SlideShare uma empresa Scribd logo

Journey to the Center of Security Operations

♟Sergej Epp

Why is Security Orchestration Automation & Response (SOAR) becoming the gravity center of Security Operations Centers worldwide?

Tecnologia
1 de 30
Baixar para ler offline
JOURNEY TO THE CENTER OF SECURITY OPERATIONS SERGEJ EPP Chief Security Officer, Central Europe
FRANKFURT, GERMANY 2 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. SERGEJ EPP Chief Security Officer, Central Europe § Regional Cybersecurity Strategy and Operations § Thought Leadership Global Head of Cyber Forensics & Investigations Global Head of Cyber Hygiene Operations § Endpoint Detection Response § Fraud & Insider Investigations § Firmware and Supply Chain Forensics § Configuration Management, Neutral Control Global Head of Cyber Defense Center § Threat Intelligence § Threat and Forensics Response § Red Team § Cyber Analytics & Big Data § Security Awareness and Roadshows WHOAMI
EVOLUTION OF INFORMATION SECURITY OPERATIONS 3 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. NOC Compliance SOC Threat-Intel Driven SOC Integrated SOC Fusion Center Level 1 Perimeter focused operations Level 2 SIEM based, Policy driven operations and static playbooks Level 3 Threat-Intelligence focused security operations Level 4 Integrated detection, incident response, forensics, intelligence and vulnerability functions Level 5 Integrated non- cybersecurity functions such as physical security, fraud or business operations
4 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
5 | © 2018, Palo Alto Networks. All Rights Reserved. We have not responded to an intrusion using a ZeroDay exploit in the last 24 months - National Security Agency* * RSA Conference 2019 “ ”
GROW YOUR RISK MANAGEMENT 6 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. § Connected vehicle (air/rail/car) threats § Quantum computing § Data exfiltration in the cloud § Cyber Hygiene § AI voice fraud § AI phishing § AI chatbots § Firmware implants § Destructive threats § ID mass blackmailing § OT/IoT Threats § Insider Threat § Third Party Threat § Spyware § Identity theft § Ransomware Virus § AI Exploit Fuzzing § AI Malware Gen. § Biometrics loss § CEO Fraud § Compromised patch control § Crimeware-as-a- service § Phishing § Supervisory Oversight § BYOD threats § Attack obfuscation § Denial of Service § Banking Malware § Advanced regulations § Cryptojacking 10 mio 5 mio 1 mio 100k 10k 1% 2% 5% 10% 20% VULNERABILITIES AND MISCONFIGURATIONS IF YOU CAN FIX ONLY 1/10 OF YOUR VULNERABILITIES, WHICH ONES WILL YOU FIX? CVE-2017-0143 (aka EternalBlue) • Security risk = CVSS 9.3 High • Business risk = Critical • Change risk = Medium
7 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
HYPE CYCLE REACTIVE PREVENTIVE 80% of Enterprises IT investment in security* 72% of VC investments in security startups** *Source: VmWare Analysis ** Cyber Defenders Report, CB Insights 2019
9 | © 2018, Palo Alto Networks. All Rights Reserved. BURDEN TO TRIAGE IS STILL A PROBLEM A Tier concept makes sense when the symptoms are well understood. In cybersecurity, we ask the most unexperienced analyst in Tier1 to identify APT attacks. Are you surprised this does not work? TIER 1 TIER 2 TIER 3 106.887.657.123 37% Manual alert enrichment (e.g. checking IP in database)* The Definition of SOC-cess? SANS 2018 Security Operations Center Survey 34% Mostly automated alert enrichment* ALERT ENRICHMENTLACK OF CONSISTENT VISIBILITY FALSE POSITIVE FATIGUE FRONT LINE OF DEFENSE Threat actors are often leveraging Shadow IT, IoT devices or simply unmanaged devices to maintain persistent access. It requires a fusion between SIEM, network, endpoint etc. to enable triage of activities. Examples: APT10 (CloudHopper), NSA TAO Event if the attack is detected the chance that its identified by the analyst is small due to to many false positives Bonus: Hackers often launch a DDoS attack to flood SIEM systems shortly after a successful targeted attack against a bank.
