Technology Innovation in the SOC. July 1, 2016. Rukhsar Khan, Senior Technical Sales Expert


Agenda

• Current SOC pain points and possible approaches to address these
• Next-Generation SOC approach
• Customer Use Case

Current SOC pain points and possible approaches to address these

Amount of Incidents increasing, too many alerts

• Too many false positives but also false negatives
• Possible solution: Tune your SIEM

Time to respond

• Attackers automate their attacks; defense needs to be automated as well
• Possible solution: Reduce breach exposure time through IR automation

Skill shortage

• Far too few experts in the cyber security field
• Possible solution: Compensate for the skill shortage through next-generation SOC tools

IR to SecOps Gap

• Unrefined IR processes and procedures
• Possible solution: Use next-generation SOC tools

Data Privacy and Breach laws

• Confusing regulatory landscape
• Possible solution: Use next-generation SOC tools

Next-Generation SOC approach

We need complete visibility into the threat

• Without complete and contextual visibility into the threat, we are BLIND TO THE BREACH!
• Comparison: physical security / cyber security
• Cyber Resilience: Aligning prevention, detection, and response capabilities
• Provide incident enrichment

Diagram label: DETECTION

An Incident Response Platform is:

• A standardised way to collect and augment cyber incidents while interfacing with existing, related IT infrastructure
• Enriches incident details by pulling aggregated security telemetry so security teams can focus training and skills on an IRP, rather than an assortment of individual point tools.
• Makes IR processes more efficient by allowing junior team members to triage incidents and reduce the number of incidents they escalate to more senior SOC staff.

The Rise of the Incident Response Platform (IRP), Jon Oltsik, Enterprise Strategy Group, Aug 2015

The role of an IRP

Diagram: the Incident Response Platform as the hub, surrounded by Intelligence Feeds, SIEM, External Communication, Configuration Mgt, Sandbox, Asset Database, Forensics, Custom Portal, Email and Ticketing.

The technology needs to integrate with all existing security systems to create a single hub for IR, transforming organisations' security posture.

• Aligns people, process, and technology across the organisation
• Enables security teams to automate and orchestrate their IR processes
• Ensures IR processes are consistent, intelligent, and configured to teams' specific needs

The role of an IRP cont.

• Collating and Surfacing Contextualized Information
  • Feeds from SIEM, Ticketing, Big Data, etc…
  • Leveraging Threat Intelligence & Historical data
  • Identifying relationships between disparate data sources
  • Presenting this information to the analyst in a way that is consumable & actionable

The role of an IRP cont.

• Reducing Overhead on the SOC team
  • Automation of manual tasks (IoC enrichment, CMDB & LDAP lookup)
  • Orchestration of external tools
  • Enabling internal/external communication

The role of an IRP cont.

• Increased Incident Visibility
  • Ensures correlation of information from multiple systems – SIEM, DLP, Ticketing, external partners
  • Translates security data to other business areas – HR, Legal, C-suite
  • Automated reports & dashboards reduce impact on SOC team

Threat Intelligence Resources

• SOC analysts leverage a number of tools; the challenge is processing the information in context
  • Open-Source feeds – VirusTotal, abuse.ch Zeus, SANS, Malware Patrol, etc…
  • Commercial vendors – IBM X-Force Exchange, Symantec DeepSight, FireEye iSIGHT
  • Industry/Regional Threat Feeds – FS-ISAC, HITRUST, CiSP, R-CISC, ENISA
• Effectively analysing this data is a key challenge
• STIX, TAXII & CybOX are important standards to consider
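The slide names the problem (many feeds, one analyst, no shared context) and the standards that help (STIX for the indicator format). The following is an added example, not code from the slides or from any of the feed vendors listed, showing how feeds in three different shapes can be folded into one "threat info warehouse" so that a single lookup returns every source that reported an artifact. It assumes STIX 2.1 JSON indicator patterns (the slide's 2016 context may have meant STIX 1.x XML, which this code does not parse), a plain one-indicator-per-line blocklist, and a CSV layout of `type,value,label` that is purely constructed; all sample indicators use RFC 5737 / RFC 2606 placeholder addresses and names.

```python
"""Fold several threat-intelligence feed formats into one indicator warehouse.

Added example, not code from the slides or from any feed vendor. It parses
STIX 2.1 indicator patterns, a plain-text blocklist and a CSV feed, and
merges them so one lookup shows every source that reported an artifact.
All feed contents below are constructed sample data, not real indicators.
"""
import csv
import io
import json
import re
from collections import defaultdict

# STIX Cyber Observable object paths mapped to the warehouse's indicator types.
STIX_PATH_TO_TYPE = {
    "ipv4-addr:value": "ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}
# One equality comparison inside a STIX pattern:  <object-path> = '<value>'
_COMPARISON = re.compile(r"([a-z0-9-]+:[^\s=]+)\s*=\s*'([^']*)'")


def indicators_from_stix_pattern(pattern):
    """Yield (type, value) for each supported comparison in a STIX pattern.

    Comparisons joined with AND/OR are all returned; unknown paths are
    skipped. Values are lower-cased so the warehouse is case-insensitive.
    """
    for path, value in _COMPARISON.findall(pattern):
        kind = STIX_PATH_TO_TYPE.get(path)
        if kind is not None:
            yield kind, value.lower()


def load_stix_bundle(bundle_json, source):
    """Extract (type, value, source, labels) records from a STIX 2.1 bundle."""
    records = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        labels = tuple(obj.get("labels", []))
        for kind, value in indicators_from_stix_pattern(obj["pattern"]):
            records.append((kind, value, source, labels))
    return records


def load_plain_blocklist(text, source, kind):
    """Parse a one-indicator-per-line blocklist; '#' lines are comments."""
    return [(kind, line.strip().lower(), source, ("blocklist",))
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def load_csv_feed(text, source):
    """Parse a CSV feed with the constructed column layout type,value,label."""
    return [(row["type"], row["value"].lower(), source, (row["label"],))
            for row in csv.DictReader(io.StringIO(text))]


def build_warehouse(records):
    """Merge records into {(type, value): {source: set(labels)}}."""
    warehouse = defaultdict(lambda: defaultdict(set))
    for kind, value, source, labels in records:
        warehouse[(kind, value)][source].update(labels)
    return warehouse


def lookup(warehouse, kind, value):
    """Return {source: sorted labels} for an artifact, or {} if no feed knows it."""
    hit = warehouse.get((kind, value.lower()))
    return {src: sorted(labels) for src, labels in hit.items()} if hit else {}


# Constructed sample feeds (placeholder addresses/names, not real indicators).
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2016-07-01T00:00:00.000Z", "modified": "2016-07-01T00:00:00.000Z",
         "labels": ["malicious-activity"], "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5' OR domain-name:value = 'c2.example.net']",
         "valid_from": "2016-07-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2016-07-01T00:00:00.000Z", "modified": "2016-07-01T00:00:00.000Z",
         "labels": ["malware"], "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2016-07-01T00:00:00Z"},
    ],
})
SAMPLE_BLOCKLIST = "# constructed blocklist\n203.0.113.5\n198.51.100.7\n"
SAMPLE_CSV = "type,value,label\nip,203.0.113.5,scanner\ndomain,C2.EXAMPLE.NET,c2\n"


def build_sample_warehouse():
    """Load all three constructed feeds into one warehouse."""
    return build_warehouse(
        load_stix_bundle(SAMPLE_STIX, "commercial-stix")
        + load_plain_blocklist(SAMPLE_BLOCKLIST, "open-source-blocklist", "ip")
        + load_csv_feed(SAMPLE_CSV, "isac-csv"))


if __name__ == "__main__":
    wh = build_sample_warehouse()
    for artifact in [("ip", "203.0.113.5"), ("domain", "c2.example.net"), ("ip", "192.0.2.1")]:
        print(artifact, "->", lookup(wh, *artifact))
```

Keying the warehouse on (type, value) rather than on the raw feed line is what gives the analyst context: the same IP reported by three feeds appears once, with all three attributions and their labels, instead of as three unrelated alerts.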

Summary

1. Centralised Hub for Incident Response – one place to manage all the processes and technology for cybersecurity incidents throughout an organisation.
2. Streamlining of existing processes – Reduce the time to detect and contain incidents by automatically enriching IoCs and providing detailed context to the IR team.
3. Technology integration – Simplify the technology stack and reduce the risk of missing critical alerts by integrating SIEM, ticketing systems and other tools into the IRP.
4. Cross-functional alignment – Allow other parts of the business (Legal, HR, IT) to prepare for security incidents through simple, repeatable runbooks for common incident types.

Customer Use Case

Use Case (F50 customer, Financial Services)

Diagram components: Threat Services (iSIGHT, FS-ISAC, etc.), Threat Info Warehouse, IRP, Analyst Action Module, Remedy, CMDB, AD, DHCP logs, HR, QRadar, Splunk, BlueCoat, Tanium, OpenDNS, SumoLogic. Edge labels: Artifact Lookup, Escalate / Sync, Enrich, Enrich.
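The use-case diagram and the earlier "Reducing Overhead on the SOC team" slide (automation of IoC enrichment, CMDB & LDAP lookup) describe one automated flow: look the alert's artifacts up in the threat info warehouse, enrich the internal side from DHCP logs, the CMDB and the HR/AD directory, then escalate or sync to ticketing. The following is an added example, not code from the slides, the presenter, or any product named in the diagram, that models that flow for a single SIEM alert. Every data source is a constructed in-memory stand-in; the DHCP log wording, the ticket layout, the triage rule and all sample records are assumptions.

```python
"""Automated IoC enrichment and triage for one SIEM alert.

Added example, not code from the slides or any vendor product. Models the
IRP flow from the use-case diagram: artifact lookup against a threat-info
warehouse, enrichment from DHCP logs, the CMDB and the HR/AD directory,
then an escalate-or-close decision and a record for the ticketing system.
Every data source below is a constructed in-memory stand-in.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed threat-info warehouse: (type, value) -> reporting sources.
THREAT_WAREHOUSE = {
    ("ip", "203.0.113.5"): ["isac-feed", "commercial-feed"],
    ("sha256", "ab" * 32): ["commercial-feed"],
}
# Constructed CMDB: hostname -> asset record.
CMDB = {
    "ws-fin-042": {"owner": "jdoe", "criticality": "high", "unit": "Finance"},
    "ws-lab-007": {"owner": "svc-lab", "criticality": "low", "unit": "R&D"},
}
# Constructed HR/AD directory: account -> person record.
DIRECTORY = {
    "jdoe": {"name": "J. Doe", "department": "Treasury", "status": "active"},
    "svc-lab": {"name": "Lab service account", "department": "R&D", "status": "active"},
}
# Constructed DHCP server log (dhcpd-style wording, assumed format).
DHCP_LOG = """\
2016-07-01T08:00:00Z DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (ws-lab-007)
2016-07-01T09:30:00Z DHCPACK on 10.0.5.23 to 66:77:88:99:aa:bb (ws-fin-042)
2016-07-01T11:00:00Z DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (ws-lab-007)
"""
_DHCP_LINE = re.compile(r"^(\S+) DHCPACK on (\S+) to \S+ \((\S+)\)$")
# Ticket priority per disposition (constructed mapping).
PRIORITY = {"escalate-senior": "P1", "junior-triage": "P3", "close-tune-siem": "P5"}


def host_for_ip(dhcp_log, ip, at):
    """Return the hostname holding `ip` at time `at`: the latest lease not after it."""
    when = datetime.strptime(at, TS_FMT)
    best = None
    for line in dhcp_log.splitlines():
        m = _DHCP_LINE.match(line.strip())
        if not m or m.group(2) != ip:
            continue
        lease_time = datetime.strptime(m.group(1), TS_FMT)
        if lease_time <= when and (best is None or lease_time > best[0]):
            best = (lease_time, m.group(3))
    return best[1] if best else None


def enrich_alert(alert):
    """Look up artifacts, add asset and user context, and decide the disposition."""
    incident = {"alert_id": alert["id"], "hits": {}, "asset": None, "user": None}
    # Artifact lookup: which artifacts are known-bad, and which feeds say so?
    for kind, value in alert["artifacts"]:
        sources = THREAT_WAREHOUSE.get((kind, value.lower()))
        if sources:
            incident["hits"][f"{kind}:{value}"] = sources
    # Enrich: internal IP -> host at alert time -> CMDB record -> owner -> directory.
    host = host_for_ip(DHCP_LOG, alert["internal_ip"], alert["time"])
    if host:
        asset = CMDB.get(host.lower())
        if asset:
            incident["asset"] = dict(asset, hostname=host.lower())
            incident["user"] = DIRECTORY.get(asset["owner"])
    # Triage rule (assumed): a confirmed IoC on a high-criticality or unidentified
    # asset goes to senior staff; on a low-criticality asset the junior analyst
    # keeps it; no IoC hit is closed and flagged as input for SIEM tuning.
    crit = incident["asset"]["criticality"] if incident["asset"] else "unknown"
    if incident["hits"] and crit in ("high", "unknown"):
        incident["disposition"] = "escalate-senior"
    elif incident["hits"]:
        incident["disposition"] = "junior-triage"
    else:
        incident["disposition"] = "close-tune-siem"
    return incident


def ticket_for(incident):
    """Record pushed to the ticketing system on escalate/sync (constructed layout)."""
    senior = incident["disposition"] == "escalate-senior"
    return {
        "title": f"{incident['alert_id']}: {len(incident['hits'])} IoC hit(s)",
        "priority": PRIORITY[incident["disposition"]],
        "assignee_group": "soc-senior" if senior else "soc-tier1",
        "context": {"asset": incident["asset"], "user": incident["user"],
                    "hits": incident["hits"]},
    }


# Constructed SIEM alert: an internal workstation talking to a listed IP.
SAMPLE_ALERT = {
    "id": "SIEM-0001",
    "time": "2016-07-01T10:15:00Z",
    "internal_ip": "10.0.5.23",
    "artifacts": [("ip", "203.0.113.5"), ("sha256", "ab" * 32)],
}

if __name__ == "__main__":
    incident = enrich_alert(SAMPLE_ALERT)
    print(incident["disposition"], ticket_for(incident))
```

The DHCP step is the part that is most often skipped by hand and most often wrong when it is: the same address belongs to a lab box before 09:30 and after 11:00 but to a Finance workstation in between, so the lease that was current at the alert time, not the current lease, decides which asset and which owner the ticket names.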
