Overcoming Security Automation Roadblocks
Overcoming Myths, Determining Best Practices
About the Presenter
John Moran
• Sr. Product Manager, DFLabs
• IR Consultant
• Law Enforcement
Automation Myths Obscure Reality
Myth: Automation means fewer jobs
Automation should supplement, not replace
• Analysts are being inundated with alerts
• Too much time spent on mundane, repeatable tasks
• Automation should supplement, not replace
• Allow analysts to focus on tasks which require human intervention
Myth: Security is too complex to automate
Start with small, manageable bites
Myth: Automation is dangerous
Best Practices = Best Results
Why Automate?
• Have measurable goals in mind:
  • Automate the repetitive, mundane tasks
  • Decrease time to respond to an incident
  • Act as a force multiplier for security teams
  • Respond in a documented, repeatable manner
  • Reduce risk
Identifying Processes to Automate
• Review all security processes and tools:
  • Which tools can be easily automated?
  • Which processes are consistent and predictable?
  • Which processes are repetitive?
  • Which processes require little human intervention?
  • Which processes are taking too much time?
Getting Started
• Small, easy to automate processes
• Well documented, well understood processes
• Quickly and easily show value
• Build out from there…
Humans are not the Enemy!
• The goal is NOT to remove humans from the process
• Automation and analysts should complement each other
• Include human interaction at critical junctions or decisions
Common Use Cases
Phishing Email
✓ Query threat data for:
  • Embedded links
  • Sender email
  • IPs in header
✓ Scan email attachments
✓ Scan embedded URLs
✓ Check for other instances
✓ Quarantine email
✓ Notify users
Proxy Alert - URL
✓ Query threat data
✓ Get domain info
✓ Get A records
✓ Geolocate IPs
✓ WHOIS queries
✓ Access URL via Sandbox
✓ Query Proxy or SIEM logs
✓ Block domain
IDS Alert
✓ Query threat data
✓ Geolocate IPs
✓ Reverse DNS
✓ WHOIS queries
✓ Traceroute
✓ Query Proxy or SIEM logs
✓ Simulate network traffic
✓ Block IP
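The three use cases above share one shape: automated enrichment first (extract indicators, query threat data), containment last (quarantine, block), with the analyst making the containment decision, which is the "human interaction at critical junctions" point from the best-practices slides. The following Python is an added example and is not code from the presentation or from DFLabs; it implements the phishing-email playbook with the sample message, the threat-data set and the approval callback all constructed inline. Names such as `run_phishing_playbook`, `THREAT_DATA` and `approve` are assumptions made for the example, not a product API.

```python
"""Phishing-email triage playbook: automated enrichment, analyst-gated containment."""
import email
import email.utils
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the presentation); hosts use RFC 2606 / RFC 5737 example ranges.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.corp.example (Postfix) with ESMTP id 4F1C2B
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.example.net with ESMTPSA
From: "IT Helpdesk" <helpdesk@example.net>
To: user@corp.example
Subject: Your password expires today
Content-Type: text/plain; charset="utf-8"

Reset your password now at http://login-reset.example.net/auth
or use the normal portal at https://portal.corp.example/
"""

# Constructed threat data, standing in for a threat-intelligence platform lookup.
THREAT_DATA = {
    "ips": {"198.51.100.23"},
    "domains": {"login-reset.example.net"},
    "senders": set(),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(raw_message):
    """Pull sender address, Received-header IPs and embedded URLs/domains from a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()

    ips = set()
    for received in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(str(received)):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # dotted number that is not an address (e.g. a version string)
            if not ip.is_loopback:
                ips.add(str(ip))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = set(URL_RE.findall(text))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return {"sender": sender, "ips": ips, "urls": urls, "domains": domains}


def query_threat_data(indicators, threat_data=THREAT_DATA):
    """Automated enrichment step: intersect extracted indicators with known-bad data."""
    return {
        "ips": indicators["ips"] & threat_data["ips"],
        "domains": indicators["domains"] & threat_data["domains"],
        "sender": {indicators["sender"]} & threat_data["senders"],
    }


def run_phishing_playbook(raw_message, approve, threat_data=THREAT_DATA):
    """Enrich automatically; quarantine and user notification require an analyst's approval.

    `approve(action, evidence)` is the human decision point and returns True or False.
    """
    indicators = extract_indicators(raw_message)
    hits = query_threat_data(indicators, threat_data)
    evidence = {k: sorted(v) for k, v in hits.items() if v}
    actions = ["extracted indicators", "queried threat data"]  # always automated

    if not evidence:
        actions.append("no threat matches; escalate to analyst queue")
        return {"indicators": indicators, "evidence": evidence, "actions": actions}

    # Containment steps are gated: the playbook proposes, the analyst decides.
    for action in ("quarantine email", "notify users"):
        if approve(action, evidence):
            actions.append(action)
        else:
            actions.append(f"{action}: held for analyst review")
    return {"indicators": indicators, "evidence": evidence, "actions": actions}


def deny_by_default(action, evidence):
    """Stand-in for the analyst prompt: the playbook never contains on its own."""
    print(f"[approval needed] {action} - evidence: {evidence}")
    return False


if __name__ == "__main__":
    result = run_phishing_playbook(SAMPLE_EMAIL, deny_by_default)
    for line in result["actions"]:
        print(line)
```

The design choice worth copying is the split between `query_threat_data` (safe to run unattended on every alert) and the `approve` callback (the only path to a containment action): a real playbook would wire `approve` to a ticket or chat prompt, and a denied or unanswered approval leaves the message in the analyst queue rather than acting on its own. The same skeleton fits the proxy and IDS use cases by swapping the indicator extraction for a URL or flow record and the gated actions for "block domain" or "block IP".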
Questions?