COLLECTING OR DETECTING? 10 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. BOTTOM-UP start with data LOG DATA TOP-DOWN start with use case MONTHS vs. DAYS Identify most relevant threats Create use-cases Collect only relevant data Analyze alerts Parse and interpret data Collect available data sources Build use case Data is oil for security operations teams, but collecting simply all available data will not only overload your infrastructure but also impact capacity of your team. Top-down approach considering the entire end-2-end (Identify- detect-respond) use-cases is the way to go for most of the SOCs.
Alerts must be 90%+ True Positive Move high False Positive Alerts to Hunting Dedicated hunt time Move high True Positive to Alerting 11 | © 2019 Palo Alto Networks. All Rights Reserved. Alerting Program Hunting Program „HUNTING IS A PROCESS, NOT A DEDICATED TEAM“
12 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. MACHINE LEARNING WILL INCREASE AUTOMATED RESPONSES PRE-COMPUTE LEARNING OF 1,000+ BEHAVIORAL DIMENSIONS Time Profile • History, per Detector • Network -> Application Peer Profile • Peer profile, per Detector Entity Profile • Entity Type • User, admin, workstation, server, server type MLTechnique Pre-Compute Learning UNSUPERVISEDSUPERVISED
13 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
14 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. GORCH FOCK SOC DATA LAKE
15 | © 2015, Palo Alto Networks. Confidential and Proprietary. DEMISTO - ORCHESTRATION ENGINEER ORCHESTRATEPLATFORMIZE
Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated Detection and Prevention Threat Alerting and Hunting Focus on this side Focus on this side AFAutoFocus TRTraps WFWildFire GPGlobalProtect AP Aperture 16 | © 2019 Palo Alto Networks. All Rights Reserved. Cortex XDR SHIFT RIGHT – TAKE THE HUMANS OUT OF ROBOTS
17 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASESecurity Operations Update: 1. Your Threat Intelligence team reports other companies experiencing the same Ransomware based cyberattack. 2. The attackers demand Bitcoin in order to decrypt the hard drive. 3. An interesting observation is that the Bitcoin wallet address is always the same.
THREAT INTELLIGENCE 18 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ✓ Mature capability for most organizations ✘ More than 95% of consumed intelligence is already known (Waste of money and time) ✘ Companies lack instrumentation of controls to automate consumption ✘ Most companies don’t generate actively threat intelligence CONSUME GENERATE SHARE OPERATIONAL (IOCs, TTPs,) TACTICAL (Adversary campaigns, Trends, Sharing) STRATEGIC (Business risk) ✓ Maturity on government level resulting in cyber policy influence ✘ Most boards lack understanding that they are in software business and cyber is one of the greatest risk ✘ Investment in cybersecurity are by far not proportional to investments in digitalization ✓ Mature capability in some industries e.g. Financial Industry. ✓ Strong community focus e.g. CTA, CSSA, CDA, FS-ISAC ✘ Application of Active Cyber Defense lifecycle takes time
EXAMPLE: INSTRUMENT YOUR CONTROLS FOR CONSUMPTION Block list Quarantine list Alert list Sandbox ExploitKits, Scanning IPs C2 IPs Move to quarantine network Rebuild device Analyze device Signatures Firewall Endpoint Indicators APT IPs Notify user AI: beaconing SHARING User Violation
MEASURING AND IMPROVING SOC-CESS 24 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. www.soc-cmm.com
THREE CATEGORIES OF METRICS HEALTH % of controls running % of assets configured to best practices % of vulnerable systems % of traffic visible … Mean time to detect (MTTD) Time to discover all impacted assets Completeness per IOC sweep Detection for % of all attack vectors Detection for % of all data leakage vectors % of false positive alerts per analytic % of attacks automatically prevented % of users with privilege rights … RESILIENCE Mean time to respond (MTTR) Mean time to rebuild a desktop % of automated countermeasures % of red team exercises detected Time from intrusion to eradication (dwell) … VISIBILITY BUSINESS VALUE AND PRODUCTIVITY METRICS § Losses occurred vs. losses prevented § Mean cost per incident § % of XXX vs industry benchmark …
EXAMPLE: CONFIGURATION OF ATT&CK VISIBILITY – DETT&CT 27 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ü Identification of your visibility/log/detection maturity for common attacks described in ATT&CK can help to prioritize configuration ü BUT: To set the right coverage bar for your organization requires mature understanding for relevant threat actor
