TRANSCRIPT
©2019 FireEye
Future Proof Your Security Operations
Lawrence Li 李輝
Challenges in Security Management
Lack of visibility: 101 days, the time it takes to discover a breach
Too many tools: 85, the average number of security tools used by a single company
Lack of context: 32 days, the time it takes to respond to a breach
Too many alerts: 10K security alerts occurring daily for an average company
Current State
Using legacy SIEM technology to centralize security operations
Lack of visibility across threat vectors
Lack of context; inability to prioritize threats
Desired Outcomes
Accelerated response and minimized impact of incidents
Holistic visibility and alert prioritization across threat vectors
Centralized security management and monitoring
Required Capabilities
Automate response and perform inline blocking
Consolidate process management, technology and expertise
Centralize asset monitoring
Enrich alerts with contextual intelligence
Typical Characters in the SOC
SOC Analyst
Responsibility: Triage, investigate and respond to alerts in a timely fashion.
Security Engineer
Responsibility: Supporting the SOC team with tools and scripts to help increase operational and triage efficacy.
SOC Manager
Responsibility: Implementing a security program that reduces threat exposure to the organization.
Technology: SIEM to surface unseen threats; all major SOC use cases on a single pane of glass (FireEye Helix)
Processes: Automation of time-consuming steps; guided investigation and hunting capabilities to accelerate response
Expertise: Orchestration playbooks that codify Mandiant’s best practices; integrated threat intelligence for contextual awareness
FireEye Expertise: Mandiant Services, Managed Defense, Threat Intelligence
FireEye Ecosystem
FireEye Helix Security Operations Platform: Security Information & Event Management, Orchestration & Automation, Contextual Intelligence, Compliance Reporting, Alerts / Case Management
Expertise On-Demand
FireEye and Third Party Apps: FireEye Market
FireEye Endpoint Security, Third-Party Solutions, FireEye Email Security, FireEye Network Security
FireEye Helix in Action
Collect → Match → Automate → Prioritize → Investigate → Remediate
▪ Real-time threat intelligence
▪ Codified expertise from FireEye
▪ Sub-second search
▪ Single log source
▪ Guided investigations
▪ Compliance reporting
[Figure: SIEM architecture. Components: Intelligence, Rules, Analytics, Event index; Evidence Collector; FireEye and third-party data sources: Intelligence, Endpoints, Firewalls, Operating Systems.]
Cloud Intelligence: VPN Account Monitoring, Geo-Infeasibility Detection, Credential Misuse, Misconfiguration Detection, Cloud Threat Analytics
Corporate Network: FireEye Network Security, FireEye Helix
Cloud Security
▪ Guard against credential abuse
▪ Single pane visibility across your enterprise
▪ Prevent accidental misconfigurations that lead to attacker compromise
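Geo-infeasibility detection is the one item on this slide with a well-defined check behind it: two logins to the same account from places that could not both be reached in the time between them. The script below is an added example, not FireEye or Helix code; the log format (timestamp, user, source IP, GeoIP latitude/longitude), the sample lines and the 900 km/h threshold are assumptions made for this example.

```python
"""Geo-infeasibility ("impossible travel") detection over VPN login events.

Added example, not FireEye/Helix code. Log format, field names, sample data
and the speed threshold are assumptions made for this illustration.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real data): ISO timestamp, user, source IP,
# then the latitude and longitude of the source as resolved by a GeoIP lookup.
SAMPLE_LOG = """\
2019-05-01T08:00:00Z alice 203.0.113.10 25.03 121.56
2019-05-01T08:45:00Z alice 198.51.100.7 40.71 -74.01
2019-05-01T09:00:00Z bob 203.0.113.22 25.03 121.56
2019-05-01T19:30:00Z bob 192.0.2.9 35.68 139.69
"""

EARTH_RADIUS_KM = 6371.0
# Anything faster than an airliner is treated as infeasible (assumed threshold).
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "lat": float(lat), "lon": float(lon),
        })
    return events


def find_infeasible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one finding per consecutive login pair (same user) that would
    require travelling faster than max_speed_kmh. Same-IP pairs are skipped."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Two logins from different places at the same instant: infinite speed.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "distance_km": round(dist), "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for finding in find_infeasible_travel(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data only alice is flagged: her two logins are roughly 12,500 km apart and 45 minutes apart. Bob's pair is about 2,100 km in ten and a half hours, which stays under the threshold. In production the interesting tuning knobs are the threshold, how to treat shared egress IPs (VPN concentrators, mobile carriers) and GeoIP accuracy, all of which this example fixes as constants.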
Security Orchestration
[Figure: orchestration flow with the nodes Hash/MD5 Analysis, Domain Analysis, URL Analysis, IP Analysis, Email Address Analysis, FireEye Validation and an Analyst Decision Point; other events remain in the SIEM for reference; higher-priority incidents are pulled out and automatically escalated; endpoint containment.]
▪ 150+ pre-defined integration plug-ins
▪ 400+ pre-built playbooks
▪ Expertise codified by Mandiant
▪ Built-in playbook builder
▪ Role-based actions
Typical Orchestration Use-cases
Abuse Mailbox
▪ Orchestrate the abuse mailbox, allowing for the automated analysis of suspicious emails
▪ Check URLs, IPs, domains, email addresses, and attachments (hashes) against intelligence sources
Alert Enrichment
▪ Alert information from FireEye MVX appliances or 3rd-party sources enriched with context from iSIGHT intelligence
▪ Often includes a human-in-the-loop decision and is integrated with a ticketing system
Endpoint Containment
▪ Automate immediate endpoint containment
▪ Often integrated with enrichment and human-in-the-loop options
▪ Utilize plug-ins with FireEye HX
[Figure: three playbook flowcharts, one per use case. Abuse Mailbox nodes: FireEye Interval Adapter IMAP (checkMailbox), IMAP parseAttachmentAsEmail, Local Command CREATE HASH, Conversion Function EXTRACT DOMAIN, Virus Total LOOKUP URL / LOOKUP DOMAIN / LOOKUP HASH, iSight Threatscape LOOKUP DOMAIN / LOOKUP HASH, numbered conditions (e.g. "6 or 7 or 8 or 9 or 10", "11 & 12 & 13 & 14 & 15 & 16"), Assign Form (THREAT INTEL HASH LOOKUP, THREAT INTEL URL LOOKUP, THREAT INTEL DOMAIN LOOKUP, NOT RFC822, NO URL AND ATTACHMENT), ASSIGN GROUP <GROUP>, Close Case. Alert Enrichment nodes: IX Get MVX Alerts, Extract DOMAIN, iSight LOOKUP IP / LOOKUP HASH / LOOKUP DOMAIN, numbered conditions, QUESTION 1, Assign Form (EX ALERT SUMMARY, NX ALERT SUMMARY, THREAT INTEL DOMAIN, THREAT INTEL IP, THREAT INTEL HASH), Assign Group <GROUP>, Close Case. Endpoint Containment nodes: IX Get MVX Alerts, numbered conditions, Assign Form NX ALERT SUMMARY, ASK Contain Host? (analyst decision), HX Contain Host, ASSIGN GROUP <GROUP>, Close Case.]
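Stripped of its adapters, the abuse-mailbox playbook is a parse, hash, extract, look up, route pipeline. The following is an added example written for this transcript, not FireEye/Helix playbook code: it parses a submitted message with Python's standard `email` library, hashes attachments, extracts URLs and their domains, looks the indicators up in a small constructed `INTEL` table that stands in for the VirusTotal and iSIGHT lookups on the slide, and routes the case using the playbook's own labels (NOT RFC822, NO URL AND ATTACHMENT, escalation to <GROUP>, analyst review). The sample message, the intel entries and the action names are constructed.

```python
"""Abuse-mailbox triage in miniature: parse, hash, extract, look up, route.

Added example (not FireEye/Helix playbook code). The sample message, the
local INTEL table standing in for VirusTotal / iSIGHT lookups, and the
routing labels are constructed for this illustration.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed suspicious message, as forwarded to an abuse mailbox (not real).
SAMPLE_EMAIL = b"""\
From: billing@example.net
To: user@example.com
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review http://invoice-portal.example.net/pay?id=42 before Friday.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed stand-in for the threat-intel lookups: indicator -> verdict.
INTEL = {"invoice-portal.example.net": "malicious"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_message(raw):
    """Return the parsed message, or None when the bytes are not RFC 822 mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # No From and no Subject header at all: treat as the playbook's NOT RFC822 case.
    if msg.get("From") is None and msg.get("Subject") is None:
        return None
    return msg


def extract_indicators(msg):
    """Collect URLs, their domains, the sender address and attachment hashes."""
    urls, domains, hashes = set(), set(), {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():                         # attachment -> CREATE HASH
            data = part.get_payload(decode=True) or b""
            hashes[part.get_filename()] = {"md5": hashlib.md5(data).hexdigest(),
                                           "sha256": hashlib.sha256(data).hexdigest()}
        elif part.get_content_type() == "text/plain":  # body -> URLs -> EXTRACT DOMAIN
            for u in URL_RE.findall(part.get_content()):
                urls.add(u)
                domains.add(urlsplit(u).hostname)
    return {"urls": urls, "domains": domains, "hashes": hashes,
            "sender": parseaddr(str(msg.get("From", "")))[1]}


def lookup(ind, intel=INTEL):
    """Look every indicator up; anything not in the table is 'unknown'."""
    verdicts = {d: intel.get(d, "unknown") for d in ind["domains"]}
    verdicts[ind["sender"]] = intel.get(ind["sender"], "unknown")
    for name, h in ind["hashes"].items():
        verdicts[name] = intel.get(h["md5"], intel.get(h["sha256"], "unknown"))
    return verdicts


def triage(raw, intel=INTEL):
    """Route a submitted message by the playbook's conditions."""
    msg = parse_message(raw)
    if msg is None:
        return {"action": "close", "form": "NOT RFC822", "verdicts": {}}
    ind = extract_indicators(msg)
    if not ind["urls"] and not ind["hashes"]:
        return {"action": "close", "form": "NO URL AND ATTACHMENT", "verdicts": {}}
    verdicts = lookup(ind, intel)
    if "malicious" in verdicts.values():
        # Higher-priority incident: pulled out and escalated to a response group.
        return {"action": "escalate", "group": "<GROUP>", "verdicts": verdicts}
    return {"action": "analyst_review", "verdicts": verdicts}  # human-in-the-loop


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The two early-exit branches mirror the NOT RFC822 and NO URL AND ATTACHMENT forms on the slide; everything that carries indicators but has no known-bad verdict lands at the analyst decision point rather than being closed, which is the conservative default for an abuse mailbox.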
Expertise on Demand
▪ Amplify your team with side-by-side access to proven skills and threat insight
▪ Increase situational awareness via daily news analysis, quarterly threat briefings and finished threat intelligence
▪ Advance your security program and capabilities via training and consulting services
▪ Gain a single, trusted partner with unrivaled breadth and depth of cyber security experience and skills
FireEye Security Suite
100 to 2000 users, priced per user ($)
FireEye Security Suite: FireEye Network Security, FireEye Endpoint Security, FireEye Email Security, FireEye Helix
2019 Security Bundle – Special offer
▪ 2019 Security promotion (per user, per year)
▪ Target: 100 - 2000 users
▪ Price points shown on the slide: TW$1500, TW$3500, TW$3100, TW$1500
Thank You