Automation, Orchestration, and Actionable Threat Intelligence II

  • TYPE: Combined Session | DATE: Wednesday, October 09, 2019 | TIME: 16:00-17:00 | LOCATION: Holeman Lounge

Sessions:

Threat detection in today's environment requires Security Operations Center (SOC) teams to go beyond SIEM rules and simple correlation. Yet "black box" AI systems often fall short, creating too many false positives while still missing true incidents. Decision Automation is a new paradigm that brings the power of expert root-cause analysis using the 5 Whys approach, coupled with machine learning and easily configured automation platforms, enabling security teams to build intelligent threat detection. This session will explore the fundamentals of Decision Automation along with relevant case studies.


Many enterprise security teams rely on rules and searches to create alerts. Such rules not only have high false positive rates but very high false negative rates too. It is easy for a rule-based system to miss very simple attacks it has not seen before. Yet if we give the same data to an analyst, they are, more often than not, able to detect suspicious behavior and attacks they have never seen before.

In this talk we will see how to build a fully automated system that uses the same techniques an analyst does and methodically analyzes the data autonomously to decide which events are risky and should be turned into incidents. The talk focuses on automating threat hunting with a framework that captures the expertise and techniques of a skilled threat hunter.

Key take-aways:

  • Learn common techniques threat hunters use to hunt for threats without a priori knowledge of what those threats look like.
  • Discover how to automate threat hunting so that you can find threats much more effectively, at machine speed.
  • Learn how to apply automation, machine learning and feedback loops to build a much better threat detection system.
  • Hear success stories from real-world implementations that apply automation to alert triage.
  • Learn about a process that has been applied in many companies to measure the effectiveness of automation, and how that leads to higher trust in automation.

Speaker:

Kumar has 15 years of experience in the enterprise security and log management space leading product development efforts at ArcSight and SumoLogic. He has a passion for helping organizations improve the efficacy of their security operations, and personally witnessed the limitations of existing...

How can small to medium organizations use what the larger organizations learn about threats to take action in a prioritized, appropriate, and automated manner? Is there an incentive for an organization to share opinions and sightings about Indicators of Compromise (IOCs)? How can a service provider share the insight gained by all these contributors so organizations can directly use that insight, even if they do not have the staff to analyze all the associated information? Bandura Cyber has partnered with the IACD team to demonstrate the potential value of: community sharing of opinions/sightings, confidence scores to provide updated context, and dynamic prioritization to drive local response actions. This talk will describe the joint experiment, results, and lessons learned.

The experiment uses a simulated AIS feed, a threat intelligence gateway, a SOAR platform, and traditional security products to address an IOC associated with a watering hole attack. The demonstration uses the opinions and sightings from organizations to update the AIS confidence score, which the gateway uses to create a dynamic score. This score is used to block or allow the IOC, or to pass the IOC and its context on to an orchestrator for processing. The scenario moves from "IOC is good" to "IOC is questionable" to "IOC is bad", back to "IOC is questionable", and back to "IOC is good". The contributions from the community build a perspective on the changing nature of the IOC, and the gateway can block or allow when the appropriate threshold is met. It can also send the IOC to the orchestrator when it is questionable.

The intent of the experiment was to: demonstrate value to community members for sharing sightings, opinions, etc.; attempt to use insight from other organizations to deal with the temporal aspect of an IOC; show a way to combine multiple insights into a single value that provides updated context to organizations; and identify the type of information needed to define the different actions to invoke under different conditions based on local policy.
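As an added illustration of the score-and-threshold gating the abstract describes (not the experiment's own code), the following replays the good, questionable, bad, questionable, good progression. The smoothing update, the 0..100 score, the 70/30 thresholds and the per-organization trust weights are all assumptions made for the example.

```python
from dataclasses import dataclass

# Local policy thresholds and update rate (assumed values, not from the experiment)
BLOCK_AT = 70.0       # score at or above this: the gateway blocks the IOC
ALLOW_AT = 30.0       # score at or below this: the gateway allows it
LEARNING_RATE = 0.5   # how far one sighting moves the score toward its verdict


@dataclass(frozen=True)
class Sighting:
    org: str
    verdict: str    # "malicious" or "benign"
    trust: float    # gateway's trust in this contributor, 0..1 (assumed)


def update_confidence(confidence, sighting):
    """Move the AIS-style confidence (0..100) toward the sighting's verdict,
    scaled by how much the gateway trusts the contributing organization."""
    if sighting.verdict not in ("malicious", "benign"):
        raise ValueError(f"unknown verdict: {sighting.verdict}")
    target = 100.0 if sighting.verdict == "malicious" else 0.0
    step = LEARNING_RATE * max(0.0, min(1.0, sighting.trust))
    return confidence + step * (target - confidence)


def gateway_action(score):
    """Map the dynamic score onto the three outcomes named in the abstract."""
    if score >= BLOCK_AT:
        return "block"
    if score <= ALLOW_AT:
        return "allow"
    return "orchestrate"   # questionable: hand IOC plus context to the SOAR platform


def run_scenario(initial_confidence, sightings):
    """Replay community sightings in order; return [(score, action), ...]
    starting with the decision for the initial AIS confidence."""
    score = float(initial_confidence)
    trail = [(score, gateway_action(score))]
    for s in sightings:
        score = update_confidence(score, s)
        trail.append((score, gateway_action(score)))
    return trail


# Constructed sightings for a placeholder watering-hole IOC
WATERING_HOLE_IOC = "watering-hole.example"
SCENARIO = [
    Sighting("org-a", "malicious", 1.0),
    Sighting("org-b", "malicious", 0.5),
    Sighting("org-c", "benign", 1.0),   # e.g. site cleaned, payload gone
    Sighting("org-d", "benign", 1.0),
]

if __name__ == "__main__":
    for score, action in run_scenario(20, SCENARIO):
        print(f"{WATERING_HOLE_IOC}: score={score:5.1f} -> {action}")
```

Starting from an AIS confidence of 20 the trail is allow, orchestrate, block, orchestrate, allow, which is the abstract's scenario; lowering org-b's trust is what keeps the "bad" state at exactly the block threshold.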

Key take-aways:
Participants who attend this session will leave with an understanding of how they can obtain value from providing local insight into community shared threat intelligence. They will also see a way to use dynamic prioritization to drive different actions in their environment, which may make it more appropriate to process IOCs and associated response actions in an automated manner.


Speakers:

Todd brings to the team over 20 years of cybersecurity industry experience with a unique blend of operational and Wall Street experience. Todd is responsible for driving corporate, product, and go-to-market strategy and execution. Todd brings to the team over 20 years of cybersecurity...


Washington, D.C. - USA

Conference

CyberNext Summit 2019

Language:
English
  • Oct 08 - 10, 2019 Washington, D.C. - USA