EXAMPLE: CONFIGURATION OF DATA LEAKAGE VISIBILITY 28 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. HTTP HTTPS FTP FTPS SMTP ICMP DNS TELNET DNSSEC 62% of known data leakage vectors are identified or prevented Exfiltration of sensitive large data sets sent over longer period of time is not being detected! DATA LEAKAGE SIMULATION Easy and effective deployment allows both: • Prioritize configuration and rules in production • Test security products as part of PoC BUT, how do you define the threshold?
29 | © 2015, Palo Alto Networks. Confidential and Proprietary. PLAN FINANCIAL EXISTING METRICS SOAR DOPLAN CHECKACT VERIFICATION DOPLAN CHECKACT DOPLAN CHECKACT THE PATH TO METRICS MATURITY Mean time to X SOC productivity Countermeasure automation Stakeholder responsiveness Network Endpoint Email Security Controls Controls Resilience Exploitation Exfiltration Financial impact Fraud
EVOLUTION OF THE SOC ROLE – HOW TO KEEP UP? 30 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. *The Definition of SOC-cess? SANS 2018 Security Operations Center Survey TRAINING / ROTATIONS § Technical trainings (e.g. SANS, Data Science) § Rotation between offensive and defensive teams CAREER PATH Especially for technical experts, who are not interested in team management but still want to influence the strategic direction of the company CULTURE OF CURIOSITY will attract smart and passioned talent and help to grow naturally skill and capability LEGAL ENABLEMENT § Access to security data and analysis § Threat Sharing Lack of skilled staff is #1 problem in most organizations* Attrition rates of 20-25% are common in our business. What can be done to retain the staff? FROM ANALYST TO CODER AND DATA SCIENTIST
enterprise apps today are cloud-enabled /cloud-native Cloud is Everywhere Containers Have Gone Mainstream enterprises will use containers by 2020 8 of 10 1 in 2 of cloud users leverage 2 or more cloud providers (Gartner) 81% Multi-Cloud CLOUD SECOPS IS HEAVILY BEHIND SANS 2019 Cloud Security Survey ● 99% of cloud security failures will be the customers fault by 2023 (Gartner) ● 42% Lack of skills or training for specific public cloud services* ● 52% Inability to respond to incidents traversing our cloud apps and data* CYBERSECURITY LACKS ADOPTION FOR CLOUD TRANSFORMATION
32 | © 2018 Palo Alto Networks, Inc. All Rights Reserved. SHIFT LEFT PRINCIPLES </> Code Build Test Deploy Monitor CI Continuous Integration CD Continuous Deployment SHIFT LEFT – WILL INCREASE CODING SKILLS IN SECOPS TEAMS 1. Security by design - establish criteria upfront 2. Integrate, automate, automate 4. Share tooling - don’t silo information 5. Train your developer teams for better awareness 3. Establish control gates SIEM IDS
COLLABORATION IS EXPLODING 33 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. FUSION CENTER DEPLOY STAFF IN SOC DEPLOY LIASON OFFICERS IN BUSINESS DEPARTMENTS PHYSICAL ✓ Insights into cyber threat actors ✓ Joint work on cyber enabled physical bugs TRANSPORTATION FRAUD BUSINESS ISOs ✓ Joint monitoring of transportation products ✓ Examples: Connected Car, Airplanes, Railways ✓ Improved time to mitigation for cyber enabled fraud ✓ Typically senior security manager roles ✓ Brokers stakeholder relationship and governs remediation in specific business unit DELEGATED TRIAGE ✓ Delegate triage of alerts to users e.g. “Have you been to Switzerland yesterday?”
34 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. TRANSFORM YOUR TEAM § Start hiring software engineers and data scientist § Focus on data analysis (Hunting is a process) and communication § Stop Use-Cases below 90% true positive and move to hunting MEASURE SMART § Show business impact § Crawl, walk, run (Same as LEGO) § Focus on “health” usecases first MODERNIZE TECH. STRATEGY § Build technology around automation and not vice versa § Evaluate your toolset: § Take out two for introducing one § Increase penetration rate § Enable features AUTOMATIZE PRODUCTION § Make automation a personal goal for everyone § Prevention First § Increase % of § enriched alerts § of automated countermeasure deployments DEMOCRATIZE COLLABORATION § Implement Delegated Monitoring TAKE AWAYS
35 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. Let‘s SOAR

