Automation, Orchestration, and Actionable Threat Intelligence I


Combined Session
Wednesday, October 09, 2019 15:00—16:00
Location: Holeman Lounge

Automating Open-Source Zeek (Bro) for Threat Mitigation and Response

This presentation describes how Zeek (Bro), a common open-source tool that has until now been used primarily for threat detection, can be extended to provide threat response, including mitigation of attacks, and how those capabilities map to the MITRE ATT&CK framework.

Today Zeek/Bro has a large and active open-source community that contributes Zeek/Bro scripts, including detections for attacks such as Heartbleed and many other behavioral (TTP-based) detections. This presentation will have the following structure:

  1. Introduction to Zeek/Bro event-based detection techniques, including behavioral detection aspects
  2. Show how those detection techniques can be mapped to the MITRE ATT&CK framework, giving the audience a common taxonomy for what Zeek/Bro does
  3. Introduction to how the Zeek/Bro event-based programming model can be extended for threat mitigation and response, and what benefits those extensions would provide to organizations
  4. Show specific Zeek/Bro examples that highlight the power of extending the Zeek/Bro paradigm, including simple actions such as responding to Heartbleed after it is detected with a mitigation action that stops the behavior progressing through the kill chain
  5. Highlight how this framework can be further extended for automation across a network of sensors, with mitigation driven by orchestration tools; show how Zeek/Bro fits into orchestration tools, including possible playbooks written for security operations that tie detection to automated mitigation
  6. Summarize the approach to extending Zeek/Bro and its value to security organizations

Allan Thomson
LookingGlass Cyber Solutions
As LookingGlass Chief Technology Officer, Allan Thomson has more than three decades of experience across network, security, and distributed systems technologies. Allan leads technical and...

CACAO: Insights on Cybersecurity Orchestration Cooperative Collaboration

To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps, when grouped together into a course of action (COA) or playbook, are used to protect systems, networks, data, and users. The problem is that once these steps have been created, there is no standardized and structured way to document them, verify they were correctly executed, or easily share them across organizational boundaries and technology stacks.

This presentation introduces work underway by a group of interested industry companies to define a standard way to implement a playbook model for cybersecurity operations.

We’ll cover aspects of CACAO including:

  1. How playbooks are created and how they document COAs in a structured, machine-readable format.
  2. How organizations perform attestation, including verification and authentication, on COAs and their playbooks.
  3. How sharing and distribution of COAs across organizational boundaries and technology stacks may involve protocols, APIs, interfaces, and other related technology to support sharing across different vendors and organizations.
  4. How organizations can verify COA and playbook correctness prior to deployment.
  5. How organizations would monitor COA activity after successful deployment.

Learning objectives:

Bret Jordan
Symantec
Bret Jordan is a seasoned business leader and Cybersecurity Architect with over 20 years of experience in cybersecurity. He has worked with an eclectic mix of global enterprise companies, startups,...
Allan Thomson
LookingGlass Cyber Solutions
