If We Only Had the Time: How Security Teams Can Focus On What’s Important

Intelligent Security Orchestration and Automation hexadite.com
If We Only Had the Time:
How Security Teams Can Focus On What’s Important
Barak Klinghofer, Co-Founder and Chief Product Officer, Hexadite

Session
Overview
• Background
• Example 1: Alert from C&C Connection
• Example 2: Alert from Antivirus
• The Problem: Alert Volume and Resources
• Automating the 2 Previous Examples
• What to do with Your Newly Found Time
• Wrap Up

Barak Klinghofer
CURRENT
PREVIOUS
What I Did Why It Matters
My Background
Our entire reason for existing is to minimize
the time to investigate and remediate.
Lead technology strategy for a company
focused on going from alert to remediation in
minutes at scale.
Co-Founder &Chief Product
Officer, Hexadite
Cyber Solutions Architect
Elbit Systems
Senior Security Consultant
COMSEC
Elite Intelligence Unit
Israeli Defense Forces
Designed solutions for both public and private
sectors, and trained personnel in National
Cyber Security centers.
Reviewed companies’ security polices and
technologies for global organizations.
Helped in building a security team from the
ground up. From 0 to 100 in 4 years.
I’ve designed training systems to teach
cyber analysts how to rigorously investigate
and remediate cyber threats.
I understand how companies in all industries
approach cybersecurity and helped them
increase their security posture.
I worked hands-on to build a team to take on
IR challenges with high stakes.

Example 1:
Alert from
C&C
Connection

Alert from FireEye (C&C)
Begin Investigating
Alert
Accessing Endpoint Analyze Installed
Services and Drivers
Analyze Persistency Methods
10 Min. 17 Min. 1.5 Hr. 1.8 Hr.
15 Min. 28 Min. +Days
Search for Lateral Movement
Identify Endpoint Upload Forensics
Tools
Analyze Running
Processes
33 Min.
52
Min.
Analyze Open
Connections
1.6 Hr.
Analyze Recently
Created Files
1.9 Hr.
Analyze Installed
Certificates
Create Firewall
Block Rules
2 Hr.

Example 2:
Alert from
AV

Alert from AV
Begin Investigating
Alert
Locate malicious file Analyze Installed
Services and Drivers
Analyze Persistency Methods
10 Min. 20 Min. 1.5 Hr. 1.8 Hr.
15 Min. 21 Min. +Days
Finish Investigation
Access Endpoint Upload Forensics
Tools
Analyze Running
Processes
22 Min.
52
Min.
Analyze Open
Connections
1.6 Hr.
Analyze Recently
Created Files
1.9 Hr.
Search Firewall
Logs
Search for
Lateral Movement
2 Hr.
Email Alert

Intelligent Security Orchestration and Automation hexadite.comIntelligent Security Orchestration and Automation hexadite.com
Every Day
• How may of these ”easy” use cases do you see a day
within your organization?
• From our experience, SMEs see about 10-20 daily
• But what about all the rest?

The problem is the
increase in attacks.
The problem is the
increase in alerts.Source: EMA Research
The Problem

The Problem
• One cyber analyst can handle
roughly 10 alerts per day
• That’s 300 per month (…but
they generally take weekends
off)
• You’d need 150 cyber analysts
working 8 hr shifts to keep up 7
days a week
• That’s just with current alert
volume
• That won’t work
• This is what 500 alerts/day
looks like
• That’s 15,000 per month
• That’s a lot

Even 5% is Too Much
• One cyber analyst can handle
roughly 10 alerts per day
• You would still need 3 analysts
to handle just the critical alerts
• That’s after you’ve spent time
filtering, prioritizing
• Even if you’re able to filter out
95%, you’re still left with 25
critical alerts per day
• That’s 750 per month

Even 5% is Too Much
Even if 95% of alerts are commodity/benign, the 5% is still too
much to handle.

DEMO: Automating the Two Examples

What to do
with Your
Newly Found
Time

What to Do with Your Newly Found Time
• Optimize your process and methodology
• Analyze what’s falling through the cracks
• Customize your detection mechanisms
• Risk assessment – Go back and identify the gaps

Optimize your process and methodology
• Constant improvement
• Change your mindset from reactive to proactive
• When was the last time you reviewed your security
policy?
• How can you get your security policy to be more
business-oriented?
• What are you currently doing wrong? (We all have
things that we can and should change)

Analyze what’s falling through the cracks
• An automatic solution will never be able to do 100% of
the work
• Randomly double-check the automatic process, if
something is found update the process, keep improving
• Validate what was found
• Hunt!

Customize your detection mechanisms
• You now have a huge team to do the work, go back
review the statistics, recalibrate you detection solutions.
• Re-think prioritization, make sure it is needed
• What else did you pay for and never use?

Risk assessment –Identify the gaps
• It’s time to go back to the basics - Based on the results
where should we invest more, what is the right move?
• Business enablement should be always on our radar

Wrap-Up

Thank You!

If We Only Had the Time: How Security Teams Can Focus On What’s Important

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

En vedette

En vedette (15)

Similaire à If We Only Had the Time: How Security Teams Can Focus On What’s Important

Similaire à If We Only Had the Time: How Security Teams Can Focus On What’s Important (20)

Plus de Nathan Burke

Plus de Nathan Burke (8)

Dernier

Dernier (20)

If We Only Had the Time: How Security Teams Can Focus On What’s Important

Notes de l'éditeur