16 April 2019
#CiscoConnectSG
From Chasing Alerts to Hunting Threats
What makes an Effective SOC is Evolving
Peter Baurichter
Manager ASEAN Security Services, Cisco
Security challenges go deeper than technology
2 million cybersecurity positions are projected to go unfilled by 2019*
[Figure: early detection means low impact; impact grows with time. Three statistics were shown: industry average detection time for a breach, industry average time to contain a breach, and average cost of a data breach. The figures themselves are not in the extracted text.]
Threat Centric SOC capabilities:
• Analyst task automation
• Creating SIEM rules (programming the requirements)
• Advanced security analytics
• Advanced reporting: KPIs, KRIs
• Enhanced threat detection and response
• Advanced case management
• Threat hunting and deception
We believe security systems should empower your
people to investigate and respond to threats faster
[Diagram: coverage across HQ, Network, Data Center, Roaming Users and Admin]
SOC Architecture
Evaluate, build and maintain a successful SOC with Cisco SOC Advisory Services:
• Strategy: assessments and planning to guide development
• Architecture and design
• Testing to ensure effectiveness
Reference SOC Architecture
External intelligence sources: CERT(s), dark web, local agencies, social networks, foreign agencies, major institutes
Supporting functions: service management, engineering, development, governance
Accelerate your SOC
with Cisco Security technologies
Why is automation critical in
today’s SOC?
SOC automation streamlines a series of time-consuming, repetitive, manual tasks into cohesive, automated playbooks.
Automating the SOC Tasks
Task categories: escalation and notification; case management; analysis and investigation; automation; data enrichment.
Today's manual handling of one alert:
1. A high-severity alert is generated.
2. An L1 analyst attends the alert.
3. The analyst queries Microsoft AD to retrieve information about the user.
4. The analyst retrieves threat intelligence about the URL (e.g. from VirusTotal).
5. The analyst opens a case and assigns it to L2.
• What if we can save 10 minutes per alert?
• How many alerts can we optimize?
PLAYBOOKS TO RUN COURSES OF ACTION FOR YOUR SECURITY TEAM WITH A SIMPLE CLICK
DECISION: execute the playbook automatically or manually.
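The five manual steps above, as an added example of what the automated playbook does instead. This is illustrative code written for this page, not Cisco's product or any SOAR vendor's API: the AD directory, the VirusTotal-style URL verdicts, the account names, the 10% detection threshold and the P1/P2/P3 scoring are all constructed assumptions so that it runs offline.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the two lookups the analyst does by hand
# (Active Directory user record; VirusTotal-style detections/engines for a URL).
# Not real data; a SOAR would replace these with the real connectors.
AD_DIRECTORY = {
    "jdoe": {"department": "Finance", "privileged": False, "enabled": True},
    "svc-backup": {"department": "IT", "privileged": True, "enabled": True},
}
URL_REPUTATION = {
    "http://invoice-update.example/login": (37, 70),
    "https://intranet.example.com/": (0, 70),
}
MALICIOUS_RATIO = 0.10   # assumed threshold: >=10% of engines flag the URL


@dataclass
class Alert:
    alert_id: str
    severity: str        # "low" | "medium" | "high", as set by the SIEM
    user: str
    url: str


@dataclass
class Case:
    alert_id: str
    priority: str        # P1..P3
    assigned_to: str     # "L1" or "L2"
    enrichment: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def enrich_user(username):
    """Data enrichment: the AD lookup the L1 analyst would do manually."""
    rec = AD_DIRECTORY.get(username)
    if rec is None:
        return {"known": False, "privileged": False}
    return {"known": True, **rec}


def enrich_url(url):
    """Analysis: reputation of the URL in the alert (detections / engines)."""
    hits, total = URL_REPUTATION.get(url, (0, 0))
    ratio = hits / total if total else 0.0
    return {"detections": hits, "engines": total, "malicious": ratio >= MALICIOUS_RATIO}


def run_playbook(alert):
    """Escalation, notification and case management decided from the enrichment.
    Scoring is illustrative: SIEM severity and a bad URL verdict weigh most;
    a privileged or unknown user raises the score further."""
    user = enrich_user(alert.user)
    url = enrich_url(alert.url)
    score = 0
    if alert.severity == "high":
        score += 2
    if url["malicious"]:
        score += 2
    if user["privileged"]:
        score += 1
    if not user["known"]:
        score += 1          # an account AD does not know is itself suspicious
    priority = "P1" if score >= 4 else "P2" if score >= 2 else "P3"
    case = Case(alert.alert_id, priority, "L2" if priority == "P1" else "L1",
                {"user": user, "url": url})
    if priority == "P1":
        case.notifications.append(
            f"page L2 on-call: {alert.alert_id} user={alert.user} url={alert.url}")
    return case


if __name__ == "__main__":
    for a in [Alert("A-1", "high", "svc-backup", "http://invoice-update.example/login"),
              Alert("A-2", "high", "jdoe", "https://intranet.example.com/"),
              Alert("A-3", "low", "ghost", "https://intranet.example.com/")]:
        c = run_playbook(a)
        print(a.alert_id, c.priority, c.assigned_to, c.notifications)
```

The point of the example is the shape, not the weights: every lookup the analyst used to do by hand is a function call, the decision that used to live in the analyst's head is explicit and reviewable, and only P1 cases reach L2, which is where the saved minutes per alert come from.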
The hunting loop:
1. Formulate a hypothesis.
2. Look for it in the environment.
3. Research and optimize.
4. If proven, pivot and expand the scope; follow the hunting process and develop new detection content.
5. If not proven, optimize and go back.
Deception for Better Detection and Hunting
Focused on Internal Compromises
• Nothing superficial!
• Identify attacker lateral movement and reconnaissance activity targeting production-critical systems
• Embedded (deep) within the applications. Examples:
  • AD admin (honey) accounts with hashes available on systems in the network
  • SQL admin (honey) accounts with access to (honey) tables
  • etc.
• Deception should be linked with detection, hunting and response.
• The practice should be heavily governed!
• Possible source of "light" threat intelligence (IOCs and TTPs)
• Link that with the broad threat intelligence (e.g. decoy documents leaking outside the organization detected through TI, or decoy documents calling home!)
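An added example tying the hunting loop to the deception bullets above: the hypothesis is that nothing legitimate ever touches a honey account or honey table, so any use of one is attacker lateral movement or reconnaissance; the code looks for it in sample logs, pivots on the source host, extracts the "light" intel (IOCs and TTPs), and turns the proven hypothesis into standing detection content. This is written for this page, not Cisco's code; the honey identities, the log lines and the Sigma-like rule layout are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy identities seeded per the examples above (hypothetical names).
HONEY_ACCOUNTS = {
    "ad-backupadmin": "honey AD admin account",
    "sql_dba_svc": "honey SQL admin account",
}
HONEY_TABLES = {"customers_cc_archive"}   # decoy SQL table the honey DBA can read

# Constructed log lines, not real telemetry: Windows logon events (4624 success,
# 4625 failure) and SQL audit records, flattened to key=value for the example.
SAMPLE_LOGS = [
    "2019-04-16T02:11:05Z host=FS01 event=4624 user=jdoe src=10.1.20.15 logon_type=3",
    "2019-04-16T02:14:41Z host=DC01 event=4625 user=ad-backupadmin src=10.1.20.77 logon_type=3",
    "2019-04-16T02:14:43Z host=DC01 event=4624 user=ad-backupadmin src=10.1.20.77 logon_type=3",
    "2019-04-16T02:20:09Z host=SQL01 event=sql_login user=sql_dba_svc src=10.1.20.77 db=erp",
    "2019-04-16T02:21:30Z host=SQL01 event=sql_query user=sql_dba_svc src=10.1.20.77 table=customers_cc_archive",
    "2019-04-16T03:00:00Z host=FS01 event=4624 user=svc-backup src=10.1.5.9 logon_type=5",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["ts"] = ts
    return ev


def hunt_honey_use(lines):
    """Steps 1-2 of the loop. Hypothesis: nothing legitimate ever touches a honey
    identity or honey table, so any use (even a failed logon) is attacker activity.
    Returns the matching events with the reason(s) they matched."""
    hits = []
    for line in lines:
        ev = parse(line)
        reasons = []
        if ev.get("user") in HONEY_ACCOUNTS:
            reasons.append(HONEY_ACCOUNTS[ev["user"]])
        if ev.get("table") in HONEY_TABLES:
            reasons.append("honey table access")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def derive_intel(hits):
    """Step 4: pivot. Group by source so the hunter can expand scope to everything
    that host did, and record the observed TTPs as 'light' threat intel."""
    by_src = defaultdict(set)
    ttps = set()
    for h in hits:
        by_src[h["src"]].add(h["host"])
        for r in h["reasons"]:
            ttps.add("credential use" if "account" in r else "data access")
    return {"iocs": {src: sorted(hosts) for src, hosts in by_src.items()},
            "ttps": sorted(ttps)}


def detection_rule(hits):
    """A proven hypothesis becomes standing detection content. The dict mirrors a
    Sigma-style rule (assumed shape), keyed on the honey users actually seen."""
    users = sorted({h["user"] for h in hits if h["user"] in HONEY_ACCOUNTS})
    return {"title": "Honey account used", "level": "high",
            "detection": {"selection": {"user": users}, "condition": "selection"}}


if __name__ == "__main__":
    found = hunt_honey_use(SAMPLE_LOGS)
    print(len(found), "hits;", derive_intel(found))
    print(detection_rule(found))
```

Two practical notes follow from the code: the failed logon (4625) is as valuable as the success, because a honey account has no legitimate user to mistype its password, and the governance bullet above matters precisely because the rule is only high-fidelity while the honey identities stay unused by admins and automation.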
What if?
About Us
The Cisco Security Incident Response Services team is comprised of an international
ensemble of seasoned cyber security professionals possessing extensive experience in a
variety of disciplines such as computer crime investigations, incident response, malware
analysis, threat intelligence and more.
Proactive services: Proactive Threat Hunting; IR Readiness Assessment; IR Plans & Playbooks; Table Top Exercise
Emergency services: Emergency Incident Response (contact with your dedicated senior IR professional within 4 hrs; deploy within 24 hrs)
A Winning Combination
• 350+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 100+ threat intelligence partners
• 1100+ threat traps
During an incident: deep telemetry, seasoned investigators, law enforcement interaction, deep and dark web research, reverse-engineering of malware, signature creation, collaboration on demand