If We Only Had the Time: How Security Teams Can Focus On What’s Important
TRANSCRIPT
Intelligent Security Orchestration and Automation hexadite.com
Barak Klinghofer, Co-Founder and Chief Product Officer, Hexadite
Session Overview
• Background
• Example 1: Alert from C&C Connection
• Example 2: Alert from Antivirus
• The Problem: Alert Volume and Resources
• Automating the 2 Previous Examples
• What to do with Your Newly Found Time
• Wrap Up
My Background: Barak Klinghofer

CURRENT
Co-Founder & Chief Product Officer, Hexadite
What I did: Lead technology strategy for a company focused on going from alert to remediation in minutes at scale.
Why it matters: Our entire reason for existing is to minimize the time to investigate and remediate.

PREVIOUS
Cyber Solutions Architect, Elbit Systems
What I did: Designed solutions for both public and private sectors, and trained personnel in National Cyber Security centers.
Why it matters: I’ve designed training systems to teach cyber analysts how to rigorously investigate and remediate cyber threats.

Senior Security Consultant, COMSEC
What I did: Reviewed companies’ security policies and technologies for global organizations.
Why it matters: I understand how companies in all industries approach cybersecurity and helped them increase their security posture.

Elite Intelligence Unit, Israeli Defense Forces
What I did: Helped in building a security team from the ground up. From 0 to 100 in 4 years.
Why it matters: I worked hands-on to build a team to take on IR challenges with high stakes.
Example 1: Alert from C&C Connection
Alert from FireEye (C&C)
[Figure: manual investigation timeline. Steps shown: Begin Investigating Alert, Identify Endpoint, Accessing Endpoint, Upload Forensics Tools, Analyze Running Processes, Analyze Open Connections, Analyze Installed Services and Drivers, Analyze Recently Created Files, Analyze Persistency Methods, Analyze Installed Certificates, Create Firewall Block Rules, Search for Lateral Movement. Elapsed-time markers shown along the timeline: 10 min, 15 min, 17 min, 28 min, 33 min, 52 min, 1.5 hr, 1.6 hr, 1.8 hr, 1.9 hr, 2 hr, with Search for Lateral Movement marked as extending to days (+Days).]
Example 2: Alert from AV
Alert from AV
[Figure: manual investigation timeline. Steps shown: Email Alert, Begin Investigating Alert, Locate malicious file, Access Endpoint, Upload Forensics Tools, Analyze Running Processes, Analyze Open Connections, Analyze Installed Services and Drivers, Analyze Recently Created Files, Analyze Persistency Methods, Search Firewall Logs, Search for Lateral Movement, Finish Investigation. Elapsed-time markers shown along the timeline: 10 min, 15 min, 20 min, 21 min, 22 min, 52 min, 1.5 hr, 1.6 hr, 1.8 hr, 1.9 hr, 2 hr, with Finish Investigation marked as +Days.]
Every Day
• How many of these ”easy” use cases do you see a day within your organization?
• From our experience, SMEs see about 10-20 daily
• But what about all the rest?
The Problem
The problem is the increase in attacks.
The problem is the increase in alerts.
Source: EMA Research
The Problem
• This is what 500 alerts/day looks like
• That’s 15,000 per month
• That’s a lot
• One cyber analyst can handle roughly 10 alerts per day
• That’s 300 per month (…but they generally take weekends off)
• You’d need 150 cyber analysts working 8 hr shifts to keep up 7 days a week
• That’s just with current alert volume
• That won’t work
Even 5% is Too Much
• Even if you’re able to filter out 95%, you’re still left with 25 critical alerts per day
• That’s 750 per month
• One cyber analyst can handle roughly 10 alerts per day
• You would still need 3 analysts to handle just the critical alerts
• That’s after you’ve spent time filtering, prioritizing
Even 5% is Too Much
Even if 95% of alerts are commodity/benign, the 5% is still too much to handle.
DEMO: Automating the Two Examples
What to Do with Your Newly Found Time
• Optimize your process and methodology
• Analyze what’s falling through the cracks
• Customize your detection mechanisms
• Risk assessment – Go back and identify the gaps
Optimize your process and methodology
• Constant improvement
• Change your mindset from reactive to proactive
• When was the last time you reviewed your security policy?
• How can you get your security policy to be more business-oriented?
• What are you currently doing wrong? (We all have things that we can and should change)
Analyze what’s falling through the cracks
• An automatic solution will never be able to do 100% of the work
• Randomly double-check the automatic process; if something is found, update the process and keep improving
• Validate what was found
• Hunt!
Customize your detection mechanisms
• You now have a huge team to do the work: go back, review the statistics, and recalibrate your detection solutions
• Re-think prioritization, make sure it is needed
• What else did you pay for and never use?
Risk assessment – Identify the gaps
• It’s time to go back to the basics - Based on the results, where should we invest more, what is the right move?
• Business enablement should always be on our radar
Wrap-Up
Thank You!