Date posted: 25-Jul-2015
Uploaded by: cohen88or
Challenges
• Many daily alerts from multiple sources.
• We are able to detect – now what?
• Response procedure? What response procedure?
• We are understaffed.
• Efficient response to every alert is not possible.
• Multiple tools, tons of information.
• OOTB doesn’t fit you.
Making it worse (for IR)
• The Big Data buzz.
• Heavy use of algorithms & anomaly detection.
• Trending analysis.
• Intelligence & Reputation feeds.
• The demand for magic.
They’re all great! But the outcome is more questions…
People talk about tackling the “Unknown” threats
Yet the same people still struggle with the most common “Known” threats
State of mind
Common Solutions
• Use external consulting
• Buy more products
• More information
• Hire more people
• Harder to manage
Utilize your knowledge
• You know where you live.
• You know what happens often.
• You know what you want to ask.
• You know what you want to do.
• You know who you can talk to.
• You know your tools & information.
Best Case Scenario
[Workflow diagram; component labels recovered from the slide: SIEM rule, ECAT (query, device control), VxStream Sandbox (report), severity matrix, AV vendor (signature), mail and web filter (block website/IP, block sender), mitigation]
Save time
• Agent deployment – Automated.
• Running a scan – Automated.
• Severity evaluation & triage – Automated.
• Data enrichment – Automated.
• Proactive blocking – Automated.
• Mitigation – Automated.
Save time
• 196 alerts in 2 weeks – average of 14 per day.
• 238 artifacts sent.
• 175 NEW AV signatures.
• 266 hosts were cleaned.
• 0 hours of human intervention.
• From drawing board to reality – 8 days.
• Same process done manually – 5h per alert.
• Done manually – 5h * 196 alerts =
  – ~122 DAYS for 1 FTE.
  – ~41 DAYS for 1 FTE working 24/7.
Save time
• Better alert coverage – quantity, SLA, multitasking.
• Human time used for un-scriptable cases.
• Maximum utilization of existing products – API.
• Tailor-made for you.
• Query, patch, update, install, block, delete, etc.
• Orchestrators are your friends.
• Raise your overall security posture.
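The six automated steps (agent deployment, scan, severity evaluation & triage, enrichment, proactive blocking, mitigation) and the manual-effort comparison above are easier to reason about as a small orchestration skeleton. The block below is an added example, not code from the slides or from any of the products named on them (ECAT, VxStream, the AV vendor). The tool adapters are stand-ins that return constructed data, the severity matrix and playbook are hypothetical, and the alert records are made up; the shape it shows is the point: a severity matrix that maps sandbox verdict and asset criticality to a fixed, pre-approved set of actions, with anything the matrix does not cover routed to a human rather than acted on by guesswork.

```python
"""Added example: a minimal alert-handling pipeline mirroring the six
automated steps on the slide. Adapters are stubs with constructed data;
severity matrix, playbook and alerts are hypothetical."""
from dataclasses import dataclass, field

# Constructed SIEM alerts: host, suspicious file hash, asset criticality tier.
ALERTS = [
    {"id": "A-1", "host": "ws-017", "sha256": "aa" * 32, "asset_tier": "workstation"},
    {"id": "A-2", "host": "db-02",  "sha256": "bb" * 32, "asset_tier": "server"},
    {"id": "A-3", "host": "ws-044", "sha256": "cc" * 32, "asset_tier": "workstation"},
    {"id": "A-4", "host": "cam-09", "sha256": "dd" * 32, "asset_tier": "iot"},
]

# Stand-in sandbox verdicts keyed by hash (constructed; a real sandbox returns a report).
SANDBOX_VERDICTS = {"aa" * 32: "malicious", "bb" * 32: "suspicious", "cc" * 32: "clean"}

# Severity matrix: (sandbox verdict, asset tier) -> severity. Hypothetical values.
SEVERITY_MATRIX = {
    ("malicious", "server"): "critical", ("malicious", "workstation"): "high",
    ("suspicious", "server"): "high",    ("suspicious", "workstation"): "medium",
    ("clean", "server"): "info",         ("clean", "workstation"): "info",
}

# Pre-approved actions per severity; anything not listed here is never run automatically.
PLAYBOOK = {
    "critical": ["block_hash", "isolate_host", "submit_to_av_vendor", "clean_host"],
    "high":     ["block_hash", "submit_to_av_vendor", "clean_host"],
    "medium":   ["block_hash", "submit_to_av_vendor"],
    "info":     [],
}

@dataclass
class CaseRecord:
    alert_id: str
    host: str
    severity: str = "unknown"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    needs_human: bool = False

def deploy_agent_and_scan(host: str, sha256: str) -> dict:
    """Steps 1-2: ensure the endpoint agent is present and collect the artifact.
    Stub: pretends the artifact is retrievable from every host."""
    return {"host": host, "sha256": sha256, "artifact_collected": True}

def enrich(sha256: str) -> dict:
    """Step 4: sandbox detonation. Stub returns the constructed verdict."""
    return {"sandbox_verdict": SANDBOX_VERDICTS.get(sha256, "unknown")}

def evaluate_severity(verdict: str, asset_tier: str) -> str:
    """Step 3: severity matrix lookup; combinations the matrix lacks are not guessed."""
    return SEVERITY_MATRIX.get((verdict, asset_tier), "unknown")

def handle_alert(alert: dict) -> CaseRecord:
    case = CaseRecord(alert_id=alert["id"], host=alert["host"])
    scan = deploy_agent_and_scan(alert["host"], alert["sha256"])
    if not scan["artifact_collected"]:
        case.needs_human = True          # no artifact: the scripted path ends here
        return case
    case.enrichment = enrich(alert["sha256"])
    case.severity = evaluate_severity(case.enrichment["sandbox_verdict"], alert["asset_tier"])
    if case.severity == "unknown":
        case.needs_human = True          # matrix gap: analyst decides, no guessed action
        return case
    # Steps 5-6: proactive blocking and mitigation, taken only from the playbook.
    case.actions = list(PLAYBOOK[case.severity])
    return case

def run_pipeline(alerts):
    """Process every alert and return the per-case records plus slide-style counters."""
    cases = [handle_alert(a) for a in alerts]
    summary = {
        "alerts": len(cases),
        "artifacts_sent": sum("submit_to_av_vendor" in c.actions for c in cases),
        "hosts_cleaned": sum("clean_host" in c.actions for c in cases),
        "human_queue": [c.alert_id for c in cases if c.needs_human],
    }
    return cases, summary

def manual_effort_hours(alert_count: int, hours_per_alert: float) -> float:
    """The slide's back-of-envelope comparison: analyst hours without automation."""
    return alert_count * hours_per_alert

if __name__ == "__main__":
    cases, summary = run_pipeline(ALERTS)
    for c in cases:
        print(c.alert_id, c.host, c.severity, c.actions, "-> HUMAN" if c.needs_human else "")
    print(summary)
    hours = manual_effort_hours(196, 5)
    print(f"manual: {hours} h = {hours / 8:.0f} analyst days, {hours / 24:.0f} days around the clock")
```

The fourth constructed alert has an asset tier the matrix does not know, so it lands in the human queue untouched; that is the intended failure mode for an orchestrator, since the slides' argument is that automation handles the known cases and human time goes to the rest.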
Summary
Automate and be prepared for your “Known” threats
Have the time to handle the “Unknown” threats
Bottom line