SOC of the Future - Leveraging Automation, Orchestration & Machine Learning


Posted on 18-Dec-2021

Abbreviated Capabilities Storyboard

Capabilities of the future SOC, as listed in the storyboard:

- Full enterprise transparency for HW/SW for IT operations and security purposes
- Full transparency of assets, users & privileges, informed by business needs & calculated risk
- Full awareness of enterprise status & events as compared to "normal"
- Access to create, view, & edit playbooks plus "beyond playbook" automated system responses
- Reliance on automation for a majority of issues
- Real-time, integrated views of pre-collected data points related to suspicious activity
- Full enterprise transparency for instrumentation and cyber hygiene

Personas: P. Parker, SOC Analyst; S. Burch, Adversary; B. Banner, Innocent Victim

SOC/Future SOC Attack Framework (adversary stages): Recon, Weaponize, Deliver, Exploit, Control, Execute

SOC functions: Protection, Detection, Response, Recovery

[Diagram: swimlanes and boxes of the journey map; the recoverable labels follow.]

Unified SOC Visibility (Health | Events | Response): SIEM; Security Tools

Event flow: Rogue Device Detected -> Suspicious Activity Issue -> Analyze & Respond; rootkit -> Compromised Asset -> Network Scan (scanning)

Continuous Collaboration partners: Fusion Center, DevSecOps, NOC, Risk, Facility Ops, Other Business

Collaboration activities: Align Asset Configurations and Privileges with Business Needs; Align Suspicious Activities with Business Risk and Other Operations; Collaborative Response Activities Prioritized by Business Implications; Collaborative Continuous Improvement Actions

Business Risk Dashboard / Threat-Based Risk Management: Informs and Enables Alignment of Current and Future Responses; Mid-Event or After Action Review

Automated Response (auto-response, a matter of minutes): Parses & Informs; Prevents or Mitigates Damage done by Malicious Actors; Automated data analysis & retrieval for SOC review

Entire Attack Model: rogue device, timestamp, IP, MAC address, port, host, etc.

Some Response Options:

- Disconnect/VLAN jail through NAC
- Shut down port/USB through Sepio
- Shut down VMware on server
- Leverage an EDR (Carbon Black) to remediate device
- Other, business specific...

SOC analyst journey (P. Parker):

1 - SOC Analyst leverages a unified UX to monitor instrumentation & cyber hygiene posture, as tools become more automated, ML-driven & self-directing. They collaborate with broader business teams, and focus more on strategy and business risk mitigation.

2 - Analyst has insight into ALL assets on the network, and would be alerted to a rogue device. However, quicker than the analyst can determine whether this is a problem, the SIEM is informed.

3 - While a device has been compromised, things happen so quickly that the analyst likely won't need to respond to an alert before automated security measures have mitigated the risk...

4 - Analyst is alerted to activities that are outside of "normal," and in this case, could see a network scanning alert as picked up by a UEBA & ML tool. At the same time, the SIEM is already integrating alert data.

5 - Before the analyst has time to process the alerts they are seeing, the SIEM has begun correlating alert data from the UEBA and rogue device tools. This is much faster than the analyst could do on their own.

6 - Quickly after the initial incidents occur (appearing as lesser, isolated alerts in yesterday's SOC), the system leverages the SOAR to piece together the disparate data points to establish an entire attack model.

7 - Again, in a matter of minutes, and likely without any SOC analyst intervention, the attack is identified, response actions initiated, and damage prevented.

8 - The SOC analyst will mostly see the event in an automated system action, where they can review actions taken if needed. If more analysis is needed, a tool like Polarity helps gather & track multiple disparate data points.

Attack timeline (S. Burch):

1 - Malicious actor performs recon activities, and due to lax physical security, is able to gain brief access to a network asset.

2 - Malicious actor is able to plug in a small network (rogue) device with a USB rootkit.

3 - Rogue device is able to deliver rootkit malware to a Windows 10 machine, and initiate network scanning.

4 - Network scanning activities are initiated, and flagged as anomalous behavior due to the spike in activity, activity type, and device initiating the scans.

5 - Quickly after the scanning begins, the SIEM is informed.

6 - Malicious activity is identified, with corroborating evidence, likely long before the SOC analyst would put the pieces together.

7 - Before too much damage is done, the rogue device is disabled or quarantined. The adversary is not able to maintain their presence.

[Panel: Instrumentation Posture & Cyber Hygiene Monitor/Manage; rogue device; models of anomalous behavior. Chart values not recoverable.]

Asset Transparency + ML-based Threat Management (UEBA) + SIEM + SOAR - Leveraging Machine Learning (ML) and automation to pro-actively address risk and employ machine-speed incident response for a majority of traditional Tier 1 events.
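The machine-speed path the storyboard describes (UEBA flags a fan-out spike, the SIEM/SOAR joins it with the rogue-device alert for the same host into an attack model, and a response is chosen from the page's response options) is shown below as an added Python example. It is not code from the storyboard or from any product the page names. The hosts, IPs, MAC, timestamps, baselines, the z-score anomaly check, the ten-minute correlation window, the stage mapping and the action names are all constructed assumptions for illustration; a real SOAR would bind those action names to its own NAC and EDR integrations. The example also covers the two cases the page only implies: a scanner whose fan-out matches its baseline raises nothing, and a spike with no corroborating second source is handed to an analyst rather than auto-remediated.

```python
"""Alert correlation and response planning for the rogue-device scenario.

Added example, not the storyboard's own code. Hosts, IPs, MACs, baselines,
thresholds, the stage mapping and the action names are constructed for
illustration; a real SOAR binds such actions to its NAC/EDR integrations.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# This example's own mapping of alert kinds onto the storyboard's attack framework.
STAGE_OF_KIND = {"rogue_device": "Deliver", "rootkit": "Exploit", "network_scan": "Execute"}
ANOMALY_Z = 5.0                        # constructed UEBA threshold (z-score)
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    source: str                        # emitting tool, e.g. "hw_inventory", "ueba"
    kind: str                          # key into STAGE_OF_KIND
    ts: datetime
    host: str
    ip: str
    details: dict = field(default_factory=dict)


@dataclass
class AttackModel:
    """The 'entire attack model' the SOAR step assembles from disparate alerts."""
    host: str
    ip: str
    stages: list[str]
    evidence: list[Alert]
    confidence: str                    # "high" only when independent sources agree in time


def scan_anomaly_score(baseline: list[int], observed: int) -> float:
    """Z-score of a host's current distinct-destination count against its own baseline.

    Stand-in for the UEBA 'models of anomalous behavior': a fan-out far above the
    host's normal level is the 'spike in activity' the storyboard flags.
    """
    sd = pstdev(baseline)
    if sd == 0:                        # flat baseline: any increase is anomalous
        return float("inf") if observed > mean(baseline) else 0.0
    return (observed - mean(baseline)) / sd


def ueba_alerts(observations: list[dict]) -> list[Alert]:
    """Turn per-host fan-out observations into network_scan alerts when they exceed ANOMALY_Z."""
    alerts = []
    for o in observations:
        z = scan_anomaly_score(o["baseline"], o["distinct_destinations"])
        if z >= ANOMALY_Z:
            alerts.append(Alert("ueba", "network_scan", o["ts"], o["host"], o["ip"],
                                {"z": round(z, 1), "distinct_destinations": o["distinct_destinations"]}))
    return alerts


def correlate(alerts: list[Alert], window: timedelta = CORRELATION_WINDOW) -> list[AttackModel]:
    """Group alerts by host; two independent sources inside `window` make the model high-confidence."""
    by_host: dict[str, list[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    models = []
    for host, evidence in by_host.items():
        sources = {a.source for a in evidence}
        in_window = evidence[-1].ts - evidence[0].ts <= window
        confidence = "high" if len(sources) >= 2 and in_window else "low"
        stages: list[str] = []
        for a in evidence:             # chronological order gives the attack's progression
            stage = STAGE_OF_KIND.get(a.kind, "Unknown")
            if stage not in stages:
                stages.append(stage)
        models.append(AttackModel(host, evidence[0].ip, stages, evidence, confidence))
    return models


def plan_response(model: AttackModel) -> list[str]:
    """Pick automated actions (named after the page's response options) or defer to an analyst."""
    if model.confidence != "high":
        return ["open_analyst_review"]  # single-source alerts are not auto-remediated
    kinds = {a.kind for a in model.evidence}
    actions = []
    if "rogue_device" in kinds:
        actions += ["nac_vlan_jail", "disable_usb_port"]
    if kinds & {"network_scan", "rootkit"}:
        actions.append("edr_isolate_host")
    actions.append("record_actions_for_review")  # the analyst reviews what was done
    return actions


# Constructed sample input: one rogue-device alert from hardware inventory plus
# per-host fan-out observations (distinct destinations contacted) for the same interval.
T0 = datetime(2021, 12, 18, 9, 0)
SAMPLE_ROGUE_ALERTS = [
    Alert("hw_inventory", "rogue_device", T0, "WS-1042", "10.20.30.42",
          {"mac": "de:ad:be:ef:00:01", "port": "USB-2"}),
]
SAMPLE_OBSERVATIONS = [
    {"ts": T0 + timedelta(minutes=4), "host": "WS-1042", "ip": "10.20.30.42",
     "baseline": [3, 4, 2, 5, 3, 4], "distinct_destinations": 120},            # infected workstation
    {"ts": T0 + timedelta(minutes=2), "host": "WS-0777", "ip": "10.20.30.77",
     "baseline": [3, 4, 2, 5, 3, 4], "distinct_destinations": 60},             # spike, no second source
    {"ts": T0 + timedelta(minutes=1), "host": "VSCAN-01", "ip": "10.20.30.9",
     "baseline": [480, 510, 495, 505, 490, 500], "distinct_destinations": 500},  # authorised scanner
]


def run(rogue_alerts=SAMPLE_ROGUE_ALERTS, observations=SAMPLE_OBSERVATIONS) -> dict:
    """Return {host: (confidence, stages, actions)} for each attack model assembled."""
    models = correlate(rogue_alerts + ueba_alerts(observations))
    return {m.host: (m.confidence, m.stages, plan_response(m)) for m in models}


if __name__ == "__main__":
    for host, (confidence, stages, actions) in run().items():
        print(f"{host}: {confidence} confidence, stages={stages}, actions={actions}")
```

Run as-is, WS-1042 comes out high-confidence with stages Deliver and Execute and the NAC, USB-port and EDR actions queued; WS-0777 is flagged by the anomaly check but, with only one source, goes to analyst review; VSCAN-01 never produces an alert because its fan-out sits inside its own baseline. The confidence rule (two independent sources inside the window) is what keeps the automated response from acting on a single noisy detector, which is the practical condition for letting a SOAR act without analyst intervention.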

Figure title: SOC of the Future - Leveraging Automation, Orchestration & Machine Learning - User Journey Map. Tools depicted: SOAR, SIEM, EDR, NGFW, EPP, ...