Accelerate Incident Response with Orchestration & Automation
Download as PPTX, PDF0 likes303 views
Daily IT security operations processes have not changed significantly over the past decade, but that all stands to change now that a new technology has arrived—enabling security teams to work smarter, respond faster, and improve their defenses. With Security Orchestration, Automation and Response (SOAR) technology, mundane processes can be handled by computers, allowing the SOC team to focus on identifying and responding to the real threats and attacks. This session examines traditional SOC processes and what becomes possible with a SOAR platform like Splunk Phantom. Whether it's a two-person security operation or a full complement SOC, learn to identify the processes that computers can handle on your behalf, and how to go beyond simple use cases and leverage all of the available security tools in your arsenal to the max.
![© 2019 SPLUNK INC.
https://usergroups.splunk.com/
Check website for
upcoming events
[CITY] Area User Group
Connect with Local Splunkers
Get More
Information
Here at the
SplunkZone](https://image.slidesharecdn.com/ppt-splunklive-fy20-accelerate-incident-response-using-orchestration-and-automation-101final-190618055821/85/Accelerate-Incident-Response-with-Orchestration-Automation-30-320.jpg)
Ad
More Related Content
What's hot (16)
Similar to Accelerate Incident Response with Orchestration & Automation (20)
Ad
More from Splunk (20)
Ad
Recently uploaded (20)
Accelerate Incident Response with Orchestration & Automation
- 1. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Accelerate Incident Response Using Orchestration and Automation
- 2. © 2019 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward-Looking Statements
- 3. © 2019 SPLUNK INC. Incident Response Too many alerts Not enough insights Tools Too many No integration Skills Attracting Training Retaining Scale Orchestration & Automation Horizontal & Vertical Security Operations Practices Need to Change
- 4. © 2019 SPLUNK INC. Incident Response Challenge
- 5. © 2019 SPLUNK INC. Incident Response Takes Significant Time 5 Source: SANS 2017 Incident Response Survey Time from compromise to detection Time from detection to containment Time from containment to remediation 1-3 months 2–7 days
- 6. © 2019 SPLUNK INC. Where Does Your Time Go? When working an incident, which phase generally takes the longest to complete in your organization? Day in the life of a security professional survey © 2016 EMA, Inc.
- 7. © 2019 SPLUNK INC. Time-to-Contain + Time-to-Remediate = 86% When working an incident, which phase generally takes the longest to complete in your organization? Day in the life of a security professional survey © 2016 EMA, Inc.
- 8. © 2019 SPLUNK INC. Tools
- 9. © 2019 SPLUNK INC. How many security tools and technologies does your company use? Poll #1
- 10. © 2019 SPLUNK INC. Tools and Technologies Galore Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017 TOO MANY TOOLS On average, organizations are using between 25 and 30 different security technologies and services.
