Automation in the SOC - Everyone is ready, everyone can afford it

BSides Calgary · 55:22 · 40 views · Published 2020-12
Category: Technical
Style: Talk
About this talk
Nick McKerrall explores security automation through SOAR (Security Orchestration, Automation and Response) platforms. The talk addresses common misconceptions about organizational readiness for SOAR adoption, walks through practical methods for decomposing security processes into automatable workflows, and examines how to evaluate technology stacks and integrations before investing in automation solutions.
Transcript (en)

actually um i guess since cove had started i've probably attended like five virtual conferences now uh you know some obviously hosted as more of like a community type event like these sides and some huge you know multi-million dollar corporation hosted and sponsored conferences and i mean i have to say like they all have technical problems uh but this one has had by far the fewest technical issues out of almost any of the conferences that i've been on lately uh i mean even ones that are like you know there's there's millions of dollars going into these you know platforms and conferences and stuff like that and i mean there's been some technical hiccups that i've seen

on b sides but nothing like even remotely as bad as like some of the other ones uh hey mike how's it going uh so yeah kudos to the to the b-sides crew for uh and and the army of volunteers for putting together this conference because i think it's it's been really great so far i've had a lot of fun um all right so it's pretty much almost 105. i'm going to actually kick this off and get started now because i did a dry run a couple of days ago and uh it went an hour and 20 minutes which is way over my time so i'm gonna try i i cut a bunch of content out but you know i'm gonna try and kind

of fly through this as much as i can just so that i can kind of cover all of the talking points so the uh agenda today of what i kind of want to talk about is you know a very brief introduction about who i am and uh like what is soar uh what does the sore landscape look like some of the things that i've heard people say to me when they think that they're not ready for soar um and then i wanted to kind of dive a little bit deeper into the types of things that you might need to know if you want to get into using a sore platform right like how do i get

data into it and um how do i break problems down to find out if you know they're a good fit for soar or not and then i wanted to walk through step by step an example of how we might break a problem down and get it into a soar platform and then where i think we're heading in the future and uh i'm gonna keep this as vendor agnostic as possible actually don't work for a soar vendor uh today i have in the past but i'm not going to be talking about any one specific technology i'm going to be talking kind of about the entirety of the the sore landscape today so a little bit about who i

am uh i'm nick mccarroll i'm currently a field engineering manager at a company called data bricks uh but i've kind of had a long and very varied i.t career that's spanned over the past 20 years or so i'm not going to get into those details or not but i did want to pull up a picture of my favorite job title that i've had over the years so at one point in my career i worked for a very small software development company that got acquired by lockheed martin and when lockheed bought us they said hey everybody keep doing what you're doing uh you know uh you're doing a great job and we bought you to kind of keep

plugging away at the you know uh the technology that you're working on the business that we acquired but we don't want to keep any of your job titles because lockheed had a very like structured job title matrix that they wanted everyone to fit into so they said don't worry about it you know we're just going to change your job title we'll send you all new business cards with your new job titles and and that's that so a month goes by and i get a box of business cards in the mail and i open them up in the french while they're they're english and french and on the french side uh the job title did not look anything

like what i was expecting and i don't speak french but i you know google translated it and it roughly equated to deputy chief analyst of information systems and any french speakers on the um on the chat you know chime in if i translated that wrong but it was the one and only time i think probably in my life and in my career where i get to claim the title of deputy chief which definitely was not my title while i was working at lockheed uh but according to my business cards it was so my favorite job title that i've had over my years is the deputy chief uh analyst for information systems now um any good presentation

uh should probably start with a quote so i'm gonna throw a quote at you here no amount of money ever bought a second of time and that quote could be attributed to howard stark does anyone in the chat know who i'm talking about when i say howard stark uh i'll give you a hint it's it's this guy uh and if you're still not sure i'll give you another hint um it's iron man's dad from the avengers movies so it was uh there you go chad you got it uh the uh quote is great right as a father i can really attribute or appreciate where it came from uh in terms of you know the the quote

itself because uh you know being a father uh and having to balance time between work and family you know definitely it's true that no amount of money ever bought me back a second time with my kids which is the context in which that quote was made however i would put a little caveat around that in that uh that quote is 100 true unless you're talking about that money being spent on a soar platform and that's really going to be a kind of common theme that we're going to talk about today is uh sore tools first and foremost are going to focus on saving you time and time is a commodity that is obviously in very short supply

especially in most socks that i've ever you know been a part of or or witnessed and you know in in any it organization time is of such short supply and there's very little or very few things that you can invest your money in that will actually give you time back in fact most security tools are going to be demanding of your time right if you acquire purchase them then time is essentially something that you're going to have to spend on configuring them setting them up monitoring them and making sure that they're working properly but hopefully uh soar is the opposite of that it's still going to take an investment of your time but hopefully that time gets paid back

in in much greater dividends so what is soar because you know i've probably used the acronym at this point like a half dozen times in the presentation we're already like five minutes in well soar is security orchestration automation and response that's what the acronym stands for and it's a relatively new category of security tool that kind of really started gaining popularity around two or three years ago i mean um good security folks are probably like just good id people in general have been scripting away at everything that they possibly can for as long as it's been a thing you know so soar is kind of like both the newest and the oldest uh product in security right because we

the minute we had computers we started scripting as much as we can in terms of getting rid of useless or auto or automating the things that are repetitive that we don't want to do um the uh fact of what soar provides beyond what we can currently do today is more so a framework and and a structure that makes it so much easier to automate things and we're going to talk a little bit about what that exactly means in a few slides from now um you know gartner believes that to be a sore tool you have to touch upon uh the the three bullet points that i've got underneath the definition which is a sore platform or a sore tool will

provide threatened vulnerability management security incident response capabilities and security operations automation um you know most sore tools are going to be providing the automation automation is actually kind of easy right anyone that's written a script before should be familiar with automation the orchestration part is much trickier so orchestration really requires multiple products that don't generally work together to start working together as like a singular unit and i mean if they did work together you probably wouldn't need sore for example like if your corporate firewall and your endpoint security product were able to talk to each other and communicate with each other and share and pass information between each other then you know maybe if that was the

process that you were trying to automate you wouldn't necessarily need sore um or if you like you know um predominantly work in the cloud then you can automate you can script a lot of actions inside the cloud however if you've got multiple cloud platforms you know doing that security in the cloud uh you know in terms of like identifying where your threats and vulnerabilities might be and locking things down it's very different between each cloud platform because you've got different apis and you've got all sorts of like differences between how you actually inter-operate or interact with those platforms so you know you might use soar to kind of tie all of those things together um across different cloud vendors so if

you do end up investing in a sore platform what is that actually going to get you like what's it going to provide well i mean soar is kind of mostly a small evolution in security operations again because we've been scripting things for years already but it's first and foremost as i mentioned a tool for recapturing time and that time that you want to recapture is time spent on menial repetitive tasks that don't really require a lot of human logic or intellect you know you're also going to be getting the capabilities to respond much quicker to incidents or issues you're probably not fully remediating those issues and we're going to talk a little bit about that in a bit

but um you know just getting rid of a lot of the menial repetitive tasks making sure that those get taken care of much quicker uh another key and probably often overlooked benefit to what soar is going to provide is that capability to standardize how you respond to your events right so especially during like the investigation phase in an event you probably have more than one security analyst that works at your organization today they're going to all have varying different ranges of skill sets and knowledge and a sore platform can really help them codify the steps that they need to take and standardizing how they respond to those incidents through kind of like a semi-structured workflow right uh

one that will produce much more uniform outcomes as people take on or tackle different types of incidents inside the organization so that standardization of how you respond is going to be a huge benefit to a lot of organizations by investing in soar which maybe isn't something people think of because when they think of soar they think of these big wild playbooks that you know end to end just kind of take care of processes and that's definitely not the you know that's not the first step that's not where you want to get started when you're using soar another area where sora is going to be providing you a benefit is probably probably can bring together this convergence of the sock and the

knock or the sock and i t operations i mean plenty of stock and off teams today work totally separately but in my opinion you know that's kind of like the heart and lungs uh not knowing that each other exists right or not being able to interoperate with each other right you start exercising your heart beats faster but if your breathing doesn't increase and you don't get the oxygen to your blood and likewise in any type of corporate i.t environment if security and i.t are operating independent of each other then there really isn't a lot of knowledge about one what one is doing what the other is doing and whether or not they're kind of both contributing to the

overall health of the organization the sock and the knock are part of the company's body right they needed to live so they should work together and that's maybe a rant for a different b sides because we could go into a much greater detail about like the convergence of security and and i.t or the security and network operations center but you know we won't necessarily talk too much about that in the interest of time and lastly store's going to provide you with a better way to focus on risk management um and you know it's uh important to kind of differentiate between i don't really think so is going to help you mitigate risks per se but it's going to be a good tool for

helping you manage risks because with some of the time consuming tasks that or the repetitive tasks that you're going to be using your sore platform to try and address you're going to have a much more time to be able to spend on kind of higher value activities and you know those might be activities like threat hunting or focusing on like risk-based alerting so risk management is going to become a little bit easier with the soar platform because you can kind of take on or tackle some more risk inside the organization that you need to be able to focus on uh and some things that sort isn't going to be able to provide to you is your

platform isn't like going to get rid of your sock right you're not going to operate or or automate i should say all of the operations inside your sock so is it gonna get rid of your stock uh i'd say the answer is no um is your store platform uh you know gonna get rid of the need for a mssp or a managed security service provider well the answer to that is is kind of maybe right because it really depends on what your mssp is providing to you today i know a lot of people use mssps especially in larger organizations but you know what those mssps are providing really varies from company to company right and if

automation of the services that that you know mssp provides is something that you know the soar platform can provide well then it's probably easier to replace them with a sore platform and it's probably a lot cheaper as well too but totally depends on the size the scope your security posture what it is that you're trying to automate i mean it's not a one-size-fits-all answer uh is your store platform going to eliminate the need for a sim well we're going to get into that a little bit later but i think the answer to that kind of is maybe um you know what we're seeing in the industry today is there's like a convergence of soar and sim

so a lot of sim products are implementing sore technology and or buying sore companies and integrating them into their product line so it's becoming quite a gray area what the sim and soar might be and you know if we follow the non-clan shirt of most you know uh security tools we'll start seeing next generation sims that include swords stuff like that would probably already have that today but um you know it's just not quite there yet it's getting there um however if you don't have a sim today i wouldn't necessarily say that you need to have one to invest in a soar platform and we're going to go much deeper into that in a little bit here and lastly your soar

isn't really a staff augmentation platform so is it going to reduce the need for you to hire more analysts well again that's kind of a maybe right you can't replace um people with sore unless the tasks that you have those people doing are the equivalent of like george jetson pushing the button right you know if you don't know what i'm talking about here then that just means that i'm much much older than you uh but you know in the jetsons his job was to just push a button every single day um but you know if the people that you have working in your organization today are predominantly doing something that you could fully automate with sore

then you probably could replace them but i would argue that you probably hired them not because they're really good at menial repetitive tasks you could take the things that they're doing on a daily basis automate that process and shift them into higher value activities right or shift them into providing even more value back to the organization now this is a bit of a gray area right because we're going to start talking about things that like you can do with soar that gets you time back and time back is equatable to like man hours so to speak and therefore you know could we eliminate the need to hire more analysts if we bought into a sore platform

well really that's kind of very debatable and or personal to like the problems that you're seeing within your uh security operations center today um but i i think it's better to think of it less as a staff augmentation tool and more so as a tool that gives people time back so they can do higher value activities now uh do you need a sim to get value out of store we touched upon that already but like digging a little bit deeper into that question i said a sore platform doesn't need to replace a sim but you do need or let me kind of rephrase that um a sore platform doesn't replace a sim but do you need a sim to get value out

of sore and i've heard from a lot of people that in their security roadmap they kind of have a list of like a wish list of things that they want to acquire sim comes before soar in in that particular instance well i can tell you kind of definitively sim is not a prerequisite to soar and for the folks that are on the call that are wondering what sim is because i guess i should have defined that acronym uh that's security uh incident event management right or security information event management i've heard different acronyms but security incident event management essentially a way to standardize bringing all the security alerts in your organization into a single place and

then providing with a platform so that you can start remediating and triaging those incidents um but again like the industry's kind of conflating and combining these two terms uh rapidly but depending on what your problems are today you probably don't need a sim to be able to get into soar and i think that uh you know it can be a benefit definitely if you have a sim today you should be looking at sore um but really like if you have an environment where you have some kind of centralized searchable log storage uh you have a ticketing or a ticket event management system happening in your organization today you can probably get into store right away

especially the types of store platforms that have api level connectivity to those different tools and products um sometimes you know people uh don't need i'm sorry i'm reading the comments as they're flying by here uh thanks sean sometimes people don't ever need a sim and kind of bypass that need for it and i'm going to talk about like that archetype of a company in a few slides here um but what you essentially need to be able to use a sim today or to sorry to be able to use a sore platform today is some sort of an ability to extract artifacts and artifacts you can kind of think of as like the iocs i've got

listed in my pyramid of pain here like um hash values and ip addresses and domain names and stuff like that and if you can get those artifacts out of your tooling that you have today even if that tooling isn't a sim then you are probably ready for a sore platform um you know you probably also don't need a sim if really like the problems or the processes that you're trying to automate have really nothing to do with a sin in and of itself right and we're going to talk about uh a yeah i did say pyramid of pain um tj uh and the link to that pyramid of pain is is maybe hard to read but it's at the

bottom of that side here that's not my uh creation that uh somebody else created the pyramid of pain and the pyramid of pain like when they talk about it they talk about like things that are really easy iocs that are kind of easy to determine like the size and scope of versus things that are really really tough so if you attended like kyle houston's talk yesterday where he was talking about like how he flags and tags you know different types of iocs as they come into his environment and then he tries to also tag you know ttps or tools that uh that attackers might be using against him you know you have to have a fairly

robust framework of logging and and uh tagging capabilities sort of built up inside your organization to be able to even get to that stage and then once you're at that stage you can automate a lot of the responses or investigation stages of those processes with soar so we're going to go into that i mean the really important thing there is that you need to have some kind of ability to have like a common event model inside your organization where you can normalize the content of that data that you're collecting which is why maybe if you have centralized logging you can do that and there's lots of different formats out there like common event format and

uh you know if you have a splunk platform the splunk common information model that would allow you to be able to normalize data which is going to make it so much easier for you but for you to be able to build your uh soar playbooks um and so i i talked a little bit about there's different security archetypes that i've encountered as i've worked with people over the years and i've kind of broken them down into three different security archetypes so these are different companies that i've kind of come into uh where they've said you know we don't know if we're ready for soar or sim or or where we're gonna go next um so can

you help us can you give us some guidance here and um this is by no means all-inclusive there are more than three different security archetypes with uh companies uh however that this is sort of just in general what i've witnessed so the first archetype of company that i've kind of come across is a company that says hey we have a sim right okay so we have a sim and we have a problem with our sim today uh and and this problem is almost universal for any organization that has a sim uh we have a ton of events or a ton of alerts uh those alerts are are coming into the sim and that's great uh

but they're being uh you know tagged or or qualified with a questionable level of urgency right um so i don't know if my uh threat activity detected is critical or not critical my you know sim thinks it's critical but i have to do an investigation be able to determine whether that is or is not true right and the problem with this is that when you get a sim all of a sudden you've got all these alerts that you actually have to do something about right so you have a steadily growing queue of unassigned work that you have to take on so now it's time to investigate like well what do we do about this well

either we have to tune our sim and ignore a bunch of these alerts that are getting created or we have to uh you know figure out a way to kind of automate or triage as many of these events as possible and the best possible way you can do that is going to be from determining whether or not these are false positives or not and whether or not the urgency or criticality of these events is truly been assigned to the uh you know proper level that it actually is to your organization so you'll have uh this journey right where you want to down start going and investigating your different sore platforms that are out there today and in a few slides

we're actually going to talk about like what that journey might actually look like the next type of archetype of company that i've come across is the one that says we don't have a sim but we think we have a pretty good idea of what's going on in our environment today right so you don't need a sim to be good at security or to have a really strong security operations center i mean it's helpful but it's not necessary you can get through a bunch of different dashboards and a bunch of different uh tools you know visibility into the different types of alerts that are happening in your environment today uh and you're gonna see you know people

like hey i check my endpoint logs and i check my firewall logs and i check the logs in my various different cloud platforms and you know maybe the team has gone out and you know scripted a bunch of stuff in powershell to be able to scan the environment and look for vulnerabilities or you know look for issues that they might need to tackle uh maybe they already have an mssp and that mssp kind of handles a lot of the remediation of things that they ship off to them in terms of their logs or they've got cloud dashboards for different systems and a ticketing system that allows them to see like what's uh you know being generated and what's

going on you know this type of company is still a good candidate for soar um because you know maybe they do or don't have a playbook already for how to handle common incidents but it wouldn't take much for you to sit down with that company or to just sit down as the team together and work out like two or three of either the most important or the lowest hanging fruit in terms of like incidents that frequently occur within the organization and you know i say this because if you're investigating getting a sore platform then you're going to want to take to the vendor of choice or the vendors of choice that you're going to be engaging

with this list of things that you want to be able to automate right or if you're looking at implementing open source or you're going to want to either like pick the open source person or the person who's going to be like tasked with implementing the solution inside your environment you want to sit down with them and say hey here are the first two or three things that we really want to automate inside our organization today and you're going to want that vendor or that person to show you how they can integrate and handle your playbooks you know most importantly does the soar platform that you're looking at um actually integrate with your technology stack right if it doesn't have built-in

integrations with the types of tools and technology that you already have in your environment today then before looking at well how are we going to get it to integrate look to other vendors first right maybe i can purchase another sort tool that has better integration into the technology that we've already invested in because the business isn't going to want to rip everything out and replace it with the tools that the soar platform best integrates into if it doesn't have that integration then how long will it take that company to create that integration for you right so when you're evaluating a store platform if you say hey we have the security tool and i want you to integrate with

it and it doesn't look like you do today how long is it going to take you to turn around that integration for me and and you know build that functionality into it so being able to like see how responsive that sore platform is is going to identify whether or not you're going to be a good fit with them right because if you look at what soar can provide to you over time you know a big component of that is that you know i'm not writing all these scripts manually because scripts are really brittle right and the smallest change into my environment or maybe i update a tool and it changes the api or it changes the way that

the api responds back with the type of information that the source platform needs to parse i need that vendor to fix it for me right otherwise that work is on me and now my task is constantly chasing all the integration points of my soar platform to make sure that they're working properly and really the platform should make that easy and the company that you're buying the platform from should make that easy for you so it's something to like keep in mind if you don't have a sim or just in general when you're purchasing a soar platform is does this align with my technology stack and does my technology stack provide the capabilities for automation in their

apis because i can't tell you how many times i've gone into a company and they've said okay uh you know we have um fireeye we've got palo alto we've got uh cisco we've got checkpoint we've got fortinet we've got this and this and this uh i would like my soar platform to automatically quarantine my hosts whenever this particular activity takes place it's like great what kind of host quarantining uh you know software do you have and they'd be like oh i've got this technology and you look at it and it's like does it have an api yeah okay great what capabilities exist within that api well the api doesn't allow you to quarantine hosts okay well we've got a problem here

because it's going to be really difficult to build a playbook around something that we can't automate so now we got to investigate like where can we go from there so you have to ask those questions in advance and not just assume that every single software platform out there has a robust api that has all the functionality that you're looking for i think new and modern companies take an api first approach because that's where the industry is heading but really legacy companies don't and i won't name any names because i'm sure that there are some vendor sponsors here today that wouldn't want me to but there are some vendors that really need to get their act together in terms

of getting their APIs up to snuff. Now, having gone on that little tangent here, the third archetype that I want to talk about is the company that doesn't have a SIEM and they also don't really know what's going on. So for those types of organizations it's a little bit tougher. You're not really ready for SOAR, right? They've got dashboards, but they don't look at those dashboards until a security incident happens or occurs, and then when that incident occurs it's a scramble to do root cause analysis and figure out how they're going to remediate, and then they get it fixed, and then they rinse and repeat, and it just keeps happening over and over and over and over and over again. And then eventually their job really kind of just looks like constantly putting out fires and just moving the fires around as best they can to try and get some manageable level of sanity in their environment today. So they're not ready for SOAR, right? There's other things that they need to focus on. If your job as the security person is also to wear nine other hats inside the organization, you're security and you're also printer repair and you're also telling me why the internet is slow and you're also "help me connect my home computer to the wi-fi network", then you might not have time to invest in a SOAR platform because there's so many other things that you need to focus your attention on. In this situation, maybe instead of looking at SOAR platforms you might want to consider looking at a new job, but either way you have other issues that you need to deal with first.

So we've kind of passed through the list of archetypal companies. Now, if they actually go out and buy a SOAR platform, what are you actually getting? Well, you're getting out-of-the-box connectors to third-party products, you're getting some sort of UI to visually model your playbooks, you're getting some way to detect or debug when your playbooks break, you're getting some sort of incident response and incident management, and you're getting dashboards and you're getting reports. These are the essential things that you're buying when you buy into a SOAR platform. And who might you buy these things from? Well, there are many, many, many different vendors on the SOAR marketplace today, and the list is ever growing. Some of these are big names, right? You'd recognize the Palo Altos and the Splunks and the IBMs and ServiceNows of the world, and some you've maybe never heard of before. Which one is the best one for you? Well, really it kind of comes down to which
one is going to best integrate in your technology stack, provide a platform to perform the processes or actions that you're looking for it to perform, and price the platform in a way that's affordable to your organization. I wish there was a one-size-fits-all where I could say "oh, just buy Splunk" or "just buy Demisto" or "just buy Resilient", but the true answer to that is that you really have to kind of go out and test a lot of these different platforms, because everyone's situation is going to be somewhat unique.

Now maybe you don't like this idea of investing in a vendor technology and you want to go the open source route. Well, there are open source SOAR platforms today, and I'm not going to proclaim to be an expert in any of them, but in fact I'm only listing one true SOAR platform in my list here, which is Shuffle. So shuffler.io is the website for Shuffle, which is an open source SOAR platform, but really to get Shuffle to work properly you kind of have to wrap it around a lot of other tools, technologies and capabilities. So if you are looking at Shuffle then you're probably going to want to look at tools like TheHive, and you're going to want to look at tools like this, and you're going to want to look at tools like, hey, maybe I don't have a SIEM, but I could use something like AlienVault, which has been rebranded as the AT&T Cybersecurity OSSIM product, or I am looking for just logging in general and I want to stay in the open source space, well, Elastic has capabilities around that. Now really what you're looking at here is a lot of things that you have to manage yourself, and none of these tools are bad, right? None of these tools are things where I would not recommend you go down this road with any of them, but an open source project requires work. An open source project requires you to manage and maintain it, or pay someone to manage and maintain it for you, and stitching all these things together is not a one-time activity. You're going to have to continue to make sure that they all work together, and knowing how our industry works today, we're going to take all those tools and technologies, we're going to build a Rube Goldbergian type connection between all of them so that they work together, we're going to cram them into a bunch of containers inside of Kubernetes, and we're going to wrap that whole thing in the cloud, and hopefully we've got enough people on staff to manage and maintain it.

Now I'm not trying to discourage you from looking at open source SOAR, but there's also a lot of community editions of paid platforms that are out there today. I know Demisto does it, I know Phantom does it, and I'm sure others do as well, where you can get a lot of the features and functionality out of the SOAR platform without paying for it, just to start getting your feet wet in terms of automating things that you want to be able to automate. And then if you're starting to see value, when you're starting to see "hey, I really like this tool or this platform", it's going to be a lot easier to be able
to justify the cost around it.

So I have my platform, be it a closed source or open source platform. How do I actually get data in, and how do I feed this thing? Well, centralized logging solutions would be the most obvious or easiest, right? If I have centralized logging then I can run searches and reports and stuff like that, and I can get those to trigger events inside my SOAR platform. Or if I do have a SIEM, again, a SIEM can generate an incident or an event, and that event can kick off a playbook inside a SOAR platform. So there's many different ways that those initial steps can be kicked off. But what if I don't have central logging, what if I don't have a SIEM, or what if the trigger that I want to trigger my playbook isn't in either one of those tools? Well, ticketing systems can kick off a SOAR playbook, you can use scripts, you can do them over APIs, you can have an inbox that you monitor and every time an email shows up in the inbox you perform some sort of an action, you can even kick playbooks off manually. And this is a really overlooked feature or functionality in a SOAR platform. People think "I want to automate everything", but really, if your SOAR platform includes the ability to triage events and incidents using some kind of a framework (NIST would be a good example of that), you can use a model like NIST to develop a framework of how you want your analysts to respond to incidents, and you can build a series of playbooks that they need to follow through for them to be able to check off that incident in terms of whether or not it is or is not going to be something that needs to be escalated or remediated. So running simple playbooks and scripts will eliminate the need for those people to take on those repetitive steps, and it will save your analysts the time of having to figure out "what do I do next, where do I go?" This is one of the big values that a SOAR platform provides that people don't really think of. Again, it's that codified way to triage an incident, and it doesn't have to be fully automated. I don't need to build an end-to-end platform.

Kara, I see your question here about "can you please talk a bit about UBA". So UBA would be user behavioral analytics, and I can try; if we've got time at the end of the presentation we can definitely talk a little bit about UBA. For those that aren't aware, UBA would be using tools and technology like machine learning to analyze the behavior of a person on your network, to build a baseline of what behavior that is normal or good looks like and what behavior that's abnormal or malicious might look like, and then to trigger events based off of that type of behavior. UBA is still one of those things that is very much black box when it comes to a lot of products that are out there on the market today. Hopefully we're getting better, and I definitely can talk a little bit more about that, but we'll try and save that to the end, because I know that we're kind of really dragging on time here for the presentation. So yeah, I will try, Kara.

So let's talk about breaking
processes down to determine whether or not it's a good fit for SOAR or not. You're going to want to take the lazy sysadmin approach. So think of tasks or activities that you already do today or anticipate doing in the future, and whether or not those tasks are repetitive, right? You anticipate doing them multiple times. If you're ever going to do that task or process more than one time, hey, it might be a good fit for automation. And you don't want to try and build everything out end to end; you just want to spend time identifying tasks that you need to repeat over and over and over again for different incidents, and then build up the automation around those manual steps. I mean, if you think about it from a NOC side, people have been forever just writing little scripts to fix things, build user accounts, triage systems that fail or break on occasion, that sort of thing, and that's been the norm. Of course, in a world where you try and script everything, if that person ever leaves and they've created a whole bunch of scripts that perform a whole bunch of different actions, the person that inherits their job has no idea what any of the scripts does, so eventually they fail and it's like, "let's just rebuild the wheel again and start from scratch." If you have a SOAR platform or some sort of automation platform, then hopefully even if the person who built up that script to begin with leaves, the person who inherits it can walk in and look at what's happening inside the SOAR platform and use it to understand exactly what's going on there.

The other thing is that if you don't have all the data, then you're going to have a really tough time breaking that process down inside of a SOAR platform. And what I mean by that is, let's say that you're not logging this information that you would need to be able to have inside the environment today, and maybe a good example of that would be endpoint logs. If part of my incident response is to see whether or not a process is running on a host, but I don't log running processes on my hosts, then I'm going to have a really hard time automating that. But there are, again, paid or free tools and technologies that you can use that maybe bypass or sidestep that need for centralized logging, and osquery is a good one in that particular instance, especially if you pair a tool like osquery with a tool like Sysmon, or even just Sysmon itself and a way to query the endpoints directly. So maybe if that endpoint is online and available, I could script my SOAR platform to run a search and do a local search on the logs to be able to determine whether or not a process was running, or a host connected to a particular IP or port, or something along those lines. So you have to kind of think of "is the data available?" before I build up that SOAR process.

And then the next thing is how do you break those processes down to determine if they're a good fit for SOAR? Do you have a ticketing system? What kinds of tickets are being opened? How long does it take to investigate those tickets, and how long does it take
to remediate them? What does a false positive look like? How do you validate that false positive? And if you didn't get any more false positives for that particular type of incident, how much time would that give you back? If the answer is "a lot", then it's probably a good process to start breaking down into a SOAR, and starting just with one.

So let's walk through a real quick example here. I get an alert for a user visiting a malicious website. Well, first of all, if I think through that incident in and of itself, there's a lot of problems there. So every time I get an alert for a user visiting a malicious website I have to ask my question: is that alert correct? Some alerts are wrong. Is that alert being flagged for a minor threat like adware or tracking or cookies or something like that, and I really don't care, it's a low-risk thing, I don't actually care about that alert? I probably just need to go tune whatever device generated the alert, and maybe I don't have time to do that. Sometimes the alert is for a minor threat but it's in reality a much more serious threat; it's been miscategorized or incorrectly categorized, and I need to determine that in the course of an investigation. Sometimes the alert is for a higher, critical threat but it actually isn't; in fact it's a false positive. And sometimes it's a true positive. So if we corrected for all of those different conditions with a SOAR playbook, and we made sure that the threats that went to the analyst first and foremost were real threats that were actually worth investigating, how much time would that save? Would it be enough time to justify either the cost or time needed to start going down the road of investigating whether or not a SOAR platform is worthwhile or not?

And next, when I do get a threat for, or an alert for, a malicious website, I need to go through a whole bunch of different steps. So it might look different in your world, and I just picked a bunch of random technology, but I need to test this domain. What am I going to test it against? Well, I might check VirusTotal, or if I pay for threat intelligence services like iSIGHT, I might use iSIGHT to test it. Maybe if both of those come back as being non-malicious but I'm still not quite sure, I want to sandbox that URL and I want to see whether or not my sandbox thinks it's malicious, so I've got another technology in there. It doesn't have to be Check Point, it could be Joe Sandbox, right? It doesn't really matter what your technology stack is. And then based on the outcome of all those different events I need to decide: am I going to continue my investigation, or am I just going to say this is a false positive? Now let's say going through all of those steps, which aren't overly difficult steps, I could train an intern to do that, but let's say going through all of those steps takes five minutes per domain, or if I need to integrate the sandbox into that, maybe it takes more like 10 minutes or 15 minutes. What if every time that happened I didn't need to spend those five minutes or those 15 minutes? What if, looking back at all the previous investigations that I've done, those alerts for malicious domains are only actually really malicious one out of the ten times? Well, wouldn't it be great if I just got the alert for that one time instead of for all 10?

So next you might say, "okay, that's fine, I understand what you just described here, but my process is not that simple. I don't just look up a domain and make a decision there. I have a whole bunch of other steps that I need to take." But you have to remember, you don't want to create a playbook that is going to take you from end to end in terms of an investigation. You want to break it down into its smaller atomic parts
and then you want to think of the use cases where those playbooks might be applicable in other incidents or in other types of scenarios. Think about reusable code, think about these functions that you can repeat over and over and over again inside your security operation, and think about what that event life cycle looks like inside your SOC. There's a really good talk by a guy named Rob Gresham, who originally worked for Phantom, which is one of the SOAR platforms that Splunk bought, and if you look for "Hacking your SOEL", S-O-E-L, security operation event life cycle, the talk by Rob is actually really interesting. So I won't go into those details, but look that one up.

But what if we took all of those steps that we just talked about and we whiteboarded them? I used Visio, but you could whiteboard this type of thing much, much easier. And we built up a process flow, or flowchart, of all of the steps that we would need to take for that particular process: how do I investigate a malicious domain, and what do I do whether or not the tool gives me a positive or a negative result based off of that malicious domain? When you write all of those steps down visually, you've basically now built the precursor to your SOAR playbook. What did we just do here? We documented the response process for a type of event in our organization, we broke those response actions down, we started looking at the different phases within those response actions, and we started determining, well, what can we automate and what can't we automate. And we didn't go through the whole thing, right? I didn't talk about what do we do if the URL that the user visited is actually malicious or not, but we're going to get into that in a few seconds here. But we basically determined what are the logical steps that we would follow inside of a playbook, without knowing the SOAR technology that we may be purchasing or acquiring. We just thought through it logically.

And then we take a step back and we look at, well, what is our overall high-level event life cycle? Alerts get generated, alerts get validated, alerts are scoped, and then we have to make some sort of change or monitor, and then somewhere in that life cycle, either at the end or in between those different steps, we need to alert people within the organization, maybe the person impacted by the event, or maybe someone whose responsibility it is to look after that event. Now if we wanted to further break this down inside the actual SOAR platform itself, then we could take a really phased approach, and we have to step down and break it into its atomic parts. And the first thing is, okay, I have a SOAR platform and I have an alert, so how do I get that alert into the SOAR platform? Well, in this case, if my alert is coming from a ticketing system, I just need to make sure the SOAR platform integrates with the ticketing system that I have. In this case I kind of picked ServiceNow. And the next step is, when these alerts come in, I want to tag them as something. So I called my alert "event", but we could really tag this alert as
anything, like, "hey, this is going to be a malicious URL investigation." And then the next step is, so we can get those alerts into the SOAR platform, and still part of phase one is we need to break that use case down. Now this playbook should look very close to the flowchart that we built up in our whiteboarding session or our Visio, and essentially what we're doing there is we're bringing the event in, so we have some sort of a trigger for our playbook, and then we are performing those actions we talked about. We're sending that domain off to different services to be evaluated, and then we have decisions to be made. So we have filter blocks, or if-then statements, that get put into our playbook that basically say "if this, then that": if it is malicious then do this action, if it's not malicious then do that action. We then kind of send that URL off to the analyst and we say, "hey, we determined it's bad, you need to do your investigation, here are all the details that we collected around that particular URL, here's how many services in VirusTotal thought it was bad or thought it was good." And then if it's not bad we send it to the sandbox, and from there, if the sandbox has to engage the analyst because it says "yeah, this is definitely bad", we feed that back into that original step and then we take the next stage. Maybe we just update a ticket, and then that information goes to the analyst. This is a very simple playbook, but if you think about all the time that you could save in this type of a playbook, especially if these are the types of events that you needed to analyze on a fairly regular basis, then all of a sudden you don't have to do this step every single time, and you can start ignoring the noise and just focusing on the badness that's happening inside your organization.

And maybe your next step is a manual one. Maybe you just take the output from what that ticket says and you go, "okay, I've got to scope the threat", phase two, and then I go into my search tool or my SIEM or my whatever, and I start looking for all the hosts that could have been impacted by that threat. You can stop there, right? You can now start using your SOAR platform and make sure that this playbook is going to run on a regular basis and be reliable and accurate and provide you with that information that you need. You don't need to take it to the next step right away. But when you are ready to take it to the next step, maybe every single time you get that alert now you perform this action of searching for the scope of that threat inside your organization; then the next thing you do is you build that into your SOAR platform. I take that same Splunk search, and I didn't write a great Splunk search, but just as an example, and I stick that into the SOAR platform, so now I use the SOAR platform to perform the scoping for me, and again I update the ticket with information about the scope of the problem. And I don't have to do that day one. That is the most important thing: that could be day 30, that could be day 60, that could be day 180, once I'm confident
that the smaller atomic part of my SOAR platform, or that my playbook, is running regularly and accurately, then I start introducing additional steps into it. And the next thing that you could do after that is the remediation phase. So you could take it to the next stage and you could do something like, "hey, I want to quarantine hosts that have visited a malicious site that I know is malicious," and that they've run and had the potential to exploit their system. So now I want to quarantine hosts. Well, I don't want my SOAR platform to quarantine hosts automatically. It's a terrible idea: as soon as it can disrupt the business, then it's going to go wrong at some point, and when it does go wrong it's going to be highly visible and disruptive. So I plug an analyst into that step, and I say I'm going to do all of this investigation and then I'm going to give those results to the analyst. They get to decide whether or not this is or is not a next step that they want to follow, like quarantine the host, and if it is, then I'm going to use that integration with my NAC or my endpoint security platform to quarantine that host. And then, yeah, I know I'm kind of out of time here, if I wanted to continue, then maybe I want to automate things like alerting the person, or letting them know that "hey, I have to quarantine your host", and then, again, just saving steps around the communication with the individuals that are responsible to be part of this investigation is going to be a key component, because you're constantly having to write these emails anyways. Maybe you already have the email template sitting in your draft folder. Feed it into the SOAR platform and have it do the work for you, especially if you know that this is the phase of that investigation that I'm always going to be following when I integrate that next step.

I know I flew through that, and I knew that this was going to be a very time-crunched type of presentation, but there are lots of different problems that you might use SOAR to address, and they're up on the screen here. I'm not going to read through all of them. These are the problems that you might want to try and use SOAR to address. The types of actions that you might want to use SOAR to address are going to be around updating statuses and setting severity and performing all of these different types of menial steps or processes, especially things like updating tickets.

So, kind of in conclusion a little bit,
can anyone actually afford a SOAR platform? Well, it really comes down to a breakdown of the things that you can automate, and the more that you can automate, the better, the more productivity that you're really going to get. So that's essentially it. Now, unless somebody kicks me out of the session here, I can touch very briefly upon maybe some of the questions, or maybe one thing that probably will come up is: so you've been looking at all these different slides, and in the bottom left corner of every slide it said Databricks. Is Databricks a SOAR platform? Well, no, no it isn't. I'm not here to sell you a SOAR platform. Databricks is a data analytics platform, and really it's, I guess, adjacent to SOAR, if I could put it that way. It's a great tool to use to start exposing some of the things that we need to be able to do inside our environment today that we really can't, and a lot of that comes back to: every security plan or security product out there on the market today pretty much sells ML as a black box, and ML is not magic, ML is math. You have data scientists working in your organization today that can tell you that ML is math, and ML should actually be useful to you. So if you want to start trusting ML, if you want to start trusting AI, then we need to lift the covers up behind that, and to do that we need to use tools and technologies that actually just work. We don't need more tools, we don't need more black boxes to plug into our networks, but we need things that can start solving some of these big data, or data-challenging, problems for us. Like if someone came to you today and said, "hey, we generate 100 terabytes of security data per day, can we analyze that and look for human behavior and look for malicious insider threats?", the answer is probably no. Your tools and technology probably can't handle that type of thing today, or if they could it'd be insanely expensive. So taking open source tools and technology and wrapping them up into a platform that can actually be used to address all these issues is essentially what Databricks is. Databricks is SIEM-adjacent, right? It's about using it as a big data analytics platform to accomplish a lot of the big data security tasks we have today. That's a conversation for another day.

So thanks everyone, I really appreciate you coming to my talk. My conclusions are listed here, I'm not going to reread all of my slides: break your problems down into smaller atomic processes; you're ready for SOAR, you maybe just didn't know it yet; centralized logging is insanely valuable but it's not a prerequisite; SIEM is valuable but it's not a prerequisite; don't try and automate everything end to end, just start trying to save your time and get your analysts their time back. Appreciate everyone sticking around even past the hour here, or past the time here, so thank you so much. I'm going to hang out, I'll answer as many questions in chat if there are any, but that's it for me, so thank you everyone.

Looking through here, questions around "is it difficult to integrate". I'm not sure the context around that question, but yeah, it's a good thing to ask when you're evaluating those types of platforms: how hard or difficult is it going to be to integrate my technology stack? In an ideal world there's a service account, there's an API, you plug it into the SOAR platform and there's a list of actions that they can take care of. That's in a perfect world. In a not so perfect world, it might be a little bit of massaging the responses that you get back from those APIs so that you can take that data and actually do something with it, and that's going to be extracting the artifacts that you need out of those different tools so that you can get them into the next step of your platform. Some SOAR platforms are going to make it easier for you and some aren't. There's actually some really great open source, like OpenAPI is a source where they're creating connectors for a lot of really common tools that are out there on the market today, so that you can have a common language in which you can interact with lots of different APIs, because every API responds slightly differently. But yeah, that's a good point, it can be a real challenge to integrate certain types of technology into your SOAR platform.

Yeah, we talked a little bit about UBA. UBA is a huge topic and I'm quite passionate about both the advantages and disadvantages of UBA. Yeah, AlienVault, it's free. I mean, if you don't have money for a SIEM you can give it a try. I don't know, maybe some folks have had better experience with it than I have. I mean, for a free tool it's amazing, it's great, it's changed hands a few times but it's still out there kicking around. All right, I don't see any questions in the chat, so I'm going to close this off. Appreciate everybody coming, thank you.
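Added example (editor-supplied illustration, not code from the talk, the speaker, or any SOAR product): the malicious-domain playbook the talk walks through, broken into the three phases it describes, validate the alert, scope the threat, and remediate only behind an analyst gate. The domains, hosts, alert IDs and proxy log rows are constructed sample data; the three callables in `Services` are hypothetical stand-ins for VirusTotal, a paid intel feed like iSIGHT, and a detonation sandbox, and `scope_threat` stands in for the Splunk search. A real integration would swap those callables for the platform's API connectors; the decision logic is the part the talk says to whiteboard first.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Alert categories the talk treats as minor (adware, tracking, cookies). The playbook
# closes these unless a reputation source says the alert was miscategorised.
LOW_RISK_CATEGORIES = {"adware", "tracking", "cookies"}


@dataclass
class Alert:
    alert_id: str
    user: str
    host: str
    domain: str
    category: str  # label assigned by whatever device raised the alert


@dataclass
class Verdict:
    alert_id: str
    disposition: str  # "escalate" | "auto_closed" | "false_positive"
    reason: str
    evidence: dict
    needs_analyst: bool = False


@dataclass
class Services:
    # Hypothetical integration points, kept as plain callables so the playbook runs offline.
    reputation: Callable[[str], int]  # VirusTotal-like: number of engines flagging the domain
    intel: Callable[[str], bool]      # paid intel feed (iSIGHT-like): malicious yes/no
    sandbox: Callable[[str], bool]    # detonation sandbox: malicious yes/no


def triage_domain_alert(alert: Alert, svc: Services, min_engines: int = 3) -> Verdict:
    """Phase 1 from the talk: validate the alert before an analyst sees it."""
    # Cheap lookups run for every alert, including "minor" ones, so an alert that was
    # labelled adware but points at a known-bad domain still escalates.
    hits, intel_bad = svc.reputation(alert.domain), svc.intel(alert.domain)
    evidence = {"reputation_hits": hits, "intel_malicious": intel_bad}
    if hits >= min_engines or intel_bad:
        return Verdict(alert.alert_id, "escalate", "reputation or intel flagged the domain",
                       evidence, needs_analyst=True)
    if alert.category in LOW_RISK_CATEGORIES:
        # Nothing corroborated it and the source called it minor: close it and tune the
        # source rather than spending sandbox minutes on adware.
        return Verdict(alert.alert_id, "auto_closed",
                       f"low-risk category '{alert.category}', no corroboration", evidence)
    # Not minor and not yet flagged: only now pay for the slow step (the sandbox).
    evidence["sandbox_malicious"] = svc.sandbox(alert.domain)
    if evidence["sandbox_malicious"]:
        return Verdict(alert.alert_id, "escalate", "sandbox detonation flagged the domain",
                       evidence, needs_analyst=True)
    return Verdict(alert.alert_id, "false_positive", "no source flagged the domain", evidence)


def scope_threat(domain: str, proxy_logs: list[dict]) -> list[str]:
    """Phase 2: every host that contacted the domain (the talk's Splunk search, done
    here over an in-memory list of constructed proxy log rows)."""
    return sorted({row["host"] for row in proxy_logs if row["domain"] == domain})


def quarantine_hosts(hosts: list[str], analyst_approved: bool,
                     nac_quarantine: Callable[[str], None]) -> list[str]:
    """Phase 3: the talk's rule is that quarantine is never automatic. The NAC/EDR
    call fires only after an analyst approves; otherwise nothing is touched."""
    if not analyst_approved:
        return []
    for host in hosts:
        nac_quarantine(host)
    return list(hosts)


def run_playbook(alerts: list[Alert], svc: Services, proxy_logs: list[dict]) -> dict[str, Verdict]:
    """Triage a batch; attach scope to anything that needs an analyst."""
    results = {}
    for alert in alerts:
        verdict = triage_domain_alert(alert, svc)
        if verdict.needs_analyst:
            verdict.evidence["affected_hosts"] = scope_threat(alert.domain, proxy_logs)
        results[alert.alert_id] = verdict
    return results


# ---- constructed fakes and sample data; none of these are real services or logs ----
KNOWN_BAD = {"bad-updates.example": 12}   # domain -> engines flagging it
SANDBOX_BAD = {"fresh-phish.example"}     # flagged only on detonation
FAKE_SERVICES = Services(reputation=lambda d: KNOWN_BAD.get(d, 0),
                         intel=lambda d: d in KNOWN_BAD,
                         sandbox=lambda d: d in SANDBOX_BAD)
SAMPLE_PROXY_LOGS = [
    {"host": "wks-101", "domain": "bad-updates.example"},
    {"host": "wks-207", "domain": "bad-updates.example"},
    {"host": "wks-101", "domain": "cdn.example"},
    {"host": "wks-333", "domain": "ads-tracker.example"},
    {"host": "wks-410", "domain": "fresh-phish.example"},
]
SAMPLE_ALERTS = [
    Alert("A1", "alice", "wks-101", "bad-updates.example", "malware"),   # true positive
    Alert("A2", "bob", "wks-333", "ads-tracker.example", "adware"),      # minor, tune the source
    Alert("A3", "carol", "wks-410", "fresh-phish.example", "phishing"),  # caught by sandbox only
    Alert("A4", "dave", "wks-512", "cdn.example", "suspicious"),         # false positive
    Alert("A5", "erin", "wks-207", "bad-updates.example", "adware"),     # miscategorised as minor
]

if __name__ == "__main__":
    for aid, v in run_playbook(SAMPLE_ALERTS, FAKE_SERVICES, SAMPLE_PROXY_LOGS).items():
        print(aid, v.disposition, "analyst" if v.needs_analyst else "auto", v.evidence)
```

Two design choices mirror the talk: the cheap lookups run for every alert so a miscategorised "adware" alert on a known-bad domain still reaches an analyst, while the slow sandbox step is only paid for when the cheap checks are inconclusive and the category is not minor; and the quarantine action is a separate function that does nothing unless an analyst has approved it, so wiring it into the playbook later (day 30, day 60) does not change the triage logic that is already trusted.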