Supervised Active Intelligence: an innovative approach to Automated Incident Response based on Machine Learning, leveraging orchestration, automated playbooks and integration with existing Security Ecosystem

1. Cyber Incidents Under Control for SOC and CSIRT
SUPERVISED ACTIVE
INTELLIGENCE™
Andrea Fumagalli, Vice-President of Engineering
Auditorium della Tecnica
Roma, 11 Aprile 2017

2. About DFLabs - Corporate Profile
EXPERIENCED MANAGEMENT
Management are Former Gov and private sector
veterans, Including EU, Accenture, Deutsche Bank,
Foundstone, Guidance Software. International
Advisory Board (DHS Accademia)
ISO 9001 CERTIFIED
Technology and Professional Services
ISO co-editors
OASIS Member
FORTUNE 500 CUSTOMERS
60% of our Customer base is composed by Fortune
500 and Global 2000 Enterprises
HQ in EMEA
Offices in Milan Italy and Eastern Europe.
Branches in Boston and London
Investors: Evolution Equity Partners
Our Mission: cyber incidents under control

3. The Evolution of SOC and CSIRTS
IR RFC being built
(2350)
IETF – CERT CC
2000 2002 2003 2005
First SOC
Gradual Adoption
First NIST implementations on SP800
Fortune Level
ISO 27001 (BS)
Starting Points – Study Periods

4. The Evolution of SOC and CSIRTS
First MSSP Launched Pure FW
Management
2007 2008 2009 2012
CSIRT - Vs CERT
Internal SOC
Manual – Case Management
Distributed and Manual
CSIRT – Vs Forensics and SOC
2015
Today
Automation and Orchestration

5. The Problem we solve
Extremely sophisticated attacks, cross department response required. Complexity.
SIEM generated Alert Fatigue still a problem. Lots of background noise.
Static Incident resolutions too slow for fighting rapid adaptive attacks.
4 Challenges of today’s Security landscape
Failure not an option.

6. The Approach We Propose
Fully Unattended Automation may be dangerous
 Immature technology based upon «trust on input »
 Development relies too heavily on «Communities» (hidden costs and lack of validation is clear)
 Yet another pseudo agent
 CISOs can’t bring a platform to court
Process Based Ticketing is potentially useless (Overhead)
Vertical platforms (i.e. SIRP over SIEM) could represent a vendor dependency risk.
CISOs are looking for open platforms and Trusted Advisors

7. Our Solution: Supervised Active Intelligence ™
SOC and CSIRT should be equipped with:
a Technology Platform with
Orchestration and Automation capabilities to enable
collaborative and automated real-time
incident management, threat and data breach response.
The Platform must allow Actionable Incident Intelligence
Sharing through a secure cloud-based user community
and advanced visual analytics offering users the ability to
predict future breaches.
 Machine driven actions supervised by humans

8. Supervised Active Intelligence™ : 4 Pillars
Perform actionable and controlled intelligence sharing
with your ISAC of choice. Decide what and how to share
your knowledge by working with your peers yet keeping
your privacy.
Connect with your Security Data Sources and Threat
Intelligence Services in a single transparent ’pane of
glass’ platform
Apply the most appropriate Playbook. Support the
incident management decisions. Automate your CSIRT
and SOC processes
Speed up your investigation, acquire forensic metadata
and artifacts. Automate your response.
Reduce your reaction time.
Share Intelligence
Capture
Manage
Automate Response
CYBER INCIDENTS
UNDER CONTROL

