Demisto - Confessions of A SOC Engineer

The document discusses the experiences of a SOC (Security Operations Center) engineer with implementing a Security Orchestration, Automation and Response (SOAR) platform. It describes how pre-SOAR, many tasks were manual and time-consuming, taking up 90% of analysts' time. With SOAR, workflows for common incidents like phishing, case management and Windows events were automated, reducing the average time spent per incident from 45 minutes to just 0-5 minutes. The engineer shares lessons learned about documenting use cases, change management, and tips for prioritizing integrations and dedicating resources to maximize SOAR benefits.

Confessions of a SOC Engineer

Housekeeping
• Ask questions by using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute
• Everyone will receive recording and slides by Friday, September 27
• Speakers
○ Devin Johnstone, Sr. SOC Engineer

○ Ron Eddings, Customer Success Manager


Our SOC Story
Palo Alto Networks SOC

OUR SERVICES
● THREAT MONITORING
● THREAT HUNTING
● INCIDENT RESPONSE

WE SUPPORT
● 6k EMPLOYEES
● 20k ENDPOINTS
● 13 DATA CENTERS
Day in the Life of a Legacy SOC

Too Many Investigations are Repetitive
● Low Fidelity Alerts
● Time-consuming Manual Tasks

Impact:
● Important threats missed
● Continuous firefighting
● 90%+ of analysts’ time spent responding to alerts
● Large SOC teams
● High analyst turnover
Life Before SOAR - Confessions
● Automation was custom-coded and not scalable

● Automation was not being developed by the SOC engineers

● Focus on analysis, minimal containment and remediation

● No case management, automated correlation, de-duplication


Life with SOAR
● 3 years of custom automation - migrated in 3 weeks!

● Every SOC Engineer is now a “developer”

● No more ServiceNow

● 100% automated - multiple IR workflows

● The 30% rule - analyst time spent responding to alerts


A Sampling of Alerts & Playbooks

Incident Types
1. Command and Control Alert
2. Airwatch Alert
3. Aperture Alert
4. AWS Alert
5. Okta Alert
6. WinEvent Alert
7. Tanium Signals Alert
8. Proofpoint Alert
9. Spoof Report
10. Traps/Wildfire Alert
11. General Test Alert
12. Redlock Playbook
13. RiskIQ Playbook

Other Support
1. InfoSec Mailbox Support
2. Security Disclosure Mailbox Support
3. PhishMe Tests
4. Hunting

Subplaybooks
1. Upon Trigger
   a. Calculate Severity
   b. Get JIRA ticket info
   c. Get user details
   d. Get host details
2. Analysis
   a. URL Enrichment
   b. Domain Enrichment
   c. User Enrichment
   d. Email Address Enrichment
   e. Host Enrichment
   f. Attachment Enrichment
   g. IP Enrichment
   h. Related email search
   i. Related log search
   j. Forensic capture
   k. Ask user a question
3. Containment
   a. Lock AD user account
   b. Lock AD service account
   c. EDL Block (IP/Domain/URL)
   d. PAN-DB re-categorization
   e. Block email sender
   f. Quarantine email
   g. Quarantine files
   h. Quarantine device
4. Eradication/Remediation
   b. Re-image request
   c. Search and destroy
   d. External website takedown
   e. Revoke physical badge access
   f. Kill sessions
5. Post-Incident
   a. Metrics incl. effort
   b. Record alert fidelity
   c. Timeline
What We Handle in the SOC
Use Case - Case Management
Case Management - Confessions

Pre SOAR
● ServiceNow developers with long development cycle
● Difficult to automate with SOAR
● Non-standard integration
● Multiple screens

With SOAR
● Instant changes
● Built-in de-duplication and correlation
● Improved collaboration and tracking of effort
Use Case - Phishing
Phishing - Confessions
Pre-SOAR
● Manual tasks: confirm evil with threat intel, correlate messages in the campaign, determine impact, quarantine/delete messages, block sender, classify/block URL, classify attachments, notify user, submit re-image request, reset credentials.
● Avg 45 minutes/incident
● 15 hours of phishing/month per SOC Engineer (9 FTE)

With SOAR
● Manual tasks 100% automated
● SOC Engineer kicks off as needed.
● Avg 0-5 minutes/incident
● Improves over time with machine learning

**On average, 175 phishing reports/month
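The subplaybook structure above (Upon Trigger, Analysis, Containment, Post-Incident) and the phishing manual tasks it replaces, as an added example that is not code from the deck or from Demisto: a minimal Python phishing playbook that correlates user reports into one campaign incident, calculates severity from enrichment verdicts, and lists the containment actions to run. The threat-intel verdicts and the reports are constructed stand-ins for the real URL/sender enrichment integrations.

```python
from dataclasses import dataclass

# Constructed threat-intel verdicts standing in for the URL and sender enrichment steps.
BAD_URLS = {"http://login-verify.example/reset"}
BAD_SENDERS = {"it-helpdesk@mail.example"}


@dataclass
class Report:
    """One user-submitted phishing report (constructed sample input)."""
    sender: str
    subject: str
    urls: list
    reporter: str


def correlate_campaign(reports):
    """De-duplicate reports: same sender and subject form one campaign incident."""
    campaigns = {}
    for r in reports:
        c = campaigns.setdefault((r.sender, r.subject), {
            "sender": r.sender, "subject": r.subject, "urls": set(), "reporters": set()})
        c["urls"].update(r.urls)
        c["reporters"].add(r.reporter)
    return list(campaigns.values())


def calculate_severity(campaign):
    """Upon-trigger step: severity from enrichment verdicts and how many users were hit."""
    malicious = bool(campaign["urls"] & BAD_URLS) or campaign["sender"] in BAD_SENDERS
    if not malicious:
        return "low"
    return "high" if len(campaign["reporters"]) >= 3 else "medium"


def containment_actions(campaign, severity):
    """Containment subplaybook: the actions an engineer would otherwise run by hand."""
    if severity == "low":
        return []  # benign or unknown: no automatic containment, leave for analyst review
    actions = [f"quarantine email for {len(campaign['reporters'])} recipients"]
    if campaign["sender"] in BAD_SENDERS:
        actions.append(f"block sender {campaign['sender']}")
    actions += [f"EDL block {u}" for u in sorted(campaign["urls"] & BAD_URLS)]
    return actions


def run_playbook(reports):
    """Trigger -> analysis -> containment; one record per campaign with a report-count metric."""
    incidents = []
    for c in correlate_campaign(reports):
        sev = calculate_severity(c)
        incidents.append({"subject": c["subject"], "severity": sev,
                          "reports": len(c["reporters"]), "actions": containment_actions(c, sev)})
    return incidents
```

Three reports of the same lure collapse into one high-severity incident with three containment actions, while an unrelated newsletter report stays low with none.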
Phishing - the SOAR Evolution
SOAR After 1 Month SOAR After 6 Months
Phishing - Automate Common Attacks
Phishing - ID Common Manual Tasks
Use Case - Incident Handling
Incident Handling - Confessions

Pre SOAR
● Difficult to triage incidents
● No war room for analyst notes
● Few opportunities to peer review analyst efforts

With SOAR
● Graphical workflow for following the Incident Response process
● Detailed/Enriched incident data
● Improved collaboration and learning opportunities
Use Case - Windows Events
Windows Events - Confessions
Manual Tasks Before SOAR
● Contact user or account owner
● Attempt to identify unknown account owner
● Verify change record or ticket
● Correlate activity from logs (network, endpoint)
● Trigger forensic image capture
● Reset password
● Submit re-image request
To Sum Up
Confessions: Good, Bad, Ugly
Good
○ Far-reaching benefits

Bad
○ Resistance to Change

Ugly
○ Reliance on partners
Top 5 Tips
1. Document your use cases & integration requirements

2. Dedicate resources

3. Engage Customer Success

4. Prioritize

5. Change Management
Looking Forward...
Other Use Cases
● Red/Blue Team, Purple Team

● Hunting

● Vulnerability Management

● Governance, Risk & Compliance

● Human Resources
Additional Resources
● Dummies Guide

https://go.demisto.com/your-guide-to-security-orchestration

● Gartner SOAR Market Guide

https://go.demisto.com/the-hitchhikers-guide-to-soar-2019

● Free Edition

https://go.demisto.com/sign-up-for-demisto-free-edition

● Coming Soon...

5.0 Product Release Early October


Thank You
Q&A
