMPLEXITY: highly manual response with complex workflows

Requirements:

- Reduce attack surface
- Prioritize critical threats
- Reduce false positives
- Add attack context
- Accelerate incident handling workflows and automated proactive response

Page 7

Today’s Security Operation Center (SOC) Workflow

[Figure: alert sources are Firewall 1,2,3,4, IPS, Proxy, APT, SIEM and Endpoint security logs. Third-party threat intel supplies only IOCs (IP, URL, Domain); free community search (e.g. VirusTotal, URL blacklists, malwaredomain) provides only some IOCs, with less detail. The analyst runs Search & Query, investigates, produces a summary report and informs the security admin, who takes actions manually.]

Page 8

Metrics for success

TIME TO IDENTIFICATION: decrease the time to identify new, targeted attacks

TIME TO ERADICATION: speed mitigation without adding specialized staff

Page 9

How to improve security incident response operation workflow?

Page 10

1. Using the global threat intelligence cloud

[Figure: the Threat Intelligence Cloud combines WildFire with malware signatures (1 billion), C&C/DNS signatures (millions) and URL signatures (billions), fed by malware/APT feeds, 3rd-party feeds and the Passive DNS Network.]

• Real-world attacks from WildFire, the industry’s largest network-sandbox service (>15,000 WildFire global enterprise customers)
• Cyber Threat Alliance: sharing threat information
• 3rd-party feeds, closed and open-source intel
• Palo Alto Networks Global Passive DNS Network
• Unit 42, TI and research team

Page 11

Threat Intelligence: Detecting the unknown… at scale

150M samples/month

WildFire delivers over 100K new protections to customers per day

AutoFocus contains over 2B files and over 500B artifacts (and growing)

Over 1,000 AutoFocus tags add human-curated intelligence to over 80% of yearly malware incidents

Known good files = reduce FP

Known bad files = reduce FN

Enriched information

Page 12

Demo: Context from AutoFocus

Context:

• Malware families
• Attack campaigns
• Exploits
• Malicious behavior
• Threat actors

Context:

• My org, my industry and global view
• Top malware
• Top application malware
• Top source, destination, country

Context:

• Malware dynamic & static analysis
• Malware behavior
• Indicators of attack and compromise
• Top attack source, destination and country

Indicators shown in the demo:

- IP: 185.127.25.176
- Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- URL: phil-army.gotdns.org/4c4f4f50/archive/512321505.html

Page 13

Using a Large Global Threat Intelligence Source

[Figure: the workflow of page 7, with sources Firewall 1,2,3,4, IPS, Proxy, APT, SIEM and Endpoint security logs, and 3rd-party threat intel feeds that provide only IOCs (IP, URL, Domain). The global threat intelligence source adds deep information for investigation: threat actors, malware family, adversary campaign, target industries, alert prioritization, malicious behavior, exploit techniques, and context (IP, connectivity, domain, URL, passive DNS, etc.). Search & Query now yields an accurate summary report and more actionable actions; the security admin is informed and given actionable controls, but still takes actions manually.]

Page 14

2. Orchestrate Threat Intelligence and Enforce Prevention-based Control Automatically

[Figure: threat intelligence feeds and private feeds flow into threat intelligence platforms, which drive network enforcers, endpoint enforcers and the SIEM.]

• Aggregate and correlate TI feeds
• Automated enforcement of prevention-based control

Page 15

Threat Intel Aggregator Architecture

Input: threat feeds

• OSINT
• Commercial
• Organization (CERT, ISAC)
• AutoFocus

Processors

• IPv4/IPv6 aggregator
• URL aggregator
• Domain aggregator

Outputs

• JSON
• STIX/TAXII
• External Dynamic List (EDL)
• Elastic Logstash

Consumers: endpoint enforcers, network enforcers (FW, IPS), SIEM

Page 16

Reduce False Positives by Correlating TI

[Figure: IP, DNS and URL indicator lists from 3rd-party threat intel are cross-checked and correlated, and the resulting IOCs are exported to endpoint enforcers, network enforcers (FW, IPS) and the SIEM.]
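The aggregator and cross-check steps of pages 15 and 16, as an added example that is not code from the deck or from MineMeld: three constructed feeds are normalised into IPv4, domain and URL indicators, indicators reported by fewer than two independent feeds or present on a known-good allowlist are dropped, and the corroborated set is exported as an External Dynamic List and as JSON. Feed names, indicators and the allowlist are constructed values.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample feeds (hypothetical), one raw indicator per entry, as an
# aggregator would receive them from OSINT, commercial and ISAC sources.
FEEDS = {
    "osint_feed": ["203.0.113.7", "bad.example.net",
                   "http://bad.example.net/drop.php", "198.51.100.9", "192.0.2.44"],
    "commercial_feed": ["203.0.113.7", "Bad.Example.net.", "198.51.100.9",
                        "cdn.example.org"],
    "isac_feed": ["bad.example.net", "HTTP://Bad.Example.NET/drop.php", "198.51.100.9"],
}
# Constructed known-good list: anything on it is never exported (reduces FP).
ALLOWLIST = frozenset({"cdn.example.org"})

def classify(raw):
    """Normalise a raw indicator and return (kind, value); kind is ipv4, url or domain."""
    value = raw.strip()
    try:
        return "ipv4", str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if "://" in value:
        p = urlparse(value)
        # Scheme and host are case-insensitive; the path is not, so keep it as-is.
        return "url", f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    return "domain", value.lower().rstrip(".")

def aggregate(feeds, allowlist=frozenset()):
    """Map each normalised (kind, value) to the set of feed names reporting it."""
    seen = defaultdict(set)
    for name, items in feeds.items():
        for raw in items:
            kind, value = classify(raw)
            if value not in allowlist:
                seen[(kind, value)].add(name)
    return seen

def cross_check(seen, min_sources=2):
    """Keep only indicators corroborated by at least min_sources independent feeds."""
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_sources}

def export_edl(confirmed, kind):
    """External Dynamic List: one indicator per line, ready for a firewall to poll."""
    return "\n".join(sorted(v for (k, v) in confirmed if k == kind))

def export_json(confirmed):
    """JSON export for a SIEM, keeping the corroborating sources as context."""
    return json.dumps([{"type": k, "indicator": v, "sources": s}
                       for (k, v), s in sorted(confirmed.items())])
```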

Page 17

Orchestrate TI and Automatically Enforce Prevention-based Control

[Figure: the investigation workflow of page 13 (Firewall 1,2,3,4, IPS, Proxy, APT, SIEM and Endpoint security logs; deep information for investigation: threat actors, malware family, adversary campaign, target industries, alert prioritization, malicious behavior, exploit techniques, and context such as IP, connectivity, domain, URL and passive DNS; Search & Query giving an accurate summary report and more actionable actions for the security admin). IP, DNS and URL lists from 3rd-party threat intel arrive as an IOC feed (JSON, STIX), are cross-checked and exported as IOCs, and are automatically polled by the enforcers for prevention; a watchlist & traceback is driven by API calls (JSON, STIX).]

Page 18

How it Works

[Figure: on premise, the endpoint, SIEM, firewall and proxies are fed by a local MineMeld instance. In the cloud, MineMeld acts as TI consolidator over AutoFocus, 3rd-party TI feeds and WildFire threat big data; threat intelligence samples, context and matches are cross-checked and searched against an indicator store. Actionable threat intel is exported to drive automated prevention control.]

Page 19

Why Do We Need a Security Platform?

[Figure: legacy security responses stack a Firewall (stateful inspection), Legacy AV controls, a Web Security Gateway (Proxy), Intrusion prevention, Sandboxing and a SIEM at every site, increasing workflow complexity. A next-generation security platform gives full visibility at all locations, prevents zero-day threats and speeds security analysis workflows.]

Legacy security responses increase complexity.

Page 20

Key Benefits

1. Provide full visibility and prevention on all risk locations
2. Reduce complexity
3. Decrease the number of events per second
4. Reduce log storage
5. Reduce false positive events
6. Improve detection, response & forensic times
7. Accelerate incident handling & response workflow