9. SAI Implementation - IncMan
standard
standard
standard
MULTI-TENANCY

10.  Fully customizable Dashboard
 Custom Widgets
 Customizable KPI/KRI reporting
 Build feeds into Incident / Event Management
 User customizable reporting
 Board, C-Level, HR, Legal and Audit dedicated access
 Persona based Dashboard and Reporting
 SOC – CSIRT Orchestration (On-premises and Cloud ready)
 Automated Correlation and Response
 Protected Cyber Intelligence Sharing
 Predictive Analysis – Multi Tenant (MSSP)
 Active task monitoring & tracking
 Automated escalation/enrichment/remediation (Playbooks)
 API Calls for Automated Response
 Bi-Directional Integration with Third Parties (i.e. Threat Intelligence Platform, Malware Analysis
Platform, Firewalls, IPS, IDS, etc.)
 Incident Management and Response Dashboard
 Forensic Case and Evidence Management
 Incident Prioritization
 Evidence tracking process
Operational Capabilities
Third Party Integration
Workflow and Case Management
Reporting and Analytics
GRC Integration
IncMan - Main Features

11. Persona Based Dashboard

12. Playbooks and KB (NIST, ISO, etc)
Peter Parker
PHASE
TASK
WHAT TO DO
PROGRESS
STATUS
OPTIONS
DEADLINEWHOAUTHORIZER

13. Playbooks (Supervised Active Intelligence)
• Standard Operating Procedures
• Composed by two types of actions:
- Machine driven: Enrichment, Remediation, Containment
- Human-driven: User collaboration, Approvals, Tasks, Escalation, Notifications
• Actions in external Security technology, fully coordinated by IncMan
- Machine to Machine integrations
• Machine Learning to assist SOC and CSIRT to improve efficiency, identify innovative course of actions
and foster Correlation
Machine Learning to assist SOC and CSIRT:
- to reduce human effort and free up time for other more important tasks
- to drive effective resolution thru innovative course of actions
- to improve efficiency and reduce human errors
Reaction
Time
reduced

14. Playbooks - Dual Mode: Machine to Machine

15. Playbooks - Dual Mode: Machine to Human

16. Visual Correlation: Incidents and Artifacts

17. USE CASES for Incident Response
 Automated or Semi-Automated Playbook (Processes and Machine to Machine)
 Endpoint Quarantine: identify the network port where a suspicious device is located and disable the port/device.
 Suspend Users: if an account compromise is suspected, halt a user’s account access—no matter which device they use.
 Collect Machine Data: in the case of malware, is able to gather forensic data from the suspect endpoint.
 Suspend Network Access: if data exfiltration is occurring, the incident response team can kill the connection by updating the access control list used
by corporate firewalls.
 Terminate a Threat: if the SIEM detects unknown or blacklisted processes on critical devices, IncMan can kill the specific running process.
In coordination with the existing security ecosystem, IncMan™ can execute:

18. Why is SAI different
SUPERVISED ACTIVE
INTELLIGENCE™
Advanced Knowledge Base For Automated Courses of Action
And Intelligence Sharing between Constituencies.
Machine Created/Controlled Playbooks based upon standard protocols
Incident Correlation and Artifacts Visualization Engine
Predictive and Retrospective Analysis using STIX and other protocols,
User Supervision

19. Benefits of adopting SAI
 Optimized User activity
 Force multiplier and repeatable approach
 Standard Operating Procedures (Playbook)
 Knowledge Base.
 Improved remediation
 Reduced reaction time
 Consistent results
 Simplification and Improved Quality of Products and Processes
 Overall Cost reduction
 Skill Shortage reduction
 Higher productivity
 Reduction of human errors
 Risks mitigation
 Interchangeability
Cyber Incidents Under Control

20. SAI Conclusions
 Playbooks, to implement Standardized Efficient and Compliant approach (repeatable)
 Machine-driven actions empowered by Automation and Orchestration
 Incident Enrichment
 Incident Containment – to defend Corporate resources
 Humans still supervising critical tasks, taking tactical decisions (assuming Responsibility)
 Resolution/Eradication of incident proposed by the Machine but mostly peformed by Operators
Technology Integrated Security Ecosystem

21. Supervised Active Intelligence
Adopting Supervised Active Intelligence™ for SOC and CSIRT
CYBER INCIDENTS UNDER CONTROL
Andrea Fumagalli
Vice-President of Engineering
af@dflabs.com
www.dflabs.com