BACK TO SPEAKERS
He has previously been a Systems Administrator, a government Anti-Spam enforcer/botnet fighter, a bank threat intelligence manager and a penetration tester. He still keeps his tech skills sharp and spends most of his time devising new technical solutions to old problems
TUTORIAL: Open Source Security Orchestration - Automating the Boring Stuff
Technical Level (3 being the highest score): 2
Organisations have an increasing number of detective controls in their information security environments. With more and more logs and monitoring there can only be more events to investigate and triage.
In this tutorial Cosive will show participants how they can use open source tooling to automate the contextualisation and remediation of security threats in their environment.
The agenda will include:
1. Installing and configuring the tools
2. Basic automation concepts
3. Creating workflows
4. Debugging workflows
5. Developing end to end playbooks for common security incidents (suspicious executables, phishing emails)
6. Developing integrations for currently unsupported systems
This is a hands-on course with a bare minimum of presenting.
Our intention is to make sure that 75% of this does not really require any programming experience and a minimum of systems administration but having some SOC fundamentals and basic Linux will definitely help.
We’re still solidifying tooling but it will either be based on StackStorm - a general purpose automation engine with a wide range of supported integrations) or WALKOFF - NSA released software that is cleaner to work with but has less supported integrations.
Running Your SOC Playbooks as Code
Technical Level (3 being the highest score): 2
Security Orchestration, Automation and Response (aka SOAR)
* What are we looking to automate?
* Orchestrate many specialised systems (e.g. Hive, Cortex, MISP, TIP, ServiceNow, JIRA, etc etc)
* No way every system can integrate directly with every other system
* Orchestration system vs the cluster of duct tape scripts you have today
* Replacing analyst repetition
* Supporting analyst complex investigation
* Typical workflows to target
* Tracking and enforcing workflows within the team (did we end up handling everything?)
* Making workflows consistent (did we handle everything in the same way?)
SOAR vs regular orchestration
* How does it differ?
* How do SOAR systems work together with regular orchestration?
Commercial options (brief summary)
* Demisto
* Phantom
* Swimlane
Open source options (more depth, with demos)
* NSA Walkoff
* Stackstorm
* Ansible (specialised roles for secops coming - pending release)
Considerations for running SOAR platforms
* A long term, ongoing project - start simple and iterate
* Fast moving plugin community in line with integration target system releases
* Maintenance
* Testing playbooks pre-release
* Testing playbooks post-release
* Uncommon integrations - do you need developers?
* Keeping automation pipelines sane and monitored
* Do they still perform the way initially intended?
* Do you already have clearly defined non-automated processes?
Presentation video can be found HERE
Kayne Naughton
Cosive
Kayne is a technologist and the Managing Director at Cosive.He has previously been a Systems Administrator, a government Anti-Spam enforcer/botnet fighter, a bank threat intelligence manager and a penetration tester. He still keeps his tech skills sharp and spends most of his time devising new technical solutions to old problems
TUTORIAL: Open Source Security Orchestration - Automating the Boring Stuff
Technical Level (3 being the highest score): 2
Organisations have an increasing number of detective controls in their information security environments. With more and more logs and monitoring there can only be more events to investigate and triage.
In this tutorial Cosive will show participants how they can use open source tooling to automate the contextualisation and remediation of security threats in their environment.
The agenda will include:
1. Installing and configuring the tools
2. Basic automation concepts
3. Creating workflows
4. Debugging workflows
5. Developing end to end playbooks for common security incidents (suspicious executables, phishing emails)
6. Developing integrations for currently unsupported systems
This is a hands-on course with a bare minimum of presenting.
Our intention is to make sure that 75% of this does not really require any programming experience and a minimum of systems administration but having some SOC fundamentals and basic Linux will definitely help.
We’re still solidifying tooling but it will either be based on StackStorm - a general purpose automation engine with a wide range of supported integrations) or WALKOFF - NSA released software that is cleaner to work with but has less supported integrations.
Running Your SOC Playbooks as Code
Technical Level (3 being the highest score): 2
Security Orchestration, Automation and Response (aka SOAR)
* What are we looking to automate?
* Orchestrate many specialised systems (e.g. Hive, Cortex, MISP, TIP, ServiceNow, JIRA, etc etc)
* No way every system can integrate directly with every other system
* Orchestration system vs the cluster of duct tape scripts you have today
* Replacing analyst repetition
* Supporting analyst complex investigation
* Typical workflows to target
* Tracking and enforcing workflows within the team (did we end up handling everything?)
* Making workflows consistent (did we handle everything in the same way?)
SOAR vs regular orchestration
* How does it differ?
* How do SOAR systems work together with regular orchestration?
Commercial options (brief summary)
* Demisto
* Phantom
* Swimlane
Open source options (more depth, with demos)
* NSA Walkoff
* Stackstorm
* Ansible (specialised roles for secops coming - pending release)
Considerations for running SOAR platforms
* A long term, ongoing project - start simple and iterate
* Fast moving plugin community in line with integration target system releases
* Maintenance
* Testing playbooks pre-release
* Testing playbooks post-release
* Uncommon integrations - do you need developers?
* Keeping automation pipelines sane and monitored
* Do they still perform the way initially intended?
* Do you already have clearly defined non-automated processes?
Presentation video can be found HERE