Incident Response at Scale - Black Hat
Incident Response at Scale
Building a next generation SOC
Omer Cohen @omercnet
Who?
● 15+ years Information Security experience
● Sr. Paranoid, Global IR Lead, Yahoo!
● Co-Founder, VP IR, IL-CERT
● ISACA CSX Task Force
● Licensed Skydiver, 996 jumps
Security Operations Center?
Security Operations Center in real life
http://securityreactions.tumblr.com/
205 days before detecting a security breach
Mandiant M-Trends® 2015
© BreachLevelIndex.com
Majority of any given SOC shift
http://securityreactions.tumblr.com/
Why?
Triaging a malware event (manual)
SIEM Alert ->
Analyst collects information ->
Analyst understands context ->
Analyst classifies incident ->
Analyst opens ITSM re-image ticket ->
System re-image ->
Incident closed
Forensics at Scale?
How?
Incident Response on a tight budget
http://securityreactions.tumblr.com/
Better junior analysts
● Junior Analysts have a steep learning curve
● Company specific play-books
● Senior analysts focus on investigations
Let’s automate
Automation overkill
http://securityreactions.tumblr.com/
Triaging a malware event (automated)
SIEM Alert ->
Automagically collect endpoint information ->
Automagically make a decision based on BU ->
Automagically classify incident ->
Automagically open ITSM re-image ticket
How your team SHOULD respond to incidents
http://securityreactions.tumblr.com/
Triaging a malware event (automated)
SIEM Alert ->
Automagically collect endpoint information ->
Automagically make a decision based on BU ->
Automagically classify incident ->
Automagically open ITSM re-image ticket ->
System re-imaged ->
Incident closed
Integrate APIs into Incident Response
● Endpoint information
○ Host Asset Management
○ HR Systems
● IOC Lookups
○ Threat Exchange
○ Virus Total
○ IOC Management Systems
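The IOC-lookup step above, as an added example that is not code from the deck, from Yahoo, or from the ThreatExchange project: pull indicators out of free-form SIEM alert text (refanging `hxxp://` and `[.]`, stripping URL paths and ports, and rejecting file names that a naive regex would accept as domains), then check them against one or more lookup sources. `LOCAL_IOCS`, `SAMPLE_ALERT` and every hash, domain and IP in them are constructed for the example; `lookup_indicators` takes any number of dict-shaped sources, which is where real ThreatExchange, VirusTotal or IOC-management API clients would plug in.

```python
import re
from typing import Optional

# Constructed, hypothetical IOC data standing in for what an IOC management
# system, ThreatExchange or VirusTotal would return; none of it is real intel.
LOCAL_IOCS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": "malware:family-x"},
    "domain": {"bad.example.net": "c2:family-x"},
    "ipv4": {"198.51.100.23": "c2:family-x"},
}

# Checked in insertion order: longest hash first, IPv4 before domain.
_PATTERNS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"),
}
# File names look like domains to a regex ("inv.exe"); reject the common ones.
_FILE_EXTENSIONS = {"exe", "dll", "sys", "bat", "ps1", "vbs", "zip", "doc", "docx", "xls", "pdf", "txt"}

# Constructed sample alert text, as an analyst or a vendor feed might write it.
SAMPLE_ALERT = ("AV alert: inv.exe (sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08) "
                "contacted hxxp://bad[.]example[.]net/gate.php and 198[.]51[.]100[.]23:443, user bob")


def refang(text: str) -> str:
    """Undo common defanging so analysts' notes and vendor reports parse cleanly."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def classify_indicator(token: str) -> Optional[str]:
    """Return the indicator type of a single token, or None if it is not one."""
    token = token.lower()
    for kind, pat in _PATTERNS.items():
        if pat.match(token):
            if kind == "domain" and token.rsplit(".", 1)[-1] in _FILE_EXTENSIONS:
                return None
            return kind
    return None


def extract_indicators(text: str) -> list:
    """Return de-duplicated (kind, value) pairs found in free-form alert text."""
    found, seen = [], set()
    for raw in re.split(r"[\s,;()\"'<>=]+", refang(text)):
        tok = raw.lower()
        if "://" in tok:                          # URL: keep only the host part
            tok = tok.split("://", 1)[1].split("/", 1)[0]
        tok = tok.strip(".")
        host, _, port = tok.rpartition(":")        # drop a trailing :port
        if host and port.isdigit():
            tok = host
        kind = classify_indicator(tok)
        if kind and (kind, tok) not in seen:
            seen.add((kind, tok))
            found.append((kind, tok))
    return found


def lookup_indicators(indicators, sources=(LOCAL_IOCS,)) -> dict:
    """Check each indicator against every source; None means no source knew it."""
    results = {}
    for kind, value in indicators:
        verdict = None
        for src in sources:                       # first source with an answer wins
            verdict = src.get(kind, {}).get(value)
            if verdict:
                break
        results[(kind, value)] = verdict
    return results


def enrich_alert(alert_text: str) -> dict:
    """Indicators found, which ones a source flagged, and an overall verdict."""
    indicators = extract_indicators(alert_text)
    hits = lookup_indicators(indicators)
    matched = {k: v for k, v in hits.items() if v}
    return {"indicators": indicators, "matched": matched,
            "verdict": "malicious" if matched else "unknown"}


if __name__ == "__main__":
    print(enrich_alert(SAMPLE_ALERT))
```

A real deployment would cache lookups and respect each source's rate limits, since the same hash or domain tends to show up in many alerts at once.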
https://facebook.com/threatexchange
https://github.com/facebook/ThreatExchange/
Automatic e-Crime detection?
Integrate APIs into Incident Response
● Communications
○ STOP USING EMAIL (at least for full reports)
○ Incident Management Systems (not your SIEM)
○ Alerts on messaging systems (IM/hipchat/slack/whatsapp/etc.)
● Automate the response
○ Open reimage tickets in ITSM
○ Send out incident digest reports
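The automated triage chain from the earlier slides (SIEM alert -> collect endpoint information -> decide based on BU -> classify -> open ITSM re-image ticket) together with the communications and automate-the-response items above, as one added example that is not the speaker's or Yahoo's code: enrich each alert from asset-management and HR data, let the business unit and asset role decide whether the box is auto-re-imaged or escalated to a senior analyst, open the right ticket, and emit a chat alert plus a digest instead of an e-mail report. `ASSETS`, `HR`, `FakeITSM` and `SAMPLE_ALERTS` are constructed stand-ins for the real asset, HR and ITSM APIs, and `HIGH_RISK_BUS` and the rules in `decide` are an assumed company play-book, not one the deck specifies.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical data in place of the asset-management and HR API
# responses the deck lists as enrichment sources. Not real hosts or people.
ASSETS = {
    "WS-0421": {"owner": "bob", "bu": "sales", "role": "workstation"},
    "FIN-LT-07": {"owner": "carol", "bu": "finance", "role": "workstation"},
    "DB-PROD-3": {"owner": "dba-team", "bu": "platform", "role": "server"},
}
HR = {
    "bob": {"status": "active", "title": "Account Executive"},
    "carol": {"status": "active", "title": "Controller"},
    "dba-team": {"status": "active", "title": "Service account"},
}
HIGH_RISK_BUS = {"finance", "executive", "security"}  # assumed play-book, company specific


@dataclass
class Incident:
    alert_id: str
    host: str
    verdict: str                      # from the IOC lookup stage, e.g. "malicious"
    owner: Optional[str] = None
    bu: Optional[str] = None
    role: Optional[str] = None
    classification: str = "unclassified"
    action: str = "none"
    ticket_id: Optional[str] = None


def enrich(inc: Incident) -> Incident:
    """Collect endpoint information: who owns the host and which BU it belongs to."""
    asset = ASSETS.get(inc.host)
    if asset:
        inc.owner, inc.bu, inc.role = asset["owner"], asset["bu"], asset["role"]
    return inc


def decide(inc: Incident) -> Incident:
    """BU-aware decision: auto-remediate commodity workstation malware, escalate the rest."""
    if inc.verdict != "malicious":
        inc.classification, inc.action = "false-positive-candidate", "analyst-review"
    elif inc.owner is None:                       # never auto-act on an asset you cannot identify
        inc.classification, inc.action = "unknown-asset", "escalate"
    elif inc.role == "server" or inc.bu in HIGH_RISK_BUS:  # preserve evidence, no auto-reimage
        inc.classification, inc.action = "targeted-or-high-value", "escalate"
    elif HR.get(inc.owner, {}).get("status") != "active":
        inc.classification, inc.action = "inactive-owner", "escalate"
    else:
        inc.classification, inc.action = "commodity-malware", "reimage"
    return inc


class FakeITSM:
    """Stand-in for the ITSM ticketing API (constructed for this example)."""
    def __init__(self):
        self.tickets = []

    def create(self, summary: str, host: str, assignee: str) -> str:
        tid = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": tid, "summary": summary, "host": host, "assignee": assignee})
        return tid


def respond(inc: Incident, itsm: FakeITSM) -> Incident:
    """Open the re-image or investigation ticket that the decision calls for."""
    if inc.action == "reimage":
        inc.ticket_id = itsm.create(f"Re-image {inc.host} ({inc.classification})", inc.host, "desktop-support")
    elif inc.action == "escalate":
        inc.ticket_id = itsm.create(f"Investigate {inc.host} ({inc.classification})", inc.host, "senior-ir")
    return inc


def chat_alert(inc: Incident) -> dict:
    """One-line payload shaped like a chat webhook message ({"text": ...}); sending is out of scope."""
    return {"text": f"[{inc.alert_id}] {inc.host} owner={inc.owner or '?'} bu={inc.bu or '?'} "
                    f"-> {inc.classification}, action={inc.action}, ticket={inc.ticket_id or '-'}"}


def triage(alerts, itsm: FakeITSM) -> list:
    """The whole chain: SIEM alert -> enrich -> decide/classify -> ticket."""
    return [respond(decide(enrich(Incident(**a))), itsm) for a in alerts]


def digest(incidents) -> dict:
    """Per-action counts: the kind of summary sent as a digest instead of full e-mail reports."""
    out = {}
    for inc in incidents:
        out[inc.action] = out.get(inc.action, 0) + 1
    return out


SAMPLE_ALERTS = [  # constructed SIEM alerts, verdicts as an IOC-lookup stage would set them
    {"alert_id": "A-1", "host": "WS-0421", "verdict": "malicious"},
    {"alert_id": "A-2", "host": "FIN-LT-07", "verdict": "malicious"},
    {"alert_id": "A-3", "host": "DB-PROD-3", "verdict": "malicious"},
    {"alert_id": "A-4", "host": "UNKNOWN-99", "verdict": "malicious"},
    {"alert_id": "A-5", "host": "WS-0421", "verdict": "unknown"},
]

if __name__ == "__main__":
    itsm = FakeITSM()
    results = triage(SAMPLE_ALERTS, itsm)
    for inc in results:
        print(chat_alert(inc)["text"])
    print(digest(results))
```

The point of the branch order in `decide` is that automation only closes the loop on the cheap, well-understood case (commodity malware on an ordinary workstation); anything on a server, in a sensitive BU, or on a host nobody can identify gets a ticket for a human rather than an automatic re-image that would destroy the evidence.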
Benefits of automation
● Reduce triage time
● Reduce response time
● Ensure all tasks are completed