Event Recording

Hemant Dusane: SOAR Use Cases for Effective Threat Response.


Hello, everyone. Thank you so much for joining the session. I quickly introduce myself. My name is Haman Desani. I'm a co-founder and CEO of invent ons. We are India based company, but we serve global customers in the recent market. One of the research company have identified that improving alert, triad quality and speed as a key driver for the adoption of security orchestration, automation and response, which is a saw tools. Security operations team are having to respond to a higher number of more complex, increasingly destructive cyber attacks on their organization and are looking at low and how they can automate sought and incident response processes to reduce their time to contain and remitted security incidences. So to introducing our topic quickly, by integrating the security orchestration automation and response capability, or a platform with SIM is going to help the organization security teams and they can build very market leading threat management solution. That covers the decision detective investigation, limitation of threat across a wide range of cyber use cases. The technology integration between the two solution allows the security Analyst audio soft team member to quickly and efficiently escalate, suspected offenses from SIM to a source solution triggered additional automated enrichment and drive the full investigation process. As the incident evolves, all the information is synchronized between your SIM solution as well as saw ensuring full data integr and any new information uncovered by saw is fed back to the SIM solution. So it improves the overall detection process.
So what is saw saw is basically security, orchestration, automation, and response that terminology is adopted and is an approach to a security operation and incident response used today to improve security, operation efficiency, efficacy, and consistency, to better understand what it means. Let's look at the component separately. So there are three components here we are talking. First component is security orchestration where the coordination of various disparate security tools and technology being used with the tool stack, typically various vendors you have in the organization to seamlessly integrate and communicate with each other to establish reputable, enforceable, measurable, and effective incident response process and workflows. So people and processes must also be orchestrated properly to ensure the maximum efficiency. Second component is security automation, the method of automatically handling tasks and processes without the need of manual intervention. Reducing the time these takes by automating reputable processes and applying machine learning methodologies to appropriate task automation usually take place through the use of playbooks and runbooks.
So there's a quick difference between playbook and runbook playbook is basically a, a linear task or a step by step approach towards the day-to-day activities. Versus the runbook is talking about decision based conditional actions when there's an incident, what other decisions can be taken and then what other action can be taken. So that's a slight difference between playbook and runbook and it helps you to reduce eliminate the mundane actions that must be performed. Okay. And the third component here is security response, the approach to addressing and mapping the security incident. Once an alert have been confirmed, including triage, containment, remediation, and many more steps today, many actions such as quarantine files discipling the access to the compromise accounts to name a few are performed automatically. So the incident that once post a real threat can be quickly resolved.
So what are the important capabilities of so first is threat and ity management. These technology support all the capabilities supports the remediation of volatilities in the environment they provide, provide formalized workflows reporting and collaboration capabilities with your variety management tools, second security incident response. These technologies of saw or capabilities of saw support. How on how an organization plans manages tracks and coordinate the response to security incident. And the third component here is security operations, automation, these technologies or capabilities support the automation and orchestration of workflows processes, policy, and execution, and reporting. So just a fun card, like someone receive a memo from a regulatory authority in there saying that will protect your business. And it's, it's, it's basically we, we are the people who have to protect our business.
So let's understand quickly what are the security requirements of any kind of organization? So what I've done here is I have segregated various kind of enterprises into three categories, small, medium, and large, and listed out certain key services. Here, there can be limited services or more services. I have identified certain services with my experience in the Richard research I've done. So in these services, there are two, two key important services are required for any kind of organization, whether it's your startup or a mid-size or a big enterprise. First is the infras security operations, which is very key component for any company to ensure the security of their, their infrastructure or the technology stacks. And second is the risk management process. It's a program which you have to define within your organization to address all of your minimum security requirements in the organization. Rest of these services are these suggestions and can be tweaked as for the needs of the organization. So, I mean, if you want, you can list it on. We are going to share the presentation later as well.
So let's understand what are the security challenges, which are actually beyond the technology or the technology factors. There are five, which I listed down here. First is the understaffed, so capabilities or these. So corporations in case of only stock operations, however, you try hard, you will always have lack of people who are running your so operations. And that basically leads to an internal inefficiency and analytic end running the operations successfully. Correct. Second challenge here is the, or with the alerts, which are desperate security products, sending you to your so environment. Lot of tools, I mean, on an average, what, what I heard and seen is that you will have at least 10 to 15 various kind of vendor in the midsize and small size organization in the large, that number can increase and they are sending continuous alerts to your SOC centers. And your team is not capable to do the analysis on their own.
