If We Only Had the Time: How Security Teams Can Focus On What’s Important

21 pages. Uploaded by nathan-burke, posted 14-Apr-2017.

TRANSCRIPT

Page 1

Intelligent Security Orchestration and Automation hexadite.com

If We Only Had the Time: How Security Teams Can Focus On What’s Important

Barak Klinghofer, Co-Founder and Chief Product Officer, Hexadite

Page 2

Session Overview

• Background

• Example 1: Alert from C&C Connection

• Example 2: Alert from Antivirus

• The Problem: Alert Volume and Resources

• Automating the 2 Previous Examples

• What to do with Your Newly Found Time

• Wrap Up

Page 3

Barak Klinghofer: My Background

CURRENT

Co-Founder & Chief Product Officer, Hexadite

What I did: Lead technology strategy for a company focused on going from alert to remediation in minutes at scale.

Why it matters: Our entire reason for existing is to minimize the time to investigate and remediate.

PREVIOUS

Cyber Solutions Architect, Elbit Systems

What I did: Designed solutions for both public and private sectors, and trained personnel in National Cyber Security centers.

Why it matters: I’ve designed training systems to teach cyber analysts how to rigorously investigate and remediate cyber threats.

Senior Security Consultant, COMSEC

What I did: Reviewed companies’ security policies and technologies for global organizations.

Why it matters: I understand how companies in all industries approach cybersecurity and helped them increase their security posture.

Elite Intelligence Unit, Israeli Defense Forces

What I did: Helped in building a security team from the ground up. From 0 to 100 in 4 years.

Why it matters: I worked hands-on to build a team to take on IR challenges with high stakes.

Page 4

Example 1: Alert from C&C Connection

Page 5

Alert from FireEye (C&C): manual investigation timeline

Cumulative elapsed time at each step, as marked on the slide:

• Begin investigating alert: 10 min.

• Identify endpoint: 15 min.

• Access endpoint: 17 min.

• Upload forensics tools: 28 min.

• Analyze running processes: 33 min.

• Analyze open connections: 52 min.

• Analyze installed services and drivers: 1.5 hr.

• Analyze recently created files: 1.6 hr.

• Analyze persistency methods: 1.8 hr.

• Analyze installed certificates: 1.9 hr.

• Create firewall block rules: 2 hr.

• Search for lateral movement: +days

Page 6

Example 2: Alert from AV

Page 7

Alert from AV (email alert): manual investigation timeline

Cumulative elapsed time at each step, as marked on the slide:

• Begin investigating alert: 10 min.

• Access endpoint: 15 min.

• Locate malicious file: 20 min.

• Upload forensics tools: 21 min.

• Analyze running processes: 22 min.

• Analyze open connections: 52 min.

• Analyze installed services and drivers: 1.5 hr.

• Analyze recently created files: 1.6 hr.

• Analyze persistency methods: 1.8 hr.

• Search firewall logs: 1.9 hr.

• Search for lateral movement: 2 hr.

• Finish investigation: +days
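The two manual timelines above, encoded as data so the per-step cost and the overlap between the playbooks can be computed; this is an added example, not part of the original deck. The step order and the pairing of steps to time marks are read off the slides' flowcharts, step names are normalized, and the "+Days" mark is treated as open-ended rather than a number.

```python
import re

# Cumulative elapsed-time marks from the two slides (constructed from the
# flowcharts; step names normalized). Each entry: (step, mark as labelled).
CNC_TIMELINE = [
    ("Begin investigating alert", "10 Min."), ("Identify endpoint", "15 Min."),
    ("Access endpoint", "17 Min."), ("Upload forensics tools", "28 Min."),
    ("Analyze running processes", "33 Min."), ("Analyze open connections", "52 Min."),
    ("Analyze installed services and drivers", "1.5 Hr."),
    ("Analyze recently created files", "1.6 Hr."),
    ("Analyze persistency methods", "1.8 Hr."),
    ("Analyze installed certificates", "1.9 Hr."),
    ("Create firewall block rules", "2 Hr."),
    ("Search for lateral movement", "+Days"),
]
AV_TIMELINE = [
    ("Begin investigating alert", "10 Min."), ("Access endpoint", "15 Min."),
    ("Locate malicious file", "20 Min."), ("Upload forensics tools", "21 Min."),
    ("Analyze running processes", "22 Min."), ("Analyze open connections", "52 Min."),
    ("Analyze installed services and drivers", "1.5 Hr."),
    ("Analyze recently created files", "1.6 Hr."),
    ("Analyze persistency methods", "1.8 Hr."),
    ("Search firewall logs", "1.9 Hr."),
    ("Search for lateral movement", "2 Hr."),
    ("Finish investigation", "+Days"),
]

def parse_elapsed(label):
    """'10 Min.' -> 10, '1.5 Hr.' -> 90. '+Days' is open-ended and returns None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(Min|Hr)\.?", label.strip())
    if not m:
        return None
    return round(float(m.group(1)) * (60 if m.group(2) == "Hr" else 1))

def step_durations(timeline):
    """Per-step minutes from consecutive cumulative marks (None if open-ended)."""
    durations, previous = [], 0
    for step, label in timeline:
        mark = parse_elapsed(label)
        durations.append((step, None if mark is None else mark - previous))
        previous = previous if mark is None else mark
    return durations

def bounded_minutes(timeline):
    """Analyst minutes spent before the open-ended tail of the playbook begins."""
    return sum(d for _, d in step_durations(timeline) if d is not None)

def shared_steps(first, second):
    """Steps both playbooks perform, in the first playbook's order."""
    names = {step for step, _ in second}
    return [step for step, _ in first if step in names]
```

Nine of the twelve steps are common to both playbooks, which is the collection work an orchestration playbook can run the same way for either alert source.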

Page 8

Every Day

• How many of these “easy” use cases do you see a day within your organization?

• From our experience, SMEs see about 10-20 daily

• But what about all the rest?

Page 9

The Problem

The problem is the increase in attacks.

The problem is the increase in alerts.

Source: EMA Research

Page 10

The Problem

• This is what 500 alerts/day looks like

• That’s 15,000 per month

• That’s a lot

• One cyber analyst can handle roughly 10 alerts per day

• That’s 300 per month (…but they generally take weekends off)

• You’d need 150 cyber analysts working 8 hr shifts to keep up 7 days a week

• That’s just with current alert volume

• That won’t work

Page 11

Even 5% is Too Much

• Even if you’re able to filter out 95%, you’re still left with 25 critical alerts per day

• That’s 750 per month

• One cyber analyst can handle roughly 10 alerts per day

• You would still need 3 analysts to handle just the critical alerts

• That’s after you’ve spent time filtering, prioritizing

Page 12

Even 5% is Too Much

Even if 95% of alerts are commodity/benign, the 5% is still too much to handle.
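A small staffing model that reproduces the figures on the previous slides and extends them with weekend coverage and the backlog that builds when headcount falls short; this is an added example, not from the original deck. The 30-day month, 10 alerts per analyst-day and 8-hour shifts are the deck's assumptions; the weekend scale-up and the backlog function are mine.

```python
import math

def monthly_volume(alerts_per_day, days_per_month=30):
    """Monthly alert count the way the deck counts it (30-day month)."""
    return alerts_per_day * days_per_month

def analysts_needed(alerts_per_day, alerts_per_analyst_day=10, filter_rate=0.0,
                    shifts_per_day=1, coverage_days=7, analyst_days=7):
    """Headcount needed to keep up with the stream, assuming each analyst
    clears alerts_per_analyst_day per shift.

    filter_rate     fraction removed by triage before an analyst sees it
    shifts_per_day  1 for business hours, 3 for 8-hour shifts around the clock
    coverage_days / analyst_days  scale-up when analysts work fewer days than
                    the coverage window (7/5 when they take weekends off)
    """
    remaining = alerts_per_day * (1 - filter_rate)
    per_shift = math.ceil(remaining / alerts_per_analyst_day)
    return math.ceil(per_shift * shifts_per_day * coverage_days / analyst_days)

def backlog_after(alerts_per_day, analysts, days, alerts_per_analyst_day=10):
    """Alerts left uninvestigated after `days` when capacity is below volume."""
    shortfall = alerts_per_day - analysts * alerts_per_analyst_day
    return max(0, shortfall) * days
```

With 20 analysts against 500 alerts a day the backlog grows by 300 a day, so "that won't work" is a queue that never drains, not a busy month.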

Page 13

DEMO: Automating the Two Examples

Page 14

What to Do with Your Newly Found Time

Page 15

What to Do with Your Newly Found Time

• Optimize your process and methodology

• Analyze what’s falling through the cracks

• Customize your detection mechanisms

• Risk assessment – Go back and identify the gaps

Page 16

Optimize your process and methodology

• Constant improvement

• Change your mindset from reactive to proactive

• When was the last time you reviewed your security policy?

• How can you get your security policy to be more business-oriented?

• What are you currently doing wrong? (We all have things that we can and should change)

Page 17

Analyze what’s falling through the cracks

• An automatic solution will never be able to do 100% of the work

• Randomly double-check the automatic process; if something is found, update the process and keep improving

• Validate what was found

• Hunt!

Page 18

Customize your detection mechanisms

• You now have a huge team to do the work: go back, review the statistics, and recalibrate your detection solutions.

• Re-think prioritization; make sure it is needed

• What else did you pay for and never use?

Page 19

Risk assessment – Identify the gaps

• It’s time to go back to the basics: based on the results, where should we invest more, and what is the right move?

• Business enablement should always be on our radar

Page 20

Wrap-Up

Page 21

Thank You!