Fidelis Cybersecurity
Taking Back the SOC – Eliminating Alert Fatigue
Bryan Geraldo – VP Services & Business Development
What Percentage of Alerts Are Triaged Daily?
• 30% of companies said less than 10% of alerts are triaged.
• 32% of companies said between 11-24% of alerts are triaged.
• 21% of companies said between 25-49% of alerts are triaged.
• 11% of companies said between 50-75% of alerts are triaged.
• 6% of companies said more than 75% of alerts are triaged.
83% of the companies triage less than 50% of the alerts.
Reference: Fidelis (2018) Study: “Examining the State of Security Operations and How to Automate Threat Detection and Response.”
More Interesting Statistics…
Best-of-Breed vs. Consolidated Security Tool Environment
Reference: Check Point Blog Post (2017): https://blog.checkpoint.com/2017/07/31/re-thinking-cyber-consolidation-paradigm/
Reference: FireEye (2019) Ebook: “Nine Steps to Eliminate Alert Fatigue”
Remember that…
• An alert will not tell you whether something is good or bad. It only tells you that something happened, or that there is something to look at.
• The human should judge intent, because computers, including AI, cannot make the right judgement call.
What is my process…
• My philosophy on how to plan any cyber security endeavor:
• “If I had an hour to solve a (major) problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about/implementing the solutions.” – Albert Einstein
How to Address the Solution
Step 1: Follow a well-known playbook, Profiling:
• Mass attack due to:
 • Release of exploit code
 • New malware in the wild
• Or targeted attack?
Area of focus to conduct analysis of alerts.
How to Address the Solution
Step 2: My solution is to “Determine 1) what to automate versus 2) what to have the analyst review, using a combined Kill Chain and Pyramid of Pain model within an Eisenhower Matrix to help make decisions on activity.”
Reference: Bianco, D., SANS DFIR Presentation (Feb 2019): “Quality over Quantity, Determining your CTI Detection Efficacy”
How to Address the Solution
Step 3: Look to reduce the signal-to-noise ratio by reducing the number of alerts that you must validate:
• Playbook: Network alert for a URL that is tied to a reported malicious domain and seems to be connecting to a PHP file. What tasks would you perform?
 • Is the VLAN of any importance/risk?
 • Look at DSI (analyze the stream for specific content, such as commands or SQL commands).
 • Connect to the host; look at the common download area(s) and the folder with the Internet cache.
 • Look for start-up or scheduled tasks (outside the profile).
 • Then tag the activity for later review.
• Playbook: If an alert is tied to a Domain IOC that has a ThreatScore > 85 or is newer than 2 weeks, then take action.
 • Look up the IOC in VT or another CTI-based tool.
 • When was the last time the IOC was reported?
 • Have there been any associated 2nd-level Hash, Domain, or IP pivots that have been reported? Within less than 15/30 days?
 • Have any of these 2nd-level pivots also been found within the environment?
 • Then tag the activity for later review.
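The second playbook above is simple enough to encode, which is the point of Step 3: the machine applies the thresholds and the pivot questions, and the analyst only sees what survives. The following is an added example written for this page, not Fidelis code and not a real VirusTotal client; the CTI lookup table, the environment sightings and the 30-day pivot window (the slide says "15/30 days") are constructed assumptions, and treating a recent pivot already seen internally as grounds for action is likewise an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds taken from the slide's playbook: ThreatScore > 85, or IOC newer than 2 weeks.
THREAT_SCORE_THRESHOLD = 85
NEW_IOC_WINDOW = timedelta(days=14)
# The slide says pivots reported "within less than 15/30 days"; 30 is used here (assumption).
PIVOT_WINDOW = timedelta(days=30)


@dataclass
class CtiRecord:
    """Constructed stand-in for what a VT-style lookup would return (not a real API schema)."""
    threat_score: int
    first_reported: date
    last_reported: date
    # Second-level pivots reported for this domain: (indicator_type, value, reported_on).
    pivots: list = field(default_factory=list)


@dataclass
class Decision:
    action: str        # "take_action" or "tag_for_review"
    reasons: list


def triage_domain_alert(domain, cti, env_sightings, today):
    """Apply the playbook to one Domain-IOC alert.

    cti: dict domain -> CtiRecord (constructed lookup table)
    env_sightings: set of (indicator_type, value) already observed in the environment
    """
    record = cti.get(domain)
    if record is None:
        return Decision("tag_for_review", ["no CTI record for the domain"])

    reasons = []
    if record.threat_score > THREAT_SCORE_THRESHOLD:
        reasons.append(f"threat score {record.threat_score} exceeds {THREAT_SCORE_THRESHOLD}")
    age = today - record.first_reported
    if age <= NEW_IOC_WINDOW:
        reasons.append(f"IOC first reported only {age.days} days ago")

    # Second-level pivots: which were reported recently, and which of those are already inside?
    recent_pivots = [p for p in record.pivots if today - p[2] <= PIVOT_WINDOW]
    pivots_in_env = [p for p in recent_pivots if (p[0], p[1]) in env_sightings]
    if pivots_in_env:
        # Assumption: a recent pivot already seen internally escalates even when the
        # primary thresholds are not met.
        reasons.append("recent pivot(s) already observed in environment: "
                       + ", ".join(f"{t}={v}" for t, v, _ in pivots_in_env))

    if reasons:
        return Decision("take_action", reasons)
    return Decision("tag_for_review",
                    [f"score {record.threat_score}, first reported {age.days} days ago, "
                     f"{len(recent_pivots)} recent pivot(s), none seen internally"])


# Constructed sample data (reserved .example names, documentation IP range).
TODAY = date(2019, 6, 1)
CTI = {
    "high-score.example":   CtiRecord(92, date(2019, 3, 1), date(2019, 5, 30)),
    "fresh-ioc.example":    CtiRecord(50, date(2019, 5, 28), date(2019, 5, 31)),
    "stale-low.example":    CtiRecord(40, date(2018, 11, 1), date(2019, 1, 15)),
    "pivot-in-env.example": CtiRecord(60, date(2019, 1, 10), date(2019, 5, 20),
                                      pivots=[("ip", "203.0.113.7", date(2019, 5, 25))]),
}
ENV_SIGHTINGS = {("ip", "203.0.113.7")}


def triage_all(alert_domains, cti=CTI, env_sightings=ENV_SIGHTINGS, today=TODAY):
    """Run the playbook over a batch of alerted domains; returns domain -> Decision."""
    return {d: triage_domain_alert(d, cti, env_sightings, today) for d in alert_domains}


if __name__ == "__main__":
    for domain, decision in triage_all(list(CTI) + ["unknown.example"]).items():
        print(f"{domain:24} -> {decision.action}: {'; '.join(decision.reasons)}")
```

Every decision carries its reasons, so the "tag for later review" bucket can be audited by the next shift and the thresholds can be tuned against what actually turned out to be malicious.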
How to Address the Solution
Step 4: How this looks in practice.
How to Address the Solution
Step 5: What tools/data sets can you use to conduct analysis using the Fidelis process?
• Playbook/SOAR tool
 • Include new intelligence to help with decision making or automation.
• Application logs gathered via a SIEM.
• Application logs in EDR.
• EDR tool to help validate the event of interest.
• Deception to provide analysis/validation.
• Network DPI and DSI.
• Deception to provide details on malicious activity.
How to Address the Solution
Step 6: For the alerts that remain, use the following Fidelis analysis process (based on your available time and these priorities). Remember that numbers (e.g. tickets closed) are only important if they make an impact:
• Tools + Exploit
• Artifact + Execute
• Domain Name + Exploit
• IP Address + Deliver
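Steps 2 and 6 together describe a ranking: Pyramid of Pain level decides how much an analyst's time is worth on the alert, Kill Chain phase decides how urgent it is, and the Eisenhower split decides what is automated versus handed to a person. This added example, written for this page rather than taken from the slides or from Fidelis, implements that ranking over constructed alerts; the quadrant cut-offs (artifact level and above is "important", exploitation phase and later is "urgent") and the mapping of the slide's "Execute" label to the exploitation phase are assumptions.

```python
from dataclasses import dataclass

# Pyramid of Pain (Bianco), lowest to highest: the higher the level, the more it costs the
# adversary to change, so the more an analyst's time on it is worth.
PAIN_LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Cyber Kill Chain phases, earliest to latest. The slide's short labels are mapped to
# phases below; treating "Execute" as the exploitation phase is an assumption.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_ALIASES = {"deliver": "delivery", "exploit": "exploitation", "execute": "exploitation"}

# Eisenhower split points (assumptions, tune to your environment):
# "important" = artifact level or above, "urgent" = exploitation phase or later.
IMPORTANT_FROM = PAIN_LEVELS.index("artifact")
URGENT_FROM = KILL_CHAIN.index("exploitation")


@dataclass
class Alert:
    name: str
    indicator_type: str   # one of PAIN_LEVELS
    phase: str            # a KILL_CHAIN phase or one of the slide's labels


def _ranks(alert):
    """(pain rank, kill-chain rank) for an alert; higher means more analyst-worthy / further along."""
    pain = PAIN_LEVELS.index(alert.indicator_type)
    phase = KILL_CHAIN.index(PHASE_ALIASES.get(alert.phase, alert.phase))
    return pain, phase


def quadrant(alert):
    """Eisenhower quadrant: what to automate versus what to hand to an analyst."""
    pain, phase = _ranks(alert)
    important, urgent = pain >= IMPORTANT_FROM, phase >= URGENT_FROM
    if important and urgent:
        return "analyst_now"        # do: an analyst works it this shift
    if important:
        return "analyst_schedule"   # schedule: analyst review, not time-critical
    if urgent:
        return "automate_respond"   # delegate: playbook/SOAR response, analyst checks the result
    return "automate_tag"           # defer: enrich, tag for later review, move on


def prioritize(alerts):
    """Order alerts: Pyramid of Pain level first, Kill Chain phase breaks ties, highest first."""
    return sorted(alerts, key=_ranks, reverse=True)


# Constructed alerts reproducing the slide's four pairings plus two extra cases.
SAMPLE_ALERTS = [
    Alert("ip-to-known-bad", "ip", "deliver"),
    Alert("phishing-domain", "domain", "exploit"),
    Alert("lolbin-artifact", "artifact", "execute"),
    Alert("cred-dump-tool", "tool", "exploit"),
    Alert("file-hash-match", "hash", "delivery"),
    Alert("lateral-movement-ttp", "ttp", "reconnaissance"),
]


def worklist(alerts=SAMPLE_ALERTS):
    """Return [(name, quadrant)] in the order an analyst should walk the queue."""
    return [(a.name, quadrant(a)) for a in prioritize(alerts)]


if __name__ == "__main__":
    for name, q in worklist():
        print(f"{name:22} {q}")
```

With these cut-offs the slide's own order falls out of the sort (Tools + Exploit, then Artifact + Execute, Domain Name + Exploit, IP Address + Deliver), and only the top two of those four reach an analyst immediately; the domain and IP alerts go to the automated playbooks.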
How to Address the Solution
Step 7: Examples of Analysis
• IOC tied to an alert fires: automate the response, or leave it for the next shift to review if they do not have pressing needs.
• Alert fires tied to weird process creation: investigate.
• Playbook/SOAR tool
 • Include new intelligence to help with decision making or automation.
• Application logs in EDR
 • Apache server shows connections from Windows workstations using curl.
 • EDR shows Windows events that illustrate Pass-the-Hash.
 • Shows usage of PowerShell tied to the Apache server.
 • Deception shows that the fake Domain Admin account is being used to log into multiple critical systems (AD, invoicing, etc.).
 • DSI provides details on the curl command, which shows a PowerShell script being downloaded.
 • Deception shows usage of the fake Domain Admin account and access to the .ssh file on the fake system.
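The first two EDR/log findings above, workstations talking to an Apache server with curl and a PowerShell script being pulled down, are a pattern a SIEM rule can surface from the web server's access log before anyone touches DSI. This added example (written for this page, not the presenter's or Fidelis' code) parses Apache combined-format lines and flags them; the workstation VLAN range, the script extensions, the client-agent prefixes and the five log lines are all constructed assumptions.

```python
import ipaddress
import re

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumption: the Windows workstation VLAN lives in this range.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Script types a workstation has little reason to fetch from an internal Apache server.
SCRIPT_EXTENSIONS = (".ps1", ".psm1", ".bat", ".vbs", ".hta")
# User-Agent prefixes of command-line clients rather than browsers (lower-cased).
CLI_AGENT_PREFIXES = ("curl/", "wget/", "powershell", "microsoft-cryptoapi")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def from_workstation(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in WORKSTATION_NETS)


def classify(rec):
    """Return (severity or None, reasons) for one parsed record."""
    if not from_workstation(rec["ip"]):
        return None, []
    reasons = []
    if rec["ua"].lower().startswith(CLI_AGENT_PREFIXES):
        reasons.append(f"command-line client {rec['ua']}")
    path = rec["path"].split("?", 1)[0].lower()
    if path.endswith(SCRIPT_EXTENSIONS):
        reasons.append(f"script download {rec['path']}")
    if len(reasons) == 2:
        return "high", reasons      # curl from a workstation pulling a script: the slide's case
    if reasons:
        return "medium", reasons    # one signal only: worth a look, not an immediate escalation
    return None, []


def find_suspicious(lines):
    """Run classify() over raw log lines; returns one hit dict per flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity, reasons = classify(rec)
        if severity:
            hits.append({"src": rec["ip"], "ts": rec["ts"],
                         "severity": severity, "reasons": reasons})
    return hits


# Constructed sample log: one workstation fetching a .ps1 with curl, normal browsing,
# an external monitor using curl, and a second workstation showing one signal at a time.
SAMPLE_LOG = """\
10.20.4.17 - - [01/Jun/2019:10:15:32 +0000] "GET /downloads/update.ps1 HTTP/1.1" 200 4821 "-" "curl/7.55.1"
10.20.4.17 - - [01/Jun/2019:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.9 - - [01/Jun/2019:10:16:30 +0000] "GET /health HTTP/1.1" 200 17 "-" "curl/7.64.0"
10.20.9.3 - - [01/Jun/2019:10:17:12 +0000] "GET /tools/helper.ps1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.20.9.3 - - [01/Jun/2019:10:17:40 +0000] "GET /api/status HTTP/1.1" 404 231 "-" "curl/7.55.1"
"""


def scan_sample():
    return find_suspicious(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit["severity"], hit["src"], hit["ts"], "; ".join(hit["reasons"]))
```

The external curl request is deliberately not flagged: the pattern the slide describes is a workstation behaving like a script, so scoping the rule to the workstation VLAN keeps monitoring probes and admin hosts from becoming the noise the deck is trying to remove.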
How to Address the Solution
Step 7a: Examples of Analysis/Screenshots
• Network provides information tied to known IOC activity.
• EDR analysis: review of Windows events.
• Network: DSI to provide visibility and some analysis of the activity.
• Deception: provide proof of malicious activity.