Recomendados

Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilienceChristophe Foulon, CISSP
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 

Recomendados

Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilienceChristophe Foulon, CISSP
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Cybersecurity - Overview
Cybersecurity - OverviewCybersecurity - Overview
Cybersecurity - OverviewThanuja Seneviratne
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYMaganathin Veeraragaloo
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdfAhmedRKhan
 
Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2NetLockSmith
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
 

Mais conteúdo relacionado

Mais procurados

Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdfAhmedRKhan
 
Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2NetLockSmith
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 

Mais procurados (20)

Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Cybersecurity - Overview
Cybersecurity - OverviewCybersecurity - Overview
Cybersecurity - Overview
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat hunting
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Industrial Security.pdf
Industrial Security.pdfIndustrial Security.pdf
Industrial Security.pdf
 
Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 

Semelhante a Journey to the Center of Security Operations

PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksAngeloluca Barba
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataIBM Security
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Cristian Garcia G.
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)GuardEra Access Solutions, Inc.
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementAleksey Lukatskiy
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_finalTerry Young
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_finalTerry Young
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftOSIsoft, LLC
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistancePaul-Charife Allen
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_CMR WORLD TECH
 
Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015Clint Walker
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfMetaorange
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxMetaorange
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18japijapi
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuNixu Corporation
 

Semelhante a Journey to the Center of Security Operations (20)

PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
 
Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdf
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptx
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Journey to the Center of Security Operations

