
2023 SOC/SOAR Solutions Forum

Thank you so much for joining us today.


What’s Happening, and When?

Time        Check Out This Morning’s Sessions

10:30AM ET  Kickoff & Welcome Message
            Chris Crowley, SANS Institute

10:45AM ET  Advanced Sandboxing – Supercharging your SOC
            Andrew Maguire, VMRay
            Michael Bourton, VMRay

11:20AM ET  Uniting Data That Matters Using SOAR
            Andy Shepherd, Google Cloud

11:55AM ET  Break

What’s Happening, and When?

Time        Check Out This Afternoon’s Sessions

12:10PM ET  What does it take to be successful at SecOps Automation?
            Jane Goh, Palo Alto

12:45PM ET  Sustaining a Successful SOC: A Panel on Technology, Productive People, and Effective Strategy
            Chris Crowley, SANS Institute
            Michael Bourton, VMRay
            Jane Goh, Palo Alto
            Andy Shepherd, Google Cloud

1:30PM ET   Wrap up
            Chris Crowley, SANS Institute
Code of Conduct
SANS strives to create an atmosphere of learning, growth, and community. We
value the participation and input, in this event and in the industry, of people of
all genders, sexual identities, cultural and socioeconomic backgrounds, races,
ethnicities, nationalities, religions, and ages.

Please support this atmosphere with respectful behavior and speech. This
applies to all online interactions including the event Slack channel and in
Zoom.

If you witness or experience anything contrary to these guidelines, please tell us at: forums@sans.org
Join the Slack Workspace

Converse with fellow attendees, SANS Chairperson, and invited speakers here.

Join in on all the action here: sansurl.com/forums
Important Slack Channels to Visit Today

#00-help – Having technical difficulties? Let us know here, we’re ready to help!

#01-announcements – Visit this channel to learn about upcoming events and important announcements!

#02-discussion – Converse with fellow attendees, our SANS Chairperson, and invited guest speakers who are also attending or presenting today!

#04-business-card-swap-meet – Drop your LinkedIn or Twitter handles in this channel to connect with fellow industry professionals!

Check Out Our New Slack Channels

#06-Contests – Participate in different contests for a chance to win some awesome prizes!

#07-Pets – Show off your fur baby for laughs and likes!
Q&A in Zoom

If you’re not joining us on Slack, please use Zoom’s Q&A window to submit questions to our presenters.

Type your question, include the name of the presenter if the question is for a specific speaker, and then click send!
Thank You to Our Sponsors for Bringing Us All Together Today!

SANS: Advanced Sandboxing – Supercharging Your SOC

Our Presenters Today

Andrew Maguire – Product Marketing, Security Service Providers
Michael Bourton – Technical Field Operations, EMEA
Agenda

• Who is VMRay?
• SOC Challenges & Economy of Service
• Sandbox Technology Isn’t Created Equal
• A Word About Sandbox Evasion…
• Supercharging The Sandbox
  • False Positives
  • URL Scanning
  • Threat Hunting
  • Building Rules
• Demonstration
• Q&A
Who is VMRay?

Company Overview

A cloud and on-premise advanced threat detection and analysis platform.

VMRay enables enterprise and service provider SOC teams to analyze and extract the IOCs of previously unknown, highly evasive malware to quickly mitigate current and future threats.

With VMRay’s ability to scale and automate Tier 1 / 2 triage in high volume alert environments, SOC teams can improve economy of service to meet SLAs with fewer skilled malware analysts.

VMRay Solutions – Automating Malware Triage and Analysis
• Manual Malware Triage and Phishing Analysis
• Automated Threat Detection and Analysis
• Manual & Automated Threat Intelligence Extraction
Analyst Burnout a “Real Issue”

• Investments in SOC automation helping alleviate Analyst burnout
• 54% of the respondents said they were feeling burned out in their jobs
• 64% of respondents said alert and investigation fatigue plays a major role in burnout, it’s a “real issue”
• 37% of respondents described how investigative workflows are being slowed by a reliance on repetitive tasks and tools that aren’t interoperable
• 46% said workload is contributing to exposure of regulatory risk, don’t have time to understand new regulations

Source: DFIR Survey – Magnet Forensics 2023


Root Causes of Analyst Burnout

Analyst Burnout = High Turnover

Root causes (from the slide diagram):
• Too Many EDR False Positives
• Manual Malware & Phishing Triage
• Too Many Malware Alerts to Handle
• Lack of Skilled SOC Resources
• Open to Unique Threats
• Consolidating & Curating Threat Data
• Little Proactive Defenses

“Taxing 10 hour shifts incur a mental debt”
Source: MDR SOC Analyst

What is going to fix this?
• Make Sure All Alerts Actionable
• Automation
• Integrated vs. Silo’d Tools
• Alert Coalescing
• Enriched Telemetry Data
Alert & Investigation Fatigue By The Numbers

11,000 – Number of alerts received by the average security operations team each day
SOURCE: THE 2020 STATE OF SECURITY, FORRESTER

67% – Percentage of IT Teams that admit to ignoring many lower priority alerts
SOURCE: STATE OF SEC OPS IN 2021, FORRESTER

Alert & Investigation Fatigue By The Numbers

25%+ – Percent of security alerts fielded by organizations that are false positives
SOURCE: INFOSECURITY GROUP

10 Hours Per Week – Average Security Analyst Spends Responding To False Positive Alerts
SOURCE: DEEP INSTINCT

$25,896 – Yearly Cost of False Positive Alerts Per Analyst @$49 Per Hour (Avg.)
SOURCE: INFOSECURITY GROUP
Economy of Service, Reducing SOC MTTD & MTTR

(Diagram: SIEM / SOAR Alerts → False Positive / True Positive Reduction)
Sandbox Technology Isn’t Created Equal

Feature                | VMRay: Hypervisor Sandbox  | Any Vendor: Software Emulation Sandbox   | Any Vendor: Hardware Emulation Sandbox
Evasion Resistant      | Yes (Hypervisor)           | No (Agent-Based)                         | No (Virtual Driver)
Data Analysis Overload | No Unnecessary Information | Records All Information Including System | Records All Information Including System
Noise Free Reports     | Yes                        | No                                       | No
High Precision         | Yes                        | No                                       | No
Scalable, Low TCO      | Yes                        | Yes                                      | No

A Word About Sandbox Evasion…

• Today’s modern malware families utilize evasion techniques to avoid detection by compensating controls such as AV, IDS/IPS
• Static signatures and heuristic algorithms have difficulty detecting previously unknown malware
• Payload detonation in a sandbox environment is currently the only way to identify new evasive malware / advanced phishing attacks
• Evasive malware also written to identify sandbox environments to avoid revealing payload / IOCs
• Unsuccessful payload activation = considered benign, threat remains in the Enterprise environment

(Slide example: Raccoon v2)
Extensible Sandbox Platform

• Why is Sandbox Technology Important to The SOC?
  • Ransomware as a service (RaaS)
  • Zero-Day exploits for sale on the Dark Web
  • Open source obfuscation tools
  • Cheap and fast URL generation
  • Remote working
Agents

• Agent has static name? Easiest to detect
• Agent changes name? Let’s search for its behavior.
• New attack vector? Does your agent monitor for this?

Find an agent, or agent-like behavior. Shutdown.

• Commonly uses hooking. Think MITM with code
• Three common uses for hooking:
  • Blocking calls
  • Monitoring calls
  • Modifying calls
Agents

• To understand hooking:
  • DLL – Dynamic-Link Library: Shared code.
  • API – Application Programming Interface: Software with a distinct function.
  • IAT – Import Address Table: Records the addresses of functions imported from DLLs.

• Find the address in the IAT
• Replace the IAT address with one pointing to your code
• Redirect back to the original code (if needed)

I recommend “Learning Malware Analysis” – Packtpub. ISBN-13 978-1788392501


Automation

Key Considerations When Automating Malware Triage and Phishing Analysis

• Does your sandbox need you to interact?
• How realistic is any automatic interaction?
• Does the automation come with an agent?
False Positives

• How often do your existing tools capture something harmless?
  • Firewall blocking URLs
  • Word/Excel documents with macros
  • EDR behavioral analysis blocking sys admin tools (I'm looking at you, sysinternals)

A harmless program, compiled and then merely packed, is enough to trigger many tools:

1. x86_64-w64-mingw32-gcc -o peSample.exe test.c
2. upx -o packedSample.exe peSample.exe
3. Profit
False Positives

• Extract a selection of events from a tool such as EDR
• Submit those for rescanning through VMRay
• Use settings such as triage and potentially just use dynamic analysis
• Record levels of false positives among tools
  • Does this tool need to be replaced?
  • What is the reliability level?
• Rinse and repeat.
URL Scanning

Every site uses a CDN. One URL can end up showing dozens of URLs on a firewall.

How many staff can you dedicate to checking URLs?
URL Scanning

VMRay provides full configuration of API keys

URLs can contain sensitive information:

www.mileycyrus.com/contactmiley?question=can%20I%20be%20your%20backup%20dancer?&from=Michael%20Bourton

Recursion is essential. Common attacks start with Google workspace (or other online workspace), document contains a URL, then redirects…
URL Scanning
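Added Python example (not from the slides or VMRay's product) of the control the previous slide argues for: before a URL is handed to a third-party scanner or pasted into a ticket, mask the query-string values and strip embedded credentials while keeping the host, path and parameter names an analyst still needs. The allow-list of parameter names and the second sample URL are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters whose values are usually structural rather than personal
# and can be kept for the scanner. Constructed allow-list for this example,
# not a VMRay setting; tune it per organisation.
KEEP_VALUES = frozenset({"id", "page", "lang"})


def redact_url(url: str, keep_values=KEEP_VALUES) -> str:
    """Return a copy of `url` that is safe to share with an external scanner:
    the path and parameter *names* survive (they identify the campaign),
    parameter *values* are masked unless allow-listed, and the fragment and
    any user:password@ userinfo are dropped."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, v if k in keep_values else "REDACTED") for k, v in pairs]
    # Rebuild the authority without embedded credentials. A scheme-less URL
    # like the slide's example has no netloc; its host simply stays in the path.
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(masked), ""))


if __name__ == "__main__":
    # The URL from the slide, plus a constructed one carrying credentials and a token.
    for u in (
        "www.mileycyrus.com/contactmiley?question=can%20I%20be%20your%20backup%20dancer?&from=Michael%20Bourton",
        "https://alice:s3cret@example.com:8443/reset?token=abc123&lang=en#frag",
    ):
        print(redact_url(u))
```

Masking is lossy: a masked URL may not follow the same redirect chain as the original, so the masked form suits sharing and logging, while recursion through redirects should run against the original URL inside a platform whose API keys you control.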
Building Rules

• How easily can you add rules?
• Are they using an open standard such as YARA?
• YARA rules contain string definitions and a condition

Building Rules

Will search for valid base64 strings, and match if they decode to our strings
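To show what matching "strings that decode to ours" involves, here is an added Python example (not VMRay's or YARA's code) built on the same three-alignment trick the YARA base64 modifier relies on: a plaintext embedded at an unknown offset inside 3-byte base64 groups has only three possible encodings, so the scanner searches for those three fragments instead of decoding every candidate run. The rule strings and the sample blob are constructed for this example.

```python
import base64
import re
from typing import Dict, List, Tuple


def base64_variants(plaintext: bytes) -> List[bytes]:
    """Return the three base64 fragments that any base64 encoding of
    `plaintext` must contain, one per possible alignment (0, 1 or 2 unknown
    bytes before the plaintext inside the 3-byte encoding groups). Characters
    whose value depends on the unknown neighbouring bytes are trimmed from
    both ends, as are the '=' padding characters."""
    variants = []
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + plaintext)
        lead = {0: 0, 1: 2, 2: 3}[pad]                 # chars tainted by the padding bytes
        total = pad + len(plaintext)
        full = 4 * (total // 3) + {0: 0, 1: 1, 2: 2}[total % 3]  # fully determined chars
        variants.append(encoded[lead:full])
    return variants


def scan(data: bytes, strings: Dict[str, bytes]) -> Dict[str, List[Tuple[int, bytes]]]:
    """Search `data` for every base64 variant of every rule string.
    Returns {string_name: [(offset, fragment_matched), ...]} for hits only."""
    hits: Dict[str, List[Tuple[int, bytes]]] = {}
    for name, plain in strings.items():
        for frag in base64_variants(plain):
            if not frag:  # very short strings leave nothing unambiguous to search for
                continue
            for m in re.finditer(re.escape(frag), data):
                hits.setdefault(name, []).append((m.start(), frag))
    return hits


def rule_matches(data: bytes, strings: Dict[str, bytes]) -> bool:
    """Equivalent of a YARA condition of `any of them` over the base64 strings."""
    return bool(scan(data, strings))


# Constructed rule strings and a constructed sample: the command fragments are
# embedded at all three base64 alignments, plus one plain-text line that is
# not base64 and must not match.
RULE_STRINGS = {"$a": b"cmd.exe /c", "$b": b"powershell -enc"}
SAMPLE = b"".join([
    b"x=" + base64.b64encode(b"cmd.exe /c whoami") + b";\n",       # alignment 0
    b"y=" + base64.b64encode(b"Xcmd.exe /c dir") + b";\n",         # alignment 1
    b"z=" + base64.b64encode(b"XYpowershell -enc AAAA") + b";\n",  # alignment 2
    b"plain cmd.exe /c text is not base64\n",
])

if __name__ == "__main__":
    for name, found in scan(SAMPLE, RULE_STRINGS).items():
        for offset, frag in found:
            print(f"{name} matched base64 fragment {frag!r} at offset {offset}")
```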
DEMO

Why do SOC Teams Like Working With Us?

Our integrations help augment the existing tech stack

• SIEM / SOAR / Threat Intelligence: Microsoft Sentinel
• EDR / XDR: Microsoft Defender for Endpoints

Q&A

Thank You!
Poll Questions – Incident Response

1. Does your current operations solution automatically correlate related alerts into a single threat-centric case management system?
   Yes / No

2. Are you struggling to scale your business due to challenges like increased customer demand, talent shortage, etc.?
   Yes / No

3. On average, how long does it take to triage and analyze one malware sample?
   < 15 minutes / 15 min – 1 hour / 1 – 4 hours / 5 – 8+ hours

4. Does your IR team currently use sandbox technology to validate SOAR alerts and extract IOCs?
   Yes / No
Thank you so much for joining this session with
Andrew Maguire, VMRay
Michael Bourton, VMRay

For additional conversation and discussion, please visit the #02-discussion Slack channel!
Proprietary + Confidential

Uniting Data That Matters Using SOAR

March 2023

Optimizing SOC performance via SOAR insights

Follow along for a cheat sheet…

1 Orchestrate disparate tools using playbooks

● Automate repetitive and manual tasks
● Create current and effective workflows that make sense for your organization
● Orchestrate hundreds of the tools you rely on

2 Leverage business intelligence

● Identify gaps
● Reallocate resources
● Evolve existing processes
● Identify where to automate manual processes

3 Unite the information that matters

● Combine contextually related alerts
● Determine the relationship between all involved entities attached to an event, product or source
● Collaborate with colleagues on every case
● Identify and prioritize critical cases

Summary: Key Takeaways & Recommendations


1. Identify the processes you’d like to automate before starting the
SOAR buying process.

2. Track real-time SOC metrics and KPIs to uncover gaps and improve
processes.

3. Integrate and leverage context at every opportunity.


Demo

Questions & Answers

Visit chronicle.security/contact-us
Visit chronicle.security/knowledge-base
Visit chronicle.security/secops-community (SecOps Community)

Thank you.
Thank you so much for joining this session with

Andy Shepherd, Google Cloud

For additional conversation and discussion, please visit the #02-discussion Slack channel!

We are on a break!

2023 SOC/SOAR Solutions Forum

We will be back at 11:55am ET

Automating SecOps
What does it take?

Jane Goh
Principal Lead, Product Marketing
Cortex XSOAR

48 | © 2023 Palo Alto Networks, Inc. All rights reserved.


Agenda

• Are you a good candidate for automation?
• Defining your use cases
• Practical use cases for quick wins
• Peer Insights

Are you a good candidate for automation?

© 2022 Palo Alto Networks, Inc. All rights reserved. Proprietary and confidential.
What Makes for a Successful Candidate?

• Puts the time in to train
• Defines a clear scope for their first use case
• Size doesn’t matter

Defining your use cases
Defining Your Use Cases

• License requirements
• Use case name
• Triggers
• Incident structure and mapping
• Incident response process
• Enrichment
• Manual steps
• End user interaction
• Deduplication logic
• Third party integrations
• Incident structure
• Peer review

Let’s Take a Look at Some Popular Content Packs
Some Playbooks to Kickstart Your Automation Journey

1. Default Playbook
2. Common Playbooks
3. Phishing
4. Malware
5. Email Communications
6. Incidents and integrations health checks
7. Free Threat Intelligence Management feeds


The Telemetry Data

~600 Global XSOAR Customers
Content Packs are Critical Building Blocks to Your Success

6% of all top level playbooks are part of a content pack
60% of all sub-playbooks are playbooks that come as part of a content pack

Top 10 Content Packs In Use Across Customers

1. CommonPlaybooks
2. Phishing
3. DefaultPlaybook
4. VirusTotal-Private_API
5. Palo_Alto_Networks_WildFire
6. CortexXDR
7. QRadar
8. IntegrationsAndIncidentsHealthCheck
9. Campaign
10. CuckooSandbox
Three Phases for Becoming an Automation Leader

Timeline: First Playbook Ever Executed → 30 Days Later → 90 Days Later → 180 Days Later
Phases: POC → Early Adoption → Automation Leadership

Understanding the Customer Journey from POC to 6 Months

POC: Top Level Playbooks Created: 4.68
Early Adoption: Top Level Playbooks Created: 6.68
Automation Leadership: Top Level Playbooks Created: 9.15
Recommendations

POC
• Install and integrate the “Default” playbook
• Familiarize with the playbooks in the “CommonPlaybooks” content pack
• Start building out your alert management pipeline

Early Adoption
• Continue developing your alert management pipeline
• Focus on playbook creation as a software development process

Automation Leadership
• Start integrating with your crown jewels such as Splunk

Who Are We?
Cortex XSOAR

900+ third-party tools: SIEM, Tools, People, API

Playbook-driven automation: Real-time Collaboration, Case Management, Threat Intel Management, Automation & Orchestration

Marketplace, Community, Ecosystem

Alerts from: SIEM, Cortex XDR, Cortex Xpanse, Strata NGFW, IOT, Prisma, Mail, Other Sources
Threat Intel feeds from: ISAC, Open Source, Premium, Unit42
The World’s Most Comprehensive SOAR Ecosystem

This means we’ve probably got your SOC tools covered

Cortex® XSOAR – 900+ integrations across:
• Endpoint Security
• Analytics & SIEM
• Malware Analysis
• Cloud Security
• Messaging
• Threat Intelligence
• Network Security
• Vulnerability Management
• Identity & Access Management
• ITSM
• Email Security
• Other
Cortex XSOAR: Automate Across Your Operations

SOC Automation
• Phishing Response
• Ransomware Response
• Malware Investigation
• Threat Intel Management

Extended Security Automation
• Endpoint Security
• Vulnerability Remediation
• IOT Security
• Cloud Security

Network/IT Ops Automation
• Network Operations
• Ticketing & Case Management
• User/access provisioning
• Policy Compliance
Resources to Get You Started

Cortex Marketplace
https://cortex.marketplace.pan.dev/marketplace/

SOAR ROI Tool
http://go.paloaltonetworks.com/xsoarroi

Attend our Hands-On Workshop
http://go.paloaltonetworks.com/xsoarhow
Thank you so much for joining this session with

Jane Goh, Palo Alto

For additional conversation and discussion, please visit the #02-discussion Slack channel!

Next Up:

Panel: Sustaining a Successful SOC: A Panel on Technology, Productive People, and Effective Strategy

Chris Crowley, SANS Institute
Jane Goh, Palo Alto
Michael Bourton, VMRay
Andy Shepherd, Google Cloud

For additional conversation and discussion, please visit the #02-discussion Slack channel!

Thank you so much for joining this session with:

Chris Crowley, SANS Institute
Jane Goh, Palo Alto
Michael Bourton, VMRay
Andy Shepherd, Google Cloud

For additional conversation and discussion, please visit the #02-discussion Slack channel!
