Date post: 31-Mar-2018
Transcript

SESSION ID: GPS-R08B
#RSAC

Yaniv Bar-Dayan
Tripling incident response volume with SOC orchestration
Cybersecurity Evangelist, Cyberbit, @ybardayan

Slide 2: About The Customer

• Tier-1 bank
• 24/7 SOC
• 6 analysts per shift x 3 shifts/day

Slide 3: Challenges

• Over 200 alerts/day
• Only 30% of incidents opened during a shift were closed during the same shift
• Manual incident response process: slow and inefficient
• Over 20 security systems in the SOC: SIEM, DLP, WAF, IPS, EDR, A/V, Threat Intel, Active Directory…
• Lack of visibility: could not access data from the various security, IT and non-IT systems
• Investigation challenges: hard to synthesize data from disparate sources and generate insights
• Skill shortage: lack of staff, inexperienced staff, lack of tier-2 analysts, no option to recruit

Slide 4: End Results | Percentage of incidents closed within one shift

[Chart: percentage of incidents closed within one shift, by quarter from Q2 2016 to Q1 2017; y axis 0 to 90%]

© 2016 by CYBERBIT │ CYBERBIT Proprietary

Slide 5: The Project

Slide 6: Project Goals

Increase efficiency
• Accelerate incident response
• Reduce SOC team workload
• Reduce escalations to tier 2
• Increase KPI measurability

Improve prioritization & business alignment
• Focus on business-critical incidents
• Keep executive level informed
• Engage the entire organization

Improve visibility
• Faster access to data from all IT SOC sources for investigation
• Better insights and data correlation

Slide 7: Selected Approach

Orchestration
• IR workflow management
• Workflows
• Prioritization by business context
• Response: single pane of glass

Automation
• Workflows
• Data enrichment
• Response
• Must be selective depending on case

Investigation
• Synthesizing data sources to expose insights
• Big-data platform (scale and flexibility)
• Search data for hunting and investigation
• Visibility into historical SOC data

Slide 8: Adding a SOC Hub

Alert sources: SIEM, Ticketing, Email, CRM, Helpdesk, EDR, UBA
Response tools: IPS, EDR, WAF, Active Directory, NAC, Memory Dump
Enrichment sources: Threat Intel, CMDB, HR Systems, GRC, Compliance, Vulnerability Assessment
Hub: SOC big-data platform, integrated with all of the above through APIs

Slide 9: Results

Slide 10: Pre-Automation: Manual Incident Response

Manual preparation: 15 minutes

Workflow stages as drawn on the slide, each carried out by an analyst:
• New malware alert
• Run memory dump utility
• Isolate host using NAC API
• Alert IT to replace user host
• Check asset criticality
• Critical process
• Check BISO contact
• Alert CISO & BISO
• Collect additional raw data
• Send recommendations and summary report
• Investigate
• Escalate to tier 2

Per-stage times shown on the slide: 2, 2, 3, 2, 2, 2, 2 minutes

Slide 11: Post-Automation: 15 Minutes Saved Per-Incident

Automated by the SOC hub:
• Automated decision making
• Automated data enrichment
• Automated response

Workflow stages (start here: new malware alert):
• New malware alert
• Run memory dump utility
• Alert IT to replace user host
• Critical process
• Check BISO contact
• Alert CISO & BISO
• Collect additional raw data (e.g. TI)
• Send recommendations and summary report
• Investigate
• Escalate to tier 2
• Isolate host using NAC API
• Check asset criticality

Slide 12: The Impact On TTR and TCO

Average number of stages per incident: 6
Average time saved by SOC 3D per stage: 2 minutes
Total time saved by SOC 3D per incident: 12 minutes
Number of daily incidents: 100
Time saved by SOC 3D every day: 20 hours
TCO saving per day: $2,000
TCO saving per month: $44,000
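The post-automation workflow and the TCO slide above describe a playbook whose stages the SOC hub runs on its own, with the caveat from the approach slide that automation must be selective depending on the case. The following Python model is an added example, not Cyberbit's code or the bank's playbook: it runs six stages named on the deck, defers host isolation to a tier-2 analyst when the host runs a critical process (a constructed policy), and reproduces the deck's time and cost arithmetic. The Incident and Stage types, the action tags, the $100/hour analyst cost and the 22 working days per month are all assumptions; the last two are chosen to match the deck's $2,000/day and $44,000/month.

```python
from dataclasses import dataclass, field
from typing import Callable, List
@dataclass
class Incident:                     # constructed model of one malware alert
    host: str
    asset_critical: bool = False    # CMDB enrichment: business-critical asset
    critical_process: bool = False  # host runs a process that must not be interrupted
    actions: List[str] = field(default_factory=list)
    escalate: bool = False          # set when a decision is handed to tier 2
@dataclass
class Stage:
    name: str
    minutes: int                    # analyst minutes the stage cost when done by hand
    run: Callable[[Incident], bool] # True if handled without an analyst
def check_asset_criticality(inc: Incident) -> bool:
    inc.actions.append(f"cmdb:{inc.host}:critical={inc.asset_critical}")
    return True
def alert_ciso_biso(inc: Incident) -> bool:
    if inc.asset_critical:          # only business-critical assets wake executives
        inc.actions.append("notify:CISO,BISO")
    return True
def isolate_host(inc: Incident) -> bool:
    # Selective automation (assumed policy): a host running a critical process is
    # not cut off by the playbook; the call goes to tier 2, so no time is saved here.
    if inc.critical_process:
        inc.escalate = True
        inc.actions.append("isolate:deferred-to-tier2")
        return False
    inc.actions.append(f"nac:isolate:{inc.host}")
    return True
def log_only(tag: str) -> Callable[[Incident], bool]:
    def run(inc: Incident) -> bool:  # enrich-or-notify stages: record and continue
        inc.actions.append(tag)
        return True
    return run
# Six automated stages at an average of 2 minutes each, as on the deck's TCO slide.
PLAYBOOK = [Stage("check asset criticality", 2, check_asset_criticality),
            Stage("check BISO contact", 2, log_only("lookup:biso-contact")),
            Stage("alert CISO & BISO", 2, alert_ciso_biso),
            Stage("collect additional raw data", 2, log_only("enrich:threat-intel")),
            Stage("isolate host via NAC API", 2, isolate_host),
            Stage("alert IT to replace host", 2, log_only("ticket:replace-host"))]

def run_playbook(inc: Incident) -> int:
    # Run every stage in order; return analyst minutes saved by fully automated stages.
    return sum(stage.minutes for stage in PLAYBOOK if stage.run(inc))

def monthly_tco_saving(incidents_per_day=100, minutes_saved=12, hourly_cost=100.0, days=22):
    # Assumption: $100/hour and 22 working days reproduce the deck's $2,000/day and $44,000/month.
    return incidents_per_day * minutes_saved / 60 * hourly_cost * days
```

A run over an ordinary workstation saves the full 12 minutes, while a host flagged as running a critical process saves 10 and leaves the isolation decision with a tier-2 analyst.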

Slide 13: Goals Achieved

• Business alignment: from 30% to 80% of incidents closed per shift
• Managing the entire set of tools from a single screen
• Improved visibility: flexible access to data and dashboards for monitoring business-critical areas
• No change in workforce

Slide 14: End Results | Percentage of incidents closed within one shift

[Chart, repeated from slide 4: percentage of incidents closed within one shift, by quarter from Q2 2016 to Q1 2017; y axis 0 to 90%]

Slide 15: Triple Incident Response Volume in Your Organization

Educate + Learn = Apply

How to apply this in the office: use the information from this session to revisit IR processes and technologies for faster and more efficient incident response

Your role as a student: educate your Security Operations organization on new incident response approaches

My role as instructor: provide you with practical incident response optimization actions based on a real-life case study

Slide 16: Apply SOC Orchestration

Next week you should:
• Revisit IR processes and technologies within your organization

In the first three months following this presentation you should:
• Understand what the bottlenecks and the missing methodologies, workflows and dashboards are
• Define the security and non-security systems to integrate with, the automatic response level, and the dashboard for situational awareness

Within six months you should:
• Select a security operations management system which allows you to work efficiently, investigate easily and respond fast to alerts and security threats
• Drive an implementation project to mechanize and utilize your SOC

Slide 17: Thank you

[email protected]