If your SIM solution or the SOC do not have the capability to perform those automation. Third challenge here is enable to keep pace with the current threads. As we know that day to day, we have been looking after various new threats and zero day attacks. So there is a always a gap between the skillset required to address those kind of warranties or the threats in the environment and address overall efficiency of your processes. Hence the process latency is going to impact your overall stock operations. The fourth challenge here is the cloud migration imposes new requirement on this. So it's more on the lack of automation and integration of your current same solution to the so stack or the cloud stack, what you have in terms of how you receive the alerts, how you process those alerts and then respond to those incident. And the last challenge here is the security analytics has become a big data problem, definitely because of a lot of data you have been receiving from various tools and OEMs, it becomes very challenging and important for you to see that how you can segregate those logs and address the various analytical filtering challenges in the environment.
So one of the study has been identified that one in four organization S various kind of risk factors, and they are at the risk of major breach in next 24 months. This can be reduced if you are looking at the various different kind of industries, but this is generalized. So an average industry detection time for a breach is 197 days, which is a huge time. And industry average time to contain a breach is 69 days. Again, it's very higher time. And because of these higher number of days, the average cost of data breach is 3.8, 6 million, which is so huge. So the early detection is going to help you to minimize the impact. But if you detect the overall attack on your environment is going to definitely cost you hell lot of money.
So summarizing the research again, this, the average cost of data breach has fluctuated between 3.5 million, two, 4 million in recent years. But if you look at the industry types, lot of people globally, they think that only financial or technological base in companies or industries are being attacked, but the research says something else they're talking about. Healthcare domain energy domain industries have been attacked so far, and they are the highest number of compromised companies. And they have to pay highest number of the cost per the incident. But that's not the whole story as the cost of a breach varies significantly based on industry. That's what we discussed in the diagram. You can see how the average data cost breach varies for various 16 industry out of these industries. Healthcare had been the highest average cost for the data incidents. So the global average total cost of data breach as we have seen in previous slide is 3.8, 6 million for 2020, which is almost similar to 2019 numbers. The average time to identify and contain breach was 280 days in 2020, which is very huge number. So to summarize your organization should look beyond the basics of services, such as automation, advanced reporting, defining KPIs and Caris threating and deceptions advanced case management, advanced security analytics, and advanced threat intelligence.
So let's understand what are the various use cases of, so to manage the threat in your environment. So security, orchestration, automation, and response technology, streamlines security workflows, helping security teams to improve their productivity and efficiency. The technology can be used to automate up to about, let's say, 80 to 90% of a security teams manual task, and address a wide range of use cases. So let's understand what are the use cases and in detail, I'm going to cover couple of important use cases out of this list. And if you want to discuss in detail about these use cases, we can connect later.
So first is about fishing. According to one of the researching attacks plays a role in 92% of security breaches, and everyone can agree to that point. So the primary objective behind any phishing attack is to trick the victims into sharing sensitive or confidential information such as corporate network credential, credit card information, email credential, attackers, employee, social engineering techniques, to manipulate their target into clicking or malicious link or downloading a malware or a malicious file at times, attacker disguise themself as a trusted individual or organization for manipulating the, for manipulating the victims into the voluntary selection of those utilization of those URLs or taking on it, revealing confidential information. If it's phishing attempts has been successful and the organization has not been able to detect the phishing attack, the extent of potential damage wide and substantially. So what organizations should be doing organizations are in experiencing high volume from these potential phishing emails being reported.
It's good that a lot of people are being aware about how they can report the incident and they're doing it. It also job of your security teams to investigate these Alling attacks in detail. So investigating phishing emails is a tedious work and involves passing off every indicators to DataMine if it is legitimate or not. So in this scenario, a so platform can automate these tasks with a playbook, a day-to-day activity that automatically passes out indicators and verifies if they are truly malicious and fetching attempts, the playbook can also enrich the indicators and perform further analysis to perform the triad and determine what, if any response actions are to be taken against the phishing attacks. So automated responses can check false positive block, send us email addresses. They can also block S indicator and also add the indicators to SIM solution to response and check whether these are false, positive or not.
