TRANSCRIPT
Don’t be a SIEMingly SOAR Loser… @SOCologize
Rob Gresham
October 8, 2019
Abstract
Why Security Orchestration Automation and Response?
To integrate or to not?
ROI, the mystery to SOAR metrics
Case management, Service Catalogs or Digital workflows, Oh My?
How do I start to get my SOC to SOAR?
What do you use for best practices, or what is everyone else using?
What’s in it for me?
Barriers to excellence reported in the 2019 SANS SOC Survey:
Absence of skilled staff: 58%
Absence of effective automation & orchestration (absence of SOAR): 50%
Tools not integrated: 43%
Lack of management support: 37%
Lack of processes or playbooks: 37%
ATAR Labs, Ayehu, Cyberbit, CyberSponse, D3 Security, Demisto, DFLabs, EclecticIQ, IBM, Splunk, Rapid7, Resolve, ServiceNow, Siemplify, Swimlane, Syncurity, ThreatConnect, and ThreatQuotient.
Courtesy of Gartner Market Guides:
https://www.gartner.com/en/research/methodologies/market-guide
Dashboard metrics:
Hours Saved
Dollars Saved
FTE Gained
Playbooks Run
Actions Run
Incoming Events
Cyber Security Salary Guide: What Does Today’s Cyber Security Workforce Make?
https://digitalguardian.com/blog/cyber-security-salary-guide-what-does-todays-cyber-security-workforce-make
Calculating SOAR ROI
Investment breaks even in 8 months with only 9 playbooks.
This customer had ~556 events a day
Average customer builds approximately 15-40 playbooks
[Chart: SOAR ROI for 9 playbooks over time. Series: TCO, Earned Value (15m), Earned Value (30m). X-axis: months, Apr 2018 to Sep 2019. Y-axis: $0 to $1,200,000.]
Do you know when your investment breaks even?
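The break-even question above, worked as an added example: this is not Splunk's ROI calculator and not part of the original deck. It models the two series on the chart (earned value at 15 and at 30 minutes saved per event) against cumulative TCO and reports the dashboard figures Hours Saved, Dollars Saved and FTE Gained. Only the event rate (~556 a day) comes from the page; the hourly analyst cost, the upfront cost and the monthly run cost are constructed assumptions.

```python
"""SOAR ROI break-even model: cumulative earned value vs. cumulative TCO by month.

Example code added for this page (not Splunk's ROI calculator). Every dollar
figure below is a constructed assumption; the page gives only the event rate
(~556 a day) and the two earned-value cases (15 and 30 minutes saved per event).
"""
from dataclasses import dataclass


@dataclass
class RoiAssumptions:
    events_per_day: float           # events the playbooks actually handle
    minutes_saved_per_event: float  # analyst minutes saved per handled event
    loaded_hourly_cost: float       # fully loaded analyst cost per hour (assumed)
    upfront_cost: float             # licence + integration/playbook build, booked at month 0 (assumed)
    monthly_run_cost: float         # support, licence, maintenance per month (assumed)
    days_per_month: float = 30.0


def hours_saved_per_month(a):
    """The "Hours Saved" tile: analyst hours the playbooks give back each month."""
    return a.events_per_day * a.days_per_month * a.minutes_saved_per_event / 60


def earned_value_per_month(a):
    """The "Dollars Saved" tile: hours saved priced at the loaded analyst rate."""
    return hours_saved_per_month(a) * a.loaded_hourly_cost


def fte_gained(a, hours_per_fte_month=160.0):
    """The "FTE Gained" tile, assuming 160 productive hours per analyst-month."""
    return hours_saved_per_month(a) / hours_per_fte_month


def cumulative_curves(a, months):
    """Return (tco, earned_value) lists, one entry per month 1..months."""
    tco, ev = [], []
    cum_tco, cum_ev = a.upfront_cost, 0.0
    for _ in range(months):
        cum_tco += a.monthly_run_cost
        cum_ev += earned_value_per_month(a)
        tco.append(cum_tco)
        ev.append(cum_ev)
    return tco, ev


def break_even_month(a, horizon_months=36):
    """First month in which cumulative earned value meets cumulative TCO, or None."""
    tco, ev = cumulative_curves(a, horizon_months)
    for month, (t, e) in enumerate(zip(tco, ev), start=1):
        if e >= t:
            return month
    return None


# The two cases plotted on the page's chart, with constructed cost figures.
BASE = dict(events_per_day=556, loaded_hourly_cost=60.0,
            upfront_cost=1_000_000.0, monthly_run_cost=15_000.0)
CASE_15M = RoiAssumptions(minutes_saved_per_event=15, **BASE)
CASE_30M = RoiAssumptions(minutes_saved_per_event=30, **BASE)

if __name__ == "__main__":
    for label, case in (("15m", CASE_15M), ("30m", CASE_30M)):
        print(label, "hours/month:", hours_saved_per_month(case),
              "FTE:", round(fte_gained(case), 1),
              "break-even month:", break_even_month(case))
```

Under these assumptions the 15-minute case breaks even in month 5 and the 30-minute case in month 3, which is the point of the chart: the per-event saving dominates the answer, so the "Hours Saved" tile has to be measured rather than guessed before the ROI figure is defensible.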
Meh-trics anyone?
Mean Build Time: 20 Days (4 Integrations and 9 Playbooks)
Mean Time to Production: 3 Months (9 Playbooks, 585 Events a day)
ROI Value: $851,725 to date
Technology / Human Cost: $7701 Support, License, Maintenance
Break even on Feb 23, 2019 at $612,964.12
SOAR ROI done right…
Integrations
Case Management Processing
Headless Operation
Which integration is best for our team?
Operations Fractal: People, Process and Technology
Monitor
Discover
Respond
Measure
Automate
Transform
Learn
Meh-trics
Mean Time to Detect: measure Time to Alert Analyst (New Event/Alert)
Mean Time To Respond: measure Time for Analyst to Pickup (New to Open Status)
Mean Time To Contain: measure Time for Analyst to Contain (Time to Task Contain)
Mean Time To Recovery: measure Re-image validation
Mean Time To Close: measure Closing Dispositions
Just the basics: start Macro, move to Micro
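The five lifecycle metrics above, computed from case timestamps, as an added example that is not Splunk's code and not part of the original deck. Each metric is the mean gap between two timestamps recorded on a case; which two timestamps bound each metric is an assumption made here, following the slide's "Measure:" hints, and the case records are constructed sample data. The "macro to micro" step is the second function, which splits the same metrics by a case attribute.

```python
"""Lifecycle metrics (MTTD, MTTR, MTTC, MTT-Recovery, MTT-Close) from case timestamps.

Example code added for this page; not Splunk's or the speaker's. The stage
boundaries in STAGES are an assumption made for the example, and CASES is
constructed sample data.
"""
from datetime import datetime
from statistics import mean

STAGES = {
    "mean_time_to_detect":   ("event_time", "alerted_at"),     # Time to Alert Analyst
    "mean_time_to_respond":  ("alerted_at", "opened_at"),      # Analyst pickup, New -> Open
    "mean_time_to_contain":  ("opened_at", "contained_at"),    # Contain task completed
    "mean_time_to_recovery": ("contained_at", "recovered_at"), # Re-image validated
    "mean_time_to_close":    ("alerted_at", "closed_at"),      # Closing disposition recorded
}

# Constructed cases. A stage a case never reached is None: a false positive is
# closed without containment and must not distort the containment mean.
CASES = [
    {"id": "C-1001", "source": "phishing", "disposition": "true_positive",
     "event_time": "2019-09-01T08:00:00", "alerted_at": "2019-09-01T08:05:00",
     "opened_at": "2019-09-01T08:20:00", "contained_at": "2019-09-01T09:20:00",
     "recovered_at": "2019-09-01T12:20:00", "closed_at": "2019-09-01T13:20:00"},
    {"id": "C-1002", "source": "phishing", "disposition": "true_positive",
     "event_time": "2019-09-01T09:00:00", "alerted_at": "2019-09-01T09:14:00",
     "opened_at": "2019-09-01T09:25:00", "contained_at": "2019-09-01T10:25:00",
     "recovered_at": None, "closed_at": "2019-09-01T11:25:00"},
    {"id": "C-1003", "source": "malware", "disposition": "true_positive",
     "event_time": "2019-09-01T10:00:00", "alerted_at": "2019-09-01T10:02:00",
     "opened_at": "2019-09-01T10:32:00", "contained_at": "2019-09-01T12:32:00",
     "recovered_at": "2019-09-02T12:32:00", "closed_at": "2019-09-02T13:32:00"},
    {"id": "C-1004", "source": "malware", "disposition": "false_positive",
     "event_time": "2019-09-01T11:00:00", "alerted_at": "2019-09-01T11:01:00",
     "opened_at": "2019-09-01T11:11:00", "contained_at": None,
     "recovered_at": None, "closed_at": "2019-09-01T11:31:00"},
]


def _minutes_between(case, start_key, end_key):
    """Minutes between two stages, or None if the case never reached the later one."""
    start, end = case.get(start_key), case.get(end_key)
    if start is None or end is None:
        return None
    delta = (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60
    if delta < 0:  # a clock or data-entry problem, not a negative response time
        raise ValueError(f"{case['id']}: {end_key} precedes {start_key}")
    return delta


def lifecycle_metrics(cases):
    """Macro view: each metric averaged over every case that reached both stages."""
    result = {}
    for name, (start_key, end_key) in STAGES.items():
        samples = []
        for case in cases:
            minutes = _minutes_between(case, start_key, end_key)
            if minutes is not None:
                samples.append(minutes)
        result[name] = round(mean(samples), 1) if samples else None
    return result


def metrics_by(cases, attribute):
    """Micro view: the same metrics split by a case attribute such as source."""
    groups = {}
    for case in cases:
        groups.setdefault(case[attribute], []).append(case)
    return {key: lifecycle_metrics(group) for key, group in groups.items()}


if __name__ == "__main__":
    print(lifecycle_metrics(CASES))
    for source, metrics in metrics_by(CASES, "source").items():
        print(source, metrics)
```

Splitting by source is where the automation target shows up: in the sample data phishing cases take several times longer to reach an analyst than malware alerts, which is the kind of gap a playbook should be measured against before and after it is deployed.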
Hacking your SOEL
Suspicious email: REVIEW BODY AND HEADER INFO / QUERY RECIPIENTS / HUNT FILE / HUNT URL / FILE / URL REPUTATION / FILE ASSESSMENT / REMOVE EMAIL / REVIEW EMAIL
https://www.youtube.com/watch?v=_mnxZ1iSUGg
WHAT IS SOEL? Security Operations Events Lifecycle
Traditional Security Operation Actions
INGESTION OR ALERTING
EXTERNAL VALIDATION
INTERNAL HUNTING
CHANGE / MONITORING
RUN JOBS
NOTIFICATIONS
Hacking your SOEL
Email: INGEST EMAIL / PARSE FILES, URLS, EMAIL HEADERS / FILE / URL REPUTATION / DETONATE UNKNOWN URL / FILE / HUNT FILE / HUNT URL / TASK ANALYST / PHISH / HOST ASSESSMENT / REMOVE EMAIL
Playbook Methodology
Compact playbooks that quickly perform common independent functions
INPUT: Source(s): event, process, information expected
INTERACTION: Owner, Actioner, Supporter, Consulted, Involved/Informed (OASCI) between teams, technology, or events
ACTION: The transformation, duties, actions to be performed by a person, tool, analysis or correlation to a function
ARTIFACTS: The expected output of actions performed by the process or function
Phishing Use Case Analysis: build utility playbooks to complete the process
ACTIONS:
Block file
File Rep w/ rate limit
Block IP
Block Domain
Block URL
URL Rep
Domain Rep
Get File
Detonate File
Prompt Analyst
Change Severity
Change Sensitivity
Send Email
Quarantine Host
Get Approval
Hunt file
Hunt URL
Promote Case
Cache Hash
Store File
Analyze File
Task Forensics
Block Process
Get customer info
Get system info
Check white/black lists
Get BU info
Run query
Lookup info (Threat Intel)
INPUT: Receive a hash and/or file
INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
ARTIFACTS:
P1: Analyze, Prompt, Block Known malware
P2: Analyze, Sandbox, (De)Escalate
P3: Cache Results, Display Report, Manual Analysis
Phishing Use Case Analysis: build utility playbooks to complete the process
ACTIONS:
Block file
File Rep
Block IP
Block Domain
Block URL
URL Rep
Domain Rep
Detonate File
Prompt Analyst
Change Severity
Change Sensitivity
Send Email
Quarantine Host
Create Ticket (re-image)
Add Note/Comment
Get Approval
Hunt file
Hunt URL
Promote Case
Analyze File
Task Forensics
Block Process
Get customer info
Get system info
Check white/black lists
Create Ticket (delete email)
Get BU info
Run query (other emails)
Lookup info (Threat Intel)
INPUT: Receive an email with a URL or file
INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, Splunk, CB Response, Palo Alto, Zscaler, ThreatCrowd
ARTIFACTS:
P1: Analyze, Block Known malware, Remove Email, Prompt
P2: Analyze, Sandbox, (De)Escalate
P3: Cache Results, Display Report, Manual Analysis
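One of the utility playbooks both use-case slides call for, "File Rep w/ rate limit" with "Cache Hash", written out in the I2A2 structure as an added example; it is not Splunk's or the speaker's playbook code. It assumes a reputation source is any callable that takes a sha256 and returns a (verdict, detection count) pair or None for an unknown hash; the SAMPLE_REPUTATION table and the detection counts in it are constructed. The run record carries the Input, the Interactions touched, the Actions taken and the Artifacts, with the P1/P2/P3 tiers from the slides as the artifact that the parent phishing playbook branches on.

```python
"""Utility playbook "File Rep w/ rate limit" expressed with the I2A2 structure.

Example code added for this page; it is not Splunk's or the speaker's playbook.
Assumed: a reputation source is any callable taking a sha256 hex string and
returning (verdict, detection_count), or None when the hash is unknown. The
SAMPLE_REPUTATION table is constructed data standing in for that lookup.
"""
from collections import deque
from dataclasses import dataclass, field
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample data; the detection counts are invented for the example.
SAMPLE_REPUTATION = {
    "a" * 64: ("malicious", 52),
    "b" * 64: ("clean", 0),
    "c" * 64: ("suspicious", 3),
}


def sample_lookup(sha256):
    """Stand-in for a VirusTotal/ThreatConnect style query."""
    return SAMPLE_REPUTATION.get(sha256)


class RateLimiter:
    """Sliding window: at most `limit` external lookups in any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.calls = limit, window, deque()

    def allow(self, now):
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()
        if len(self.calls) >= self.limit:
            return False
        self.calls.append(now)
        return True


@dataclass
class PlaybookRun:
    """One I2A2 record: Input, Interactions (who/what was touched), Actions, Artifacts."""
    input_hash: str
    interactions: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    artifacts: dict = field(default_factory=dict)


class FileRepPlaybook:
    def __init__(self, lookup, limiter, malicious_threshold=10):
        self.lookup = lookup
        self.limiter = limiter
        self.threshold = malicious_threshold  # detections needed to call it known malware
        self.cache = {}  # sha256 -> (verdict, detections); the "Cache Hash" action

    def run(self, sha256, now):
        run = PlaybookRun(input_hash=sha256)
        sha256 = sha256.strip().lower()
        if not SHA256_RE.match(sha256):
            run.artifacts = {"tier": None, "next_step": "reject", "reason": "not a sha256"}
            return run
        if sha256 in self.cache:
            run.interactions.append("cache")
            run.actions.append("Cache Hit")
            result = self.cache[sha256]
        elif not self.limiter.allow(now):
            # Budget for the external service is spent: hand back a retry artifact
            # instead of failing the parent playbook.
            run.actions.append("Defer")
            run.artifacts = {"tier": None, "next_step": "retry", "reason": "rate limited"}
            return run
        else:
            run.interactions.append("reputation_service")
            run.actions.append("File Rep")
            result = self.lookup(sha256)
            if result is not None:  # unknown hashes are not cached, so a later run asks again
                self.cache[sha256] = result
                run.actions.append("Cache Hash")
        return self._disposition(run, result)

    def _disposition(self, run, result):
        if result is None:  # P2: analyze, sandbox, (de)escalate
            run.actions += ["Detonate File", "Change Severity"]
            run.artifacts = {"tier": "P2", "verdict": "unknown", "next_step": "sandbox"}
        elif result[1] >= self.threshold:  # P1: known malware, prompt and block
            run.actions += ["Prompt Analyst", "Block file"]
            run.artifacts = {"tier": "P1", "verdict": result[0], "next_step": "block"}
        else:  # P3: cached or benign-looking result, show the report, manual analysis
            run.actions += ["Display Report", "Task Analyst"]
            run.artifacts = {"tier": "P3", "verdict": result[0], "next_step": "manual_analysis"}
        return run


if __name__ == "__main__":
    playbook = FileRepPlaybook(sample_lookup, RateLimiter(limit=2, window=60))
    for h, t in (("a" * 64, 0), ("b" * 64, 1), ("d" * 64, 2), ("A" * 64, 3), ("d" * 64, 61)):
        out = playbook.run(h, now=t)
        print(out.artifacts, out.actions)
```

Keeping the rate limit and the cache inside the utility playbook is what makes it reusable from both the hash-only and the email use case: the parent playbooks never see the vendor quota, they only see a tier, and a rate-limited run comes back as a retry artifact rather than a failed case.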
[Diagram: use-case actions mapped to incident response phases: 1 Prepare, 2 Investigate, 3 Contain, 4 Eradicate, 5 Recovery, 6 Lessons Learned.]
Summary answers
SOAR should be helping drive your successful business metrics
Look for solutions that integrate with other solutions, and integrate your processes
Your ROI should calculate the business value and
Case management (human augmentation) and integrated digital workflows for the whole
Get started on the simple task – Death by a thousand cuts
Use methodologies that work for your team; we use the Operations fractal, SOEL and I2A2
Automation should be metrics driven
Train
Automate
Integrate
Process
Observe
Support
Is your organization up to it?
Next Steps
Thank You
© 2019 SPLUNK INC.