Automation and open source turning the tide on the attackers
- 6. • SIEM • Packets • Logs • Endpoint • EDR • EPP (AV) • Firewall • UEBA • Identity Management • Security Management • Web Security • Mobile Security • Cloud Security • And the list goes on and on and on… Many simply do not integrate well
- 7. • Organizations are not reacting fast enough to incidents • Lack of skilled resources • Challenges retaining skilled resources • Too much time spent on manual research • Overwhelmed by what’s needed for every incident • Do things faster by streamlining processes by using workflows and leveraging automation • Complaints about the ever growing number of security tools being used • Each product provides it’s own value to the analyst • How can we properly integrate them so we can maximize the ROI for each • Instead of going from product to product, we need orchestration
- 8. Ingest Data Investigate Develop Tools Stay Safe Buy? Develop? Research Demo POC Procure Install Fix Wait, ingest what? Don’t know if it’s malicious…. …or totally benign At least it’s a strong job market
- 9. If you care about results then you should care
- 13. Ingest Data Invest in people Stay Safer… …than everyone elseDetermine weakness Define End state Create Toolset Investigate Remediate Something tangible Red Team Stuff
- 14. ATTRIBUTION
- 16. it requires maintenance, configuration, and ongoing support COMMUNITY CROWD-SOURCED TRANSPARENCY RELIABILITY
- 18. SOA, SAO, SOAR, SAOR…….. NextGen Automation?
Editor's Notes
- #5: We both work for swimlane. Niether of us are experts but we are very interested in the topic and supporting the community
- #6: Jimmy’s
- #7: Emma. So many tools, they don’t talk to each other. You have to hop between all these tools. Many do not integrate well. If they are not integrated you have to jump between tools to take actions. You may or may not manage all these tools, you may manage some. Jumping between each tool takes a lot of time
- #8: You have so many options. By working with the open source community you can influence the outcome of your work and choose the option that makes the most sense to you.
- #10: Emma. Who cares? Some people feel like they are already in water. If you care about delivering real value to your organization and doing more interesting work with the time you have during the workday, then you should care.
- #12: Emma. Get the job you thought you got. Empathy, humor, high level slides. I can help with this one. With automation you can get to the tasks you thoguth you would be responsible for an dyou can take more responsibility and bring more value to your team. We all want the jobs that allow you to work in a fancy lab doing cool work catching the bad guys. Not running around chasing false positives.
- #13: Quick transition, Jimmy
- #14: Define a good end state. Figure out your weaknesses from there.
- #15: Attribution doesn’t happen often because it’s the hardest and we usually don’t have time to do - more manual type work. Goal of Swimlane Is to get through normal SecOps so they have time to get to stuff like attribution
- #16: Emma. Emma take over, gather the process and idea sharing you need to enchance your current toolset and do more with what you already have.. High lfevel overview talk about some capabilities out there.. Creating your tool set, you’re looking to create tool, set-free and open source Some clients we interact with…some clients buy every tool, no orchestration, no strategy, it’s time to orchestrate, until they buy or implement a solution, orchestrate a workflow with playbooks, realize and standardize the process on how to deal with threats, we . From email, extract, payloads, domains header, what do we do with this,
- #17: New ideas, info sharing, using shareable content, scripts experts write to make life easier. You can rely on what the open source community builds. Eveyrone works together! Pros and cons.. Make your job more accurate You can find a lot of different tools, but they did take a little more maintenance and support.. Versus relying on the vendor. Do you have the team that has the capacity? Sometimes it makes sense to buy a product from a budgeting perspecint
- #18: Emma. I need some help with the talking points here. Define it by what you can automate. Talk about what you want to be spending, time on. Hunting, attribution, to get there you need to automate stuff like triage alerts, do you want to manual jump through tools with an ip address.. Why did you get into this profession… free up your time to do those more important things make your team more effective
- #19: Emma. Jargon is not imporntat to me. These acronyms come up a lot in the industry…
- #20: Attribution doesn’t happen often because it’s the hardest and we usually don’t have time to do - more manual type work. Goal of Swimlane Is to get through normal SecOps so they have time to get to stuff like attribution
- #21: More context and data. Any re lated
- #22: Emma Starts Emma does Phishing Logarithm, Detection Jimmy does rest. I take Chris Long,s detection lab and phishing intelligence engine by greg foss Questions for the team: whats the talking point for this slide? It looks like its “this is what the open source community is sharing right now” Slide 21 DumpsterFire: A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations DetectionLab: This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. PIE: The Phishing Intelligence Engine (PIE) is a framework that will assist with the detection and response to phishing attacks. An Active Defense framework built around Office 365, that continuously evaluates Message Trace logs for malicious contents, and dynamically responds as threats are identified or emails are reported. Red Baron: Automate creating resilient, disposable, secure and agile infrastructure for Red Teams Ansible and empire is kinda the same thing as ^^^
- #23: Drill down what actions were part of an incident. Parsing out what’s relevant… gather real time for the endpoint. Get good understanding . Timesktetch (I’ll handle it)sorts through records to isolate which ones relate to a specific incident . If you have an enterprise security team, you’re getting millions of logs. There could be a hundred logs between logs. Sort through quickl.y Emma does time sketch, second. Emma does Time Sketch: Sorts through records to isolate which ones relate to a specific incident
- #24: What if your stuff is time critical? Automation helps you integrate all disparate tools and get more value from them, exactl how you’ve specified. Use the tools in the middle to prevent yourself from having to log in to each tool. Saves a time a The main differentiator is that since they are free teams can focus on customizing them to their needs and not burn money on vendors and proserv unnecessarily. And also this slide shows that every "paid" tool has an open source counterpart Use tools in the middle to automate the stuff on the sides. Example: Elastic Stack, Powershell, VirusTotal
- #25: By integrating your tools you can get richer threat intel out of them. The best part it. You can do whatever you want. Anything you can dream up, you can find a way to orchestrate it.