So there are certain steps the source solution can perform here, the scanning, the attachments and the URL workflows. And we talk about the designated decision points to through these same solutions, threat intelligence, lifecycle automation, and threat into lifecycle. It's basically, it's a fundamental framework for any kind of fraud, whether it's a physical or a cybersecurity fraud, it in case of a match or software executed in operations, they're merely helping organization. If it is not properly handled. So at a high level, the threat intelligence life cycle outlines the core steps to apply and uphold high standard at the data hygiene necessary to confidently draw the conclusion and take actions on the data breaches. So the it and adaptable methodology contains five phases, which is shown in the diagram, such as planning direction and collection analysis production and giving feedback to your first stage. So phase one is talking about the threat intelligence life, which is very important step, not just because it's a first step, but it is important to set a purpose and scope for all falling intelligence activities. So if you automate entire process of threat, inte lifecycle management, all five phases, you can easily focus on other activities of addressing the incident. And it becomes easy for the security teams to gather the intelligence on a periodic basis automatically.
So the next use case is about threating and incident response threating is a time consuming task, as we all are aware, and it demands a highly technical skill set that most organization for better or worse have to consider a luxury, right? According to a recent science study, it talks support only 31% of organization have staff dedicated to hunting threats, but being proactive in this area can be enabled all of your Analyst to better understand, better uncover and defend against the complex advanced process and threats, which ares, the attacks that are almost guaranteed to succeed. And with the massive dwell time allows attacker to wreck widespread the AOK. So basically it'll help you to automate the entire process of threating lower, the barrier to hunting and bolster your team's ability to compete with the today's most capable advisories by automating processes around identifying suspicious malicious domain mal ways and other indicators.
So let's understand these three steps quickly operationalized desperate data sets. What it talks about first step is hunting is not just the intensive time intensive, but it also unbounded. There's no boundary that how much deep you can go. So the more data sets you are able to analyze, the more thorough your proactive search for compromise will be. So with orchestration, you can easily add additional tools to your data set without adding substantial time to your hand cycle. Second step is automate reputable task by automating the ongoing task associated with the threat attending such as recurring scans, your team will have more time to do what they can do the best, which is finding and threatening the bad guys, bring team members into the process strategy for the maximum efficiency. Once you automate it will help you to improvise the team efficiency successfully. And the last step is definitely notify and respond faster, create and kickoff designated response workflows, based on the type of threats you have discovered this ensures you follow proper protocol, the approach your stakeholders are also notified as quickly as possible, and that everyone works from the same set of data for a complete end-to-end investigation.
Security teams are bogged by all the ransomware of attacks nowadays. Correct? So let's understand the use case of malware contentment. There are various kind of ransomware viruses, spyware attacks are happening nowadays, or all kind of companies automate the investigation and containment of malware before it does significant damage to your overall network and the organization. So first tape is to identify malicious activity when dealing with malware, it is very important to know these signs of these signs to look for and how to stop the malware in timely manner to reduce the overall spread of the infection, automate processes, to identify indicators to the malware incidents, such as misspelled process names and the abnormal log activities. Second steps talks about investigate the threat. When the malware is detected, workflow has to be tweak the leverage workflow to analyze and adopt the plugins methodologies such as there are a lot of malware analysis plugins available. You can adopt and utilize those plugin and comments at boxing tool, which can help you to investigate the malicious file in a safe space before they get into your network. And the last and most important step is the containment and remote. All malware will require some type of containment or actions, leverage automation to identify the affected users, assets, leaving decision points for a security practitioner to remove the necessary user accounts and isolate the malware and disconnect machines from the network.
So the next use case is about alert enrichment. So according to the survey, 44% of security alerts go uninvestigated due to the overwhelming amount of information received by the Analyst. So the SOC the, so at the enterprise level organization, as we were discussing in the earlier list of services at the enterprise level owns an average of 75 different security tools bouncing between these tools. When the assign alerts tools in every day is mind numbering work that discuss the tier one or the L one Analyst. So orchestration and automation solutions can help you to accelerate detection by enriching the quality of the security alerts you receive, and the automatically waiting out many false positive, giving your team more time and greater context to tackle actual threats. So it's going to help your team in terms of automating the element task, and then focus more on the research part.
So what are the quick three steps here? First step is to leave the heavy lifting to the machines. For example, in today's scenarios, we talked about 70 of our different security tools. Definitely you will receive more than 10,000, 12,000 security alerts on an average per day, right? With your security tools, automatically gathering and compiling relevant context about the security events. Your team can switch their focus to analyze and respond instead of spending time on manually collecting the data. Correct. Second step is to reduce the noise. So last year is to efficiently, automatically enrich your security alerts with the potential and important information. That's the last step here. So I not cover this slide. I'll discuss with the networking session. This is my last slide. If you want to interact and engage with any security providers, such as our company in event on, you can look for five options here and, and we can discuss this in detail. Our thank you so much.

Video Links

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00