Chasing Alerts
16 April 2019
#CiscoConnectSG
From Chasing Alerts to Hunting Threats
What makes an Effective SOC is Evolving
Peter Baurichter
Manager ASEAN Security Services, Cisco
Security challenges go deeper than technology
2 million cybersecurity positions are projected to go unfilled by 2019*
[Chart: breach impact over time; early detection means low impact]
Industry average detection time for a breach
Industry average time to contain a breach
Average cost of a data breach
Threat Centric
• Analyst tasks
• Consuming constituency data
• Creating SIEM rules
• Advanced security analytics
• Advanced case management
• Threat hunting
Threat Centric (evolved)
• Automation + threat intelligence consumption
• Programming the requirements
• Advanced reporting: KPIs, KRIs
• Enhanced threat detection and response
• Threat hunting and deception
We believe security systems should empower your people to investigate and respond to threats faster.
SOC Architecture [diagram: HQ, Network, Data Center, Roaming Users, Admin]
Evaluate, build and maintain a successful SOC with Cisco SOC Advisory Services
• Strategy: assessments and planning to guide development
• Architecture and design
• Testing to ensure effectiveness
Reference SOC Architecture
External sources: CERT(s), dark web, local agencies, social networks, foreign agencies, major institutes
SOC functions: engineering, development, governance, service management
Accelerate your SOC with Cisco Security technologies
Why is automation critical in today’s SOC?
Automation of the SOC aims to streamline a series of time-consuming, repetitive, manual tasks into cohesive, automated playbooks.
Automating the SOC Tasks
Task areas: escalation and notification; case management; analysis and investigation; automation; data enrichment
Example manual flow today:
1. A high alert is generated.
2. An L1 analyst attends the alert.
3. The analyst accesses Microsoft AD to retrieve user information.
4. The analyst retrieves threat intel information about a URL (VirusTotal).
5. The analyst opens a case and assigns it to L2.
• What if we can save 10 minutes per alert?
• How many alerts can we optimize?
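The five-step flow above is what a playbook automates. The following is an added example, not code from the slides or from Cisco: it runs the same steps (enrich the user, enrich the URL, decide, open a case, assign) for a batch of alerts and reports how many never needed an analyst. The directory (Microsoft AD) and URL reputation (VirusTotal) lookups are replaced by constructed in-memory tables so it runs offline; the function names, priorities, the 5-engine threshold and the 10-minute figure per alert are assumptions.

```python
"""Added example: an automated version of the L1 triage flow described on
the slide. Directory and URL-reputation sources are constructed stand-ins;
all names, thresholds and priorities are assumptions, not Cisco's."""
from dataclasses import dataclass, field

# Constructed stand-in for the directory lookup the analyst does by hand in AD.
DIRECTORY = {
    "jdoe": {"display_name": "Jane Doe", "department": "Finance", "privileged": False},
    "svc-backup": {"display_name": "Backup Service", "department": "IT", "privileged": True},
}

# Constructed stand-in for a URL reputation feed: per-URL engine verdict counts.
URL_INTEL = {
    "http://malicious.example/payload.exe": {"malicious": 23, "harmless": 40},
    "https://intranet.example/portal": {"malicious": 0, "harmless": 70},
}

MALICIOUS_ENGINES = 5          # assumed: this many flags counts as malicious
MANUAL_MINUTES_PER_ALERT = 10  # assumed: analyst time spent on the lookups


@dataclass
class Alert:
    alert_id: str
    severity: str   # "high", "medium" or "low"
    user: str       # account named in the alert
    url: str        # URL the account was seen contacting


@dataclass
class Case:
    alert_id: str
    assigned_to: str   # "L2" when escalated, "auto-closed" when nothing was found
    priority: str      # "P1" (highest) to "P4"
    enrichment: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def enrich_user(username):
    """Data enrichment: what the analyst would read out of the directory."""
    unknown = {"display_name": "unknown", "department": "unknown", "privileged": False}
    return DIRECTORY.get(username, unknown)


def enrich_url(url):
    """Data enrichment: reputation verdict for the URL, or None if the feed has none."""
    return URL_INTEL.get(url)


def decide(alert, user_info, url_intel):
    """Analysis: returns (assignee, priority, note) for the case."""
    if url_intel is None:
        # No verdict either way: a human still has to look, but not as a P1.
        priority = "P3" if alert.severity == "high" else "P4"
        return "L2", priority, "no reputation data for URL; manual review required"
    if url_intel["malicious"] >= MALICIOUS_ENGINES:
        # Confirmed-bad destination: a privileged account gets the top priority.
        priority = "P1" if user_info["privileged"] else "P2"
        return "L2", priority, f"{url_intel['malicious']} engines flag the URL as malicious"
    return "auto-closed", "P4", "URL reputation is clean"


def run_playbook(alert):
    """Runs enrichment, decision and case creation for one alert."""
    user_info = enrich_user(alert.user)
    url_intel = enrich_url(alert.url)
    assignee, priority, note = decide(alert, user_info, url_intel)
    return Case(alert.alert_id, assignee, priority,
                enrichment={"user": user_info, "url": url_intel}, notes=[note])


def triage_batch(alerts):
    """Escalation for a batch, plus the slide's 'minutes saved per alert' question."""
    cases = [run_playbook(a) for a in alerts]
    escalated = sum(1 for c in cases if c.assigned_to == "L2")
    return {
        "cases": cases,
        "escalated_to_l2": escalated,
        "auto_closed": len(cases) - escalated,
        "analyst_minutes_saved": len(cases) * MANUAL_MINUTES_PER_ALERT,
    }


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert("A-1", "high", "jdoe", "http://malicious.example/payload.exe"),
        Alert("A-2", "high", "svc-backup", "http://malicious.example/payload.exe"),
        Alert("A-3", "high", "jdoe", "https://intranet.example/portal"),
        Alert("A-4", "high", "jdoe", "http://never-seen.example/"),
    ]
    summary = triage_batch(sample)
    for case in summary["cases"]:
        print(case.alert_id, case.assigned_to, case.priority, case.notes[0])
    print("escalated:", summary["escalated_to_l2"],
          "minutes saved:", summary["analyst_minutes_saved"])
```

The point worth noticing is the unknown-URL branch: an automated playbook must route "no data" to a human rather than treating it as clean, otherwise the time saved is paid for in missed alerts.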
Playbooks: run courses of action for your security team with a simple click.
Decision: execute a playbook automatically or manually.
Threat hunting process:
1. Formulate a hypothesis.
2. Look for it in the environment.
3. Research and optimize.
4. If proven, pivot and expand the scope; follow the hunting process.
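The loop above, run over a constructed proxy log, as an added example (not from the slides or from Cisco): the hypothesis is "some workstation contacted this suspicious domain"; the search checks the environment; when the hypothesis is proven, the hunt pivots on the users involved and expands the scope to destinations it did not know about, then repeats until nothing new turns up. The research-and-optimize step stays with the analyst. Log lines, domains, the allowlist and all function names are constructed assumptions.

```python
"""Added example: hypothesis -> search -> pivot hunting loop over a
constructed proxy log. Nothing here is Cisco code; all data is made up."""

# Constructed proxy log: timestamp, user, source host, destination domain.
PROXY_LOG = """\
2019-04-16T09:01:02Z jdoe   ws-101 intranet.example
2019-04-16T09:03:10Z jdoe   ws-101 updates.example
2019-04-16T09:05:44Z jdoe   ws-101 bad-cdn.example
2019-04-16T09:06:01Z asmith ws-202 intranet.example
2019-04-16T09:07:30Z asmith ws-202 bad-cdn.example
2019-04-16T09:09:12Z asmith ws-202 staging.evil.example
2019-04-16T09:11:00Z bwong  ws-303 intranet.example
2019-04-16T09:12:45Z jdoe   ws-104 staging.evil.example
"""

# Constructed: business-as-usual destinations that are never worth pivoting on.
ALLOWLIST = {"intranet.example", "updates.example"}


def parse_log(text):
    """Turns the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, dest = line.split()
        events.append({"ts": ts, "user": user, "host": host, "dest": dest})
    return events


def search(events, indicators):
    """'Look for it in the environment': every event that hits a current indicator."""
    return [e for e in events if e["dest"] in indicators]


def pivot(events, users, indicators, allowlist):
    """'Pivot and expand the scope': other non-allowlisted destinations the same
    users contacted become indicators for the next round."""
    new = set()
    for e in events:
        if e["user"] in users and e["dest"] not in indicators and e["dest"] not in allowlist:
            new.add(e["dest"])
    return new


def hunt(events, hypothesis_indicator, allowlist, max_rounds=5):
    """Runs the loop until the hypothesis fails or the scope stops growing."""
    indicators = {hypothesis_indicator}
    users, hosts = set(), set()
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        hits = search(events, indicators)
        if not hits:
            break  # hypothesis not proven in this environment
        users |= {e["user"] for e in hits}
        hosts |= {e["host"] for e in hits}
        new_indicators = pivot(events, users, indicators, allowlist)
        if not new_indicators:
            break  # nothing left to expand into
        indicators |= new_indicators
    return {
        "proven": bool(users),
        "users": users,
        "hosts": hosts,
        "indicators": indicators,
        "rounds": rounds,
    }


if __name__ == "__main__":
    result = hunt(parse_log(PROXY_LOG), "bad-cdn.example", ALLOWLIST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed log the first round proves the hypothesis on two workstations, the pivot surfaces a second domain the same users contacted, and the second round finds a third workstation that only ever touched that second domain, which is what "expand the scope" buys over a single indicator search. The `max_rounds` cap and the allowlist are what keep the pivot from swallowing the whole environment.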
[Slide labels: Proactive; Emergency; On-Demand; During an incident]
• Millions of telemetry; deep telemetry agents
• Seasoned investigators
• 4 global data centers
• Law enforcement interaction
• Deep & dark web research
• 100+ threat intelligence partners
• Reverse engineer malware; signature creation
• 1100+ threat traps
• Collaboration