  • 1. JOURNEY TO THE CENTER OF SECURITY OPERATIONS SERGEJ EPP Chief Security Officer, Central Europe
  • 2. FRANKFURT, GERMANY 2 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. SERGEJ EPP Chief Security Officer, Central Europe § Regional Cybersecurity Strategy and Operations § Thought Leadership Global Head of Cyber Forensics & Investigations Global Head of Cyber Hygiene Operations § Endpoint Detection Response § Fraud & Insider Investigations § Firmware and Supply Chain Forensics § Configuration Management, Neutral Control Global Head of Cyber Defense Center § Threat Intelligence § Threat and Forensics Response § Red Team § Cyber Analytics & Big Data § Security Awareness and Roadshows WHOAMI
  • 3. EVOLUTION OF INFORMATION SECURITY OPERATIONS 3 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. NOC Compliance SOC Threat-Intel Driven SOC Integrated SOC Fusion Center Level 1 Perimeter focused operations Level 2 SIEM based, Policy driven operations and static playbooks Level 3 Threat-Intelligence focused security operations Level 4 Integrated detection, incident response, forensics, intelligence and vulnerability functions Level 5 Integrated non- cybersecurity functions such as physical security, fraud or business operations
  • 4. 4 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
  • 5. 5 | © 2018, Palo Alto Networks. All Rights Reserved. We have not responded to an intrusion using a ZeroDay exploit in the last 24 months - National Security Agency* * RSA Conference 2019 “ ”
  • 6. GROW YOUR RISK MANAGEMENT 6 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. § Connected vehicle (air/rail/car) threats § Quantum computing § Data exfiltration in the cloud § Cyber Hygiene § AI voice fraud § AI phishing § AI chatbots § Firmware implants § Destructive threats § ID mass blackmailing § OT/IoT Threats § Insider Threat § Third Party Threat § Spyware § Identity theft § Ransomware Virus § AI Exploit Fuzzing § AI Malware Gen. § Biometrics loss § CEO Fraud § Compromised patch control § Crimeware-as-a- service § Phishing § Supervisory Oversight § BYOD threats § Attack obfuscation § Denial of Service § Banking Malware § Advanced regulations § Cryptojacking 10 mio 5 mio 1 mio 100k 10k 1% 2% 5% 10% 20% VULNERABILITIES AND MISCONFIGURATIONS IF YOU CAN FIX ONLY 1/10 OF YOUR VULNERABILITIES, WHICH ONES WILL YOU FIX? CVE-2017-0143 (aka EternalBlue) • Security risk = CVSS 9.3 High • Business risk = Critical • Change risk = Medium
  • 7. 7 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
  • 8. HYPE CYCLE REACTIVE PREVENTIVE 80% of Enterprises IT investment in security* 72% of VC investments in security startups** *Source: VmWare Analysis ** Cyber Defenders Report, CB Insights 2019
  • 9. 9 | © 2018, Palo Alto Networks. All Rights Reserved. BURDEN TO TRIAGE IS STILL A PROBLEM A Tier concept makes sense when the symptoms are well understood. In cybersecurity, we ask the most unexperienced analyst in Tier1 to identify APT attacks. Are you surprised this does not work? TIER 1 TIER 2 TIER 3 106.887.657.123 37% Manual alert enrichment (e.g. checking IP in database)* The Definition of SOC-cess? SANS 2018 Security Operations Center Survey 34% Mostly automated alert enrichment* ALERT ENRICHMENTLACK OF CONSISTENT VISIBILITY FALSE POSITIVE FATIGUE FRONT LINE OF DEFENSE Threat actors are often leveraging Shadow IT, IoT devices or simply unmanaged devices to maintain persistent access. It requires a fusion between SIEM, network, endpoint etc. to enable triage of activities. Examples: APT10 (CloudHopper), NSA TAO Event if the attack is detected the chance that its identified by the analyst is small due to to many false positives Bonus: Hackers often launch a DDoS attack to flood SIEM systems shortly after a successful targeted attack against a bank.
  • 10. COLLECTING OR DETECTING? 10 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. BOTTOM-UP start with data LOG DATA TOP-DOWN start with use case MONTHS vs. DAYS Identify most relevant threats Create use-cases Collect only relevant data Analyze alerts Parse and interpret data Collect available data sources Build use case Data is oil for security operations teams, but collecting simply all available data will not only overload your infrastructure but also impact capacity of your team. Top-down approach considering the entire end-2-end (Identify- detect-respond) use-cases is the way to go for most of the SOCs.
