Effective Incident ResponseSecurity Orchestration and Automation (SOAR)

Miguel Carrero

Tammy Tolbert

MicroFocus ArcSight and Siemplify™

• Addressing the needs of SOCs, including:• Relieving resource constraints by automating routine/repeatable

tasks

• Consistency in handling of incidents through workflow automation

• Extending reach to other enterprise tools to take action

• Extending reach to other tools to gather additional information

• Siemplify Integrations supported for both ArcSight ESM and Investigate

INVESTIGATION

Helping analysts make faster, better decisions through visualization, context and more

REPORTING AND INSIGHTS

Measuring and tracking SOC KPIs to improve operations

SOC WORKBENCH

Managing a broad spectrum of SOC activities beyond playbooks and alert handling

SOAR Building Blocks

ORCHESTRATION & AUTOMATION

Integrations, playbooks, playbook builder, machine Learning

company confidential

The Only Powerfully Simple SOAR Platform

Simple and Intuitive SOC Workbench

loved by analysts

Powerful automation and

orchestration engine that can be

highly customized

Life Today – Without Security Orchestration

Detect

Security

Tools

ArcSight ESM/

ArcSight UBA

Correlate &

Alert

Data

Gathering

/ Triage

ArcSight

Investigate

Analysis &

Decision

Response

Report

Revise &

Improve

Life with Siemplify SOAR

Detect

Security

Tools

ArcSight ESM/

ArcSight UBA

Correlate &

Alert

Data

Gathering

/ Triage

ArcSight

Investigate

Analysis &

Decision

Response

Report

Revise &

Improve!

E F F I C I E N C Y S A V I N G S

Siemplify – MicroFocus Integration

Delivering the Intelligent SOC With Siemplify and ArchSight

• Cluster, Enrich, and Contextualize alerts

• Consistently execute security processes and workflows

• Automate and optimize machine driven and human response

• Deliver comprehensive SOC visibility, case management, KPI’s a business intelligence

• Contextually enhance ArcSight cases and accelerate investigations

Use Case – Siemplify and ArcSight ESM

• Attacker gains access to network (via phishing email)

• Attacker delivers malicious payload

• Attacker tries to escalate privilege by guessing admin password (3 failed attempts)

- ArcSight records, analyzes and passes this information to Siemplify

• Siemplify visually maps and correlates all three events above and allows the SOC analyst to analyze the threat and respond by blocking the URLs, hashes as well as disable the account and close the ticket

Information Passed by ArchSight to Siemplify

Failed Login Alerts correlated by ArcSight

and passed to Siemplify

What the Analyst Sees in Siemplify

Phishing Email with

Suspicious

attachment

Malware

Detected

Added ContextAutomated response

using pre-defined

playbooks

Multiple

failed logins

Additional

Entity based

Context

How Siemplify Correlates These Events Through Visual Investigation

Malicious Playload

Failed Login

Attempts

Suspicious Email

Automated Response with Siemplify

Malicious Playload

Block URL and Hash Disable Account

Playbook to handle Phishing threats

Automated Actions to

Speed up Response

120+ Integrations

Pre-packaged with our expertise Easily extensible with yours

80+ Playbooks

The Siemplify SOAR Platform

Alert clustering =

up to 80% case reduction

Intuitive, visual and

FAST investigation

Same analyst works a

threat-oriented case

Playbooks run on a single

threat-oriented case

Manage day-to-day

security operations from

a single workbench

Only Siemplify Delivers

Work fewer cases and focus on

what matters the most with

streamlined case handling

Make faster, more accurate

decisions with rapid case

investigations to reduce dwell

time and MTTR

Go beyond automation to unify

your SOC on a platform built on

deep security operations

expertise

• Alert clustering• Case insights

• Case management

• Collaboration

• Crisis Management

3x OPERATIONAL EFFICIENCY AND 3x FASTER INVESTIGATION

COMAPRED TO OTHER SOAR SOLUTIONS!

Faster Answers A Complete SOC Workbench

• ML-based threat prioritization

• An easy-to-use interface that

allows even entry-level analysts

to deliver high-value work

• Contextual analysis

• Visual investigation • Analytics and reporting

Maximum Operational Efficiency

Q&A

Thank You