Supervised Active Intelligence: an innovative approach to Automated Incident Response based on Machine Learning, leveraging orchestration, automated playbooks and integration with existing Security Ecosystem
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea Fumagalli
1. Cyber Incidents Under Control for SOC and CSIRT
SUPERVISED ACTIVE
INTELLIGENCE™
Andrea Fumagalli, Vice-President of Engineering
Auditorium della Tecnica
Roma, 11 Aprile 2017
2. About DFLabs - Corporate Profile
EXPERIENCED MANAGEMENT
Management are former government and private sector
veterans, including EU, Accenture, Deutsche Bank,
Foundstone, Guidance Software. International
Advisory Board (DHS, Academia)
ISO 9001 CERTIFIED
Technology and Professional Services
ISO co-editors
OASIS Member
FORTUNE 500 CUSTOMERS
60% of our customer base is composed of Fortune
500 and Global 2000 enterprises
HQ in EMEA
Offices in Milan Italy and Eastern Europe.
Branches in Boston and London
Investors: Evolution Equity Partners
Our Mission: cyber incidents under control
3. The Evolution of SOC and CSIRTs
IR RFC being built (RFC 2350), IETF – CERT CC
2000 2002 2003 2005
First SOC
Gradual Adoption
First NIST implementations on SP800
Fortune Level
ISO 27001 (BS)
Starting Points – Study Periods
4. The Evolution of SOC and CSIRTs
First MSSP launched: pure FW management
2007 2008 2009 2012
CSIRT - Vs CERT
Internal SOC
Manual – Case Management
Distributed and Manual
CSIRT – Vs Forensics and SOC
2015
Today
Automation and Orchestration
5. The Problem we solve
4 Challenges of today’s Security landscape
Extremely sophisticated attacks, cross-department response required. Complexity.
SIEM-generated alert fatigue is still a problem. Lots of background noise.
Static incident resolutions are too slow for fighting rapid, adaptive attacks.
Failure is not an option.
6. The Approach We Propose
Fully unattended automation may be dangerous
Immature technology based upon «trust on input»
Development relies too heavily on «Communities» (hidden costs and lack of validation are clear)
Yet another pseudo agent
CISOs can’t bring a platform to court
Process-based ticketing is potentially useless (overhead)
Vertical platforms (e.g. SIRP over SIEM) could represent a vendor dependency risk.
CISOs are looking for open platforms and Trusted Advisors
7. Our Solution: Supervised Active Intelligence ™
SOC and CSIRT should be equipped with:
a Technology Platform with
Orchestration and Automation capabilities to enable
collaborative and automated real-time
incident management, threat and data breach response.
The Platform must allow Actionable Incident Intelligence
Sharing through a secure cloud-based user community
and advanced visual analytics offering users the ability to
predict future breaches.
Machine driven actions supervised by humans
8. Supervised Active Intelligence™ : 4 Pillars
Share Intelligence: perform actionable and controlled intelligence sharing
with your ISAC of choice. Decide what and how to share
your knowledge by working with your peers yet keeping
your privacy.
Capture: connect with your Security Data Sources and Threat
Intelligence Services in a single transparent ‘pane of
glass’ platform
Manage: apply the most appropriate Playbook. Support the
incident management decisions. Automate your CSIRT
and SOC processes
Automate Response: speed up your investigation, acquire forensic metadata
and artifacts. Automate your response.
Reduce your reaction time.
CYBER INCIDENTS
UNDER CONTROL
12. Playbooks and KB (NIST, ISO, etc)
[Screenshot of a playbook table; columns: PHASE, TASK, WHAT TO DO, PROGRESS, STATUS, OPTIONS, DEADLINE, WHO, AUTHORIZER; sample assignee shown: Peter Parker]
13. Playbooks (Supervised Active Intelligence)
• Standard Operating Procedures
• Composed of two types of actions:
- Machine-driven: Enrichment, Remediation, Containment
- Human-driven: User collaboration, Approvals, Tasks, Escalation, Notifications
• Actions in external security technology, fully coordinated by IncMan
- Machine-to-machine integrations
• Machine Learning to assist SOC and CSIRT to improve efficiency, identify innovative courses of action and foster correlation
Machine Learning to assist SOC and CSIRT:
- to reduce human effort and free up time for other, more important tasks
- to drive effective resolution through innovative courses of action
- to improve efficiency and reduce human errors
Reaction time reduced
17. USE CASES for Incident Response
Automated or Semi-Automated Playbook (Processes and Machine to Machine)
In coordination with the existing security ecosystem, IncMan™ can execute:
Endpoint Quarantine: identify the network port where a suspicious device is located and disable the port/device.
Suspend Users: if an account compromise is suspected, halt a user’s account access—no matter which device they use.
Collect Machine Data: in the case of malware, gather forensic data from the suspect endpoint.
Suspend Network Access: if data exfiltration is occurring, the incident response team can kill the connection by updating the access control list used by corporate firewalls.
Terminate a Threat: if the SIEM detects unknown or blacklisted processes on critical devices, IncMan can kill the specific running process.
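An added example, not DFLabs or IncMan code: a minimal Python model of the supervised playbook described above, in which machine-driven enrichment runs unattended, a containment step (the firewall ACL update from the use cases) waits until the named authorizer has approved it, and a human task is assigned to its owner rather than executed. The incident, the stub lookups and all names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Constructed sample incident: a SIEM alert about outbound traffic to a flagged IP.
# 203.0.113.0/24 is a documentation range, used here as a stand-in indicator.
SAMPLE_INCIDENT = {"id": "INC-0001", "host": "ws-42", "dst_ip": "203.0.113.7"}

@dataclass
class Action:
    phase: str                                   # PHASE column of the playbook
    task: str                                    # TASK column
    kind: str                                    # "machine" (M2M integration) or "human"
    who: str                                     # WHO owns the step
    run: Optional[Callable[[dict], str]] = None  # machine steps only
    authorizer: Optional[str] = None             # AUTHORIZER who must approve first
    status: str = "pending"                      # STATUS column

def enrich_destination(ctx: dict) -> str:
    """Simulated threat-intel lookup (hypothetical stub, not a real feed)."""
    ctx["reputation"] = "malicious" if ctx["dst_ip"].startswith("203.0.113.") else "unknown"
    return f"{ctx['dst_ip']} reputation={ctx['reputation']}"

def update_firewall_acl(ctx: dict) -> str:
    """Simulated containment: add a deny rule to the corporate firewall ACL."""
    ctx.setdefault("acl", []).append(f"deny {ctx['dst_ip']}")
    return f"ACL rule added for {ctx['dst_ip']}"

def build_playbook() -> List[Action]:
    return [
        Action("Enrichment", "Look up destination reputation", "machine", "IncMan",
               run=enrich_destination),
        Action("Containment", "Block destination on firewall", "machine", "IncMan",
               run=update_firewall_acl, authorizer="soc_lead"),
        Action("Notification", "Brief the incident owner", "human", "analyst_on_duty"),
    ]

def run_playbook(playbook: List[Action], ctx: dict, approvals: Set[str]) -> List[str]:
    """Run machine steps; gate those with an authorizer on a recorded approval;
    hand human steps to their owner instead of executing them."""
    log = []
    for a in playbook:
        if a.kind == "human":
            a.status = f"assigned to {a.who}"
        elif a.authorizer and a.authorizer not in approvals:
            a.status = f"awaiting approval from {a.authorizer}"
        else:
            a.status = "done: " + a.run(ctx)
        log.append(f"[{a.phase}] {a.task} -> {a.status}")
    return log
```

Running the same playbook twice, first with no approvals and then with the SOC lead's approval recorded, shows the containment step held back and then executed.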
18. Why is SAI different?
SUPERVISED ACTIVE
INTELLIGENCE™
Advanced Knowledge Base For Automated Courses of Action
And Intelligence Sharing between Constituencies.
Machine Created/Controlled Playbooks based upon standard protocols
Incident Correlation and Artifacts Visualization Engine
Predictive and Retrospective Analysis using STIX and other protocols
User Supervision
19. Benefits of adopting SAI
Optimized User activity
Force multiplier and repeatable approach
Standard Operating Procedures (Playbook)
Knowledge Base.
Improved remediation
Reduced reaction time
Consistent results
Simplification and Improved Quality of Products and Processes
Overall Cost reduction
Skill Shortage reduction
Higher productivity
Reduction of human errors
Risks mitigation
Interchangeability
Cyber Incidents Under Control
20. SAI Conclusions
Playbooks, to implement Standardized Efficient and Compliant approach (repeatable)
Machine-driven actions empowered by Automation and Orchestration
Incident Enrichment
Incident Containment – to defend Corporate resources
Humans still supervising critical tasks, taking tactical decisions (assuming Responsibility)
Resolution/Eradication of incident proposed by the Machine but mostly performed by Operators
Technology Integrated Security Ecosystem
21. Supervised Active Intelligence
Adopting Supervised Active Intelligence™ for SOC and CSIRT
CYBER INCIDENTS UNDER CONTROL
Andrea Fumagalli
Vice-President of Engineering
af@dflabs.com
www.dflabs.com