  • 11. Alerts must be 90%+ True Positive Move high False Positive Alerts to Hunting Dedicated hunt time Move high True Positive to Alerting 11 | © 2019 Palo Alto Networks. All Rights Reserved. Alerting Program Hunting Program „HUNTING IS A PROCESS, NOT A DEDICATED TEAM“
  • 12. 12 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. MACHINE LEARNING WILL INCREASE AUTOMATED RESPONSES PRE-COMPUTE LEARNING OF 1,000+ BEHAVIORAL DIMENSIONS Time Profile • History, per Detector • Network -> Application Peer Profile • Peer profile, per Detector Entity Profile • Entity Type • User, admin, workstation, server, server type MLTechnique Pre-Compute Learning UNSUPERVISEDSUPERVISED
  • 13. 13 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
  • 14. 14 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. GORCH FOCK SOC DATA LAKE
  • 15. 15 | © 2015, Palo Alto Networks. Confidential and Proprietary. DEMISTO - ORCHESTRATION ENGINEER ORCHESTRATEPLATFORMIZE
  • 16. Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated Detection and Prevention Threat Alerting and Hunting Focus on this side Focus on this side AFAutoFocus TRTraps WFWildFire GPGlobalProtect AP Aperture 16 | © 2019 Palo Alto Networks. All Rights Reserved. Cortex XDR SHIFT RIGHT – TAKE THE HUMANS OUT OF ROBOTS
  • 17. 17 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASESecurity Operations Update: 1. Your Threat Intelligence team reports other companies experiencing the same Ransomware based cyberattack. 2. The attackers demand Bitcoin in order to decrypt the hard drive. 3. An interesting observation is that the Bitcoin wallet address is always the same.
  • 18. THREAT INTELLIGENCE 18 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ✓ Mature capability for most organizations ✘ More than 95% of consumed intelligence is already known (Waste of money and time) ✘ Companies lack instrumentation of controls to automate consumption ✘ Most companies don’t generate actively threat intelligence CONSUME GENERATE SHARE OPERATIONAL (IOCs, TTPs,) TACTICAL (Adversary campaigns, Trends, Sharing) STRATEGIC (Business risk) ✓ Maturity on government level resulting in cyber policy influence ✘ Most boards lack understanding that they are in software business and cyber is one of the greatest risk ✘ Investment in cybersecurity are by far not proportional to investments in digitalization ✓ Mature capability in some industries e.g. Financial Industry. ✓ Strong community focus e.g. CTA, CSSA, CDA, FS-ISAC ✘ Application of Active Cyber Defense lifecycle takes time
  • 19. EXAMPLE: INSTRUMENT YOUR CONTROLS FOR CONSUMPTION Block list Quarantine list Alert list Sandbox ExploitKits, Scanning IPs C2 IPs Move to quarantine network Rebuild device Analyze device Signatures Firewall Endpoint Indicators APT IPs Notify user AI: beaconing SHARING User Violation
  • 20. MEASURING AND IMPROVING SOC-CESS 24 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. www.soc-cmm.com
  • 21. THREE CATEGORIES OF METRICS HEALTH % of controls running % of assets configured to best practices % of vulnerable systems % of traffic visible … Mean time to detect (MTTD) Time to discover all impacted assets Completeness per IOC sweep Detection for % of all attack vectors Detection for % of all data leakage vectors % of false positive alerts per analytic % of attacks automatically prevented % of users with privilege rights … RESILIENCE Mean time to respond (MTTR) Mean time to rebuild a desktop % of automated countermeasures % of red team exercises detected Time from intrusion to eradication (dwell) … VISIBILITY BUSINESS VALUE AND PRODUCTIVITY METRICS § Losses occurred vs. losses prevented § Mean cost per incident § % of XXX vs industry benchmark …
  • 22. EXAMPLE: CONFIGURATION OF ATT&CK VISIBILITY – DETT&CT 27 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ü Identification of your visibility/log/detection maturity for common attacks described in ATT&CK can help to prioritize configuration ü BUT: To set the right coverage bar for your organization requires mature understanding for relevant threat actor
