2. • Many daily alerts, even after advanced aggregation and correlation.
• Responding to every alert is not always possible due to lack of physical/virtual access, tools, time, or knowledge.
• Just initiating the response may take hours or even days – long after the initial alert was triggered.
• Response procedures are often non-existent or not strict enough – resulting in different responses to the same alerts.
• Not all alerts are handled, causing the SOC to miss possible incidents.
Sunday, August 17, 2014 slide 2
3. Most companies want to tackle the “Unknown” threats.
Yet the same companies still struggle with the most common “Known” threats.
4. • Build clear and strict response procedures for known alerts.
• Start a clear and strict response procedure for every single alert within seconds.
• Reduce False-Positives using automated data enrichment and collection processes from various sources post-alert.
• Minimize SOC work around scriptable procedures, allowing the SOC to focus its work on actions that cannot be automated.
• Increase the number of alerts handled to provide better coverage.
5. • Complete automation or semi-automation of IR processes.
• Data enrichment and data collection.
• False-Positive reduction.
• Ticketing and event management.
6. • Phase A – Plan monitoring according to risks.
• Must be suited to YOUR COMPANY.
[Diagram, three linked boxes: Risk – for example, availability loss to a critical system; Scenarios – for example, a compromised laptop floods a critical system; Systems & Content – system: a Netflow rule monitoring laptop communication.]
7. • Phase B – Plan response procedure according to the risk, scenario, systems, knowledge, and available tools.
• Must be suited to YOUR COMPANY.
[Flowchart: e-mail response workflow. Nodes: Mail arriving; Has links in body (yes/no); Check Virustotal; Malicious evidence (yes/no); Open ticket to block in Websense and TM WebRep; Has attachments (yes/no); Encrypted (yes/no); Send MD5 to ArcSight; Send to TM; Log and notify SOC; End workflow and notify SOC.]
8. • Phase C – Automate the response procedure according to the risk, scenario, systems, knowledge, and available tools.
• Must be suited to YOUR COMPANY.
9. [Diagram: workstation WS98123, user User_adm_14, logging in to AD with five failed attempts in a row.]
User running Brute Force Attack!
Hostname: WS98123
User: User_adm_14
Number of failed attempts: 5
10. • Possible questions to ask:
• Is the user a valid user in AD? If so, does it belong to a person or a service?
• Is the user a member of a critical group or does it have administrative privileges?
• Is the user currently locked?
• Did the user reset his/her password recently?
• Possible actions to take:
• Ask the person in charge of the user if he/she failed to log in from that host.
• Lock/disable the account (if not already locked by DC policy).
• Send the host to a different VLAN using NAC/IPS.
11. How much time would it take to answer/perform these tasks in your SOC?
12. • ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident.
13. • eyeShare opens an internal ticket for operators to see the incident.
14. • eyeShare queries AD, checking whether the user exists.
15. • If the user exists, eyeShare queries AD again to get the user’s mobile phone number.
16. • eyeShare sends a text message to the user, asking him/her whether he/she failed to log in on the relevant host.
17. • If the user replies “yes”, the internal ticket is closed and the incident is resolved.
18. • If the user replies “no”, or does not reply within 10 minutes, the severity of the internal ticket is raised and the user is disabled for 10 minutes.
19. • If the user does not exist, eyeShare sends a text message to the operator on call, asking if he/she knows the user or details about the incident.
20. • If the operator on call replies “yes”, the internal ticket is closed and the incident is resolved.
21. • If the operator on call replies “no”, or does not reply within 10 minutes, the severity of the internal ticket is raised and the host is quarantined by the NAC.
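The brute-force playbook of slides 12-21, written out as a decision flow. This is an added example, not eyeShare's or Ayehu's code: AD, SMS, the ticket and the NAC are in-memory stand-ins (constructed), the user and number are hypothetical, and a missing reply models the 10-minute timeout. It also answers two of the slide-10 questions (does the user exist, who owns it) on the way.

```python
"""Brute-force alert playbook (added example; not the vendor's code).

Flow: look the alerted user up in AD, ask the user by text message whether the
failed logins were theirs, and on "no" or no reply within 10 minutes raise the
ticket severity and disable the account; for a user AD does not know, ask the
on-call operator instead and on "no" or timeout quarantine the host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONFIRM_TIMEOUT_MIN = 10   # slides 18/21: how long to wait for a reply
DISABLE_MIN = 10           # slide 18: length of the temporary account disable


@dataclass
class Alert:
    hostname: str
    user: str
    failed_attempts: int


@dataclass
class Ticket:
    alert: Alert
    severity: str = "medium"
    status: str = "open"
    notes: List[str] = field(default_factory=list)


class Directory:
    """AD stand-in: user name -> mobile number (constructed sample data)."""

    def __init__(self, users: Dict[str, str]):
        self.users = users

    def mobile_for(self, user: str) -> Optional[str]:
        return self.users.get(user)


class Messenger:
    """SMS stand-in. `replies` maps a number to its reply text; a missing
    entry means no reply arrived within CONFIRM_TIMEOUT_MIN."""

    def __init__(self, replies: Dict[str, str]):
        self.replies = replies
        self.sent: List[Tuple[str, str]] = []

    def ask(self, number: str, question: str) -> Optional[str]:
        self.sent.append((number, question))
        return self.replies.get(number)


@dataclass
class Containment:
    """Records the actions the playbook would hand to AD (disable) and the NAC (quarantine)."""
    disabled: List[Tuple[str, int]] = field(default_factory=list)
    quarantined: List[str] = field(default_factory=list)


def said_yes(reply: Optional[str]) -> bool:
    return reply is not None and reply.strip().lower() == "yes"


def run_playbook(alert: Alert, ad: Directory, sms: Messenger,
                 actions: Containment, on_call_number: str) -> Ticket:
    ticket = Ticket(alert)                         # slide 13: internal ticket
    mobile = ad.mobile_for(alert.user)             # slides 14-15: AD lookups
    if mobile is not None:
        reply = sms.ask(mobile, f"Did you fail to log in on {alert.hostname}? "
                                f"Reply yes/no within {CONFIRM_TIMEOUT_MIN} min.")
        if said_yes(reply):                        # slide 17
            ticket.status = "resolved"
            ticket.notes.append("user confirmed the failed logins")
        else:                                      # slide 18: "no" or timeout
            ticket.severity = "high"
            actions.disabled.append((alert.user, DISABLE_MIN))
            ticket.notes.append(f"no confirmation; account disabled for {DISABLE_MIN} min")
    else:
        reply = sms.ask(on_call_number, f"Unknown user {alert.user} failing logins on "
                                        f"{alert.hostname}; do you know it? Reply yes/no.")
        if said_yes(reply):                        # slide 20
            ticket.status = "resolved"
            ticket.notes.append("operator recognised the user")
        else:                                      # slide 21: "no" or timeout
            ticket.severity = "high"
            actions.quarantined.append(alert.hostname)
            ticket.notes.append("operator did not confirm; host quarantined by NAC")
    return ticket


if __name__ == "__main__":
    ad = Directory({"User_adm_14": "+1-555-0100"})            # constructed
    alert = Alert("WS98123", "User_adm_14", 5)               # the slide-9 alert
    t = run_playbook(alert, ad, Messenger({"+1-555-0100": "yes"}), Containment(), "+1-555-0199")
    print(t.status, t.severity, t.notes)
```

Every branch ends by writing to the ticket, so the operator who picks it up later sees which question was asked, who answered, and what was already done; that record is what makes the 10-minute disable safe to automate.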
22. [Diagram: a Power User adds a Normal User to the VIP Users Group in AD.]
24. Rule: User Added & Removed From VIP Group in 1h
Added User: X
Adding User: Y
Group: GroupZ
[Diagram: the Power User removes the Normal User from the VIP Users Group in AD.]
25. • Possible questions to ask:
• Was this action authorized and documented in IDM/Ticketing?
• Who is the adding user? Is he/she authorized to add/remove users from groups?
• Who is the added user? Is he/she a new employee? From which department?
• What time is it? Is it night? Is it a holiday or weekend?
• Possible actions to take:
• Talk to both users to understand why the user was added and removed.
• Lock their accounts.
• Remove their permissions until further investigation.
26. How much time would it take to answer/perform these tasks in your SOC?
27. • ArcSight alerts eyeShare using the OOTB e-mail template with all information related to the incident.
• A ticket is opened.
28. • All AD information for both users is gathered.
29. • A search is performed on the ticketing system to validate whether a ticket has been opened, reviewed, and authorized regarding this issue. If so, the incident is resolved.
30. • If a ticket is not present for this issue, an e-mail is sent to the adding user, the added user, and the SOC operator.
• The e-mail requests that they explain their actions.
• Their response is documented and reviewed by the SOC.
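The slide-24 rule and the enrichment of slides 25 and 27-30, as an added example that is not the vendor's code. Windows records group-membership changes as security events 4728 (member added to a security-enabled global group) and 4729 (member removed); the event sample, AD attributes, group-owner list and ticketing entries below are constructed stand-ins, and the business-hours window is an assumption.

```python
"""Group-change review playbook (added example; not the vendor's code).

Step 1 pairs an addition with a removal of the same member from the same
group inside one hour (the slide-24 rule). Step 2 answers the slide-25
questions from AD and the ticketing system and applies the slide-29/30 rule:
an approved ticket resolves the incident, otherwise both users and the SOC
are asked to explain.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

EVENT_ADDED, EVENT_REMOVED = 4728, 4729   # Windows security event IDs


@dataclass(frozen=True)
class GroupEvent:
    time: datetime
    event_id: int
    actor: str     # "Adding user" in the slide's alert
    member: str    # "Added user"
    group: str


def find_add_remove_pairs(events: List[GroupEvent],
                          window: timedelta = timedelta(hours=1)
                          ) -> List[Tuple[GroupEvent, GroupEvent]]:
    """Pair each removal with the latest earlier addition of that member to that group."""
    pending: Dict[Tuple[str, str], GroupEvent] = {}
    pairs: List[Tuple[GroupEvent, GroupEvent]] = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.member.lower(), ev.group.lower())
        if ev.event_id == EVENT_ADDED:
            pending[key] = ev
        elif ev.event_id == EVENT_REMOVED and key in pending:
            added = pending.pop(key)
            if ev.time - added.time <= window:
                pairs.append((added, ev))
    return pairs


def enrich(added: GroupEvent, removed: GroupEvent, ad_users: Dict[str, Dict],
           group_owners: Dict[str, set], tickets: List[Dict],
           business_hours: Tuple[int, int] = (8, 18)) -> Dict:
    """Answer the slide-25 questions and apply the slide-29/30 decision rule."""
    member = ad_users.get(added.member, {})
    ticket: Optional[Dict] = next(
        (t for t in tickets
         if t["member"].lower() == added.member.lower()
         and t["group"].lower() == added.group.lower()
         and t["status"] == "approved"), None)
    off_hours = (added.time.weekday() >= 5
                 or not business_hours[0] <= added.time.hour < business_hours[1])
    finding = {
        "member": added.member, "actor": added.actor, "group": added.group,
        "minutes_in_group": int((removed.time - added.time).total_seconds() // 60),
        "actor_authorized": added.actor in group_owners.get(added.group, set()),
        "member_department": member.get("department"),
        "member_is_new_hire": member.get("new_hire", False),
        "off_hours": off_hours,
        "ticket": ticket["id"] if ticket else None,
    }
    if ticket:                    # slide 29: documented and approved -> resolve
        finding["decision"] = "resolve"
        finding["notify"] = []
    else:                         # slide 30: ask both users and the SOC to explain
        finding["decision"] = "request_explanation"
        finding["notify"] = [added.actor, added.member, "soc-operator"]
    return finding


def sample_events() -> List[GroupEvent]:
    """Constructed sample: User_X added to and removed from the VIP group at
    02:15/02:40 on a Sunday, plus an unrelated addition that is never reverted."""
    t0 = datetime(2014, 8, 17, 2, 15)
    return [
        GroupEvent(t0, EVENT_ADDED, "User_Y", "User_X", "VIP Users Group"),
        GroupEvent(t0 + timedelta(minutes=25), EVENT_REMOVED, "User_Y", "User_X", "VIP Users Group"),
        GroupEvent(t0 + timedelta(hours=3), EVENT_ADDED, "User_Y", "User_W", "Normal Users"),
    ]


SAMPLE_AD = {"User_X": {"department": "Finance", "new_hire": True},   # constructed
             "User_Y": {"department": "IT", "new_hire": False}}
SAMPLE_OWNERS = {"VIP Users Group": {"User_Y"}}                       # constructed


if __name__ == "__main__":
    for added, removed in find_add_remove_pairs(sample_events()):
        print(enrich(added, removed, SAMPLE_AD, SAMPLE_OWNERS, tickets=[]))
```

The enrichment fields are deliberately kept even when the decision is "resolve": an approved change made at 02:15 on a Sunday by an authorized owner is still worth a glance, and the SOC reviewing the reply (slide 30) should see the answers to all four questions rather than only the verdict.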
32. [Diagram: phishing-report flow. An e-mail is sent to one or more users; a user suspects the e-mail might be malicious and forwards it to the SOC; the SOC investigates using web reputation, anti-virus, history (URL/mail), sandbox, etc.]
33. • Possible questions to ask:
• Who sent the e-mail?
• Are there any links in the e-mail? If so, could clicking them lead to infection?
• Are there any attachments in the e-mail? If so, would opening them lead to infection?
• How many people got this e-mail?
• Possible actions to take:
• Block the sender in the mail relay.
• Block the links in the proxy.
• Block/blacklist the attachments, upload them to the AV vendor.
34. How much time would it take to answer/perform these tasks in your SOC?
35. • This workflow receives an e-mail forwarded by a user to the SOC and does the following:
• Thanks the user for forwarding the e-mail to the SOC.
• Checks for links and e-mail addresses and sends all findings to be analyzed by VirusTotal. Notifies ArcSight by CEF syslog if a link is malicious.
• Checks for attachments and uploads all findings to be analyzed by VirusTotal and Cuckoo Sandbox. Notifies ArcSight by CEF syslog if an attachment is malicious.
• Sends the analysis verdict back to the user (clean/malicious).
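The slide-35 workflow as an added example, not eyeShare's own code: parse the forwarded message, extract links and attachment hashes (the slide-33 questions), look each up, emit one CEF syslog line per malicious finding for ArcSight, and return the verdict for the user. The reputation lookup is a plain dict standing in for VirusTotal and Cuckoo (an assumption), the message is constructed in code, and the CEF vendor/product strings are placeholders; the CEF escaping and the extension keys (`suser`, `request`, `fname`, `fileHash`) follow the ArcSight CEF specification.

```python
"""Phishing-report workflow (added example; not the vendor's code)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_mail() -> bytes:
    """Constructed phishing sample with one link and one attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review your invoice at\n"
                    "http://example.invalid/login and open the attachment.\n")
    msg.add_attachment(b"MZ-not-really-a-binary", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def extract_iocs(raw: bytes) -> Dict:
    """Sender, unique URLs from the text parts, and name/hashes of each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)          # raw attachment bytes
            attachments.append({"name": part.get_filename(),
                                "md5": hashlib.md5(data).hexdigest(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"sender": str(msg["From"]), "urls": sorted(urls), "attachments": attachments}


def cef_escape_header(s: str) -> str:
    """CEF header fields escape backslash and pipe."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(s: str) -> str:
    """CEF extension values escape backslash, equals sign and line breaks."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def cef_event(signature_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape_header(f) for f in
                      ("CEF:0", "ExampleSOC", "PhishingWorkflow", "1.0",   # placeholders
                       signature_id, name, str(severity)))
    extension = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return f"{header}|{extension}"


def analyze(raw: bytes, reputation: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (verdict, cef_lines). `reputation` maps a URL or sha256 to 'malicious'/'clean'
    and stands in for the VirusTotal/Cuckoo lookups of the slide."""
    iocs = extract_iocs(raw)
    events: List[str] = []
    for url in iocs["urls"]:
        if reputation.get(url) == "malicious":
            events.append(cef_event("PHISH-URL", "Malicious link in reported e-mail", 8,
                                    {"suser": iocs["sender"], "request": url}))
    for att in iocs["attachments"]:
        if reputation.get(att["sha256"]) == "malicious":
            events.append(cef_event("PHISH-ATT", "Malicious attachment in reported e-mail", 9,
                                    {"suser": iocs["sender"], "fname": att["name"],
                                     "fileHash": att["sha256"]}))
    verdict = "malicious" if events else "clean"   # what goes back to the user
    return verdict, events


if __name__ == "__main__":
    raw = build_sample_mail()
    bad = {"http://example.invalid/login": "malicious"}   # constructed reputation data
    verdict, lines = analyze(raw, bad)
    print(verdict)
    print("\n".join(lines))
```

Hashes are computed on the decoded attachment bytes, not the base64 text, so they match what a sandbox or AV vendor would report; and the URL and the sender are escaped before they enter the CEF extension, since an attacker-chosen `=` or newline in either would otherwise corrupt the event ArcSight parses.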
36. • A user gets this e-mail, and decides to forward it to the SOC.
37. • Upon reception, eyeShare sends back a successful-submission e-mail, providing the user with some initial instructions and a reference ID.
38. • The operator on call will receive an e-mail notification if an attachment or link is detected as malicious.
39. • At the end of the analysis, the user gets a response from eyeShare with the verdict.
40.
41. • If we know what the alert is, which questions to ask, and which action to perform for each answer we receive – why not automate it?
• Using automation, a SOC can handle more alerts with greater efficiency, maximize human productivity, strengthen the bond with the rest of the company, raise the SOC’s maturity, and raise the overall security posture.
• Operators/analysts will handle incidents after False-Positive reduction, reconnaissance, and user input, and at the correct severity.
• Operators/analysts will work much less on the “Known” threats and will be available to investigate the “Unknown” threats.
42. • No more standalone, unsupported, unmanaged scripts written in different programming languages.
• Single framework for all workflows with support for multiple devices (AD, CISCO, VMWare, move files, http requests, DB queries, etc.).
• Know the result of every part of every workflow, and keep it for as long as you need.
• Integration with HP ArcSight (provided by We Ankor).
• Support for HA, segmentation, and multiple domains.