The document discusses how security teams are overwhelmed by the increasing volume of alerts they must investigate and respond to. It provides examples of how long it takes to investigate common alerts like connections to command and control servers or antivirus alerts. With current volumes, organizations would need an unrealistically large security team working around the clock. Automating the investigation of routine alerts through intelligent security orchestration and automation can free up analysts' time to focus on more strategic tasks like analyzing what threats may be slipping through, customizing detection, and performing risk assessments. This allows security programs to optimize processes and methodologies and strengthen their overall security posture.
If We Only Had the Time: How Security Teams Can Focus On What’s Important
1. Intelligent Security Orchestration and Automation hexadite.com
If We Only Had the Time:
How Security Teams Can Focus On What’s Important
Barak Klinghofer, Co-Founder and Chief Product Officer, Hexadite
2. Session Overview
• Background
• Example 1: Alert from C&C Connection
• Example 2: Alert from Antivirus
• The Problem: Alert Volume and Resources
• Automating the 2 Previous Examples
• What to do with Your Newly Found Time
• Wrap Up
3. My Background: Barak Klinghofer
CURRENT
Co-Founder & Chief Product Officer, Hexadite
What I Did: Lead technology strategy for a company focused on going from alert to remediation in minutes at scale.
Why It Matters: Our entire reason for existing is to minimize the time to investigate and remediate.
PREVIOUS
Cyber Solutions Architect, Elbit Systems
What I Did: Designed solutions for both public and private sectors, and trained personnel in National Cyber Security centers.
Why It Matters: I’ve designed training systems to teach cyber analysts how to rigorously investigate and remediate cyber threats.
Senior Security Consultant, COMSEC
What I Did: Reviewed companies’ security policies and technologies for global organizations.
Why It Matters: I understand how companies in all industries approach cybersecurity and helped them increase their security posture.
Elite Intelligence Unit, Israeli Defense Forces
What I Did: Helped in building a security team from the ground up. From 0 to 100 in 4 years.
Why It Matters: I worked hands-on to build a team to take on IR challenges with high stakes.
7. Alert from AV
[Timeline figure, text only: the slide plots the steps of a manual AV-alert investigation against elapsed time. Steps shown: Email Alert, Begin Investigating Alert, Locate malicious file, Access Endpoint, Upload Forensics Tools, Analyze Running Processes, Analyze Installed Services and Drivers, Analyze Open Connections, Analyze Persistency Methods, Analyze Recently Created Files, Search Firewall Logs, Search for Lateral Movement, Finish Investigation. Elapsed-time marks along the timeline: 10 Min., 15 Min., 20 Min., 21 Min., 22 Min., 52 Min., 1.5 Hr., 1.6 Hr., 1.8 Hr., 1.9 Hr., 2 Hr., +Days.]
8. Every Day
• How many of these “easy” use cases do you see a day within your organization?
• From our experience, SMEs see about 10-20 daily
• But what about all the rest?
9. The Problem
The problem is the increase in attacks.
The problem is the increase in alerts.
Source: EMA Research
10. The Problem
• This is what 500 alerts/day looks like
• That’s 15,000 per month
• That’s a lot
• One cyber analyst can handle roughly 10 alerts per day
• That’s 300 per month (…but they generally take weekends off)
• You’d need 150 cyber analysts working 8 hr shifts to keep up 7 days a week
• That’s just with current alert volume
• That won’t work
11. Even 5% is Too Much
• Even if you’re able to filter out 95%, you’re still left with 25 critical alerts per day
• That’s 750 per month
• One cyber analyst can handle roughly 10 alerts per day
• You would still need 3 analysts to handle just the critical alerts
• That’s after you’ve spent time filtering, prioritizing
12. Even 5% is Too Much
Even if 95% of alerts are commodity/benign, the 5% is still too much to handle.
15. What to Do with Your Newly Found Time
• Optimize your process and methodology
• Analyze what’s falling through the cracks
• Customize your detection mechanisms
• Risk assessment – Go back and identify the gaps
16. Optimize your process and methodology
• Constant improvement
• Change your mindset from reactive to proactive
• When was the last time you reviewed your security policy?
• How can you get your security policy to be more business-oriented?
• What are you currently doing wrong? (We all have things that we can and should change)
17. Analyze what’s falling through the cracks
• An automatic solution will never be able to do 100% of the work
• Randomly double-check the automatic process; if something is found, update the process and keep improving
• Validate what was found
• Hunt!
18. Customize your detection mechanisms
• You now have a huge team to do the work; go back, review the statistics, and recalibrate your detection solutions.
• Re-think prioritization; make sure it is needed
• What else did you pay for and never use?
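The two slides above ask for a random double-check of the automated process and for a review of the statistics before recalibrating detection. As an added example that is not from the deck or from Hexadite, the Python below does both over a constructed set of alert records: it draws a deterministic random sample of unreviewed auto-closed alerts for an analyst to re-examine, and it computes, per detection rule, how often analysts have overturned the automation, flagging rules whose overturn rate is above a tolerance. The record layout, rule names, thresholds and seed are assumptions.

```python
"""Quality control for an automated triage process.

Added example, not code from the deck or from Hexadite. Alert records,
rule names and thresholds below are constructed assumptions.
"""
import random
from collections import defaultdict

# Constructed records: (alert_id, rule, automated_disposition, analyst_verdict or None if unreviewed)
ALERTS = [
    ("a01", "AV cleaned commodity adware", "closed", "closed"),
    ("a02", "AV cleaned commodity adware", "closed", "closed"),
    ("a03", "AV cleaned commodity adware", "closed", "closed"),
    ("a04", "AV cleaned commodity adware", "closed", "closed"),
    ("a05", "AV cleaned commodity adware", "closed", None),
    ("a06", "C&C beacon, threat-intel match", "closed", "escalate"),
    ("a07", "C&C beacon, threat-intel match", "closed", "closed"),
    ("a08", "C&C beacon, threat-intel match", "closed", "escalate"),
    ("a09", "C&C beacon, threat-intel match", "escalate", "escalate"),
    ("a10", "C&C beacon, threat-intel match", "closed", None),
    ("a11", "Internal port scan", "closed", "escalate"),
    ("a12", "Internal port scan", "closed", "closed"),
    ("a13", "Internal port scan", "closed", None),
]


def pick_review_sample(alerts, size, seed=7):
    """Deterministic random sample of unreviewed auto-closed alerts for a human double-check."""
    candidates = [a for a in alerts if a[2] == "closed" and a[3] is None]
    return random.Random(seed).sample(candidates, min(size, len(candidates)))


def rule_disagreement(alerts):
    """Per rule: (reviewed count, fraction of reviews where the analyst overturned the automation)."""
    stats = defaultdict(lambda: [0, 0])  # [reviewed, overturned]
    for _, rule, auto, verdict in alerts:
        if verdict is None:  # not yet double-checked by a human
            continue
        stats[rule][0] += 1
        if verdict != auto:
            stats[rule][1] += 1
    return {rule: (n, overturned / n) for rule, (n, overturned) in stats.items()}


def rules_to_recalibrate(alerts, min_reviewed=3, max_overturn=0.2):
    """Rules with enough reviews whose overturn rate exceeds the tolerance (assumed 20%)."""
    return sorted(rule for rule, (n, rate) in rule_disagreement(alerts).items()
                  if n >= min_reviewed and rate > max_overturn)


if __name__ == "__main__":
    print("review next:", [a[0] for a in pick_review_sample(ALERTS, 2)])
    for rule, (n, rate) in rule_disagreement(ALERTS).items():
        print(f"{rule}: {n} reviewed, {rate:.0%} overturned")
    print("recalibrate:", rules_to_recalibrate(ALERTS))
```

The minimum-review threshold keeps a single analyst disagreement on a rarely seen rule from triggering a retune; the fixed seed makes the sample reproducible, so the same alerts are handed out if the report is regenerated.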
19. Risk assessment – Identify the gaps
• It’s time to go back to the basics - based on the results, where should we invest more, and what is the right move?
• Business enablement should always be on our radar
Speaker notes: Example 1 (Alert from C&C Connection)
Connection to a C&C was detected by your IPS/FireEye/etc. T+0
Alert was received by ArcSight ESM and pushed to the main channel (we can do correlation of threat intelligence feeds) T+5
Analyst opens the alert and starts the investigation flow (10 minutes)
The analyst identifies the alerted endpoint? (Not always as trivial as you would imagine)
Some organizations will go and re-image the endpoint (what if there were 2 endpoints, or 20, or 200, or 2000…? Where do you draw the line?)
Will re-imaging the endpoint solve the problem?
For other organizations the analyst will go and investigate:
Access the endpoint and verify if something happened (What does that mean?)
Use the forensics tools you have (To search for what?)
Analyze all running processes
We should give an example of how you would analyze running processes (I will provide some screenshots)
Analyze all files created/modified/deleted in the attack timeframe?
Analyze all open connections?
Analyze all known persistency methods (autoruns, scheduled tasks, etc.)?
Analyze installed certificates
What else should I analyze? (Does the phrase “should analyze” carry effort as part of it?)
Analyze memory? What should I search for?
Go back to your firewall logs and search for incoming and outgoing connections at the time of the attack
Check what local credentials are stored and whether lateral movement was performed (How do I do that?)
And a few other tasks…
And this is a simple flow.
Speaker notes: Example 2 (Alert from Antivirus)
Your endpoint AV alerts you about a malicious file that was identified.
Analyst opens the alert
In most cases, if the AV removed the “Threat”, the analyst will skip that alert (Wrong move)
If the threat was not removed (and even if it was removed by the AV), the analyst will identify the alerted endpoint
The analyst will access the endpoint and try to locate the malicious file
If the file is identified, the analyst will try to delete the file (Not that easy in some cases)
The next step is to identify if something else happened; how would the analyst do that?
Use the forensics tools you have (To search for what?)
Analyze all running processes
Analyze all files created/modified/deleted in the attack timeframe?
Analyze all open connections?
Analyze all known persistency methods (autoruns, scheduled tasks, etc.)?
Analyze memory? What should I search for?
Go back to your firewall logs and search for incoming and outgoing connections at the time of the attack
Check what local credentials are stored and whether lateral movement was performed
And a few other tasks…
Overall time and effort… (This is why we try to filter those alerts by using the vulnerability scanners)
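The C&C and AV investigation flows in the notes above share one checklist: running processes, persistence, open connections, files created in the attack timeframe, firewall logs and lateral movement. As an added example that is not from the deck or from Hexadite, the Python below runs the first pass of that checklist automatically over a constructed endpoint snapshot and firewall log, so the analyst receives findings rather than a bare "AV removed the threat" alert (the note calls skipping such alerts the wrong move, and the sample shows why: the file was quarantined but its process, persistence entry and connections remain). Every host name, path, IP, process, persistence entry and log line is constructed sample data; the record layout, the 30-minute look-around window and the choice of admin ports are assumptions.

```python
"""Automated first pass over the AV-alert investigation checklist.

Added example, not code from the deck or from Hexadite. Every host, path,
IP, process and log line below is constructed sample data; the record
layout, the 30-minute window and the admin-port list are assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address

# Admin protocols whose use between internal hosts warrants a lateral-movement check (assumed list)
LATERAL_PORTS = {445, 3389, 5985, 5986}  # SMB, RDP, WinRM (HTTP/HTTPS)


def parse_fw_line(line):
    """Parse one constructed firewall line: '<UTC ts> <action> <src:port> -> <dst:port>'."""
    ts, action, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def triage_av_alert(alert, snapshot, firewall_log, window=timedelta(minutes=30)):
    """Walk the checklist from the speaker notes and return structured findings."""
    t0, path = alert["detected_at"], alert["file_path"].lower()

    def in_window(t):
        return t0 - window <= t <= t0 + window

    # Running processes: is the flagged file (still) executing?
    bad_pids = {p["pid"] for p in snapshot["processes"] if p["image"].lower() == path}
    # Persistence: autoruns / scheduled tasks that launch the flagged file
    persistence = [e for e in snapshot["persistence"] if path in e["command"].lower()]
    # Open connections owned by those processes
    connections = [c for c in snapshot["connections"] if c["pid"] in bad_pids]
    # Files created around the detection time, other than the flagged file itself
    recent = [f for f in snapshot["recent_files"]
              if in_window(f["created"]) and f["path"].lower() != path]
    # Firewall logs: everything this host talked to around the alert
    fw_hits = [r for r in map(parse_fw_line, firewall_log)
               if r["src_ip"] == alert["host_ip"] and in_window(r["ts"])]
    # Lateral movement: admin-protocol connections from this host to other private hosts
    lateral = [r for r in fw_hits
               if r["dst_port"] in LATERAL_PORTS and ip_address(r["dst_ip"]).is_private]

    findings = {"running_pids": sorted(bad_pids), "persistence": persistence,
                "connections": connections, "recent_files": recent,
                "firewall_hits": fw_hits, "lateral_movement": lateral}
    # "AV removed it" is not a reason to close: escalate on any sign of activity.
    active = bool(bad_pids or persistence or connections or lateral)
    findings["verdict"] = "escalate" if active else "close (quarantine confirmed, no activity seen)"
    return findings


# Constructed sample alert and endpoint snapshot (hypothetical host WS-0421)
T = datetime(2016, 5, 3, 9, 15)
BAD = r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe"
ALERT = {"host": "WS-0421", "host_ip": "10.20.30.41", "file_path": BAD,
         "detected_at": T, "av_removed": True}
SNAPSHOT = {
    "processes": [{"pid": 4120, "image": BAD, "parent_pid": 812},
                  {"pid": 812, "image": r"C:\Windows\explorer.exe", "parent_pid": 1}],
    "persistence": [{"type": "Run key", "name": "Updater", "command": BAD + " -s"},
                    {"type": "Scheduled task", "name": "Backup",
                     "command": r"C:\Program Files\Backup\backup.exe /nightly"}],
    "connections": [{"pid": 4120, "remote": "198.51.100.23:443", "state": "ESTABLISHED"},
                    {"pid": 812, "remote": "10.20.30.5:445", "state": "ESTABLISHED"}],
    "recent_files": [{"path": BAD, "created": T - timedelta(minutes=2)},
                     {"path": r"C:\Users\jdoe\AppData\Roaming\cfg.dat",
                      "created": T + timedelta(minutes=1)},
                     {"path": r"C:\Users\jdoe\Documents\report.docx",
                      "created": T - timedelta(days=3)}],
}
FIREWALL_LOG = [  # constructed lines, UTC
    "2016-05-03T08:00:00Z ALLOW 10.20.30.41:51000 -> 10.20.30.5:53",
    "2016-05-03T09:14:50Z ALLOW 10.20.30.41:51022 -> 198.51.100.23:443",
    "2016-05-03T09:16:10Z ALLOW 10.20.30.41:51030 -> 10.20.30.57:445",
]

if __name__ == "__main__":
    for key, value in triage_av_alert(ALERT, SNAPSHOT, FIREWALL_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the verdict is "escalate": the quarantined file is still running as PID 4120, a Run key relaunches it, it holds an outbound connection, a file was dropped a minute after detection, and the host opened SMB to another internal machine within the window. Each step mirrors one line of the manual checklist and runs in seconds, which is the time the deck says analysts do not have; the recent-file and memory questions from the notes are deliberately left for the human, since the automation only narrows where they should look.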
Speaker notes: The Problem
We should say something about this number usually being after filtering, AKA prioritization.
Should we add another slide about 90% or more of the attacks being commodity? We can show our statistics.
Even if we have a way to remove 95% of the noise, it’s still not manageable.