
Hello everyone, I hope you are having a great time at this conference. Before I start I want to thank Paulina andio for organizing this amazing conference; it's the only conference for cyber security, and I hope there will be many more conferences like this. Before I go deep into the cyber security and SOAR world, I want to start with something that we all can relate to: timers and alarms. I personally use them a lot because I want to keep my life on track and organized. For example, I wake up in the morning with multiple alarms, because one alone cannot wake me up, and I also use them when cooking or managing work shifts. I want you to think of SOAR in the cyber security world as the cyber security equivalent of these timers and alarms: it's all about staying organized and efficient in the complex world of cyber security.

Before I start with my presentation I want to introduce myself. I am Mar laa; I work as a specialist in the largest bank in Albania, BK for short, and I also work in the Faculty of Economy of the University of Tirana as an assistant lecturer, where I teach the cyber security subjects and computer science. I'm here today to present SOAR and how SOAR is changing the cyber security game.

Here is an expression: it takes 20 years to build a reputation and a few minutes of cyber incidents to ruin it. The bank I work for has more than 20 years in the market, and the most important thing for the bank is to have a reputation and the trust of its customers, so this quote cannot be more accurate for the bank that I work for. But what can ruin the reputation?
Cyber attacks, which have become increasingly sophisticated and challenging to detect and defend against. Their main objective is financial gain or reputation damage, or both. That's why we have to defend against them. Listed here are some common cyber security attacks: spear phishing, SQL injection, ransomware, man-in-the-middle attacks, zero-day exploits and DDoS. How do we protect from these attacks? We can protect through automation, through SOAR. Data can be protected with highly structured procedures, policies and baselines, but documentation alone cannot protect our data, so these procedures and policies should be applied in a robust system and in the processes of our companies, or in my bank in this case.

The most common problem in today's cyber security infrastructure is that human resources are not used efficiently: people are used to do routine tasks, to maintain a system and to do common jobs which can be totally automated with SOAR. SOAR stands for Security Orchestration, Automation and Response, and it's the perfect solution to reduce such jobs in today's world. SOAR, OpenAI or any other artificial intelligence solutions have reduced and will continue to reduce manual jobs, but on the other hand there will be so many more new jobs opened, and we'll have more efficient employees, because SOAR is like having an automated assistant for your security team. Here in fact is a quote: achieving maximum results with minimum resources may sound impossible if you are doing that manually, but practically it can be possible with SOAR in cyber security.

But what can SOAR help with, and which are the benefits of SOAR? The first benefit is dealing with more threats: in today's world, as cyber security gets more complicated, SOAR helps us handle threats efficiently. The second is responding faster when a security issue arises: SOAR helps us react quickly to contain the problem. The third one is
reducing mistakes, because it cuts down on human errors in our cyber security processes. The next is using resources wisely, as I said before, because SOAR makes sure that we use our security team's time efficiently. Then it keeps things consistent, because it ensures that security procedures are consistent and standardized. And the last one is scaling up: as our organization grows, SOAR can adapt to handle more.

The key capabilities of SOAR are management of threats and vulnerabilities, responding to security incidents, and automating security operations. Let's take a look at each of them. Managing threats and vulnerabilities involves identifying, assessing and prioritizing potential security threats and vulnerabilities within an organization's network and systems. It utilizes tools and processes to scan for vulnerabilities, even zero-day vulnerabilities, with multiple plugins, collects threat intelligence, and categorizes risk based on severity and potential impact. It helps teams stay ahead of emerging threats, enabling them to take preventive measures to mitigate risk before it can be exploited. The second one is responding to security incidents: SOAR provides the tools and workflows necessary to detect and respond to security incidents promptly. A SOAR system can automate incident triage and investigation processes and provide predefined playbooks, of which we will see an example later on, and automated actions that guide security teams in containing and remediating the incident efficiently, reducing response time and minimizing potential damage. The third one is the automation of security operations. Automation is the heart of SOAR: it automates routine and repetitive tasks, freeing up human resources to focus on more complex security challenges instead of manual, routine things. SOAR systems utilize scripting, orchestration and workflow automation, which ensures consistency in security operations and reduces the risk of human errors, because, you know, humans are the weak point in every organization. It also adapts to the evolving threat landscape by automatically updating security policies and countermeasures based on real-time threat
intelligence.

Here are some features of SOAR, Security Orchestration, Automation and Response: alert overload, security automation, SOC response, visual playbook builders, threat intelligence and flexible integration. Let's see them one by one, defining each, the challenge it addresses, the solution SOAR offers and the benefits. The definition of alert overload is the overwhelming influx of security alerts from various sources, making it challenging to manage them. The challenge itself is that security teams face difficulties in efficiently prioritizing and responding to a high volume of alerts. The solution is that SOAR addresses this challenge by streamlining the triage and response process. The benefit is that implementing SOAR results in improved incident response time, reduced false positives and an overall enhanced security posture. The second feature is security automation. Security automation involves the use of technology to perform repetitive security tasks automatically; automation accelerates incident response, minimizes the risk of human errors, as we said before, and enhances operational efficiency. SOAR platforms play a crucial role by automating various aspects of incident handling, ranging from alert analysis to remediation. The third one is the visual playbook builder. SOAR offers a very user-friendly visual playbook builder: you drag and drop each functionality that you want, creating and customizing playbooks visually. The advantage of the visual playbook builder is that it simplifies the development of incident response workflows, enhances collaboration among security teams and ensures adaptability to evolving threat scenarios. Here I have, I don't know if you can see it, you cannot see it, okay, a visual playbook with some cases that I have created, and I wanted to show the first one, which is the Active Directory user locked visual playbook. Let's see if you can see this one. Okay, this is the example of a real playbook builder: it is like drag
and drop from the actions and the filters, but if you have a use case that is not a default one, let's say, you can create it using Python; it's on the second screen, but it is not shown here.

Another feature of SOAR is threat intelligence, which provides valuable context about emerging threats, including information about threat actors' tactics, techniques and procedures. The benefits of incorporating threat intelligence in the organization are enhanced threat detection, engaging in proactive threat hunting and making well-informed security decisions. I have added two use cases here as examples of how threat intelligence can be leveraged, including identifying indicators of compromise, or IoCs, tracking threat actors and enhanced threat detection capabilities. SOAR is also flexible because it can be integrated with many solutions, for example a SIEM, endpoint protection, firewalls, ticketing systems or Jira; it can be totally integrated with them. And of course there is SOC response, which is one of the main features that SOAR has. SOC, Security Operations Center, response refers to the actions taken by security teams to detect, investigate and mitigate security incidents. SOAR empowers SOC teams by providing tools and capabilities to orchestrate and automate incident response workflows. An example of SOAR SOC response is that it can automate the response to suspicious activity by locking down user accounts, preventing potential threats, which we see in fact in the playbook slide, but you could not see it.

What is SOAR in relation to a SIEM? I have created some main components of the difference between SIEM and SOAR, but the main difference is that a SIEM is a system which creates alerts and which has all the logs of a company's systems, collecting them through syslog for example, and focuses on monitoring, detection and alerting, while SOAR enhances incident response through orchestration and automation. We can relate it to some other solutions too, for example IPS or IDS, vulnerability management and of course the SIEM, but those are different solutions from SOAR, because it's like the first level and the second level: SOAR is like the second level. It takes a holistic approach by integrating with these technologies and automating coordinated responses to security incidents across the entire spectrum, ensuring a more comprehensive and efficient security posture. All of these are necessary components of a modern cyber security world.

Here we have the most common use cases where SOAR can be used: automated malware analysis, which improves the speed and accuracy of threat detection; automated threat hunting, which enhances the
proactive identification of potential cyber threats; increasing security [unclear]; endpoint diagnostics, which enable quick and efficient troubleshooting of security issues on individual devices; automating failed user logins; automatic IoC enrichment; VPN checks; vulnerability management; and at the end, phishing attacks, which are the most common ones. For this last use case we have the automation of incident response with Splunk SOAR, which is one tool that integrates SOAR. The use case is phishing incident response automation. The scenario that I have chosen is that an organization receives a high volume of phishing emails, which is daily nowadays, and the security team needs an efficient way to detect, respond to and remediate those phishing emails to minimize the risk of successful attacks. The solution: first, email security integration with SOAR, for example Microsoft Office 365, quickly spots the potential phishing emails. The second is alert sorting: Splunk SOAR automatically figures out which emails might be phishing attempts by checking things like who sent the email and where it came from. The third one is the phishing playbooks: the security team has a playbook, a set of instructions for dealing with phishing emails, which Splunk SOAR follows step by step. The fourth one is automated response actions: when a phishing email is found, Splunk SOAR takes automatic actions like putting the email in quarantine, isolating it, blocking the sender and investigating further. The fifth one is teamwork and organization: it helps the security team work together by assigning tasks, sending messages and tracking progress to make sure that the problem gets solved quickly. Finally, reports and data: Splunk SOAR also creates reports with information about how many phishing incidents happened, how fast they were handled and any trends or patterns that could help prevent future attacks.

In today's world the technology isn't just limited to computers; we can use it even from our mobile devices or smartphones. That's why I have chosen an example of how Splunk SOAR is used on mobile. [Music] Sorry. Okay, okay.
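The phishing response playbook just described (alert sorting by who sent the email and where it came from, automated quarantine and sender blocking, task assignment to the team, and a report on counts and handling time), together with the IoC matching mentioned under threat intelligence, written out as a small Python playbook. This is an added example, not code from Splunk SOAR or from the speaker's own playbooks; the threat-intelligence indicators, sender addresses, IP range and URLs in it are constructed for the example, and the scoring thresholds are an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed threat-intelligence feed (hypothetical IoCs, invented for this example).
IOC_DOMAINS = {"payroll-verify.example", "secure-login-update.example"}
IOC_URL_PATTERN = re.compile(r"https?://[^/\s]+/(verify|login)\b", re.IGNORECASE)
IOC_NETWORK = ipaddress.ip_network("198.51.100.0/24")   # documentation range, treated as flagged here
TRUSTED_DOMAINS = {"corp.example"}                      # hypothetical internal mail domain


@dataclass
class EmailAlert:
    """One 'possible phishing' alert as the email security integration would raise it."""
    alert_id: str
    sender: str
    source_ip: str            # originating IP taken from the mail headers
    urls: List[str]
    received: datetime
    score: int = 0            # filled in by triage()
    verdict: str = "benign"   # benign / suspicious / malicious
    actions: List[str] = field(default_factory=list)
    closed: Optional[datetime] = None


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(alert: EmailAlert) -> EmailAlert:
    """Alert sorting: score by who sent it, where it came from, and IoC matches."""
    score = 0
    domain = sender_domain(alert.sender)
    if domain in IOC_DOMAINS:
        score += 50   # sender domain is a known indicator of compromise
    if any(IOC_URL_PATTERN.search(u) for u in alert.urls):
        score += 30   # link shape matches a credential-harvesting pattern
    if ipaddress.ip_address(alert.source_ip) in IOC_NETWORK:
        score += 20   # originating IP sits in a flagged range
    if domain not in TRUSTED_DOMAINS and alert.urls:
        score += 10   # external sender carrying links: worth a look, not conclusive alone
    alert.score = score
    alert.verdict = "malicious" if score >= 50 else "suspicious" if score >= 20 else "benign"
    return alert


def respond(alert: EmailAlert, now: datetime) -> EmailAlert:
    """Automated response actions, then hand-off to the team where a human is needed."""
    if alert.verdict == "malicious":
        alert.actions = ["quarantine_message",
                         f"block_sender:{sender_domain(alert.sender)}",
                         "assign_task:analyst"]
    elif alert.verdict == "suspicious":
        alert.actions = ["assign_task:analyst"]     # no automatic blocking on weak evidence
    else:
        alert.actions = ["close_as_benign"]
    alert.closed = now
    return alert


def run_playbook(alerts: List[EmailAlert], now: datetime) -> List[EmailAlert]:
    """The playbook: every alert goes through triage and then response, in order."""
    return [respond(triage(a), now) for a in alerts]


def report(alerts: List[EmailAlert]) -> Dict[str, object]:
    """Reports and data: how many incidents, how fast they were handled, recurring senders."""
    by_verdict: Dict[str, int] = {}
    domains: Dict[str, int] = {}
    total_seconds = 0.0
    for a in alerts:
        by_verdict[a.verdict] = by_verdict.get(a.verdict, 0) + 1
        total_seconds += (a.closed - a.received).total_seconds()
        if a.verdict != "benign":
            d = sender_domain(a.sender)
            domains[d] = domains.get(d, 0) + 1
    return {
        "incidents": len(alerts),
        "by_verdict": by_verdict,
        "mean_handling_seconds": total_seconds / len(alerts) if alerts else 0.0,
        "top_sender_domains": sorted(domains.items(), key=lambda kv: (-kv[1], kv[0])),
    }


# Constructed sample alerts (invented senders, IPs and URLs).
T0 = datetime(2024, 1, 15, 9, 0, 0)
NOW = T0 + timedelta(minutes=5)
SAMPLE_ALERTS = [
    EmailAlert("A-1", "hr@payroll-verify.example", "198.51.100.7",
               ["https://payroll-verify.example/verify?u=42"], T0),
    EmailAlert("A-2", "news@vendor.example", "203.0.113.5",
               ["https://vendor.example/login"], T0 + timedelta(minutes=1)),
    EmailAlert("A-3", "it@corp.example", "10.0.0.5",
               ["https://corp.example/newsletter"], T0 + timedelta(minutes=2)),
    EmailAlert("A-4", "hr@payroll-verify.example", "198.51.100.9",
               [], T0 + timedelta(minutes=3)),
]

if __name__ == "__main__":
    results = run_playbook(SAMPLE_ALERTS, NOW)
    for r in results:
        print(r.alert_id, r.score, r.verdict, r.actions)
    print(report(results))
```

The point of the scoring split is the one the talk makes about alert overload: only alerts with strong evidence (a known-bad sender domain, or a harvest-style link from a flagged network) get the fully automated quarantine-and-block path, while weaker signals are routed to an analyst task instead of triggering automatic blocking, and the report gives the team the counts and handling time that a real SOAR platform would chart.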
Splunk SOAR orchestration, automation, response, collaboration and case management capabilities are also available on your mobile device. Using Splunk SOAR on Splunk Mobile, you can respond to security notifications without opening your laptop. You can triage events directly from the mobile app. You can run and view playbooks on the go. You can orchestrate security operations and response from anywhere at any time using the app on your phone. And finally, you can coordinate and collaborate with colleagues in real time to drive rapid, thorough response, all from your smartphone.
[Music] Okay, okay, that's all. I don't know if anyone has any question. This was the presentation.