Automated Response in Cyber Security SOC with Actionable Threat Intelligence
“while its biggest weakness is lack of visibility: SOCs still can’t detect previously unknown threats, which is a consistent problem across many other SANS surveys. The survey also found a need for more automation across the prevention, detection and response functions”
SANS: Threat Intelligence White Paper
Source: https://www.sans.org/reading-room/whitepapers/analyst/threat-intelligence-is-effectively-37282
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
6 | © 2015, Palo Alto Networks. Confidential and Proprietary.
[Figure: the adversary market is automated, scalable, specialized and collaborative; attack lifecycle stages: Research, Infiltration, Discovery, Capture, Exfiltration]
The Challenges of the CISO and CIO
[Figure: the challenges of the CISO and CIO]
Adversary market: Hacking-as-a-service, DDoS-as-a-service, Malware-as-a-service, Ransomware-as-a-service
Alert stream: DNS, Endpoint, AV, SMTP and Web alerts arriving repeatedly from many sources
DETECTION: SIEM, manual correlation
INCIDENT RESPONSE ($): Firewall, IPS, Proxy, APT, SSL, Endpoint, DDoS, WAF, Email
CISO challenges: people resources, manual response, complexity, high incident volume, regulation, compliance, governance
Challenges & Cyber Security SOC Requirements
- Reduce attack surface
- Prioritize critical threats
- Reduce false positives
- Add attack context
- Accelerate incident handling workflows and automated proactive response
VOLUME: increased attack volume from automated adversaries
ALERTS: too many alerts from too many sources, without context
COMPLEXITY: highly manual response with complex workflows
Today’s Security Operation Center (SOC) Workflow
[Figure: today's SOC workflow]
Log sources: Firewall 1,2,3,4, IPS, Proxy, APT, Endpoint, Security Log -> SIEM
Third-party threat intel: IOC only (IP, URL, Domain)
Free community search, e.g. VirusTotal, URL blacklists, malwaredomain: only some IOCs provided, less detailed
Search & Query -> Investigate -> Summary Report -> Security Admin -> Inform actions -> Take actions manually
Metrics for success
TIME TO IDENTIFICATION: decrease time to identify new, targeted attacks
TIME TO ERADICATION: speed mitigation without adding specialized staff
How to improve security incident response operation workflow?
1. Using the global threat intelligence cloud
[Figure: Threat Intelligence Cloud (WildFire): malware signatures (billions), C&C/DNS signatures (millions), URL signatures (billions); fed by Malware/APT feeds, 3rd-party feeds and the Passive DNS Network; >15,000 WildFire global enterprise customers]
• Real-world attacks from WildFire, the industry's largest network-sandbox service
• Cyber Threat Alliance: sharing threat information
• 3rd-party feeds, closed and open-source intel
• Palo Alto Networks Global Passive DNS Network
• Unit 42, TI and research team
Threat Intelligence: Detecting the unknown… at scale
- 150M samples/month
- WildFire delivers over 100K new protections to customers per day
- AutoFocus contains over 2B files and over 500B artifacts (and growing)
- Over 1000 AutoFocus tags add human-curated intelligence to over 80% of yearly malware incidents
- Known good files = reduce FP; known bad files = reduce FN
- Enriched information
Demo: Context from Autofocus
Context (threat): malware families, attack campaigns, exploits, malicious behavior, threat actors
Context (scope): my org, my industry and global view; top malware; top application malware; top source, destination, country
Context (sample): malware dynamic & static analysis; malware behavior; indicators of attack and compromise; top attack source, destination and country
Sample indicators shown in the demo:
- IP: 185.127.25.176
- Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- URL: phil-army.gotdns.org/4c4f4f50/archive/512321505.html
Using Large Global Threat Intelligence Source
[Figure: SOC workflow with a large global threat intelligence source]
Log sources: Firewall 1,2,3,4, IPS, Proxy, APT, Endpoint, Security Log -> SIEM
Third-party threat intel feed: IOC only (IP, URL, Domain)
Deep information provided for investigation: threat actors, malware family, adversary campaign, target industries, alert prioritization, malicious behavior, exploit techniques, context (IP, connectivity, domain, URL, passive DNS, etc.)
Search & Query -> accurate summary report, more actionable actions -> Security Admin -> inform & provide actionable controls -> take actions manually
2. Orchestrate Threat Intelligence and Enforce Prevention-based Control Automatically
[Figure: threat intelligence feeds and private feeds -> threat intelligence platforms -> network enforcers, endpoint enforcers, SIEM]
• Aggregate and correlate TI feeds
• Automated enforcement of prevention-based control
Threat Intel Aggregator Architecture
Input: threat feeds
• OSINT
• Commercial
• Organization (CERT, ISAC)
• AutoFocus
Processors
• IPv4/IPv6 aggregator
• URL aggregator
• Domain aggregator
Outputs
• JSON
• STIX/TAXII
• External Dynamic List (EDL)
• Elastic Logstash
Consumers: endpoint enforcers, network enforcers (FW, IPS), SIEM
Reduce False Positives by Correlating TI
[Figure: IP, DNS and URL indicator lists from 3rd-party threat intel -> cross check & correlation -> export IOC -> endpoint enforcers, network enforcers (FW, IPS), SIEM]
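The aggregator architecture on the previous slide (feed inputs, IP/URL/domain processors, JSON and EDL outputs) and the cross-check step on this one fit together in one small program. The following is an added example written for this page; it is not MineMeld's code or any Palo Alto Networks code. The feed names, the indicator values and the rule that an indicator needs two independent feeds before it is exported are all constructed assumptions.

```python
"""Minimal threat-intel aggregator with a cross-check stage (added example).

Input     : several feeds (OSINT, commercial, CERT/ISAC), constructed inline.
Processors: one normaliser each for IP, domain and URL indicators; each
            processor also records which feeds reported the indicator.
Cross-check: an indicator is exported only when MIN_SOURCES independent feeds
            agree, which is the correlation step used to cut false positives.
Outputs   : a JSON document for a SIEM, and an External Dynamic List (EDL),
            one indicator per line, of the shape a network enforcer polls.
"""
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlsplit

MIN_SOURCES = 2  # assumption: two independent feeds before we enforce

# Constructed sample feeds (documentation ranges, not real threat data).
FEEDS = {
    "osint_list": [
        ("ip", "203.0.113.10"),
        ("ip", "203.0.113.10/32"),
        ("domain", "Bad.Example.NET."),
        ("url", "http://bad.example.net/path/a.php?x=1"),
        ("ip", "not-an-ip"),
    ],
    "commercial_feed": [
        ("ip", "203.0.113.10"),
        ("domain", "bad.example.net"),
        ("url", "HTTP://BAD.EXAMPLE.NET/path/a.php"),
        ("ip", "198.51.100.7"),
    ],
    "isac_share": [
        ("domain", "lonely.example.org"),
        ("ip", "2001:db8::1"),
        ("ip", "2001:DB8:0:0:0:0:0:1"),
    ],
}


def normalise_ip(raw):
    """Canonical IPv4/IPv6 host address; a /32 or /128 counts as a host. None if invalid."""
    try:
        net = ipaddress.ip_network(raw.strip(), strict=False)
    except ValueError:
        return None
    if net.num_addresses != 1:
        return None  # ranges are out of scope for this example
    return str(net.network_address)


def normalise_domain(raw):
    """Lower-case, strip whitespace and the trailing dot of an FQDN."""
    value = raw.strip().lower().rstrip(".")
    if not value or "/" in value or " " in value:
        return None
    return value


def normalise_url(raw):
    """Lower-case scheme and host, keep path and query, drop the fragment."""
    parts = urlsplit(raw.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}{query}"


PROCESSORS = {"ip": normalise_ip, "domain": normalise_domain, "url": normalise_url}


def aggregate(feeds):
    """Run every raw indicator through its processor; map (type, value) -> set of feed names."""
    store = defaultdict(set)
    for feed_name, entries in feeds.items():
        for kind, raw in entries:
            proc = PROCESSORS.get(kind)
            value = proc(raw) if proc else None
            if value is None:
                continue  # unknown type or malformed indicator: dropped, never enforced
            store[(kind, value)].add(feed_name)
    return store


def cross_check(store, min_sources=MIN_SOURCES):
    """Keep only indicators corroborated by at least min_sources distinct feeds."""
    return {key: sorted(srcs) for key, srcs in store.items() if len(srcs) >= min_sources}


def export_json(confirmed):
    """JSON records with the corroborating feeds, suitable for a SIEM lookup table."""
    records = [
        {"type": kind, "indicator": value, "sources": srcs, "confidence": len(srcs)}
        for (kind, value), srcs in sorted(confirmed.items())
    ]
    return json.dumps(records, indent=2)


def export_edl(confirmed, kind):
    """External Dynamic List: one indicator of the given type per line, nothing else."""
    return "\n".join(value for (k, value) in sorted(confirmed) if k == kind) + "\n"


if __name__ == "__main__":
    confirmed = cross_check(aggregate(FEEDS))
    print(export_json(confirmed))
    print(export_edl(confirmed, "ip"))
```

With the constructed feeds, only the IP and the domain that appear in both osint_list and commercial_feed survive the cross-check; the two URL entries differ in their query string, so they stay at one source each and are not exported, which is the kind of near-duplicate a production aggregator would need an explicit policy for.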
Orchestrate TI and Automatically Enforce Prevention-based Control
[Figure: orchestrated SOC workflow]
Log sources: Firewall 1,2,3,4, IPS, Proxy, APT, Endpoint, Security Log -> SIEM
Deep information provided for investigation: threat actors, malware family, adversary campaign, target industries, alert prioritization, malicious behavior, exploit techniques, context (IP, connectivity, domain, URL, passive DNS, etc.)
Search & Query -> accurate summary report, more actionable actions -> Security Admin
3rd-party threat intel (IP, DNS and URL lists) -> IOC feed (JSON, STIX) -> cross check & IOC export -> automated IOC polling for prevention (API call, JSON, STIX); watchlist & traceback
How it Works
[Figure: how it works]
On premise: endpoint, SIEM, firewall, proxies, local MineMeld
Cloud: MineMeld TI consolidator, AutoFocus, 3rd-party TI feeds, WildFire threat big data
Flow: samples -> context -> match; cross check and search against the indicator store; actionable threat intel export -> automated prevention control
Why Do We Need a Security Platform?
[Figure: legacy security responses increase complexity. Workflow complexity grows with each standalone control layered on: firewall (stateful inspection), web security gateway (proxy), intrusion prevention, legacy AV controls, sandboxing, SIEM. Next-generation Security Platform: full visibility at all locations, prevent zero-day threats, speed security analysis workflows]
Key Benefits
1. Provide full visibility and prevention on all risk locations
2. Reduce complexity
3. Decrease the number of events per second
4. Reduce log storage
5. Reduce false positive events
6. Improve detection, response & forensic times
7. Accelerate incident handling & response workflow