- 11. © 2019 SPLUNK INC. Skills and Scale Orchestration and Automation
- 12. © 2019 SPLUNK INC. Orchestration ► Security Orchestration is the machine-based coordination of security actions across tools and technologies. ► Brings together or integrates different technologies and tools ► Provides the ability to coordinate informed decision making, formalize and automate responsive actions Automation ► Security Automation is the machine- based execution of security actions. ► Focus is on how to make machines do task-oriented "human work” ► Improve repetitive work, with high confidence in the outcome ► Allows multiple tasks or "playbooks" to potentially execute numerous tasks Orchestration vs. Automation
- 13. © 2019 SPLUNK INC. Do you use Security Orchestration Automation and Response (SOAR) ? Poll #2
- 14. © 2019 SPLUNK INC. Automation & Orchestration Adoption Growing Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
- 15. © 2019 SPLUNK INC. Security Nerve Center Overview
- 16. © 2019 SPLUNK INC. ANALYTICS ORCHESTRATION NETWORK THREAT INTELLIGENCE MOBILE ENDPOINTS IDENTITY AND ACCESS CLOUD SECURITY WAF AND APP SECURITY WEB PROXY FIREWALL Observe Decide Orient Act Security Nerve Center
- 17. © 2019 SPLUNK INC. Splunk Security Portfolio Enterprise Security 3rd Party Apps & Add-ons (900+) User Behavior Analytics Platform for Operational Intelligence Network data Exchange dataES Content Update PCI Compliance Search and Investigate Monitoring & Alerting Dashboards and Reports Incident & Breach Response Splunk Security Apps & Add-ons Security Essentials App for AWS Google Cloud Microsoft Cloud Discover Anomalous Behavior Detect Unknown Threats Automation & Orchestration Threat Detection Security Operations Phantom Premium Solutions
- 18. © 2019 SPLUNK INC. Adaptive Operations Framework Partner ecosystem enables the Security Nerve Center Mission Deeply integrate with the best security technologies to improve cyber defenses and maximize operational efficiency. Approach Gather, analyze, share, and take action using end-to-end context across across multiple security domains. NETWORK THREAT INTELLIGENCE ENDPOINTS IDENTITY AND ACCESS CLOUD SECURITY WAF AND APP SECURITY WEB PROXY FIREWALL Splunkbase Apps & Add-Ons Splunk Enterprise Security Adaptive Response Actions Splunk Phantom Apps & Playbooks DATA / ANALYTICS OPERATIONS 240+ INTEGRATIONS / 1,200+ APIS
- 19. © 2019 SPLUNK INC. Phantom Security Operations
- 20. © 2019 SPLUNK INC. Operationalizing Security With Phantom Integrate your team, processes, and tools together. Work smarter by automating repetitive tasks allowing analysts to focus on more mission-critical tasks. Respond faster and reduce dwell times with automated detection, investigation, and response. Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.
- 21. © 2019 SPLUNK INC. Automation Automate repetitive tasks to force multiply team efforts. Execute automated actions in seconds versus hours. Pre-fetch intelligence to support decision making.
- 22. © 2019 SPLUNK INC. 200+ APPS & GROWING 1000+ API’S Orchestration Coordinate complex workflows across your SOC.
- 23. © 2019 SPLUNK INC. Collaboration Communicate without losing context of the mission. Share items of interest with your team. Tap into collective knowledge with Phantom Mission Experts™.
- 24. © 2019 SPLUNK INC. Event Management Triage the most relevant events first. Eliminate noise from your workload. Escalate verified events to a formal case.
- 25. © 2019 SPLUNK INC. Create case templates that replicate your SOPs. Manage your response to threats with precision. Embed automation within a case task. Case Management
- 26. © 2019 SPLUNK INC. Quickly assess operational status and team performance. Conduct post-mortem case review. Demonstrate return on your organization's security investment. Reporting & Metrics
- 27. © 2019 SPLUNK INC. SplunkSANDBOX QUERY RECIPIENTS USER PROFILE HUNT FILE HUNT FILE FILE REPUTATION FILE ASSESSMENT RUN PLAYBOOK “REMEDIATE" EMAIL ALERT A Phantom Case Study “Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.” Adam Fletcher CISO How it Works Automated Malware Investigation
- 28. © 2019 SPLUNK INC. DEMO
- 29. © 2019 SPLUNK INC. 1. Use Phantom with Splunk or Splunk Enterprise Security to accelerate Incident Investigation and Response 2. Use Adaptive Operations Framework to realize your security nerve center 3. Splunk offers market proven, comprehensive solutions for Incident Response 4. Use with all Security domains and related IT domains to solve incident response use cases and more Splunk offers options to accelerate incident response with orchestration and automation Key Takeaways
- 30. © 2019 SPLUNK INC. https://usergroups.splunk.com/ Check website for upcoming events [CITY] Area User Group Connect with Local Splunkers Get More Information Here at the SplunkZone
- 31. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Thank You.