TRANSCRIPT
Security Automation Case Study
Maricopa Community Colleges
Watch the full webinar replay
Your Speakers
Rich Lang, Technical Director: Information Technology Security & Planning, Maricopa Community Colleges
Tammy Sexton, Vice President, LogicHub
PHISHING HIGHER-ED SOC AUTOMATION
SOC AUTOMATION
• 2016 data: higher education hit by phishing attacks across the country
• https://www.universitybusiness.com/article/college-cyber-attacks-don-t-take-bait
• Sample lure: “Important update from your IT Helpdesk – please log in and update your profile.”
• TOR and anonymous proxies used by threat actors
• Postmortem review / findings
SOC AUTOMATION
• Google’s recommendation for stopping suspicious logins:
• Ask the user if they remember signing in.
• Have them check their last account activity.
• If you can’t establish the legitimacy of the sign-in, follow the Admin security checklist.
• Google Cloud Support can’t investigate alerts, as they are considered sensitive and potentially private.
SOC AUTOMATION
• So what were you doing on the night of Friday the 13th, 2 AM, at IP address 10.10.1.20?
• Do you frequently log in from the Ukraine, Iraq or Brazil?
• Have you checked your last login activity?
• I noticed you are using a free proxy service.
• Are you aware your home computer may be infected?
SOC AUTOMATION
• Avg daily number of employee Suspicious Logins – 50
• Avg daily number of student suspicious logins – 200
• Consider 250 events × 5 minutes per event (about 21 staff-hours a day): approximately two FTE dedicated to suspicious-login events
• ROI in less than two months
SOC AUTOMATION
Save the patient!
Is the cure worse than the disease?
I am an adjunct faculty member traveling abroad through Europe and you just shut my access down at the airport !!!
I am your CIO presenting to the board via a kiosk and you just locked me out !!!
I am your board member, my wife installed a proxy service at home for privacy.
SOC AUTOMATION
Enter LogicHub for the SOC
If it has a webhook, it can be automated.
Sumo Logic: great for log-event triggers and integrated access to the G Suite APIs.
CrowdStrike: provides malware confidence scoring.
SOC AUTOMATION
Lots of great data and event management, but how do we reach the customer?
Twilio for the win. Right on their phone.
SOC AUTOMATION
Push notifications
Webhooks
Threat Intelligence
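The user’s Y/N reply that drives the rest of this playbook (slides 17 to 20) arrives as a Twilio webhook. Before that reply can trigger a password reset or be written into a case, the receiving endpoint should prove the POST really came from Twilio. The block below is an added example, not code from the webinar, LogicHub or Twilio; it implements Twilio’s documented request-validation scheme (Base64 of HMAC-SHA1 over the full URL plus the sorted POST parameters, compared against the X-Twilio-Signature header). The auth token, webhook URL, phone numbers and message bodies are constructed test data.

```python
"""Authenticate the inbound Twilio webhook carrying the user's Y/N reply
before the playbook acts on it.

Added example, not code from the webinar, LogicHub or Twilio. Implements
Twilio's documented request-validation scheme:

    Base64( HMAC-SHA1( auth_token, full_url + concat(sorted key+value) ) )

compared in constant time against the X-Twilio-Signature header. Token,
URL, numbers and message body are constructed test data.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed values; a real deployment reads the token from a secret store.
AUTH_TOKEN = "0123456789abcdef0123456789abcdef"
WEBHOOK_URL = "https://automation.example.edu/twilio/sms-reply"
SAMPLE_PARAMS = {                       # Twilio's standard inbound-SMS fields
    "MessageSid": "SM00000000000000000000000000000000",
    "AccountSid": "AC00000000000000000000000000000000",
    "From": "+14805550100",
    "To": "+14805550199",
    "Body": "YES",
}


def twilio_signature(auth_token: str, url: str, params: Dict[str, str]) -> str:
    """Signature Twilio would attach to a POST of `params` to `url`."""
    payload = url + "".join(key + value for key, value in sorted(params.items()))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_twilio_request(auth_token: str, url: str, params: Dict[str, str],
                          header_signature: Optional[str]) -> bool:
    """True only if the header matches the signature we compute ourselves."""
    if not header_signature:
        return False
    expected = twilio_signature(auth_token, url, params)
    # compare_digest rather than ==, so timing does not leak the expected value
    return hmac.compare_digest(expected, header_signature)


def handle_inbound_sms(params: Dict[str, str], header_signature: Optional[str],
                       auth_token: str = AUTH_TOKEN,
                       url: str = WEBHOOK_URL) -> Tuple[bool, Optional[str]]:
    """Return (accepted, verdict). Forged or unsigned posts are dropped before
    anything downstream (password reset, case notes) can see them."""
    if not verify_twilio_request(auth_token, url, params, header_signature):
        return False, None
    verdict = {"Y": "yes", "YES": "yes", "N": "no", "NO": "no"}.get(
        params.get("Body", "").strip().upper())
    return True, verdict


if __name__ == "__main__":
    good = twilio_signature(AUTH_TOKEN, WEBHOOK_URL, SAMPLE_PARAMS)
    print(handle_inbound_sms(SAMPLE_PARAMS, good))            # (True, 'yes')
    print(handle_inbound_sms(dict(SAMPLE_PARAMS, Body="NO"), good))  # (False, None)
```

Two practical points when wiring this in. The `url` must be the exact public URL Twilio posted to, query string included; behind a TLS-terminating proxy you have to rebuild it from the forwarded scheme and host, or every legitimate request fails verification. And a valid signature only proves the message came through Twilio, not that it answers your challenge: the playbook should still match the `From` number against the mobile number on file for that user and only accept a reply while the challenge is open, so an old “YES” cannot be replayed against a new alert.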
SOC AUTOMATION
Workflow diagram (labels only): Detect, Assess, Respond, Log, Close; SMS, Response, Action.
SOC AUTOMATION
• The alert is sent from Sumo Logic into LogicHub.
• Sumo Logic, CrowdStrike, LogicHub, Twilio
• This flow captures the work that would be done manually if we had the resources.
SOC AUTOMATION
• A text message is sent via Twilio.
• This flow can be modified. Example: add an action to send a text message to IT Security if the user is an admin, a financial aid processor, or has access to wire transfers.
• Any action can run 24x7 or just during the work day or school year.
SOC AUTOMATION
• LogicHub created an action that opens a case in ServiceNow for purposes of the POC.
• In the test case, Lucky User had responded “yes” to the text, which is automatically documented in the case that LogicHub automatically opened.
• This action could be easily modified to our Case Management System via API access
SOC AUTOMATION
• Lucky User - The Information Security Office has received notification of suspicious activity from your account. IP: 72.216.244.24 Login Time: 2018-06-12T14:17:30.000Z Please reply with “Y” or “YES” if this WAS you. Please reply with a “N” or “NO” if this WAS NOT you. Maricopa Community Colleges will never ask you for your password, and you may contact the Information Security Office to verify the validity of this message at 480-7xx-xxxx or [email protected].
SOC AUTOMATION
• Because the user has not entered a mobile phone number, we are resetting their password.
Time: 2018-06-12T21:33:18.000Z UTC
Name: Lucky User
Title: Music Instruction Hrly
Suspicious login from: , United States
Login IP: 2600:8800:2c00:e430:4577:2b1d:f130:5a3f
• Because the user did not respond, we reset their password.
Time: 2018-06-12T16:21:22.000Z UTC
Name: Ima Teepot
Title: Tech Support Specialist
Suspicious login from: Ashburn, United States
Login IP: 54.208.84.215
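Slides 16 to 20 describe the playbook one branch at a time: alert in from Sumo Logic, text the user, escalate for high-risk roles, and reset the password when there is no phone number on file or no answer. The block below is an added example, not LogicHub or Maricopa code, that lays out the whole decision as plain Python so the branches can be read and tested together. The alert field names, the `HIGH_RISK_ROLES` set, the 07:00 to 18:00 work-day window, the sample phone number and the choice to treat an unrecognised reply the same as silence are all assumptions made for illustration; the SMS wording and the example IPs and timestamps come from slides 19 and 20.

```python
"""Suspicious-login triage playbook from slides 16-20, as plain Python.

Added example; not LogicHub or Maricopa code. Alert field names, the
HIGH_RISK_ROLES set, the 07:00-18:00 work-day window, the phone number and
the treatment of an unrecognised reply as "unconfirmed" are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import List, Optional, Set

# Slide 17: also text IT Security when the account is an admin, a financial
# aid processor, or has wire-transfer access. Role names are constructed.
HIGH_RISK_ROLES = {"admin", "financial_aid_processor", "wire_transfer"}

# Slide 19 wording, minus the contact details the slide redacts.
SMS_TEMPLATE = (
    "{name} - The Information Security Office has received notification of "
    "suspicious activity from your account. IP: {ip} Login Time: {login_time} "
    "Please reply with \"Y\" or \"YES\" if this WAS you. Please reply with a "
    "\"N\" or \"NO\" if this WAS NOT you. Maricopa Community Colleges will "
    "never ask you for your password."
)

# Constructed clock values: slide 20's timestamp, and slide 8's "Friday the
# 13th, 2 AM" for the out-of-hours case.
SAMPLE_NOW = datetime(2018, 6, 12, 14, 20, tzinfo=timezone.utc)
SAMPLE_NIGHT = datetime(2018, 7, 13, 2, 0, tzinfo=timezone.utc)


@dataclass
class SuspiciousLogin:
    """One Sumo Logic suspicious-login event as it reaches the playbook."""
    name: str
    title: str
    login_ip: str
    login_time: str            # ISO-8601 UTC, as shown on slide 20
    location: str
    mobile: Optional[str]      # None when no phone number is on file
    roles: Set[str] = field(default_factory=set)


def sample_alert(mobile: Optional[str] = "+14805550100",
                 roles: Optional[Set[str]] = None) -> SuspiciousLogin:
    """Slide 19's example login, with a constructed phone number."""
    return SuspiciousLogin(
        name="Lucky User", title="Music Instruction Hrly",
        login_ip="72.216.244.24", login_time="2018-06-12T14:17:30.000Z",
        location="United States", mobile=mobile, roles=roles or set())


def build_sms(alert: SuspiciousLogin) -> str:
    return SMS_TEMPLATE.format(
        name=alert.name, ip=alert.login_ip, login_time=alert.login_time)


def parse_reply(body: Optional[str]) -> Optional[str]:
    """Map the SMS reply to 'yes', 'no' or None (no or unrecognised reply)."""
    if body is None:
        return None
    token = body.strip().upper().rstrip(".!")
    if token in ("Y", "YES"):
        return "yes"
    if token in ("N", "NO"):
        return "no"
    return None


def in_work_day(now: datetime, start: time = time(7), end: time = time(18)) -> bool:
    """Slide 17: an action can run 24x7 or only during the work day."""
    return start <= now.time() < end


def decide(alert: SuspiciousLogin, reply: Optional[str], now: datetime,
           security_24x7: bool = True) -> List[str]:
    """Return the ordered actions the playbook takes for one alert.

    `reply` is the raw SMS text, or None if nothing came back in time.
    """
    actions: List[str] = []
    if alert.roles & HIGH_RISK_ROLES:
        if security_24x7 or in_work_day(now):
            actions.append("text_it_security")
        else:
            actions.append("queue_it_security_for_work_day")
    if alert.mobile is None:
        # Slide 20: no mobile number on file, so nobody to ask -> reset now.
        actions += ["reset_password", "open_case"]
        return actions
    actions.append("send_sms")
    if parse_reply(reply) == "yes":
        actions.append("open_case")   # slide 18: the "yes" is recorded in the case
    else:
        # "no", silence, or an unrecognised reply all count as unconfirmed.
        actions += ["reset_password", "open_case"]
    return actions


if __name__ == "__main__":
    print(build_sms(sample_alert()))
    print(decide(sample_alert(), "YES", SAMPLE_NOW))   # ['send_sms', 'open_case']
```

The ordering matters for the slide 10 complaints: the high-risk escalation is decided before the SMS goes out, so IT Security hears about an admin or wire-transfer account even if the user later confirms, and the password reset only fires after the reply window closes, which is the step that locks out the travelling faculty member or the CIO at a kiosk.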
SOC AUTOMATION
Best Practices
Validate Data Integration Sources
Enlist Peers to Test the System
Scope The Prototype
Set Your Expectations
Fail Fast
SOC AUTOMATION
Lessons Learned
Consider Event Timing / Synchronization
Build in Error Handling
Enlist Communications Team
Start with Modest Workflow
LogicHub Automates:
• Alert Triage: reduce false positives by 95%
• Incident Response: reduce response times (MTTR)
• Threat Hunting: detect unknown threats
Next Generation Security Automation (funnel diagram): BILLIONS of security events, THOUSANDS of alerts, HUNDREDS after eliminating false positives, TENS of incidents.
Diagram labels: Ignored Notifications, Detection Rules, Traditional SOA Vendors; Threat Hunting, Alert Triage, Incident Response.
• Founded in 2015
• Headquarters: Mountain View, CA
Security Automation Platform: End-to-End Intelligent Automation for Detection and Response (diagram labels)
• Ingestion Framework: Alerts, Threat Intelligence, Cloud Logs, Security Products, Log Aggregators, SIEMs
• Automation Framework: Human Feedback, Deep Ranking
• Integration Framework: Security Products, Case Management, Network Management, Any API-enabled system
LogicHub Integrations: 90+ and counting, including:
• Investigative: freegeoip, ICANN WHOIS
• Ticketing Systems
• SIEMs
• Threat Intelligence
• Vulnerability Management
• Remote Access
• Identity Management
• Messaging
• Cloud: AWS CloudTrail, VPC Flow Logs
• Endpoint
• ET Intelligence, dig
LogicHub Sample Use Cases
Q & A