Building Next Gen SOC-20p

Uploaded by

sasuke Chibi

Building Next Gen SOC for Advanced Detection, Threat Hunting and Auto-Response
REINVENTING SECURITY OPERATIONS

Yudi Arijanto, CISSP, PCNSE
System Engineering Manager

1 | © 2019 Palo Alto Networks. All Rights Reserved.


Emerging Challenges in Security Operations


As threats escalate, SecOps is more important than ever

[Figure: timeline of breach record counts per incident (from 2M up to 2B records stolen, plus 134M credit cards and 500M guest records) and of new malicious programs registered per period (from 47M up to 925M+), with the Morris Worm and a space agency breach among the labelled incidents; the remaining incident labels are not recoverable from the extraction.]

Threat categories by era:
1998: Malicious code, Trojans, Worms
2004: Identity theft, Phishing, Mobile viruses
2007: DNS attacks, Botnets, Sabotage
2010: Social engineering, DDoS attacks, Malicious email
2013: Banking malware, Keyloggers, Ransomware
2016: Ransomware, Cryptominer, Certificate attacks
Present: Cyberwarfare, Fileless attacks, Automated & AI attacks
Also shown on the timeline (column positions not recoverable): Viruses, Anti-spam, Ransomware, Botnets, Bitcoin wallet, Cloud migration, SQL attacks, Android hacks, S3 buckets, Insider threats


Why security teams struggle

Gaps in Prevention: legacy tools generate too many alerts (174k alerts per week)
Lack of Time: manual tasks across siloed tools take too long (30+ point products)
Limited Context: it takes days to investigate threats (4+ days to complete an investigation)


The reality (and complexity) of security operations

[Figure: NEWS & ALERTS]


How SecOps must transform to reduce risk

Chart axes: EFFICIENCY; MTTR/MTTD & RISK.

Maturity     Low (Reactive)     Medium                    High (Proactive)
Detection    RULE-BASED         CORRELATED RULE-BASED     ANALYTICS-BASED
Context      LOG AGGREGATION    SILOED DATA COLLECTION    INTEGRATED RICH DATA
Automation   NONE               PARTIAL                   FULL


SOC Maturity Graph

[Figure: maturity curve with two annotations: "Most Org want to be here" and "But they are here".]


SOC Mapping - Product

[Figure: capabilities plotted against a Maturity axis and mapped to products. Capability labels: Visibility, Advanced Logging, Forensics, Automated Threat Hunting, Automated Analytics, Threat Playbooks, Security Posture, Threat Hunting, Cloud Security, Orchestration, Networks, Visibility + Compliance, User + Entity Behavior Analytics, Detection and Response, End Point Management, SIEM, Incident Management. Product labels: Cortex Data Lake, NGFW, ATP, IDS/IPS, FW, AV, Cortex XDR, Demisto, TRAPS, Demisto + WF + AutoFocus.]


Our Unique Approach


Reinventing SecOps with Cortex

Prevent everything you can prevent: Traps & Next-Generation Firewall
Everything you can't prevent, detect and investigate fast: Cortex XDR & AutoFocus
Automate response and get smarter with each incident: Demisto


Reinventing SecOps with Cortex

Stop threats with best-in-class prevention: Traps & Next-Generation Firewall
Detect sophisticated threats with analytics: Cortex XDR
Accelerate investigations with rich context: Cortex XDR & AutoFocus
Automate response and get smarter with each incident: Demisto


Reinventing SecOps with Cortex

Endpoint Protection, ML-based Threat Detection, Investigation & Response
Playbook Orchestration, Case Management, Real-Time Collaboration


CORTEX: Disruptive Security Operation, Co-Existing with SIEM/SOC

[Figure: architecture diagram in three layers.
Protect - Security Gateway (Sensor): Network, Endpoint, Cloud, 3rd Party Log (Compliance).
Detect - SIEM, Cyber Threat Intelligence, AutoFocus, Cortex Data Lake, Cortex XDR, Minemeld, AI&ML Analytics, SOC Team.
Response - NW, EndPoint, IDM, API Operation, Ticket System, Server Team, App, Database.]

Threat & Risk Improvement
1. Reduce OPEX cost (use case management, log normalization and rule correlation)
2. Reduce alerts and false positives
3. Reduce time to triage and root cause analysis with impact
4. Prioritize alerts for the most critical incidents
5. Proactive advanced threat detection & hunting

Operation Improvement
1. Time to respond, contain and eradicate the threats, and remediate
2. Standardize security process and workflow with automation
3. Orchestrate several security devices with automation (analyze & respond)
4. Continuous improvement

Operation Challenges
1. Non-standard incident response workflow and playbook
2. Manual incident response operation with multiple teams
3. Slow time to contain threats and remediate impact
4. Lack of SOC measurement, SLA & SOC metrics
5. Lack of a central knowledge base and lessons learned

Use Case: Phishing Response (Demisto)


The Problem: Phishing response is hard

High Alert Volumes: phishing attacks are frequent, easy to execute, and act as the entry vector for most security attacks.
Disjointed Processes: security teams must coordinate across email inboxes, threat intel, NGFW, ticketing, and other tools for phishing response.
Ever-Present and Growing: 95% of all attacks on enterprise networks are a result of spear phishing.¹

¹ Source: https://www.networkworld.com/article/2164139/network-security/how-to-blunt-spear-phishing-attacks.html


Our Approach: Phishing response

Before: a Security Analyst performs manual triage, collecting context by hand from Threat Intelligence, the SIEM, Malware Analysis, EDR and Ticketing.

After (automated playbook):
1. Ingest: email
2. Extract: IP, domain, attachment
3. Enrich: check indicator reputation (Threat Intelligence); collect context (SIEM); detonate file (Sandbox)
4. Respond: quarantine; raise severity; open ticket; inform analyst by mail
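The automated flow described on this slide (Ingest, Extract, Enrich, Respond), worked through as runnable code. This is an added example written for this page, not Demisto or Cortex code. Everything outside the Python standard library is a constructed stand-in: the sample email built by build_sample_email (sender domain example.test, relay IP 203.0.113.45 from the TEST-NET-3 documentation range, a fake "invoice.exe" attachment), the reputation feed REPUTATION, the sandbox verdict store SANDBOX_VERDICTS, and the action names returned by decide_response, which a real playbook would execute against the mail system, the SIEM and the ticketing tool.

```python
"""Phishing-response playbook skeleton: Ingest -> Extract -> Enrich -> Respond.

Added example, not Demisto or Cortex code. The reputation feed and the sandbox
are constructed dictionaries standing in for real integrations, and response
actions are returned as a list of names instead of being executed.
"""
import hashlib
import ipaddress
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# --- Constructed sample input (not a real binary, not a real campaign) --------
SAMPLE_ATTACHMENT = b"MZ\x90\x00 constructed attachment bytes for the example"

def build_sample_email() -> bytes:
    """Constructed phishing report: lure text, one URL, one executable attachment."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.test"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Password expiry notice"
    # Hypothetical relay hop; 203.0.113.0/24 is the TEST-NET-3 documentation range.
    msg["Received"] = "from mail.example.test (203.0.113.45) by mx.corp.example"
    msg.set_content("Your password expires today. Verify at http://login-example.test/reset")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

# --- Stand-in enrichment sources (constructed) --------------------------------
REPUTATION = {"login-example.test": "malicious", "203.0.113.45": "suspicious"}
SANDBOX_VERDICTS = {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest(): "malicious"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Relay hops inside these ranges are our own infrastructure, not indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RANK = {"unknown": 0, "benign": 0, "suspicious": 1, "malicious": 2}

def extract_indicators(raw: bytes) -> dict:
    """Extract step: domains from URLs and sender, relay IPs, attachment hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    domains = {urlparse(u).hostname for u in URL_RE.findall(text)}
    sender = msg.get("From", "")
    if "@" in sender:
        domains.add(sender.rsplit("@", 1)[1].strip("> "))
    ips = set()
    for hdr in msg.get_all("Received", []):
        for cand in IPV4_RE.findall(hdr):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched the regex but is not an address
            if not any(addr in net for net in INTERNAL_NETS):
                ips.add(str(addr))
    hashes = {hashlib.sha256(part.get_payload(decode=True)).hexdigest()
              for part in msg.iter_attachments()}
    return {"domains": sorted(d for d in domains if d),
            "ips": sorted(ips), "hashes": sorted(hashes)}

def enrich(indicators: dict) -> dict:
    """Enrich step: reputation lookup for domains/IPs, sandbox verdict for files."""
    verdicts = {ioc: REPUTATION.get(ioc, "unknown")
                for ioc in indicators["domains"] + indicators["ips"]}
    for h in indicators["hashes"]:
        verdicts[h] = SANDBOX_VERDICTS.get(h, "unknown")
    return verdicts

def decide_response(verdicts: dict) -> dict:
    """Respond step: severity from the worst verdict, then the slide's actions."""
    worst = max((RANK[v] for v in verdicts.values()), default=0)
    severity = {0: "Low", 1: "Medium", 2: "High"}[worst]
    actions = ["inform_analyst"]            # every report reaches an analyst
    if worst >= 1:
        actions.insert(0, "open_ticket")    # suspicious or worse gets a case
    if worst >= 2:
        actions = ["quarantine_email", "raise_severity"] + actions
    return {"severity": severity, "actions": actions}

def run_playbook(raw: bytes) -> dict:
    """Full Ingest -> Extract -> Enrich -> Respond pass over one reported email."""
    indicators = extract_indicators(raw)
    verdicts = enrich(indicators)
    return {"indicators": indicators, "verdicts": verdicts, **decide_response(verdicts)}

if __name__ == "__main__":
    import json
    print(json.dumps(run_playbook(build_sample_email()), indent=2))
```

The point of the skeleton is the shape, not the lookups: each step returns plain data that the next step consumes, so a real integration (a threat-intel API, a sandbox, a ticketing system) can replace one stand-in dictionary or one action name without the triage logic changing, and the worst verdict across every indicator, not the first hit, drives severity.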


Key Differentiators: Automate and standardize phishing response

Product Integrations: Demisto integrates with all security tools commonly used for phishing enrichment and response.
Intuitive Response Playbooks: OOTB and custom task-based workflows enable security teams to coordinate across teams, products, and infrastructures.
Automated Actions: 1000s of automated actions across security tools make scalable phishing response a reality.


Cortex XDR achieves best MITRE ATT&CK coverage

Scored higher than all other vendors with 93% fewer misses.

Attack technique coverage:
Palo Alto Networks 88%
Cybereason 78%
Microsoft 77%
CrowdStrike 77%
SentinelOne 74%
Endgame 74%
Carbon Black 74%
FireEye 70%
Countertack 57%
RSA 55%


Palo Alto Networks: Better Together

SECURE THE ENTERPRISE