Automation and Orchestration
CONTENTS
Background
Early Moves
SDKs and APIs
The Way Forward in Automation and Orchestration
Conclusion—Having Your Cake and Eating It Too
© 2015 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
Harnessing Threat Intelligence for Better Incident Response
In June of 2014, Wisegate conducted a member-driven research initiative designed to
assess the current state of security risks and controls in business today. Assessing IT
Security Risks addresses many of the top takeaways from that survey. This current
document is the fourth in a new series of reports designed to look more closely at four
specific issues highlighted by that survey.
» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration
Background
The nature of information security is evolving. In the Web 1.0 era it took a basic
perimeter stance: a barrier defending the trusted corporate network from the untrusted
internet. The arrival of Web 2.0, the cloud and mobile computing, coupled with the
increasing maturity of threat actors, has brought the growing realization that a barrier
alone is no longer enough to keep bad actors off company networks.
The consensus today is that defenders should assume that it is impossible to keep a
determined and resourceful adversary out—indeed, defenders should assume that they
have already been breached; or if not yet, they very soon will be.
This requires a new way of thinking: if you have already been breached, how you respond
is now the priority. This has led to a new emphasis in security: incident response, which
comprises recognizing an incident and responding to it quickly and effectively. It therefore
draws on products like DLP, SIEM, threat detection and anomaly detection, with the
specific intent of both finding and responding to a breach in as close to real time as possible.
A key element in almost all incident response systems is the collection and presentation of
potential incident information, more usually described as ‘threat intelligence.’ This comes
with two problems: firstly the sheer volume of data presented by incident response
systems; and secondly the disparate and isolated manner in which the intelligence is
reported. A common response from CISOs is that “I don’t need more intelligence, I just
need better intelligence.” That ‘better’ intelligence must also be usable: in a form that
the different security controls can consume and act on.
It is of little surprise that the Assessing IT Security Risks report shows that today’s CISOs
have a strong interest in acquiring the ability to automate and orchestrate the intelligence
they receive from different controls (see Figure 1 taken from the underlying survey).
Figure 1. Survey Question: Which Incident Response security controls will be most
relevant to you during the next 3 - 5 years in your organization?
Source: Wisegate, June 2014
As the Assessing IT Security Risks report notes, “Over half (59%) of respondents marked
either proactive threat/misuse detection or automated orchestration as a top choice to
streamline their incident response plans and limit their exposure windows.”
The question, however, is how do you achieve that automation and orchestration in incident
response?
Early Moves
The early attempts at orchestrating infosecurity centred on vendor mergers and
acquisitions, aimed at building a single supplier covering all of the angles. The
commercial bet was that buyers would be attracted by an ‘all-under-one-roof’ offering.
In reality this never materialized: the case for buying best-of-breed point products
has generally been stronger than the case for a single product perceived to provide
lesser security. But the result of buying separate point products is the basis of
today’s problem: how do you automate and orchestrate the threat intelligence provided by
multiple disparate security controls?
One possible solution is to develop a separate product to do it for you—and SIEMs are a
good example. In theory, SIEMs can receive and interpret alerts taken from one control and
automatically instruct a different control to perform a required response. For example,
theoretically, a SIEM should be able to receive an infection alert from an AV control, shut
down the infected system, and write firewall rules to prevent further infection by the
malware detected. That would indeed provide both orchestration and automation. The
problem is that early SIEMs never quite delivered on what they promised.
But the SIEMs’ promise, says Bill Burns, author of the Assessing IT Security Risks report
and developer of its underlying survey, is good. “The goal was right,” he comments: “how
can we get a standard protocol and a standard process in place so that all of our different
security products can deliver their intelligence to a single system that will then, with some
hand-waving and magic, come out with better answers than each of the products working
by themselves?” If those answers could be used to automatically trigger the correct
response from other systems, then that would indeed be the problem of orchestration and
automation solved.
But, continues Burns, “the standard protocols were very rudimentary. The initial complaint
with SIEMs was that there was a high promise—but it required a very large investment in
human capital and a very large investment in professional services to get delivery on that
promise.”
He gave an example of the difficulties. He once used a single AV product across all of his
company’s computers. “That AV,” he said, “generates a report each week that I could not
read on my iPad. When I went to the vendor and asked for the report in PDF format, the
reply was, ‘Well, we’re thinking about it, but it’s not a priority for us.’” In other words, the
vendor could not or would not provide a standard output, never mind a format that could be
understood by other machines. “That is a dinosaur of a product,” he added; and dinosaurs
became extinct. It leaves the customer with the choice of accepting the problem, or going
to the trouble of developing his own format conversion routine.
At an earlier company, commented Burns, he had replaced the very same AV product “with
a different vendor that had an open API allowing us to write our own reports using a RESTful
API. It allowed me to tie my analytics system to my anti-virus system.”
SDKs and APIs
While one line of development explored acquisitions and specific orchestration products, a
second line led to standards in APIs. APIs first existed as part of, and within, products’ SDKs.
The existence of an SDK was an essential selling point for any new product: it allowed
third-party developers to produce new products that would work with, and therefore improve
the overall value of, the vendor’s own product. But the API began to take on a life of its own
as buyers chose to use the APIs of separate products to tie them together, rather than buy
one product and develop around it.
The first serious API standard to emerge was SOAP (Simple Object Access Protocol).
Although this is still in use, it is largely being replaced by REST (Representational State
Transfer). The driving force behind these APIs is the evolution of the web and the
increasing use of web services. Burns explains, “Traditionally, IT products were proprietary
and complicated. If you wanted to wire two things together you would call in a consulting
company to do a custom integration.” But the web and web services changed things.
“There was an early realization that the way IT departments were provisioning their
computers and services through hardware dependent manual processes was just too slow.
As the web began to make communications easier it exposed friction in the IT organizations
because they couldn’t move fast enough—they couldn’t change their systems and their
interconnections in a timely fashion.”
This led to a pent up demand for more efficient provisioning, which in turn led to APIs
emerging from within their SDKs to stand on their own—first with SOAP and then with REST.
While both are loosely described as ‘web services,’ they are different things. SOAP is a
messaging protocol focused on invoking named operations; REST is an architectural style
focused on accessing named resources through a single consistent interface (the HTTP
verbs). SOAP exposes pieces of application logic as remote procedure calls, while REST
maps naturally onto CRUD operations over the internet.
“Consider,” continues Burns, “that I want to do security controls in the cloud—something
like Amazon, for example—and I want to apply an AV software to all of my servers in that
cloud. If I don’t have an API that I can program to push out all of the configurations I will
never be able to keep up with the velocity of change in the cloud. So products that don’t
participate in orchestration simply won’t get chosen going forward.”
APIs make it possible to automate provisioning—but they also make it easier for different
systems to talk to each other. In other words, what might start as provisioning can expand
into orchestrated automation between different products.
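The ‘format conversion routine’ of the previous section and the API-driven pull Burns describes, as an added example that is not code from the Wisegate report or from any vendor: a Python normalizer that takes a legacy tab-separated AV report and a JSON alert feed (both constructed samples; the field names, the 1..4 severity scale and the REST endpoint shape are assumptions) and produces one common schema, merging repeated sightings and dropping malformed rows rather than crashing the pipeline.

```python
"""Normalize alerts from two disparate controls into one schema.

Added example, not part of the Wisegate report. Both inputs are constructed
to stand in for vendor-specific output; field names, the severity scale and
the endpoint shape are assumptions.
"""
import csv
import io
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed sample of a legacy weekly report: tab-separated, vendor-specific
# risk words, local timestamps with no zone (assumed UTC here), and the odd
# junk line such exports tend to emit.
LEGACY_REPORT = """\
Date\tHost\tThreat\tAction\tRisk
2015-03-02 08:14\tws-0412\tTrojan.Generic.1234\tquarantined\tHigh
2015-03-02 09:01\tws-0419\tPUA.Toolbar\tlogged\tLow
garbage line that the vendor export sometimes emits
2015-03-02 09:30\tws-0412\tTrojan.Generic.1234\tquarantined\tHigh
"""

# Constructed sample of what a RESTful alert endpoint (say GET /api/v1/alerts)
# might return; the shape is an assumption.
JSON_FEED = json.dumps({"alerts": [
    {"id": "a-77", "ts": "2015-03-02T10:05:00Z", "hostname": "srv-db-01",
     "signature": "Backdoor.Agent.X", "score": 92, "state": "detected"},
    {"id": "a-78", "ts": "2015-03-02T10:06:00Z", "hostname": "ws-0412",
     "signature": "Trojan.Generic.1234", "score": 65, "state": "cleaned"},
]})


@dataclass(frozen=True)
class Alert:
    """The one schema every downstream control consumes."""
    source: str
    host: str
    indicator: str
    severity: int       # 1 (info) .. 4 (critical)
    contained: bool     # did the reporting control already neutralize it?
    observed_at: str    # ISO-8601, UTC


LEGACY_RISK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CONTAINED_ACTIONS = {"quarantined", "cleaned", "deleted", "blocked"}
CONTAINED_STATES = {"cleaned", "quarantined", "blocked"}


def parse_legacy_report(text):
    """Parse the tab-separated report; malformed rows are dropped, not fatal."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        try:
            ts = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M")
            sev = LEGACY_RISK[row["Risk"].strip().lower()]
            host, threat, action = (row[k].strip() for k in ("Host", "Threat", "Action"))
        except (KeyError, ValueError, TypeError, AttributeError):
            continue
        alerts.append(Alert("legacy-av", host, threat, sev,
                            action.lower() in CONTAINED_ACTIONS,
                            ts.replace(tzinfo=timezone.utc).isoformat()))
    return alerts


def score_to_severity(score):
    """Map a vendor's 0-100 score onto the common 1..4 scale."""
    return 4 if score >= 90 else 3 if score >= 70 else 2 if score >= 40 else 1


def parse_json_feed(payload):
    """Parse the REST feed; items missing required fields are dropped."""
    alerts = []
    for item in json.loads(payload).get("alerts", []):
        try:
            ts = datetime.fromisoformat(item["ts"].replace("Z", "+00:00"))
            alerts.append(Alert("rest-av", item["hostname"], item["signature"],
                                score_to_severity(int(item["score"])),
                                item.get("state") in CONTAINED_STATES,
                                ts.astimezone(timezone.utc).isoformat()))
        except (KeyError, ValueError, TypeError, AttributeError):
            continue
    return alerts


def merge(alerts):
    """Collapse repeated sightings of one (host, indicator) into one alert."""
    merged = {}
    for a in alerts:
        key = (a.host, a.indicator)
        prev = merged.get(key)
        if prev is None:
            merged[key] = a
            continue
        merged[key] = replace(
            prev,
            source="+".join(sorted(set(prev.source.split("+")) | {a.source})),
            severity=max(prev.severity, a.severity),
            # contained only if every control that saw it says so
            contained=prev.contained and a.contained,
            observed_at=min(prev.observed_at, a.observed_at))
    return sorted(merged.values(), key=lambda a: (-a.severity, a.host))


def normalize(legacy_text=LEGACY_REPORT, json_payload=JSON_FEED):
    """Pull both sources into the common schema, most severe first."""
    return merge(parse_legacy_report(legacy_text) + parse_json_feed(json_payload))


if __name__ == "__main__":
    for a in normalize():
        print(a)
```

Severity is mapped onto one ordinal scale so a downstream control can threshold on it regardless of which product raised the alert, and the merge marks an alert as contained only if every control that saw it says so: the control that missed the containment is the one that matters.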
The Way Forward in Automation and Orchestration
While companies still acquire other companies in order to strengthen their product line or
increase their customer reach, others are splitting up so that each new part can focus
on its own core product area. It seems to be a natural cycle in business: companies
combine, lose their edge over time, and separate again. Whatever the reason, the era of
widespread acquisitions aimed at producing the all-in-one killer security product appears
to be over. The options for automation and orchestration are now focused on the use of
RESTful APIs, either with IT departments doing the work themselves, or waiting for SIEM 2
or even SIEM 3 (not specifically, but as a metaphor for new orchestration products) to do
it for them.
Burns believes that the evolution of SIEM-like products into a universal connector—
something he calls the ‘notion of centralized security management’—is unlikely. “I think the
trend will be decentralized,” he explains, “so that products talk to and integrate with other
products directly rather than going through a centralized broker (although there may also
be a centralized aggregator of information).” The value of a single central orchestration
system is less important now as people have seen SIEMs fail—the reality was just too
unwieldy. “The future,” he concludes, “is more decentralized.”
Conclusion—Having Your Cake and Eating It Too
“For orchestration and automation,” says Burns, “I don’t necessarily need different
companies and different products to work together in lockstep, but I need them to work
together in some way. So I guess the question is, is it easier for me as a customer to glue
these products together via their APIs, or wait for a vendor to do it for me? It’s the tension
between speed and capability on the customer side.” In infosec, the need for speed will
always prevail, provided only that the company also has the capability.
So self-made orchestration and automation via best-of-breed products and APIs is not
merely the best solution; it is by definition tailored to individual requirements. It’s like
having your cake and eating it, but achieving it requires a staff of people who are both
security-minded and able to write and develop their own code. It also makes that glue code
a security control in its own right: the API credentials it holds and the actions it can
trigger need the same least-privilege, review and testing discipline as any other
production system.
“It’s not just a case of deploying products,” says Burns, “but being able to orchestrate the
response from those products. So, if an AV product says, ‘Hey, I think I’ve found an infected
machine’, that response needs to generate a firewall rule to kick the infector off the
network.”
It requires, he continues, “a network person and an AV person, but also someone with a
security mindset and the ability to glue these systems together in a fashion that neither
product can do by itself.” This in turn becomes a forcing function on security staff, who now
require an additional skill to what’s been accepted in the past: orchestration and
automation requires APIs and an in-house security developer.
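The AV-alert-to-firewall-rule chain, theoretical for the SIEM in ‘Early Moves’ and spelled out by Burns above, as an added example that is not the report’s or any vendor’s code: a small playbook that takes a normalized detection, decides whether to isolate the host, and writes a drop rule through a stand-in firewall client (the detection fields, the policy thresholds, the protected-host list and the dry-run client are all assumptions). The brakes matter as much as the action: once a detection can trigger a block automatically, anyone who can provoke a detection can make your own automation take a host off the network.

```python
"""Auto-containment playbook: normalized AV detection in, firewall rule out.

Added example, not the Wisegate report's or any vendor's code. The detection
fields, thresholds, protected-host list and firewall client are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Detection:
    host: str
    ip: str
    indicator: str
    severity: int      # 1 (info) .. 4 (critical), as normalized upstream
    contained: bool    # True if the AV already quarantined or cleaned it


@dataclass(frozen=True)
class Policy:
    min_severity: int = 3
    # Hosts never isolated automatically: a false positive here costs more
    # than a slower, human-approved response.
    protected_hosts: frozenset = frozenset({"srv-dc-01", "srv-db-01"})
    # Blast-radius brake: an attacker who can provoke AV alerts must not be
    # able to take the estate offline through our own playbook.
    max_isolations_per_hour: int = 5


class DryRunFirewall:
    """Stand-in for a vendor REST client (e.g. POST /rules); records rules."""

    def __init__(self):
        self.rules = []

    def block_host(self, ip, comment):
        rule = {"action": "drop", "src": ip, "dst": "any", "comment": comment}
        self.rules.append(rule)
        return rule


class Playbook:
    def __init__(self, firewall, policy=None, now=None):
        self.fw = firewall
        self.policy = policy or Policy()
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.recent = []   # timestamps of automated isolations in the window
        self.audit = []    # every decision, acted on or not

    def _decide(self, det, decision, reason):
        self.audit.append({"host": det.host, "decision": decision, "reason": reason})
        return decision

    def handle(self, det):
        p = self.policy
        if det.contained:
            return self._decide(det, "ignore", "already contained by the AV")
        if det.severity < p.min_severity:
            return self._decide(det, "ticket", "below auto-response threshold")
        if det.host in p.protected_hosts:
            return self._decide(det, "escalate", "protected host, human decides")
        cutoff = self.now() - timedelta(hours=1)
        self.recent = [t for t in self.recent if t > cutoff]
        if len(self.recent) >= p.max_isolations_per_hour:
            return self._decide(det, "escalate", "isolation rate limit reached")
        self.fw.block_host(det.ip, f"auto-isolate {det.host}: {det.indicator}")
        self.recent.append(self.now())
        return self._decide(det, "isolated", "drop rule written")


# Constructed sample detections: the first three exercise each brake, the
# remaining six exhaust the hourly isolation budget.
SAMPLE = [
    Detection("ws-0412", "10.1.4.12", "Trojan.Generic.1234", 3, True),
    Detection("ws-0419", "10.1.4.19", "PUA.Toolbar", 1, False),
    Detection("srv-db-01", "10.2.0.5", "Backdoor.Agent.X", 4, False),
] + [
    Detection(f"ws-05{n:02d}", f"10.1.5.{n}", "Backdoor.Agent.X", 4, False)
    for n in range(1, 7)
]


def run_demo(detections=SAMPLE):
    """Run the playbook at a fixed clock; returns (decisions, rules, audit)."""
    fixed = datetime(2015, 3, 2, 10, 0, tzinfo=timezone.utc)
    fw = DryRunFirewall()
    pb = Playbook(fw, now=lambda: fixed)
    decisions = [pb.handle(d) for d in detections]
    return decisions, fw.rules, pb.audit


if __name__ == "__main__":
    for entry in run_demo()[2]:
        print(entry)
```

Every decision, including the ones that do nothing, lands in the audit list so the analyst can see why a host was or was not isolated; swapping DryRunFirewall for a real client is the only change needed to go live, which is exactly why the brakes live in the playbook and not in the client.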
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.

The difference between in-depth analysis of virtual infrastructures & monitoringThe difference between in-depth analysis of virtual infrastructures & monitoring
The difference between in-depth analysis of virtual infrastructures & monitoring
 
How To Select Security Orchestration Vendor
How To Select Security Orchestration VendorHow To Select Security Orchestration Vendor
How To Select Security Orchestration Vendor
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 

More from Chris Ross

Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationChris Ross
 
Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest ThreatChris Ross
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Chris Ross
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsChris Ross
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsChris Ross
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401Chris Ross
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should KnowChris Ross
 

More from Chris Ross (8)

Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
Metrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in CommunicationMetrics & Reporting - A Failure in Communication
Metrics & Reporting - A Failure in Communication
 
Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest Threat
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft Skills
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next Steps
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Automation and Orchestration - Harnessing Threat Intelligence for Better Incident Response

The consensus today is that defenders should assume that it is impossible to keep a determined and resourceful adversary out—indeed, defenders should assume that they have already been breached; or if not yet, they very soon will be. This requires a new way of thinking: if you have already been breached, how you respond is now the priority.

This has led to a new type of security: incident response. It comprises recognizing the incident and responding to it quickly and effectively. It therefore encompasses products like DLP, SIEM, threat detection and anomaly detection with the specific intent to both find and respond to a breach in as close to real-time as possible.

A key element in almost all incident response systems is the collection and presentation of potential incident information, more usually described as ‘threat intelligence.’ This comes with two problems: firstly, the sheer volume of data presented by incident response systems; and secondly, the disparate and isolated manner in which the intelligence is reported. A common response from CISOs is that “I don’t need more intelligence, I just need better intelligence.” That ‘better’ intelligence also needs to be ‘usable’ intelligence by different security controls.

It is of little surprise that the Assessing IT Security Risks report shows that today’s CISOs have a strong interest in acquiring the ability to automate and orchestrate the intelligence they receive from different controls (see Figure 1, taken from the underlying survey).

Figure 1. Survey Question: Which Incident Response security controls will be most relevant to you during the next 3 - 5 years in your organization? Source: Wisegate, June 2014

As the Assessing IT Security Risks report notes, “Over half (59%) of respondents marked either proactive threat/misuse detection or automated orchestration as a top choice to streamline their incident response plans and limit their exposure windows.” The question, however, is how do you achieve that automation and orchestration in incident response?

Early Moves

The early attempts at orchestrating infosecurity really focused around vendor mergers and acquisitions in an attempt to build a single supplier covering all of the angles. The commercial argument was that buyers would be attracted by the ‘all-under-one-roof’ proposition. In reality this never materialized—the argument for buying best-of-breed point products is generally more attractive than buying a single product that is perceived to provide lesser security. But the result of buying separate point products is the basis of today’s problem: how do you automate and orchestrate the threat intelligence provided by multiple disparate security controls?

One possible solution is to develop a separate product to do it for you—and SIEMs are a good example. In theory, SIEMs can receive and interpret alerts taken from one control and automatically instruct a different control to perform a required response. For example, theoretically, a SIEM should be able to receive an infection alert from an AV control, shut down the infected system, and write firewall rules to prevent further infection by the malware detected. That would indeed provide both orchestration and automation. The problem is that early SIEMs never quite delivered on what they promised.

But the SIEMs’ promise, says Bill Burns, author of the Assessing IT Security Risks report and developer of its underlying survey, is good. “The goal was right,” he comments: “how can we get a standard protocol and a standard process in place so that all of our different security products can deliver their intelligence to a single system that will then, with some hand-waving and magic, come out with better answers than each of the products working by themselves?” If those answers could be used to automatically trigger the correct response from other systems, then the problem of orchestration and automation would indeed be solved. But, continues Burns, “the standard protocols were very rudimentary. The initial complaint with SIEMs was that there was a high promise—but it required a very large investment in human capital and a very large investment in professional services to get delivery on that promise.”
He gave an example of the difficulties. He once used a single AV product across all of his company’s computers. “That AV,” he said, “generates a report each week that I could not read on my iPad. When I went to the vendor and asked for the report in PDF format, the reply was, ‘Well, we’re thinking about it, but it’s not a priority for us.’” In other words, the vendor could not or would not provide a standard output, never mind a format that could be understood by other machines. “That is a dinosaur of a product,” he added; and dinosaurs became extinct. It leaves the customer with the choice of accepting the problem, or going to the trouble of developing his own format conversion routine. At an earlier company, commented Burns, he had replaced the very same AV product “with a different vendor that had an open API allowing us to write our own reports using a RESTful API. It allowed me to tie my analytics system to my anti-virus system.”

SDKs and APIs

While one line of development explored acquisitions and specific orchestration products, a second line led to standards in APIs. APIs first existed as part of and within products’ SDKs. The existence of an SDK was an essential selling point for all new products—it allowed developers to produce new products that would work with, and therefore improve the overall value of, their own products. But the API began to take on a life of its own as buyers chose to use the API within separate products and tie them together rather than to buy one and develop one.

The first serious API standard to emerge was SOAP (Simple Object Access Protocol). Although this is still in use, it is largely being replaced by REST (Representational State Transfer). The driving force behind these APIs is the evolution of the web and the increasing use of web services. Burns explains, “Traditionally, IT products were proprietary and complicated. If you wanted to wire two things together you would call in a consulting company to do a custom integration.” But the web and web services changed things. “There was an early realization that the way IT departments were provisioning their computers and services through hardware-dependent manual processes was just too slow. As the web began to make communications easier it exposed friction in the IT organizations because they couldn’t move fast enough—they couldn’t change their systems and their interconnections in a timely fashion.”

This led to a pent-up demand for more efficient provisioning, which in turn led to APIs emerging from within their SDKs to stand on their own—first with SOAP and then with REST. While both are described as ‘web services,’ this is probably only accurate for REST. SOAP is focused on accessing named operations, while REST is focused on accessing named resources through a single consistent interface. SOAP concentrates on pieces of application logic, while REST is superior at handling CRUD operations over the internet.

“Consider,” continues Burns, “that I want to do security controls in the cloud—something like Amazon, for example—and I want to apply an AV software to all of my servers in that cloud. If I don’t have an API that I can program to push out all of the configurations I will never be able to keep up with the velocity of change in the cloud. So products that don’t participate in orchestration simply won’t get chosen going forward.”

APIs make it possible to automate provisioning—but they also make it easier for different systems to talk to each other. In other words, what might start as provisioning can expand into orchestrated automation between different products.

The Way Forward in Automation and Orchestration

While companies still acquire other companies in order to strengthen their product line or increase their customer reach, there are others separating so that each new part can focus on its own core product area. It seems to be a natural process in business—companies combine, lose their edge over time, and separate again. Whatever the reason for this, it appears that the era of widespread company acquisitions to provide the all-in-one killer security product is over. The options for automation and orchestration are now focused on the use of RESTful APIs; either with IT departments doing the work themselves, or waiting for SIEM 2 or even SIEM 3 (not specifically, but as a metaphor for new orchestration products) to do it for them. Burns believes that the evolution of SIEM-like products into a universal connector—something he calls the ‘notion of centralized security management’—is unlikely.
“I think the trend will be decentralized,” he explains, “so that products talk to and integrate with other products directly rather than going through a centralized broker (although there may also be a centralized aggregator of information).” The value of a single central orchestration system is less important now that people have seen SIEMs fail—the reality was just too unwieldy. “The future,” he concludes, “is more decentralized.”

Conclusion—Having Your Cake and Eating It Too

“For orchestration and automation,” says Burns, “I don’t necessarily need different companies and different products to work together in lockstep, but I need them to work together in some way. So I guess the question is, is it easier for me as a customer to glue these products together via their APIs, or wait for a vendor to do it for me? It’s the tension between speed and capability on the customer side.” In infosec, the need for speed will always prevail, provided only that the company also has the capability. So self-made orchestration and automation via best-of-breed products and APIs is not merely the best solution, it is by definition tailored to individual requirements. It’s like having your cake and eating it—but to achieve this requires a staff of people who are both security-minded and also able to write and develop their own code.

“It’s not just a case of deploying products,” says Burns, “but being able to orchestrate the response from those products. So, if an AV product says, ‘Hey, I think I’ve found an infected machine’, that response needs to generate a firewall rule to kick the infector off the network.” It requires, he continues, “a network person and an AV person, but also someone with a security mindset and the ability to glue these systems together in a fashion that neither product can do by itself.” This in turn becomes a forcing function on security staff, who now require a skill beyond what has been accepted in the past: orchestration and automation requires APIs and an in-house security developer.
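The AV-alert-to-firewall-rule glue Burns describes, written out as an added Python example that is not code from the report or from Wisegate: it normalizes a constructed AV alert, applies a policy (severity threshold, protected-host allowlist, de-duplication) and posts a time-limited quarantine rule to a firewall over REST. The alert field names, the firewall API path and the bearer-token scheme are assumptions; any real vendor API will differ.

```python
"""Glue an AV 'infected host' alert to a firewall block rule over REST.
Added example, not code from the report or Wisegate; the AV alert shape,
the firewall API path and the bearer-token auth are assumptions."""
import ipaddress
import json
import urllib.request
from typing import Callable, Optional

# Constructed allowlist (DC, SIEM collector): hosts never auto-quarantined,
# because a mistaken block on them would cost more than the infection.
PROTECTED_HOSTS = {"10.0.0.10", "10.0.0.20"}
# Minimum AV severity at which the glue acts without a human in the loop.
AUTO_BLOCK_MIN_SEVERITY = 7


def normalize_av_alert(raw: dict) -> Optional[dict]:
    """Map the assumed AV vendor JSON into a small common schema.
    Returns None for non-infection events or a malformed host IP, so the
    caller never acts on junk; only fields used downstream are kept."""
    if raw.get("event_type") != "malware_detected":
        return None
    host = raw.get("host") or {}
    try:
        ip = str(ipaddress.ip_address(host.get("ip", "")))
    except ValueError:
        return None
    return {
        "ip": ip,
        "hostname": host.get("name", "unknown"),
        "severity": int(raw.get("severity", 0)),
        "threat": raw.get("threat_name", "unknown"),
        "alert_id": str(raw.get("id", "")),
    }


def decide(alert: dict) -> str:
    """Policy: 'block' automatically, or 'ticket' for human review."""
    if alert["ip"] in PROTECTED_HOSTS:
        return "ticket"  # never auto-isolate critical infrastructure
    if alert["severity"] >= AUTO_BLOCK_MIN_SEVERITY:
        return "block"
    return "ticket"


def build_firewall_rule(alert: dict) -> dict:
    """Body for the assumed firewall REST API: quarantine the host.
    The comment carries the AV alert id so each automated block traces
    back to its evidence; the TTL expires the block unless renewed."""
    return {
        "action": "deny",
        "direction": "outbound",
        "source": f"{alert['ip']}/32",
        "destination": "any",
        "comment": (f"auto-quarantine {alert['hostname']} "
                    f"({alert['threat']}) av-alert={alert['alert_id']}"),
        "ttl_seconds": 4 * 3600,
    }


def http_post(url: str, body: dict, token: str) -> int:
    """Default transport: HTTPS POST with a bearer token (assumed scheme)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def orchestrate(raw_alert: dict, firewall_url: str, token: str, seen: set,
                post: Callable[[str, dict, str], int] = http_post) -> dict:
    """One AV alert in, one decision out; `seen` dedupes repeated alerts."""
    alert = normalize_av_alert(raw_alert)
    if alert is None:
        return {"decision": "ignore", "reason": "unusable alert"}
    if alert["alert_id"] in seen:
        return {"decision": "ignore", "reason": "duplicate alert"}
    seen.add(alert["alert_id"])
    decision = decide(alert)
    if decision != "block":
        return {"decision": decision, "alert": alert}
    rule = build_firewall_rule(alert)
    status = post(firewall_url + "/api/v1/rules", rule, token)  # assumed path
    return {"decision": "block", "rule": rule, "http_status": status}


# Constructed sample alert in the assumed AV vendor JSON shape.
SAMPLE_ALERT = {
    "id": "av-000123",
    "event_type": "malware_detected",
    "severity": 9,
    "threat_name": "Trojan.Constructed.Sample",
    "host": {"name": "ws-finance-07", "ip": "10.0.5.42"},
}
```

Exercise the policy with `post` pointed at a recording stub before wiring it to a real firewall; the rule's TTL is what keeps an automated mistake from becoming a permanent outage.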
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.