  • 23. EXAMPLE: CONFIGURATION OF DATA LEAKAGE VISIBILITY 28 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. HTTP HTTPS FTP FTPS SMTP ICMP DNS TELNET DNSSEC 62% of known data leakage vectors are identified or prevented Exfiltration of sensitive large data sets sent over longer period of time is not being detected! DATA LEAKAGE SIMULATION Easy and effective deployment allows both: • Prioritize configuration and rules in production • Test security products as part of PoC BUT, how do you define the threshold?
  • 24. 29 | © 2015, Palo Alto Networks. Confidential and Proprietary. PLAN FINANCIAL EXISTING METRICS SOAR DOPLAN CHECKACT VERIFICATION DOPLAN CHECKACT DOPLAN CHECKACT THE PATH TO METRICS MATURITY Mean time to X SOC productivity Countermeasure automation Stakeholder responsiveness Network Endpoint Email Security Controls Controls Resilience Exploitation Exfiltration Financial impact Fraud
  • 25. EVOLUTION OF THE SOC ROLE – HOW TO KEEP UP? 30 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. *The Definition of SOC-cess? SANS 2018 Security Operations Center Survey TRAINING / ROTATIONS § Technical trainings (e.g. SANS, Data Science) § Rotation between offensive and defensive teams CAREER PATH Especially for technical experts, who are not interested in team management but still want to influence the strategic direction of the company CULTURE OF CURIOSITY will attract smart and passioned talent and help to grow naturally skill and capability LEGAL ENABLEMENT § Access to security data and analysis § Threat Sharing Lack of skilled staff is #1 problem in most organizations* Attrition rates of 20-25% are common in our business. What can be done to retain the staff? FROM ANALYST TO CODER AND DATA SCIENTIST
  • 26. enterprise apps today are cloud-enabled /cloud-native Cloud is Everywhere Containers Have Gone Mainstream enterprises will use containers by 2020 8 of 10 1 in 2 of cloud users leverage 2 or more cloud providers (Gartner) 81% Multi-Cloud CLOUD SECOPS IS HEAVILY BEHIND SANS 2019 Cloud Security Survey ● 99% of cloud security failures will be the customers fault by 2023 (Gartner) ● 42% Lack of skills or training for specific public cloud services* ● 52% Inability to respond to incidents traversing our cloud apps and data* CYBERSECURITY LACKS ADOPTION FOR CLOUD TRANSFORMATION
  • 27. 32 | © 2018 Palo Alto Networks, Inc. All Rights Reserved. SHIFT LEFT PRINCIPLES </> Code Build Test Deploy Monitor CI Continuous Integration CD Continuous Deployment SHIFT LEFT – WILL INCREASE CODING SKILLS IN SECOPS TEAMS 1. Security by design - establish criteria upfront 2. Integrate, automate, automate 4. Share tooling - don’t silo information 5. Train your developer teams for better awareness 3. Establish control gates SIEM IDS
  • 28. COLLABORATION IS EXPLODING 33 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. FUSION CENTER DEPLOY STAFF IN SOC DEPLOY LIASON OFFICERS IN BUSINESS DEPARTMENTS PHYSICAL ✓ Insights into cyber threat actors ✓ Joint work on cyber enabled physical bugs TRANSPORTATION FRAUD BUSINESS ISOs ✓ Joint monitoring of transportation products ✓ Examples: Connected Car, Airplanes, Railways ✓ Improved time to mitigation for cyber enabled fraud ✓ Typically senior security manager roles ✓ Brokers stakeholder relationship and governs remediation in specific business unit DELEGATED TRIAGE ✓ Delegate triage of alerts to users e.g. “Have you been to Switzerland yesterday?”
  • 29. 34 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. TRANSFORM YOUR TEAM § Start hiring software engineers and data scientist § Focus on data analysis (Hunting is a process) and communication § Stop Use-Cases below 90% true positive and move to hunting MEASURE SMART § Show business impact § Crawl, walk, run (Same as LEGO) § Focus on “health” usecases first MODERNIZE TECH. STRATEGY § Build technology around automation and not vice versa § Evaluate your toolset: § Take out two for introducing one § Increase penetration rate § Enable features AUTOMATIZE PRODUCTION § Make automation a personal goal for everyone § Prevention First § Increase % of § enriched alerts § of automated countermeasure deployments DEMOCRATIZE COLLABORATION § Implement Delegated Monitoring TAKE AWAYS
  • 30. 35 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. Let‘s SOAR