»Automation in modern Incident Detection & Response (IDR) process«
2019-05-17, 11:00–11:40, Main Hall
Incident Detection & Response requires People to think, Tools to provide data and analytics, and Processes to avoid fuckups and assure quality. But with more alerts, analysis takes more time, while decisions and, moreover, actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes.
In our presentation, we'd like to share with the community our lessons learned during building and running advanced IDR practice. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered.
I'd share how we automate some of the routine, and why knowledge of Python + APIs is vital these days for any security professional: how these simple skills can help to feed analysts with the key insight needed to take a proper decision and action (!) in a reasonable time.
We will talk about scenarios for massive investigations on 1000+ endpoints, share practical tips on how organizations can improve their cybersecurity capabilities by applying “Assume a Breach” and "Zero Trust" frameworks, what can be integrated/automated with what, and how the security controls ecosystem should pass information to, and receive commands for action from, the available security systems and applications.
We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge and make this delivery effective and valuable for engineers looking to improve their defense. We'd also like to discuss a variety of actions to be taken after an incident is confirmed. In our demo, we'd use popular tools like Cisco ASA IPS (Firepower), Splunk ES, Phantom as SOAR and Anomali as TI.
Come and take it.