Security Automation Case Study Maricopa Community Colleges Watch the full webinar replay


Page 1

Security Automation Case Study: Maricopa Community Colleges

Watch the full webinar replay

Page 2

Your Speakers

Rich Lang, Technical Director: Information Technology Security & Planning, Maricopa Community Colleges

Tammy Sexton, Vice President, LogicHub


Page 3

Page 4

PHISHING HIGHER-ED SOC AUTOMATION

Page 5

SOC AUTOMATION

• 2016 data – Higher Education hit across the country by phishing attacks

• https://www.universitybusiness.com/article/college-cyber-attacks-don-t-take-bait

• Important update from your IT Helpdesk – please login and update your profile.

• TOR, anonymous proxies used by threat actors

• Postmortem review / findings

Page 6

User Lucky ([email protected])

Page 7

• Google’s recommendation for stopping suspicious logins:

• Ask the user if they remember signing in.

• Have them check their last account activity.

• If you can’t establish the legitimacy of the sign-in, follow the Admin security checklist.

• Google Cloud Support can’t investigate alerts as they are considered sensitive and potentially private.

Page 8

• So what were you doing on the night of Friday the 13th at 2 AM at IP address 10.10.1.20?

• Do you frequently log in from the Ukraine, Iraq or Brazil?

• Have you checked your last login activity?

• I noticed you are using a free proxy service.

• Are you aware your home computer may be infected?

Page 9

• Avg daily number of employee Suspicious Logins – 50

• Avg daily number of student suspicious logins – 200

• Consider 250 events * 5 minutes / event handling: approx. two FTE dedicated to suspicious login events

• ROI less than 2 months

Page 10

Save the patient!

Is the cure worse than the disease?

I am an adjunct faculty member traveling abroad through Europe and you just shut my access down at the airport!!!

I am your CIO presenting to the board via a kiosk and you just locked me out!!!

I am your board member, my wife installed a proxy service at home for privacy.

Page 11

Enter LogicHub for the SOC

If it has a webhook it can be automated.

Sumo Logic: great for log event triggers and integrated access to G Suite APIs.

CrowdStrike to provide malware confidence scoring.

Page 12

Lots of great data and event management, but how do we reach the customer?

Twilio for the win. Right on their phone.

Page 13

Push notifications

Webhooks

Threat Intelligence

Page 14

Workflow diagram: Detect → Assess → Respond → Log → Close

SMS → Response → Action

Page 15

Page 16

• The alert is sent from Sumo Logic into LogicHub.

• Sumo Logic, CrowdStrike, LogicHub, Twilio

• This flow captures the work that would be done manually if we had the resources.

Page 17

• A text message is sent via Twilio.

• This flow can be modified. Example: add an action to send a text message to IT security if the user is an admin, a financial aid processor, or has access to wire transfers.

• Any action can be 24x7 or just during the work day or school year.

Page 18

• LogicHub created an action that opens a case in ServiceNow for purposes of the POC.

• In the test case, Lucky User had responded “yes” to the text, which is automatically documented in the case that LogicHub automatically opened.

• This action could easily be modified to use our Case Management System via API access.

Page 19

• Lucky User - The Information Security Office has received notification of suspicious activity from your account. IP: 72.216.244.24 Login Time: 2018-06-12T14:17:30.000Z Please reply with “Y” or “YES” if this WAS you. Please reply with a “N” or “NO” if this WAS NOT you. Maricopa Community Colleges will never ask you for your password, and you may contact the Information Security Office to verify the validity of this message at 480-7xx-xxxx or [email protected].

Page 20

• Because the user has not entered a mobile phone number, we are resetting their password.
  Time: 2018-06-12T21:33:18.000Z UTC
  Name: Lucky User
  Title: Music Instruction Hrly
  Suspicious login from: , United States
  Login IP: 2600:8800:2c00:e430:4577:2b1d:f130:5a3f

• Because the user did not respond, we reset their password.
  Time: 2018-06-12T16:21:22.000Z UTC
  Name: Ima Teepot
  Title: Tech Support Specialist
  Suspicious login from: Ashburn, United States
  Login IP: 54.208.84.215
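The flow on pages 16 through 20 (alert in, SMS to the user, branch on the Y/N reply, reset the password when nobody can vouch for the login, document it in a case, optionally page IT security for high-risk roles) is easier to reason about as code. The script below is an added example and is not LogicHub's, Sumo Logic's, Twilio's or Maricopa's code: every function, field and role name is hypothetical, the contact number is a placeholder, the sample events are constructed, and the SMS, password-reset, case and paging transports are injected callables so the decision logic runs offline. It goes slightly beyond the slides by treating an uninterpretable reply as "unverified" rather than as confirmation, in the spirit of the "build in error handling" lesson on page 22.

```python
# Added example: simulation of the suspicious-login triage flow from slides 16-20.
# Not vendor code; all names are hypothetical and transports are injected stubs.
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Callable, Dict, List, Optional

YES = {"Y", "YES"}
NO = {"N", "NO"}
# Roles whose suspicious logins also page IT security (slide 17's example rule).
HIGH_RISK_TITLES = {"admin", "financial aid processor"}


@dataclass
class SuspiciousLogin:
    name: str
    email: str
    title: str
    login_ip: str
    location: str                # "City, Country"; may be empty, as on slide 20
    login_time: datetime
    mobile: Optional[str]        # None when the user never entered a number
    wire_transfer_access: bool = False


@dataclass
class Outcome:
    action: str                  # "confirmed" or "password_reset"
    reason: str
    escalated: bool
    notes: List[str] = field(default_factory=list)


def build_sms(ev: SuspiciousLogin, contact: str = "480-7xx-xxxx") -> str:
    """User-facing text modelled on the slide 19 template; contact is a placeholder."""
    return (f"{ev.name} - The Information Security Office has received notification of "
            f"suspicious activity from your account. IP: {ev.login_ip} Login Time: "
            f"{ev.login_time.isoformat()} Please reply with \"Y\" or \"YES\" if this WAS you. "
            f"Please reply with \"N\" or \"NO\" if this WAS NOT you. We will never ask you "
            f"for your password; verify this message at {contact}.")


def build_reset_notice(ev: SuspiciousLogin, reason: str) -> str:
    """IT-security notification laid out like the slide 20 messages."""
    return (f"{reason}, we are resetting their password.\n"
            f"Time: {ev.login_time.isoformat()} UTC\nName: {ev.name}\nTitle: {ev.title}\n"
            f"Suspicious login from: {ev.location}\nLogin IP: {ev.login_ip}")


def is_high_risk(ev: SuspiciousLogin) -> bool:
    return ev.title.lower() in HIGH_RISK_TITLES or ev.wire_transfer_access


def in_work_hours(ts: datetime, start: time = time(7), end: time = time(18)) -> bool:
    """Slide 17: an action may run 24x7 or only during the work day; this is the work-day gate."""
    return ts.weekday() < 5 and start <= ts.time() < end


def triage(ev: SuspiciousLogin,
           send_sms: Callable[[str, str], Optional[str]],     # returns the reply, None on timeout
           reset_password: Callable[[str], None],
           open_case: Callable[[str, str], None],
           page_security: Callable[[str], None],
           escalation_window: Callable[[datetime], bool] = lambda ts: True) -> Outcome:
    """Decision flow from slides 16-20; escalation is 24x7 unless a window is supplied."""
    notes: List[str] = []
    escalated = False
    if is_high_risk(ev) and escalation_window(ev.login_time):
        page_security(f"High-risk account {ev.email}: suspicious login from {ev.login_ip}")
        escalated = True
        notes.append("IT security paged (high-risk role)")
    if not ev.mobile:                      # slide 20, first message: nobody to ask
        reason = "Because the user has not entered a mobile phone number"
        reset_password(ev.email)
        open_case(ev.email, reason)
        notes.append(build_reset_notice(ev, reason))
        return Outcome("password_reset", "no mobile number", escalated, notes)
    reply = send_sms(ev.mobile, build_sms(ev))
    reply = reply.strip().upper() if reply else None
    if reply in YES:                       # slide 18: the "yes" is documented in the case
        open_case(ev.email, f"user replied {reply}: login confirmed legitimate")
        notes.append("case opened with user confirmation")
        return Outcome("confirmed", "user confirmed", escalated, notes)
    if reply is None:                      # slide 20, second message
        reason = "Because the user did not respond"
    elif reply in NO:
        reason = "Because the user reported the login was not theirs"
    else:                                  # slide 22: error handling for replies we cannot read
        reason = f"Because the user's reply {reply!r} could not be interpreted"
    reset_password(ev.email)
    open_case(ev.email, reason)
    notes.append(build_reset_notice(ev, reason))
    return Outcome("password_reset", reason, escalated, notes)


def run_demo(replies: Dict[str, Optional[str]]):
    """Run constructed events through triage with in-memory stubs; returns (outcomes, actions)."""
    actions: Dict[str, list] = {"sms": [], "reset": [], "case": [], "page": []}
    t = datetime(2018, 6, 12, 16, 21, 22, tzinfo=timezone.utc)
    events = [   # constructed sample data, not real accounts or addresses
        SuspiciousLogin("Lucky User", "lucky@example.edu", "Music Instruction Hrly",
                        "203.0.113.10", ", United States", t, None),
        SuspiciousLogin("Ima Teepot", "ima@example.edu", "Tech Support Specialist",
                        "203.0.113.11", "Ashburn, United States", t, "+15550001"),
        SuspiciousLogin("Pat Aid", "pat@example.edu", "Financial Aid Processor",
                        "203.0.113.12", "Kyiv, Ukraine", t, "+15550002"),
    ]

    def send_sms(mobile, body):
        actions["sms"].append(mobile)
        return replies.get(mobile)

    outcomes = [triage(ev, send_sms,
                       lambda email: actions["reset"].append(email),
                       lambda email, note: actions["case"].append((email, note)),
                       lambda msg: actions["page"].append(msg)) for ev in events]
    return outcomes, actions
```

Calling `run_demo({"+15550001": None, "+15550002": "n"})` reproduces the two page 20 outcomes (no mobile number, no response) and shows the page 17 rule paging IT security for the financial-aid account; passing `escalation_window=in_work_hours` to `triage` instead of the default turns that paging into a work-day-only action, which is the knob page 17 describes.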

Page 21

Best Practices

Validate Data Integration Sources

Enlist Peers to Test the System

Scope The Prototype

Set Your Expectations

Fail Fast

Page 22

Lessons Learned

Consider Event Timing / Synchronization

Build in Error Handling

Enlist Communications Team

Start with Modest Workflow

Page 23

Page 24

LogicHub Automates:

Alert Triage – Reduce false positives by 95%

Incident Response – Reduce response times (MTTR)

Threat Hunting – Detect unknown threats

Page 25

Next Generation Security Automation (funnel diagram; labels in the order they appear on the slide):

Security Events – BILLIONS

Alerts – THOUSANDS

Eliminate False Positives – HUNDREDS

Incidents – TENS

Other diagram labels: Ignored Notifications, Detection Rules, Traditional SOA Vendors, Threat Hunting / Alert Triage / Incident Response

• Founded in 2015

• Headquarters: Mountain View, CA

Page 26

Security Automation Platform (diagram): End-to-End Intelligent Automation for Detection and Response

Ingestion Framework – Alerts, Threat Intelligence, Cloud Logs, Security Products, Log Aggregators, SIEMs

Integration Framework – Security Products, Case Management, Network Management, Any API enabled system

Automation Framework – Human Feedback, Deep Ranking

Page 27

LogicHub Integrations: 90+ and counting, including:

Investigative – freegeoip, ICANN WHOIS, ET Intelligence, dig

Ticketing Systems

SIEMs

Threat Intelligence

Vulnerability Management

Remote Access

Identity Management

Messaging

Cloud – AWS CloudTrail, VPC Flow Logs

Endpoint

Page 28

LogicHub Sample Use Cases

Page 29

Thank You!

Tammy Sexton

VP Sales, 612-961-6672

[email protected]

Page 30

Q & A