Effective Incident Response: Security Orchestration and Automation (SOAR)
Miguel Carrero
Tammy Tolbert
MicroFocus ArcSight and Siemplify™
• Addressing the needs of SOCs, including:
  • Relieving resource constraints by automating routine/repeatable tasks
  • Consistency in handling of incidents through workflow automation
  • Extending reach to other enterprise tools to take action
  • Extending reach to other tools to gather additional information
• Siemplify Integrations supported for both ArcSight ESM and Investigate
INVESTIGATION
Helping analysts make faster, better decisions through visualization, context and more
REPORTING AND INSIGHTS
Measuring and tracking SOC KPIs to improve operations
SOC WORKBENCH
Managing a broad spectrum of SOC activities beyond playbooks and alert handling
SOAR Building Blocks
ORCHESTRATION & AUTOMATION
Integrations, playbooks, playbook builder, machine learning
The Only Powerfully Simple SOAR Platform
Simple and intuitive SOC workbench loved by analysts
Powerful automation and orchestration engine that can be highly customized
Life Today – Without Security Orchestration
Detect (Security Tools: ArcSight ESM / ArcSight UBA) → Correlate & Alert → Data Gathering / Triage (ArcSight Investigate) → Analysis & Decision → Response → Report → Revise & Improve
Life with Siemplify SOAR
Detect (Security Tools: ArcSight ESM / ArcSight UBA) → Correlate & Alert → Data Gathering / Triage (ArcSight Investigate) → Analysis & Decision → Response → Report → Revise & Improve!
EFFICIENCY SAVINGS
Siemplify – MicroFocus Integration
Delivering the Intelligent SOC With Siemplify and ArcSight
• Cluster, Enrich, and Contextualize alerts
• Consistently execute security processes and workflows
• Automate and optimize machine driven and human response
• Deliver comprehensive SOC visibility, case management, KPIs and business intelligence
• Contextually enhance ArcSight cases and accelerate investigations
Use Case – Siemplify and ArcSight ESM
• Attacker gains access to network (via phishing email)
• Attacker delivers malicious payload
• Attacker tries to escalate privilege by guessing the admin password (3 failed attempts)
  - ArcSight records, analyzes and passes this information to Siemplify
• Siemplify visually maps and correlates all three events above and allows the SOC analyst to analyze the threat and respond by blocking the URLs and hashes, disabling the account and closing the ticket
Information Passed by ArcSight to Siemplify
Failed login alerts correlated by ArcSight and passed to Siemplify
What the Analyst Sees in Siemplify
• Phishing email with suspicious attachment
• Malware detected
• Multiple failed logins
• Added context: additional entity-based context
• Automated response using pre-defined playbooks
How Siemplify Correlates These Events Through Visual Investigation
• Malicious payload
• Failed login attempts
• Suspicious email
Automated Response with Siemplify
• Malicious payload: block URL and hash; disable account
• Playbook to handle phishing threats
• Automated actions to speed up response
120+ Integrations: pre-packaged with our expertise, easily extensible with yours
80+ Playbooks
The Siemplify SOAR Platform
• Alert clustering = up to 80% case reduction
• Intuitive, visual and FAST investigation
• Same analyst works a threat-oriented case
• Playbooks run on a single threat-oriented case
• Manage day-to-day security operations from a single workbench
Only Siemplify Delivers
• Work fewer cases and focus on what matters the most with streamlined case handling
• Make faster, more accurate decisions with rapid case investigations to reduce dwell time and MTTR
• Go beyond automation to unify your SOC on a platform built on deep security operations expertise
• Alert clustering
• Case insights
• Case management
• Collaboration
• Crisis management
3x OPERATIONAL EFFICIENCY AND 3x FASTER INVESTIGATION COMPARED TO OTHER SOAR SOLUTIONS!
Faster Answers: A Complete SOC Workbench
• ML-based threat prioritization
• An easy-to-use interface that allows even entry-level analysts to deliver high-value work
• Contextual analysis
• Visual investigation
• Analytics and reporting
Maximum Operational Efficiency
Q&A
Thank You