
Stellar Cyber for SOC Analysts: Workflow

Initial Workflow
© 2021 Stellar Cyber, Inc.
Traditional SOC Workflow

1. Collect Triggered Rules
2. Automated Analysis
3. Validation & Manual Analysis
4. Create Case
5. Respond
6. Document
7. Improve the process

(Diagram: SOC Level 1, Level 2 and Level 3 tiers, each deciding whether to Escalate or Respond; Cases are created at the higher tiers and tracked through Respond to Close.)


Leverage Machine Learning to Elevate Level 1

▪ Purpose of Level 1 Analyst: Triage
▪ ML and Rules perform 24x7
▪ Alerts form the base
▪ Incidents provide wider scope


Alert & Incident Workflow

▪ Alert Event Score – first filter
• Severity modified by Fidelity & TI
• XDR Kill Chain as shortcut
▪ Case Tracking system useful for tracking and coordinating activities across teams
▪ During Investigation, add Alerts to Incidents

(Diagram: Stellar Cyber Alert Creation and Incident Creation feed the SOC, which decides whether to Escalate or Respond; Cases track the work through Escalation to Close.)


Focus on “Big Rocks”

▪ Work Right to Left
▪ Limit Alert Score for first pass
• Iterative Process
▪ Avoid Duplicate Effort with Event Status Filter


All Alerts Page


Alert Type Pages

▪ Note: Searches and Filters are maintained
▪ Bottom of page: the Alerts


Alert Panel

▪ Interflow -> Evidence
▪ Summary at top
• Alert score (Severity, modified by Fidelity and Threat Intel)
• Frequency change (0 means <0.5)
▪ Details of Request and Response
▪ Enrichment included
▪ Searchable, readable


Internal vs. External Alert Types

▪ It matters where activities take place
• External IP / Port Scan – Initial Attempts, “knocking at the door”
• Internal IP / Port Scan – Exploration, beginning of Lateral Movement
• Affects SOC prioritization
▪ Some Alert Types are only External
• User Login Location Anomaly
▪ Some Alert Types are only Internal
• RDP Suspicious Logon Attempt


Internal User Login Failure Anomaly

▪ XDR Kill Chain location
▪ ATT&CK Tactic and Technique
▪ Quick description of Alert Type
▪ Light Bulb to jump to Documentation
• Documentation links to MITRE ATT&CK pages for Tactic and Technique


External User Agent Anomaly

▪ XDR Tactics and Techniques by Stellar Cyber’s Security Research Team
▪ Extending MITRE ATT&CK
• Tactic: XDR NBA
• Technique: XDR User Agent Anomaly


Alert Details: Actions

▪ Alternative to Bulk Actions
▪ Overlap in Event Status & Comments
▪ Create a Case
• Trigger an Email
• External Action > Run a Script
▪ Other External Actions?
• Issue of Policy and Contracts
• Are Connectors Configured?


Bulk Actions

▪ Your organization will have specific policies
• When to Escalate, How Cases are handled, What Response Actions are appropriate
▪ Set status to In Progress
▪ Set Assignee (or use Comments, or add to Incident)


Initial Workflow Review

▪ Leverage ML to triage Raw Events into Alerts
▪ Leverage Filters to focus on most significant Alerts
• Iterative process
▪ Leverage Event Status to reduce duplicate work
▪ Leverage Bulk Edits

(Diagram: Raw Events → Alert Creation → Incident Creation → SOC, which decides whether to Escalate or Respond; Cases track the work.)

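The initial workflow as one worked example: a score-limited first pass worked from the highest score down, the cut-off lowered pass by pass, the Event Status filter keeping alerts another analyst already owns out of the view, and a bulk edit that sets status and assignee on what is taken. This is an added illustration in Python, not Stellar Cyber code or any API of the platform; the Alert fields, the 0-100 score scale, the status names, the thresholds and the queue contents are assumptions constructed for the example.

```python
"""First-pass alert triage as an iterative, right-to-left sweep.

Added illustration; not Stellar Cyber code. The field names, the 0-100
score scale, the status vocabulary and the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Statuses that mean someone already picked the alert up or finished it.
# Filtering them out is the "Event Status filter" that avoids duplicate work.
ALREADY_HANDLED = {"In Progress", "Closed", "Ignored"}


@dataclass
class Alert:
    alert_id: str
    alert_type: str
    score: int                  # Severity, modified by Fidelity and TI (assumed 0-100)
    status: str = "New"
    assignee: Optional[str] = None


def sample_queue() -> List[Alert]:
    """Constructed All Alerts queue (not real data); two alerts are already owned."""
    return [
        Alert("a1", "External IP / Port Scan", 35),
        Alert("a2", "Internal User Login Failure Anomaly", 82),
        Alert("a3", "RDP Suspicious Logon Attempt", 91, "In Progress", "bob"),
        Alert("a4", "External User Agent Anomaly", 64),
        Alert("a5", "Internal IP / Port Scan", 77),
        Alert("a6", "User Login Location Anomaly", 58, "Closed", "ann"),
        Alert("a7", "RDP Suspicious Logon Attempt", 88),
    ]


def first_pass(alerts: List[Alert], min_score: int) -> List[Alert]:
    """Right-to-left view: unowned alerts at or above min_score, highest first."""
    return sorted(
        (a for a in alerts
         if a.score >= min_score and a.status not in ALREADY_HANDLED),
        key=lambda a: a.score,
        reverse=True,
    )


def bulk_take(alerts: List[Alert], assignee: str) -> List[str]:
    """Bulk action: set status to In Progress and the assignee; returns ids touched."""
    for a in alerts:
        a.status = "In Progress"
        a.assignee = assignee
    return [a.alert_id for a in alerts]


def iterative_triage(alerts: List[Alert], analyst: str,
                     thresholds=(80, 60, 40), capacity: int = 4) -> List[str]:
    """Lower the score cut-off pass by pass until the analyst's capacity is used.
    Because bulk_take changes the status, an alert taken in an earlier pass
    never reappears in a later one."""
    taken: List[str] = []
    for cutoff in thresholds:
        for alert in first_pass(alerts, cutoff):
            if len(taken) >= capacity:
                return taken
            taken += bulk_take([alert], analyst)
    return taken


if __name__ == "__main__":
    queue = sample_queue()
    print("taken:", iterative_triage(queue, "ann"))          # ['a7', 'a2', 'a5', 'a4']
    print("still open:", [a.alert_id for a in first_pass(queue, 0)])  # ['a1']
```

Note that a3 (score 91) never appears in the sweep even though it is the highest-scored alert in the queue: it is already In Progress for another analyst, which is exactly the duplicate effort the status filter is meant to remove.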


Incidents
Incidents – A group of related Alerts

▪ Goal: Address Alert Fatigue
▪ Alerts related using Graph ML (AI)
▪ Incident represents an attack
▪ Groups many lower scored Alerts
• High score Alerts should still be addressed
▪ Also able to manually group Alerts


Graph ML

▪ Based on Graph Theory: nodes, relationships (edges)
▪ Graph ML finds interesting relationships in big data


Incident Progression

▪ Alerts are found to be related
• Relationships by Entities, Signals, Raw Events, Alerts
▪ More related Alerts created
• Incident Score increases
▪ SOC takes Action
• Contain Host, Block on Firewall
▪ Remediation / Cleanup (as needed)
▪ Close Incident, close case

(Diagram: timeline T1–T4 of Alerts arriving over the Underlying Attack, followed by Response.)

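A worked example of the grouping the Incidents, Graph ML and Incident Progression slides describe: observables (user, host, external_host, url, ...) are graph nodes, each alert is an edge joining the observables it mentions, a connected component of that graph is an incident, the incident takes its default name from the first alert added, and the incident score rises as related alerts arrive while high-score alerts are still surfaced on their own. This is an added illustration in Python, not Stellar Cyber's Graph ML or any platform API; the union-find grouping, the scoring rule (strongest alert plus 5 per additional related alert, capped at 100), the thresholds and the sample alerts are assumptions constructed for the example.

```python
"""Group related alerts into incidents over a graph of observables.

Added illustration, not Stellar Cyber's Graph ML. The grouping rule
(connected components of the observable graph), the scoring rule and the
sample alerts are assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Observable = Tuple[str, str]   # (kind, value), e.g. ("host", "db-01")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    alert_type: str
    score: int                                # assumed 0-100 scale
    observables: Tuple[Observable, ...]


def sample_alerts() -> List[Alert]:
    """Constructed alerts (not real data): one multi-step attack and two strays."""
    return [
        Alert("a1", "External IP / Port Scan", 30,
              (("external_host", "203.0.113.9"), ("host", "web-01"))),
        Alert("a2", "External User Agent Anomaly", 45,
              (("external_host", "203.0.113.9"), ("host", "web-01"),
               ("url", "/wp-login.php"))),
        Alert("a3", "Internal IP / Port Scan", 55,
              (("host", "web-01"), ("host", "db-01"))),
        Alert("a4", "RDP Suspicious Logon Attempt", 90,
              (("host", "db-01"), ("user", "svc_backup"))),
        Alert("a5", "User Login Location Anomaly", 70,
              (("user", "j.doe"), ("external_host", "198.51.100.7"))),
        Alert("a6", "Internal User Login Failure Anomaly", 40,
              (("user", "m.roe"), ("host", "fs-02"))),
    ]


class DisjointSet:
    """Union-find over observables; two observables share a set when some
    alert (an edge) mentions both, directly or through other alerts."""
    def __init__(self) -> None:
        self.parent: Dict[Observable, Observable] = {}

    def find(self, x: Observable) -> Observable:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: Observable, b: Observable) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def incident_score(alerts: List[Alert]) -> int:
    """Assumed rule: strongest alert, +5 per additional related alert, capped at 100."""
    return min(100, max(a.score for a in alerts) + 5 * (len(alerts) - 1))


def build_incidents(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Connected components of the observable graph, keyed by the id of the
    first alert added (the deck's default incident name)."""
    ds = DisjointSet()
    for a in alerts:
        for ob in a.observables[1:]:
            ds.union(a.observables[0], ob)
    groups: Dict[Observable, List[Alert]] = defaultdict(list)
    for a in alerts:                       # insertion order = arrival order
        groups[ds.find(a.observables[0])].append(a)
    return {g[0].alert_id: g for g in groups.values()}


def score_progression(alerts: List[Alert]) -> List[int]:
    """Score of the first alert's incident after each alert arrives (T1, T2, ...)."""
    seen, out = [], []
    for a in alerts:
        seen.append(a)
        out.append(incident_score(build_incidents(seen)[alerts[0].alert_id]))
    return out


def triage(alerts: List[Alert], incident_threshold: int = 60,
           alert_threshold: int = 80):
    """Incidents worth opening plus alerts handled immediately on their own score."""
    incidents = build_incidents(alerts)
    hot = {name: incident_score(g) for name, g in incidents.items()
           if incident_score(g) >= incident_threshold}
    immediate = [a.alert_id for a in alerts if a.score >= alert_threshold]
    return hot, immediate


if __name__ == "__main__":
    print(score_progression(sample_alerts()))   # [30, 50, 65, 100, 100, 100]
    print(triage(sample_alerts()))               # ({'a1': 100, 'a5': 70}, ['a4'])
```

The progression shows the point of the Incident Progression slide: alerts a1 and a2 on their own would sit below most first-pass cut-offs, but once a3 and a4 extend the chain from the external scanner through web-01 to db-01 the incident named after a1 carries the full picture, and a4 (score 90) is still handled immediately as an alert in its own right.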


Incident Properties

▪ User adjustable Name – default is the name of the first Alert added
▪ Incident ID – Tenant name and sequential number
▪ Status – New, In Progress, Cancelled, Resolved
▪ Priority – Assigned by organization
▪ Assignee – from Users on system
▪ Tags
▪ Summary – generated by Stellar Cyber
▪ Description – added by users
▪ Metrics


Incident Analyze Window

▪ Displays the Graph of the Incident
▪ Observables (some vendors call these artifacts)
• User
• Host
• External_host
• Service
• URL
• File
• Process
• Registry
▪ Timeline


Alerts & Incidents Used Together

▪ Analyst pulls Alerts and Incidents
• High score Alerts pulled immediately
• Incidents aggregate Alerts
▪ Different Organizations will have different thresholds
• Which Alerts are handled immediately
• What Incident Score to consider
▪ Alert & Incident workflow separate
▪ Incidents provide context for Alerts

(Diagram: Alert Creation and Incident Creation both feed the SOC.)


Incident Workflow
Incidents Dashboard

▪ Grid View or Table View
▪ One click navigation
▪ Quick Filters
• Priority (default Medium)
• Assignee
• Tags (don’t overdo it)


Set Status and Assign

▪ Assign It
• Create a User as a Queue?
▪ Adjust Priority (if needed)
▪ When Analysis begins, set Status to In Progress
▪ Description for notes
▪ Consider policy for renaming Incidents
▪ Consider policy for when to mark Resolved / Cancelled
• Too soon, no grouping


Propagating to Alerts in Incident



Investigation Workflow
Focus on “Big Rocks”

▪ Work Right to Left
▪ Focus on Status: In Progress
▪ Focus on Assigned Alerts?
▪ Clear other filters
▪ Some teams prefer Custom Dashboard


Alert Details

▪ Via More Info for Alert
1. Check Overview
2. Check Key Fields


Alert Details – Additional Information

4. Use the various tools to gain more context (if needed)
a. Watch your Filters and Queries
b. Src IP and Dst IP are keys
5. Dive into Interflow record
6. Review Original Records (if available)
7. Remember your other tools
a. http://google.com/safebrowsing/diagnostic?site=?
b. https://www.shodan.io/


Take Action

▪ Add Comments, or email Case system (as defined by your policy)
▪ Limit further damage
• Connectors available?
• Know your network
▪ Close Alert
• Define your policy
• Status: Ignored – no actions taken
• Status: Closed – actions taken
• Track Recovery Phase in Case


Incident Investigation Workflow
Analyze Workspace - Observables

▪ Everything grouped
▪ Quick pivot to related details
▪ Diagram of Observables (artifacts)
• User
• Host
• External_host
• Service
• URL
• File
• Process
• Registry
▪ Connected by Alerts (edges)


Analyze Workspace - Timeline

▪ Focus on Alerts
▪ Icon for Alert Detail window
▪ Or use Alerts Workspace
• Bulk Actions
– Comments
– Remove from Incident
• Policy question: mark Alerts as status “In Progress”?


Take Action

▪ Actions taken at Alert level
• Tenant requirements still apply
▪ Alert history consistent


Close Out Incident

▪ Define your policy
▪ Status: Cancelled – no actions taken
▪ Status: Resolved – actions taken
▪ Track Recovery Phase in Case


www.stellarcyber.ai