HP ArcSight & Ayehu eyeShare - Security Automation
Or Cohen – We Ankor 2014
or@we-ankor.co.il
• Many daily alerts, even after advanced aggregation and correlation.
• Responding to every alert is not always possible, due to lack of physical/virtual access, tools, time, or knowledge.
• Just initiating the response may take hours or even days, long after the initial alert was triggered.
• Response procedures are often non-existent or not strict enough, resulting in different responses to the same alerts.
• Not all alerts are handled, causing the SOC to miss possible incidents.
Sunday, August 17, 2014 slide 2
Most companies want to tackle the “Unknown” threats.
Yet the same companies still struggle with the most common “Known” threats.
• Build clear and strict response procedures for known alerts.
• Start a clear and strict response procedure for every single alert within seconds.
• Reduce false positives using automated data enrichment and collection from various sources after the alert fires.
• Minimize SOC work on scriptable procedures, allowing the SOC to focus on actions that cannot be automated.
• Increase the number of alerts handled to provide better coverage.
• Complete or partial automation of IR processes.
• Data enrichment and data collection.
• False-positive reduction.
• Ticketing and event management.
• Phase A – Plan monitoring according to risks. Must be suited to YOUR COMPANY.
  Risk – for example: availability loss to a critical system.
  Scenario – for example: a compromised laptop floods a critical system.
  Systems & content – for example: a NetFlow rule monitoring laptop communication.
• Phase B – Plan the response procedure according to the risk, scenario, systems, knowledge, and available tools. Must be suited to YOUR COMPANY.
[Slide 7 flowchart: response procedure for an arriving mail (branch structure reconstructed from the diagram labels)]
Mail arriving
  Has links in body? YES: Check VirusTotal, Check Traffic. Malicious evidence?
    YES: Open ticket to block in Websense and TM WebRep.
    No: End workflow and notify SOC.
  Has attachments? YES: Encrypted?
    YES: Log and notify SOC.
    No: Check VirusTotal, Send MD5 to ArcSight, Send to TM. Malicious evidence? YES / No.
• Phase C – Automate the response procedure according to the risk, scenario, systems, knowledge, and available tools. Must be suited to YOUR COMPANY.
[Slide 9 diagram: host WS98123 repeatedly fails to log in to AD as User_adm_14 with a guessed password (12345); the correlation rule fires the alert below.]
User running Brute Force Attack!
Hostname: WS98123
User: User_adm_14
Number of failed attempts: 5
• Possible questions to ask:
  • Is the user a valid user in AD? If so, does it belong to a person or a service?
  • Is the user a member of a critical group, or does it have administrative privileges?
  • Is the user currently locked?
  • Did the user reset his or her password recently?
• Possible actions to take:
  • Ask the person in charge of the user whether he or she failed to log in from that host.
  • Lock/disable the account (if not already locked by DC policy).
  • Move the host to a different VLAN using NAC/IPS.
How much time would it take to answer/perform these tasks in your SOC?
• ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident.
• eyeShare opens an internal ticket for operators to see the incident.
• eyeShare queries AD to check whether the user exists.
• If the user exists, eyeShare queries AD again to get the user’s mobile phone number.
• eyeShare sends a text message to the user, asking whether he or she failed to log in on the relevant host.
• If the user replies “yes”, the internal ticket is closed and the incident is resolved.
• If the user replies “no”, or does not reply within 10 minutes, the severity of the internal ticket is raised and the account is disabled for 10 minutes.
• If the user does not exist, eyeShare sends a text message to the operator on call, asking whether he or she knows the user or any details about the incident.
• If the operator on call replies “yes”, the internal ticket is closed and the incident is resolved.
• If the operator on call replies “no”, or does not reply within 10 minutes, the severity of the internal ticket is raised and the host is quarantined by the NAC.
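The brute-force playbook described above, written out as runnable decision logic. This is an added example, not eyeShare code and not part of the original deck: the AD directory, the alert text and the SMS replies are stand-ins constructed inline (the real workflow queries AD and waits up to 10 minutes for a text reply), and routing service accounts and accounts without a phone number to the on-call operator is this example's own choice, since the deck only asks the question.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the AD queries in the workflow (invented accounts, not real data).
DIRECTORY = {
    "user_adm_14": {"kind": "person", "mobile": "+972-50-000-0000",
                    "groups": ["Domain Admins"], "locked": False},
    "svc_backup":  {"kind": "service", "mobile": None, "groups": [], "locked": False},
}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REPLY_TIMEOUT_SEC = 600          # no reply within 10 minutes counts as "no"
DISABLE_SEC = 600                # the account is disabled for 10 minutes

ALERT_RE = re.compile(r"Hostname:\s*(?P<host>\S+)\s+User:\s*(?P<user>\S+)\s+"
                      r"Number of failed attempts:\s*(?P<n>\d+)")


@dataclass
class Ticket:
    host: str
    user: str
    attempts: int
    severity: str = "medium"
    status: str = "open"
    actions: list = field(default_factory=list)


def parse_alert(text):
    """Pull host, user and attempt count out of the ArcSight e-mail template text."""
    m = ALERT_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised alert format")
    return m["host"], m["user"], int(m["n"])


def enrich(user):
    """Does the user exist, is it a person or a service, is it privileged, is it locked?"""
    rec = DIRECTORY.get(user.lower())
    if rec is None:
        return None
    return {"kind": rec["kind"], "mobile": rec["mobile"], "locked": rec["locked"],
            "privileged": bool(set(rec["groups"]) & ADMIN_GROUPS)}


def run_playbook(alert_text, user_reply=None, operator_reply=None):
    """Replies are 'yes', 'no' or None (no answer within REPLY_TIMEOUT_SEC, treated as 'no')."""
    host, user, attempts = parse_alert(alert_text)
    t = Ticket(host, user, attempts)
    info = enrich(user)
    # Unknown account, service account, or no phone number on record: ask the on-call operator.
    # (Routing service accounts to the operator is this example's assumption.)
    if info is None or info["kind"] != "person" or not info["mobile"]:
        t.actions.append("sms_operator")
        if operator_reply == "yes":
            t.status = "resolved"
        else:
            t.severity = "high"
            t.actions.append(f"nac_quarantine:{host}")
        return t
    if info["privileged"]:
        t.severity = "high"              # attacks on admin accounts start at a higher severity
    t.actions.append(f"sms_user:{info['mobile']}")
    if user_reply == "yes":
        t.status = "resolved"
        return t
    t.severity = "high"
    if info["locked"]:
        t.actions.append("already_locked_by_dc_policy")
    else:
        t.actions.append(f"disable_account:{user}:{DISABLE_SEC}s")
    return t


# Constructed alert in the shape of the slide 9 e-mail.
SAMPLE_ALERT = """User running Brute Force Attack!
Hostname: WS98123
User: User_adm_14
Number of failed attempts: 5"""

if __name__ == "__main__":
    for replies in (("yes", None), (None, None)):
        print(run_playbook(SAMPLE_ALERT, *replies))
```

A reply of “no” and a timeout are handled identically, as on the slides. One caveat worth building in: an automatic disable triggered by failed logins gives anyone who can generate failed logins a way to lock out privileged accounts, so the playbook raises the ticket severity whenever it disables, and skips the disable when the DC lockout policy has already locked the account.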
[Diagram: a power user logged in to AD adds a normal user to the VIP Users group; a few minutes later the user is removed from the group. The correlation rule fires:]
Rule: User Added & Removed From VIP Group in 1h
Added User: X
Adding User: Y
Group: GroupZ
• Possible questions to ask:
  • Was this action authorized and documented in IDM/ticketing?
  • Who is the adding user? Is he or she authorized to add or remove users from groups?
  • Who is the added user? Is he or she a new employee? From which department?
  • What time is it? Is it night? Is it a holiday or weekend?
• Possible actions to take:
  • Talk to both users to understand why the user was added and removed.
  • Lock their accounts.
  • Remove their permissions until further investigation.
How much time would it take to answer/perform these tasks in your SOC?
• ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident. A ticket is opened.
• All AD information for both users is gathered.
• A search is performed on the ticketing system to validate whether a ticket has been opened, reviewed, and authorized for this change. If so, the incident is resolved.
• If no ticket is present for this change, an e-mail is sent to the adding user, the added user, and the SOC operator. The e-mail requests that they explain their actions. Their response is documented and reviewed by the SOC.
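Detection logic for the “added and removed from a VIP group within 1h” rule, with the enrichment questions above (off-hours, existing change ticket) answered for each hit. This is an added example, not an ArcSight rule or an eyeShare workflow from the deck. The events are constructed in the shape of Windows security event IDs 4728/4729 (member added to / removed from a security-enabled global group; the local-group IDs 4732/4733 and universal-group IDs 4756/4757 are accepted as well); the business-hours definition and the ticket table are assumptions.

```python
from datetime import datetime, timedelta

# Constructed events in the shape of Windows security log IDs 4728 (member added to a
# security-enabled global group) and 4729 (member removed); all names and times invented.
EVENTS = [
    {"time": "2014-08-16 23:41:10", "id": 4728, "group": "VIP Users", "member": "X", "actor": "Y"},
    {"time": "2014-08-16 23:52:30", "id": 4729, "group": "VIP Users", "member": "X", "actor": "Y"},
    {"time": "2014-08-18 10:05:00", "id": 4728, "group": "VIP Users", "member": "newhire", "actor": "hr_admin"},
    {"time": "2014-08-18 10:40:00", "id": 4729, "group": "VIP Users", "member": "newhire", "actor": "hr_admin"},
    {"time": "2014-08-18 11:00:00", "id": 4728, "group": "Printer Users", "member": "X", "actor": "Y"},
    {"time": "2014-08-18 11:01:00", "id": 4729, "group": "Printer Users", "member": "X", "actor": "Y"},
]
ADD_IDS = {4728, 4732, 4756}      # global / local / universal security group: member added
REMOVE_IDS = {4729, 4733, 4757}   # global / local / universal security group: member removed
WATCHED_GROUPS = {"VIP Users", "Domain Admins"}
WINDOW = timedelta(hours=1)
# Assumed business hours: 08:00-18:59, Sunday to Thursday (weekday(): Monday=0 ... Sunday=6).
BUSINESS_HOURS = range(8, 19)
WORKDAYS = {6, 0, 1, 2, 3}
# Constructed stand-in for the IDM/ticketing search: approved change tickets by (member, group).
TICKETS = {("newhire", "VIP Users"): "CHG-1001"}


def assess(member, group, actor, added_at, dwell):
    """Answer the enrichment questions from the event itself and the ticket lookup."""
    off_hours = added_at.weekday() not in WORKDAYS or added_at.hour not in BUSINESS_HOURS
    ticket = TICKETS.get((member, group))
    return {
        "member": member, "group": group, "actor": actor,
        "dwell_minutes": int(dwell.total_seconds() // 60),
        "off_hours": off_hours,
        "ticket": ticket,
        # A documented, authorized change resolves the incident; otherwise the workflow
        # e-mails both users and the SOC for an explanation.
        "disposition": "resolved" if ticket else "ask_users",
    }


def correlate(events):
    """Flag a member added to a watched group and removed again within WINDOW."""
    pending = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"] not in WATCHED_GROUPS:
            continue
        key = (ev["member"], ev["group"])
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] in ADD_IDS:
            pending[key] = (ts, ev["actor"])
        elif ev["id"] in REMOVE_IDS and key in pending:
            added_at, actor = pending.pop(key)
            if ts - added_at <= WINDOW:
                findings.append(assess(key[0], key[1], actor, added_at, ts - added_at))
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The first pair (added late on a Saturday night, removed 11 minutes later, no ticket) comes out as off-hours and goes to the “ask the users” path; the second pair has a change ticket and is closed automatically. Printer-group churn is ignored because only the watched groups are correlated.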
[Diagram: an e-mail is sent to one or more users; a user suspects the e-mail might be malicious and forwards it to the SOC; the SOC investigates using web reputation, anti-virus, URL/mail history, a sandbox, etc.]
• Possible questions to ask:
  • Who sent the e-mail?
  • Are there any links in the e-mail? If so, could clicking them lead to infection?
  • Are there any attachments in the e-mail? If so, would opening them lead to infection?
  • How many people received this e-mail?
• Possible actions to take:
  • Block the sender in the mail relay.
  • Block the links in the proxy.
  • Block/blacklist the attachments, upload them to the AV vendor.
How much time would it take to answer/perform these tasks in your SOC?
• This workflow receives an e-mail forwarded by a user to the SOC and does the following:
  • Thanks the user for forwarding the e-mail to the SOC.
  • Checks for links and e-mail addresses, sends all findings to be analyzed by VirusTotal, and notifies ArcSight by CEF syslog if a link is malicious.
  • Checks for attachments, uploads all findings to be analyzed by VirusTotal and Cuckoo Sandbox, and notifies ArcSight by CEF syslog if an attachment is malicious.
  • Sends the analysis verdict back to the user (clean/malicious).
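The e-mail triage workflow above, as an added example in Python rather than eyeShare's implementation. The forwarded mail is constructed inline, the VirusTotal and Cuckoo verdicts are replaced by local lookup tables so the code runs offline, and the vendor/product strings in the CEF header are placeholders; the CEF line layout itself (header fields separated by “|” with “|” and “\” escaped, extension values with “=” and “\” escaped) is the format the ArcSight syslog connector consumes. The encrypted-attachment branch from the slide 7 flowchart is included, using a helper that only flips the encryption flag on the sample archive.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed stand-in for the VirusTotal / Cuckoo verdicts (invented, no network access).
KNOWN_BAD_URLS = {"http://invoice-update.example.net/login"}
KNOWN_BAD_HASHES = set()


def _set_encrypted_flag(zipbytes):
    """Set the 'encrypted' bit in every local and central header so the archive looks password
    protected; used only to build the sample, since zipfile cannot write encrypted archives."""
    b = bytearray(zipbytes)
    for magic, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(magic)
        while i != -1:
            b[i + off] |= 0x01
            i = b.find(magic, i + 1)
    return bytes(b)


def build_sample(encrypted_attachment=False):
    """Constructed phishing mail as a user would forward it to the SOC (all content invented)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "soc@example.com"
    msg["Subject"] = "FW: Invoice overdue"
    msg.set_content("Your invoice is overdue.\nReview it at http://invoice-update.example.net/login\n"
                    "or open the attached file.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.exe", b"MZ\x90\x00 not a real binary")
    data = _set_encrypted_flag(buf.getvalue()) if encrypted_attachment else buf.getvalue()
    msg.add_attachment(data, maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def is_encrypted_zip(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(info.flag_bits & 0x01 for info in z.infolist())
    except zipfile.BadZipFile:
        return False


def cef(sig_id, name, severity, **ext):
    """One CEF line for the ArcSight syslog connector. Header fields escape '|' and '\\';
    extension values escape '=' and '\\'. Vendor/product strings are placeholders."""
    esc_h = lambda s: str(s).replace("\\", "\\\\").replace("|", "\\|")
    esc_e = lambda s: str(s).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")
    header = "|".join(esc_h(x) for x in ("CEF:0", "ExampleVendor", "MailTriage", "1.0", sig_id, name, severity))
    return header + "|" + " ".join(f"{k}={esc_e(v)}" for k, v in ext.items())


def triage(raw):
    """Extract links and attachments, look them up, emit a CEF event per hit, return the verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg["From"])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = {u: ("malicious" if u in KNOWN_BAD_URLS else "clean") for u in set(URL_RE.findall(text))}
    events = [cef(100, "Malicious link in reported mail", 7, request=u, suser=sender)
              for u, v in links.items() if v == "malicious"]
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        name, sha256 = part.get_filename(), hashlib.sha256(data).hexdigest()
        if is_encrypted_zip(data):
            verdict = "encrypted"     # cannot be scanned: log it and notify the SOC
            events.append(cef(101, "Encrypted attachment in reported mail", 4, fname=name, fileHash=sha256, suser=sender))
        elif sha256 in KNOWN_BAD_HASHES:
            verdict = "malicious"
            events.append(cef(102, "Malicious attachment in reported mail", 8, fname=name, fileHash=sha256, suser=sender))
        else:
            verdict = "unknown"       # the real workflow submits the file to VirusTotal and Cuckoo here
        attachments.append({"name": name, "md5": hashlib.md5(data).hexdigest(), "sha256": sha256, "verdict": verdict})
    all_verdicts = list(links.values()) + [a["verdict"] for a in attachments]
    if "malicious" in all_verdicts:
        overall = "malicious"
    elif any(v in ("encrypted", "unknown") for v in all_verdicts):
        overall = "needs_review"
    else:
        overall = "clean"
    return {"sender": sender, "links": links, "attachments": attachments, "events": events, "verdict": overall}


if __name__ == "__main__":
    for line in triage(build_sample(encrypted_attachment=True))["events"]:
        print(line)
```

An attachment whose hash is not on a blocklist is reported as “unknown” rather than “clean”: a missing verdict is not a clean verdict, and that is exactly the point at which the workflow hands the file to the sandbox.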
• A user gets this e-mail and decides to forward it to the SOC.
• Upon reception, eyeShare sends back a successful-submission e-mail, giving the user some initial instructions and a reference ID.
• The operator on call receives an e-mail notification if an attachment or link is detected as malicious.
• At the end of the analysis, the user gets a response from eyeShare with the verdict.
• If we know what the alert is, which questions to ask, and which action to perform for each answer we receive – why not automate it?
• Using automation, a SOC can handle more alerts with greater efficiency, maximize human productivity, strengthen the bond with the rest of the company, raise the SOC’s maturity, and raise the overall security posture.
• Operators/analysts handle incidents only after false-positive reduction, reconnaissance and user input, and at the correct severity.
• Operators/analysts spend much less time on the “Known” threats and are available to investigate the “Unknown” threats.
• No more standalone, unsupported, unmanaged scripts written in different programming languages.
• A single framework for all workflows, with support for multiple devices and actions (AD, Cisco, VMware, file moves, HTTP requests, DB queries, etc.).
• Know the result of every part of every workflow, and keep it for as long as you need.
• Integration with HP ArcSight (provided by We Ankor).
• Support for HA, segmentation, and multiple domains.
Or Cohen –We Ankor 2014

Weitere ähnliche Inhalte

Andere mochten auch

Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...
Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...
Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...Bizagi
 
Game AI 101 - NPCs and Agents and Algorithms... Oh My!
Game AI 101 - NPCs and Agents and Algorithms... Oh My!Game AI 101 - NPCs and Agents and Algorithms... Oh My!
Game AI 101 - NPCs and Agents and Algorithms... Oh My!Luke Dicken
 
A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...
A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...
A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...Enterprise Management Associates
 
Case Study: Taking IT Asset Management to the Next Level With Process Automation
Case Study: Taking IT Asset Management to the Next Level With Process AutomationCase Study: Taking IT Asset Management to the Next Level With Process Automation
Case Study: Taking IT Asset Management to the Next Level With Process AutomationCA Technologies
 
Getting VMs in Shape with data-driven workflows in CA Process Automation
Getting VMs in Shape with data-driven workflows in CA Process AutomationGetting VMs in Shape with data-driven workflows in CA Process Automation
Getting VMs in Shape with data-driven workflows in CA Process AutomationCA Technologies
 
What's the value proposition in adding automation/orchestration on top of Ser...
What's the value proposition in adding automation/orchestration on top of Ser...What's the value proposition in adding automation/orchestration on top of Ser...
What's the value proposition in adding automation/orchestration on top of Ser...Ayehu Software Technologies Ltd.
 
What is Robotics Process Automation ?
What is Robotics Process Automation ?What is Robotics Process Automation ?
What is Robotics Process Automation ?Aditya Sharma
 

Andere mochten auch (8)

Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...
Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...
Bizagi and Stone Coast Fund Services: How Centers of Excellence Speed Up Digi...
 
Ayehu eyeShare Overview
Ayehu eyeShare OverviewAyehu eyeShare Overview
Ayehu eyeShare Overview
 
Game AI 101 - NPCs and Agents and Algorithms... Oh My!
Game AI 101 - NPCs and Agents and Algorithms... Oh My!Game AI 101 - NPCs and Agents and Algorithms... Oh My!
Game AI 101 - NPCs and Agents and Algorithms... Oh My!
 
A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...
A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...
A Realistic Approach to Transforming IT Operations: Analytics + Automation + ...
 
Case Study: Taking IT Asset Management to the Next Level With Process Automation
Case Study: Taking IT Asset Management to the Next Level With Process AutomationCase Study: Taking IT Asset Management to the Next Level With Process Automation
Case Study: Taking IT Asset Management to the Next Level With Process Automation
 
Getting VMs in Shape with data-driven workflows in CA Process Automation
Getting VMs in Shape with data-driven workflows in CA Process AutomationGetting VMs in Shape with data-driven workflows in CA Process Automation
Getting VMs in Shape with data-driven workflows in CA Process Automation
 
What's the value proposition in adding automation/orchestration on top of Ser...
What's the value proposition in adding automation/orchestration on top of Ser...What's the value proposition in adding automation/orchestration on top of Ser...
What's the value proposition in adding automation/orchestration on top of Ser...
 
What is Robotics Process Automation ?
What is Robotics Process Automation ?What is Robotics Process Automation ?
What is Robotics Process Automation ?
 

Ähnlich wie HP ArcSight & Ayehu eyeShare - Security Automation

Ulab Research Report
Ulab Research ReportUlab Research Report
Ulab Research ReportJaime Brown
 
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetMyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetAPNIC
 
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget  by Jamie Gillespie, A...Vulnerability Reporting Program on a Shoestring Budget  by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...MyNOG
 
Leveraging Analytics In Gaming - Tiny Mogul Games
Leveraging Analytics In Gaming - Tiny Mogul GamesLeveraging Analytics In Gaming - Tiny Mogul Games
Leveraging Analytics In Gaming - Tiny Mogul GamesInMobi
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAPNIC
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programAPNIC
 
Quick Response Fraud Detection
Quick Response Fraud DetectionQuick Response Fraud Detection
Quick Response Fraud DetectionFraudBusters
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
Vivint Wireless How to De-Risk a New Venture & Build a Better ISP - Luke L...
Vivint Wireless   How to De-Risk a New Venture & Build a Better ISP  - Luke L...Vivint Wireless   How to De-Risk a New Venture & Build a Better ISP  - Luke L...
Vivint Wireless How to De-Risk a New Venture & Build a Better ISP - Luke L...Lounge47
 
Lean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять дней
Lean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять днейLean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять дней
Lean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять днейCEE-SEC(R)
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference Rea & Associates
 
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...Jason Hong
 
Dragons's Den 2014 Semester 1
Dragons's Den 2014 Semester 1Dragons's Den 2014 Semester 1
Dragons's Den 2014 Semester 1Samuel Mann
 
The AI Conundrum: How HR Can Prepare for the Storm of Change
The AI Conundrum: How HR Can Prepare for the Storm of ChangeThe AI Conundrum: How HR Can Prepare for the Storm of Change
The AI Conundrum: How HR Can Prepare for the Storm of ChangeAggregage
 
ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
ArcSight & RSA ECAT Integration - By We-Ankor & Or CohenArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohencohen88or
 

Ähnlich wie HP ArcSight & Ayehu eyeShare - Security Automation (20)

Ulab Research Report
Ulab Research ReportUlab Research Report
Ulab Research Report
 
Research Report
Research ReportResearch Report
Research Report
 
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring BudgetMyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
MyNOG 9: Vulnerability Reporting Program on a Shoestring Budget
 
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget  by Jamie Gillespie, A...Vulnerability Reporting Program on a Shoestring Budget  by Jamie Gillespie, A...
Vulnerability Reporting Program on a Shoestring Budget by Jamie Gillespie, A...
 
Leveraging Analytics In Gaming - Tiny Mogul Games
Leveraging Analytics In Gaming - Tiny Mogul GamesLeveraging Analytics In Gaming - Tiny Mogul Games
Leveraging Analytics In Gaming - Tiny Mogul Games
 
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNICAusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
AusCERT2022: Vulnerability Reporting Program on a Shoestring Budget - APNIC
 
Hci final presentation
Hci final presentationHci final presentation
Hci final presentation
 
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting programBhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
Bhutan Cybersecurity Week 2021: APNIC vulnerability reporting program
 
Hci final presentation
Hci final presentationHci final presentation
Hci final presentation
 
Hci final presentation
Hci final presentationHci final presentation
Hci final presentation
 
Quick Response Fraud Detection
Quick Response Fraud DetectionQuick Response Fraud Detection
Quick Response Fraud Detection
 
IT Fraud and Countermeasures
IT Fraud and CountermeasuresIT Fraud and Countermeasures
IT Fraud and Countermeasures
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Vivint Wireless How to De-Risk a New Venture & Build a Better ISP - Luke L...
Vivint Wireless   How to De-Risk a New Venture & Build a Better ISP  - Luke L...Vivint Wireless   How to De-Risk a New Venture & Build a Better ISP  - Luke L...
Vivint Wireless How to De-Risk a New Venture & Build a Better ISP - Luke L...
 
Lean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять дней
Lean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять днейLean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять дней
Lean UX и дизайн-спринты: как построить ведущий продукт на рынке за пять дней
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
 
Dragons's Den 2014 Semester 1
Dragons's Den 2014 Semester 1Dragons's Den 2014 Semester 1
Dragons's Den 2014 Semester 1
 
The AI Conundrum: How HR Can Prepare for the Storm of Change
The AI Conundrum: How HR Can Prepare for the Storm of ChangeThe AI Conundrum: How HR Can Prepare for the Storm of Change
The AI Conundrum: How HR Can Prepare for the Storm of Change
 
ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
ArcSight & RSA ECAT Integration - By We-Ankor & Or CohenArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
 

Kürzlich hochgeladen

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Kürzlich hochgeladen (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

HP ArcSight & Ayehu eyeShare - Security Automation

  • 1. Or Cohen – We Ankor 2014, or@we-ankor.co.il
  • 2.
    • Many daily alerts, even after advanced aggregation and correlation.
    • Responding to every alert is not always possible due to lack of physical/virtual access, tools, time, or knowledge.
    • Just initiating the response may take hours or even days, long after the initial alert was triggered.
    • Response procedures are often non-existent or not strict enough, resulting in different responses to the same alerts.
    • Not all alerts are handled, causing the SOC to miss possible incidents.
    Sunday, August 17, 2014 slide 2
  • 3. Most companies want to tackle the "Unknown" threats. Yet the same companies still struggle with the most common "Known" threats.
  • 4.
    • Build clear and strict response procedures for known alerts.
    • Start a clear and strict response procedure for every single alert within seconds.
    • Reduce false positives using automated data enrichment and collection processes from various sources post-alert.
    • Minimize SOC work around scriptable procedures, allowing the SOC to focus its work on actions that cannot be automated.
    • Increase the number of alerts handled to provide better coverage.
  • 5.
    • Complete automation or semi-automation of IR processes.
    • Data enrichment and data collection.
    • False-positive reduction.
    • Ticketing and event management.
  • 6.
    • Phase A – Plan monitoring according to risks.
    • Must be suited to YOUR COMPANY.
    (Diagram with three columns: Risk, for example availability loss to a critical system; Scenarios, for example a compromised laptop floods a critical system; Systems & Content, for example a Netflow rule monitoring laptop communication.)
  • 7.
    • Phase B – Plan the response procedure according to the risk, scenario, systems, knowledge, and available tools.
    • Must be suited to YOUR COMPANY.
    (Flowchart of an e-mail response procedure. Nodes: Mail arriving; Has Links In Body? (Yes/No); Check Virustotal; Check Traffic; Malicious Evidence? (Yes/No); Open Ticket To Block in Websense and TM WebRep; End Workflow and notify SOC; Has Attachments? (Yes/No); Encrypted? (Yes/No); Check Virustotal; Send MD5 To ArcSight; Send To TM; Log and notify SOC.)
  • 8.
    • Phase C – Automate the response procedure according to the risk, scenario, systems, knowledge, and available tools.
    • Must be suited to YOUR COMPANY.
  • 9. (Diagram: workstation WS98123, user User_adm_14, repeated failed logins to AD.) Alert text: "User running Brute Force Attack! Hostname: WS98123, User: User_adm_14, Number of failed attempts: 5".
  • 10.
    • Possible questions to ask:
      • Is the user a valid user in AD? If so, does it belong to a person or a service?
      • Is the user a member of a critical group, or does it have administrative privileges?
      • Is the user currently locked?
      • Did the user reset his/her password recently?
    • Possible actions to take:
      • Ask the person in charge of the user whether he/she failed to log in from that host.
      • Lock/disable the account (if not already locked by DC policy).
      • Send the host to a different VLAN using NAC/IPS.
  • 11. (Same questions and actions as slide 10, with the prompt:) How much time would it take to answer/perform these tasks in your SOC?
  • 12. ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident.
  • 13. eyeShare opens an internal ticket for operators to see the incident.
  • 14. eyeShare queries AD, checking whether the user exists.
  • 15. If the user exists, eyeShare queries AD again to get the user's mobile phone number.
  • 16. eyeShare sends a text message to the user, asking whether he/she failed to log in on the relevant host.
  • 17. If the user replies "yes", the internal ticket is closed and the incident is resolved.
  • 18. If the user replies "no", or does not reply within 10 minutes, the severity of the internal ticket is raised and the user is disabled for 10 minutes.
  • 19. If the user does not exist, eyeShare sends a text message to the operator on call, asking whether he/she knows the user or any details about the incident.
  • 20. If the operator on call replies "yes", the internal ticket is closed and the incident is resolved.
  • 21. If the operator on call replies "no", or does not reply within 10 minutes, the severity of the internal ticket is raised and the host is quarantined by the NAC.
  • 22. (Diagram: in AD, a Power User adds a Normal User to the VIP Users group.)
  • 23. A few minutes later...
  • 24. (Diagram: the Power User removes the Normal User from the VIP Users group.) Rule: User Added & Removed From VIP Group in 1h. Added User: X, Adding User: Y, Group: GroupZ.
  • 25.
    • Possible questions to ask:
      • Was this action authorized and documented in IDM/ticketing?
      • Who is the adding user? Is he/she authorized to add/remove users from groups?
      • Who is the added user? Is he/she a new employee? From which department?
      • What time is it? Is it night? Is it a holiday or weekend?
    • Possible actions to take:
      • Talk to both users to understand why the user was added and removed.
      • Lock their accounts.
      • Remove their permissions until further investigation.
  • 26. (Same questions and actions as slide 25, with the prompt:) How much time would it take to answer/perform these tasks in your SOC?
  • 27. ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident. A ticket is opened.
  • 28. All AD information for both users is gathered.
  • 29. A search is performed on the ticketing system to validate whether a ticket has been opened, reviewed, and authorized for this change. If so, the incident is resolved.
  • 30. If no ticket is present for this change, an e-mail is sent to the adding user, the added user, and the SOC operator. The e-mail requests that they explain their actions. Their responses are documented and reviewed by the SOC.
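The correlation rule of slide 24 ("User Added & Removed From VIP Group in 1h") and the enrichment and ticket check of slides 28–30, run over a handful of constructed audit events. This is an added example, not ArcSight or eyeShare code: the event field names, the directory attributes, the change tickets and the SOC mailbox are all this example's own stand-ins, and the working-hours window used for the "is it night or a weekend" question is assumed.

```python
"""Correlation and enrichment for the group-membership case in slides 24-30:
detect a user added to and removed from a sensitive group within one hour, then
decide whether the change was authorized. Added example, not ArcSight or eyeShare
code: events, directory and tickets are constructed inline; the real rule would
run on the SIEM and the lookups would hit AD and the ticketing system."""
from datetime import datetime, timedelta

# Constructed, already-normalized group-membership audit events (field names are
# this example's own, not a vendor schema). 2014-08-17 is a Sunday.
EVENTS = [
    {"ts": "2014-08-17T02:10:00", "action": "add",    "group": "VIP Users", "target": "X", "actor": "Y"},
    {"ts": "2014-08-17T02:14:00", "action": "remove", "group": "VIP Users", "target": "X", "actor": "Y"},
    {"ts": "2014-08-17T09:00:00", "action": "add",    "group": "VIP Users", "target": "W", "actor": "Y"},
    {"ts": "2014-08-17T11:30:00", "action": "remove", "group": "VIP Users", "target": "W", "actor": "Y"},
    {"ts": "2014-08-17T02:11:00", "action": "add",    "group": "Printers",  "target": "X", "actor": "Y"},
]

# Constructed AD attributes and change tickets.
DIRECTORY = {
    "X": {"mail": "x@corp.example", "department": "Finance", "hired": "2014-08-11"},
    "Y": {"mail": "y@corp.example", "department": "IT", "group_admin": True},
}
TICKETS = [
    {"id": "CHG-1001", "state": "approved", "group": "VIP Users", "target": "W"},
]
SOC_MAILBOX = "soc@corp.example"   # assumed address


def correlate_add_remove(events, group, window_hours=1.0):
    """One hit per (add, remove) pair on `group` for the same target where the
    remove happens within `window_hours` of the add (the slide-24 rule)."""
    window = timedelta(hours=window_hours)
    pending = {}           # target -> (added_at, add event) still waiting for a remove
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["group"] != group:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "add":
            pending[ev["target"]] = (ts, ev)
        elif ev["action"] == "remove" and ev["target"] in pending:
            added_at, add_ev = pending.pop(ev["target"])
            if ts - added_at <= window:
                hits.append({"group": group, "added_user": ev["target"],
                             "adding_user": add_ev["actor"], "removing_user": ev["actor"],
                             "added_at": add_ev["ts"], "removed_at": ev["ts"]})
    return hits


def off_hours(ts: str, start_hour=8, end_hour=18) -> bool:
    """Slide 25's 'is it night or a weekend?' (holiday calendar omitted; hours assumed)."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start_hour <= t.hour < end_hour)


def triage(hit, directory, tickets, soc_mailbox=SOC_MAILBOX):
    """Slides 28-30: gather AD data for both users, look for an approved ticket;
    if none exists, ask both users and the SOC for an explanation."""
    added, adder = hit["added_user"], hit["adding_user"]
    authorized = any(t["state"] == "approved" and t["group"] == hit["group"]
                     and t["target"] == added for t in tickets)
    enrichment = {
        "added_user": directory.get(added, {}),
        "adding_user": directory.get(adder, {}),
        "adder_is_group_admin": directory.get(adder, {}).get("group_admin", False),
        "off_hours": off_hours(hit["added_at"]),
    }
    if authorized:
        return {"status": "resolved", "reason": "approved change ticket", "enrichment": enrichment}
    recipients = sorted({directory.get(adder, {}).get("mail"),
                         directory.get(added, {}).get("mail"), soc_mailbox} - {None})
    return {"status": "explanation_requested", "recipients": recipients, "enrichment": enrichment}


if __name__ == "__main__":
    for h in correlate_add_remove(EVENTS, "VIP Users"):
        print(h, triage(h, DIRECTORY, TICKETS))
```

Note that the ticket search is keyed on the group and the added user, not on the adding user: an administrator who is entitled to change group membership in general (the `group_admin` flag) still needs an approved ticket for this specific change, which is exactly the distinction the slide-25 questions draw.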
  • 31. (No text on slide.)
  • 32. (Diagram: E-mail sent to user/s → User/s suspect the e-mail might be malicious and forward it to the SOC → SOC investigates: Web Reputation, Anti-virus, History (URL/Mail), Sandbox, etc.)
  • 33.
    • Possible questions to ask:
      • Who sent the e-mail?
      • Are there any links in the e-mail? If so, could clicking them lead to infection?
      • Are there any attachments in the e-mail? If so, would opening them lead to infection?
      • How many people got this e-mail?
    • Possible actions to take:
      • Block the sender in the mail relay.
      • Block the links in the proxy.
      • Block/blacklist the attachments, upload them to the AV vendor.
  • 34. (Same questions and actions as slide 33, with the prompt:) How much time would it take to answer/perform these tasks in your SOC?
  • 35. This workflow receives an e-mail forwarded by a user to the SOC and does the following:
    • Thanks the user for forwarding the e-mail to the SOC.
    • Checks for links and e-mail addresses and sends all findings to be analyzed by VirusTotal. Notifies ArcSight by CEF syslog if a link is malicious.
    • Checks for attachments and uploads all findings to be analyzed by VirusTotal and Cuckoo Sandbox. Notifies ArcSight by CEF syslog if an attachment is malicious.
    • Sends the analysis verdict (clean/malicious) back to the user.
  • 36. A user gets this e-mail and decides to forward it to the SOC.
  • 37. Upon reception, eyeShare sends back a successful-submission e-mail, providing the user with some initial instructions and a reference ID.
  • 38. The operator on call receives an e-mail notification if an attachment or link is detected as malicious.
  • 39–40. At the end of the analysis, the user gets a response from eyeShare with the verdict.
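The analysis stage of the slide-35 workflow (links and sender out of the body, attachments hashed, reputation consulted, CEF syslog for ArcSight when something is malicious), plus the "Encrypted?" branch from the slide-7 flowchart, which matters because a password-protected archive cannot be scanned or detonated. This is an added example, not eyeShare code: the forwarded message is constructed inline, the reputation callable stands in for VirusTotal and Cuckoo (no network access), and the vendor/product strings in the CEF header are assumed.

```python
"""Analysis stage of the slide-35 workflow: parse the e-mail a user forwarded to
the SOC, extract sender, links and attachments, consult a reputation source and
emit CEF events for ArcSight when something is malicious. Added example, not
eyeShare code. The reputation callable stands in for VirusTotal/Cuckoo (no
network access here); vendor/product strings in the CEF header are assumed."""
import hashlib
import io
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "SOC-Automation", "PhishTriage", "1.0"   # assumed


def _cef_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(signature_id: str, name: str, severity: int, **ext) -> str:
    """Build one CEF:0 line (header fields escape '|', extension values escape '=')."""
    header = "|".join(_cef_header(v) for v in
                      (CEF_VENDOR, CEF_PRODUCT, CEF_VERSION, signature_id, name, str(severity)))
    body = " ".join(f"{k}={_cef_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{body}"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted entry; such archives
    cannot be scanned or detonated without the password (slide 7's 'Encrypted?')."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def build_sample_email(encrypted_zip: bool = False) -> bytes:
    """Constructed forwarded message: one link in the body and one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("invoice.exe", (2014, 8, 17, 0, 0, 0)), b"MZ not really")
    blob = bytearray(buf.getvalue())
    if encrypted_zip:
        # Set the encryption flag in the local header (offset 6) and in the central
        # directory entry (offset 8 from the directory start, taken from the EOCD record).
        cd_start = struct.unpack("<I", blob[-6:-2])[0]
        blob[6] |= 1
        blob[cd_start + 8] |= 1
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <billing@example.invalid>"
    msg["To"] = "soc@corp.example"
    msg["Subject"] = "FW: Invoice overdue"
    msg.set_content("Please review http://example.invalid/invoice before Friday.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def triage(raw: bytes, is_malicious) -> dict:
    """Return what the workflow found and the CEF lines it would syslog to ArcSight.

    is_malicious(indicator) answers for sender addresses, URLs and SHA-256 hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg["From"])[1]
    body = msg.get_body(preferencelist=("plain", "html"))
    links = sorted(set(URL_RE.findall(body.get_content()))) if body else []
    cef, attachments, needs_analyst = [], [], False

    for ioc in [sender, *links]:
        if is_malicious(ioc):
            cef.append(to_cef("PHISH-URL", "Malicious link or sender in forwarded mail", 8,
                              suser=sender, request=ioc))
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        sha256 = hashlib.sha256(data).hexdigest()
        encrypted = zip_is_encrypted(data)
        attachments.append({"name": part.get_filename(), "md5": hashlib.md5(data).hexdigest(),
                            "sha256": sha256, "encrypted": encrypted})
        if encrypted:
            needs_analyst = True          # sandbox/AV cannot open it; leave it to a human
        elif is_malicious(sha256):
            cef.append(to_cef("PHISH-ATTACH", "Malicious attachment in forwarded mail", 9,
                              suser=sender, fname=part.get_filename(), fileHash=sha256))
    return {"sender": sender, "links": links, "attachments": attachments, "cef": cef,
            "needs_analyst": needs_analyst, "verdict": "malicious" if cef else "clean"}
```

Two details worth keeping when wiring this to a real SIEM: the CEF escaping is asymmetric (pipes in the header, equals signs in extension values), and an encrypted archive should never be reported "clean" just because no scanner flagged it; the `needs_analyst` flag is what keeps that case out of the automatic verdict.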
  • 41.
    • If we know what the alert is, which questions to ask, and which action to perform for each answer we receive, why not automate it?
    • Using automation, a SOC can handle more alerts with greater efficiency, maximize human productivity, strengthen the bond with the rest of the company, raise the SOC's maturity, and raise the overall security posture.
    • Operators/analysts will handle incidents after false-positive reduction, reconnaissance, and user input, and at the correct severity.
    • Operators/analysts will work much less on the "Known" threats and will be available to investigate the "Unknown" threats.
  • 42.
    • No more standalone, unsupported, unmanaged scripts written in different programming languages.
    • Single framework for all workflows with support for multiple devices (AD, Cisco, VMware, file moves, HTTP requests, DB queries, etc.).
    • Know the result of every part of every workflow, and keep it for as long as you need.
    • Integration with HP ArcSight (provided by We Ankor).
    • Support for HA, segmentation, and multiple domains.
  • 43. Or Cohen – We Ankor 2014