
Lessons learned in automating the incident Life Cycle

BSides Athens, 19:03, published 2022-06
Category: Technical
About this talk
Abstract: Over the past several years the volume of alerts coming into the SOC has become untenable, especially given the global shortage of cyber-security personnel and the effort required to train an analyst. Creating and structuring an operating model based on SOAR, with multiple layers of abstraction including enrichment, incident management, analysis, notification and remediation, will not only drastically reduce the L1 workload in your SOC, it will also help your team focus on the events that matter. A common misconception about building a strong SOC is that you should focus purely on detection and threat-hunting capabilities from the start; it is more important to first have an operational framework in which you are able to capture the threat actor expeditiously and react to the attack aggressively by cutting them off in the kill chain.

In this talk we will explain how to build your incident life cycle. This is an important aspect of the SOC operating model: it lets you leverage the power of automation in order to react quickly and decisively in the event of a real breach. The presentation has several facets that will help SOC professionals reach a high level of maturity: SOAR development methodologies, tying your automations into your operation, and achieving extremely fast reaction times in your SOC. It will present real hands-on experience from the past several years of building SOCs and the lessons learned about what to do versus what not to do. It will cover choosing your platform, operating and maintaining it, and implementing your designed incident life cycle, including a live demo of our current automated workflows.

Bio: Alexander Sinno is an expert in cyber-security operations. He has experience building SOCs around the world and started his security career in the US Military. All of the operations he has built have been on SOAR, with a focus on the overall incident life-cycle framework for controlling the flow of an event from ingestion to remediation.
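The abstract describes the life cycle as a chain of abstraction layers (ingestion, enrichment, analysis, notification, remediation) with a decision point that auto-closes noise and reserves human attention and automated containment for confirmed threats. The sketch below is an added example written for this page; it is not the speaker's workflow, his platform, or the demo shown in the talk. The threat-intel table, asset inventory, alert records and severity rules are all constructed to make the flow visible; a real deployment would back each layer with the SOAR platform's connectors and a reviewed playbook.

```python
"""Minimal SOAR-style incident life cycle, layered as in the talk abstract:
ingestion -> enrichment -> analysis -> notification -> remediation.
Every layer is a plain function taking and returning the incident record, so a
layer can be replaced or unit-tested without touching the others.
All lookup data and alerts in this file are CONSTRUCTED for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed threat-intel table standing in for an external enrichment source.
INTEL: Dict[str, dict] = {
    "203.0.113.7": {"malicious": True, "tag": "c2"},
    "198.51.100.3": {"malicious": False, "tag": "cdn"},
}
# Constructed asset inventory; criticality scales how hard automation reacts.
ASSETS: Dict[str, str] = {"fin-db-01": "critical", "kiosk-12": "low"}


@dataclass
class Incident:
    alert_id: str
    host: str
    src_ip: str
    rule: str
    enrichment: dict = field(default_factory=dict)
    severity: str = "unknown"
    status: str = "new"
    actions: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)


def ingest(raw: dict) -> Incident:
    """Ingestion layer: normalise a raw alert into one incident record."""
    return Incident(alert_id=raw["id"], host=raw["host"],
                    src_ip=raw["src_ip"], rule=raw["rule"])


def enrich(inc: Incident) -> Incident:
    """Enrichment layer: attach context only; it never makes decisions."""
    inc.enrichment["intel"] = INTEL.get(inc.src_ip, {"malicious": None, "tag": "unknown"})
    inc.enrichment["asset_criticality"] = ASSETS.get(inc.host, "unknown")
    return inc


def analyse(inc: Incident) -> Incident:
    """Analysis layer: severity from the intel verdict and asset criticality.
    Known-benign sources are auto-closed so they never reach an L1 queue;
    unknown sources are left for a human rather than guessed at."""
    malicious = inc.enrichment["intel"]["malicious"]
    crit = inc.enrichment["asset_criticality"]
    if malicious is False:
        inc.severity, inc.status = "informational", "auto_closed"
    elif malicious and crit == "critical":
        inc.severity, inc.status = "high", "open"
    elif malicious:
        inc.severity, inc.status = "medium", "open"
    else:
        inc.severity, inc.status = "low", "triage"
    return inc


def notify(inc: Incident) -> Incident:
    """Notification layer: page for high severity, queue everything else open."""
    if inc.status == "auto_closed":
        return inc
    target = "oncall-pager" if inc.severity == "high" else "soc-queue"
    inc.notifications.append(f"{target}:{inc.alert_id}")
    return inc


def remediate(inc: Incident) -> Incident:
    """Remediation layer: cut the actor off early in the kill chain. Only
    confirmed-malicious traffic against a critical asset is contained without
    a human in the loop; everything else waits for analyst approval."""
    if inc.severity == "high":
        inc.actions += [f"block_ip:{inc.src_ip}", f"isolate_host:{inc.host}"]
        inc.status = "contained"
    return inc


# Ordered layers after ingestion; reorder or swap to change the playbook.
PIPELINE: List[Callable[[Incident], Incident]] = [enrich, analyse, notify, remediate]


def run_lifecycle(raw_alert: dict) -> Incident:
    inc = ingest(raw_alert)
    for stage in PIPELINE:
        inc = stage(inc)
    return inc


# Constructed alerts: C2 hit on a critical host, CDN noise, and an unknown IP.
ALERTS = [
    {"id": "A-1", "host": "fin-db-01", "src_ip": "203.0.113.7", "rule": "outbound_beacon"},
    {"id": "A-2", "host": "kiosk-12", "src_ip": "198.51.100.3", "rule": "outbound_beacon"},
    {"id": "A-3", "host": "kiosk-12", "src_ip": "192.0.2.9", "rule": "outbound_beacon"},
]


def summarise(alerts: List[dict]) -> Dict[str, str]:
    """Final status per alert id; useful for measuring how much L1 work was removed."""
    return {a["id"]: run_lifecycle(a).status for a in alerts}


if __name__ == "__main__":
    for a in ALERTS:
        inc = run_lifecycle(a)
        print(inc.alert_id, inc.severity, inc.status, inc.notifications, inc.actions)
```

Of the three constructed alerts, only the one that is both confirmed malicious and aimed at a critical asset is contained automatically; the known-benign source is closed without a ticket, and the unknown source is held for triage, which is the point at which a human, not the playbook, decides.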