Security Automation For Malware Alerts - PowerPoint PPT Presentation

Description:

Security automation can take care of the entire data collection process and present analysts with actionable information in a fraction of the time it would take them to manually aggregate the necessary details. Security automation and orchestration can save time by taking charge of sending the suspicious files to the sandbox environment, obtaining the results, and delivering them to your screen in a concise report.


1
Security Automation
  • for Malware Alerts

2
Introduction
  • This deck covers automating the triage and incident
    response for malware alerts, walking through the
    steps to automate some of the most common SOC
    processes.

3
Why Malware?
  • Malware makes our list for two main reasons.
    First, malware alerts have inherently low
    fidelity, especially in large organizations. The
    sheer volume of malware-related alerts can easily
    inundate SOC teams, who need to correlate data
    from various sources/alerts to gain context but
    are faced with low signal-to-noise ratios.

4
Malware Infections
  • Because some malware infections can contaminate
    several systems in a very short period of time,
    quick response is an absolute necessity. If the
    malware has worm-like attributes, it can spread
    through your network, and even to adjoining
    networks, in just a matter of hours.

5
Automation For Malware
  • Security automation can take care of the entire
    data collection process and present analysts with
    actionable information in a fraction of the time
    it would take them to manually aggregate the
    necessary details. Instead of spending a lot of
    time on a swivel-chair interface for data
    integration/correlation, analysts can view all
    the information they need through a single pane
    of glass and go straight to decision-making.

6
Data Gathering
  • Before SOC teams can respond to a malware alert,
    they need to go through a time-consuming and
    tedious process that begins with data gathering
    and user or host enrichment. Raw data from a
    single or even a handful of malware alerts is not
    enough to provide actionable information.

7
Threat Intelligence Data
  • You'll also need to compare the data you just
    gathered with your threat intelligence and web
    intelligence. What do they say about the hash you
    just obtained? Is it associated with a known
    malware family? What do they say about the URL the
    suspected malware was connecting to? Is it a known
    C&C server?

8
Security Integrations
  • To get all that information and obtain the best
    context, you'll have to run the suspected malware
    through a series of scans, tests and a host of
    other procedures via your security orchestration
    integrations:
  • VirusTotal for a hash
  • SEP (Symantec Endpoint Protection) for additional
    context
  • Nessus for vulnerability information
  • SCCM to get context from asset information
  • And so on

9
Automated Analysis
  • As not all malware (zero-day threats in
    particular) can be detected through signature and
    basic heuristic-based scans, you'll often need to
    send the file to a sandbox like Cuckoo for
    further analysis.
  • Security automation and orchestration can save
    time by taking charge of sending the suspicious
    files to the sandbox environment, obtaining the
    results, and delivering them to your screen in a
    concise report.
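The pipeline described on slides 6 through 9 (gather the alert data, compare the hash and URL against threat intelligence, detonate the file in a sandbox, and deliver a concise report) can be sketched as a small triage function. The code below is an added example and is not from the presentation or any vendor; the VirusTotal, URL-reputation and Cuckoo lookups are replaced by constructed in-memory tables so it runs offline, and the hash-ratio and sandbox-score thresholds are assumed values, not ones the deck states. It also carries the first-level determination of slide 10 so the report ends with a verdict and its reasons.

```python
"""Automated triage of a malware alert: gather, enrich, decide, report.

Added example, not taken from the presentation. The lookups are
constructed stand-ins for VirusTotal, a URL-reputation feed and a
sandbox such as Cuckoo, so the pipeline runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed threat-intelligence tables (placeholder hashes, reserved hostnames).
HASH_INTEL: Dict[str, Tuple[int, int, Optional[str]]] = {
    # sha256 -> (engines flagging it, engines that scanned it, family label)
    "a" * 64: (52, 70, "Trojan.Generic"),
    "b" * 64: (0, 70, None),
}
URL_INTEL: Dict[str, str] = {"http://c2.example.invalid/beacon": "known-c2"}
SANDBOX: Dict[str, Dict] = {
    "a" * 64: {"score": 9, "behaviours": ["persistence", "network-beacon"]},
    "c" * 64: {"score": 6, "behaviours": ["process-injection"]},
}
HASH_RATIO_THRESHOLD = 0.30          # assumed: fraction of engines that must flag the hash
SANDBOX_MALICIOUS, SANDBOX_SUSPICIOUS = 8, 5   # assumed sandbox score cut-offs


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    sha256: str
    url: Optional[str] = None


@dataclass
class Enrichment:
    hash_hits: int = 0
    hash_engines: int = 0
    family: Optional[str] = None
    url_reputation: str = "unknown"
    sandbox_score: Optional[int] = None
    behaviours: List[str] = field(default_factory=list)


def lookup_hash(sha256: str) -> Tuple[int, int, Optional[str]]:
    """Stand-in for a VirusTotal hash query; an unknown hash has no engine results."""
    return HASH_INTEL.get(sha256, (0, 0, None))


def lookup_url(url: Optional[str]) -> str:
    """Stand-in for a URL / web-intelligence reputation query."""
    return URL_INTEL.get(url, "unknown") if url else "none"


def submit_to_sandbox(sha256: str) -> Optional[Dict]:
    """Stand-in for submitting the sample and polling the sandbox for its verdict."""
    return SANDBOX.get(sha256)


def enrich(alert: Alert) -> Enrichment:
    """Collect every piece of context the analyst would otherwise gather by hand."""
    hits, engines, family = lookup_hash(alert.sha256)
    enr = Enrichment(hash_hits=hits, hash_engines=engines, family=family,
                     url_reputation=lookup_url(alert.url))
    result = submit_to_sandbox(alert.sha256)
    if result:
        enr.sandbox_score = result["score"]
        enr.behaviours = list(result["behaviours"])
    return enr


def first_level_determination(enr: Enrichment) -> Tuple[str, List[str]]:
    """Initial verdict plus the reasons behind it, so an analyst can check the call."""
    reasons: List[str] = []
    if enr.hash_engines and enr.hash_hits / enr.hash_engines >= HASH_RATIO_THRESHOLD:
        reasons.append(f"hash flagged by {enr.hash_hits}/{enr.hash_engines} engines ({enr.family})")
    if enr.url_reputation == "known-c2":
        reasons.append("contacted URL is a known C&C server")
    if enr.sandbox_score is not None and enr.sandbox_score >= SANDBOX_MALICIOUS:
        reasons.append(f"sandbox score {enr.sandbox_score}: {', '.join(enr.behaviours)}")
    if reasons:
        return "malicious", reasons
    if enr.sandbox_score is not None and enr.sandbox_score >= SANDBOX_SUSPICIOUS:
        return "suspicious", [f"sandbox score {enr.sandbox_score}: {', '.join(enr.behaviours)}"]
    if enr.hash_engines and enr.hash_hits == 0:
        return "benign", [f"0/{enr.hash_engines} engines flag the hash"]
    # Nothing known about the hash, the URL or the sandbox run: hand it to a person.
    return "needs-analyst", ["no intelligence available for hash, URL or sandbox"]


def triage(alert: Alert) -> Dict:
    """The concise report delivered to the analyst's screen."""
    enr = enrich(alert)
    verdict, reasons = first_level_determination(enr)
    return {"alert_id": alert.alert_id, "host": alert.host, "user": alert.user,
            "sha256": alert.sha256, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for a in [Alert("A-1", "ws-01", "alice", "a" * 64, "http://c2.example.invalid/beacon"),
              Alert("A-2", "ws-02", "bob", "b" * 64),
              Alert("A-3", "ws-03", "carol", "c" * 64)]:
        print(triage(a))
```

The verdict deliberately returns "needs-analyst" rather than "benign" when no source knows the hash: an absence of intelligence is not evidence of safety, and that is the case most worth routing to a human.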

10
First-level Determination
  • First-level determination refers to the stage
    wherein analysts make an initial assessment based
    on the information gathered from the previous two
    stages and then arrive at a decision. Although
    some organizations might opt to do this manually,
    i.e. leaving the decision-making to the analyst,
    it's also something that can be completely
    delegated to automation solutions that leverage
    machine learning-powered analytics platforms.

11
Deeper Investigation
  • Some cases require deeper investigation. This
    would typically entail things like looking into
    your endpoint tools to obtain other pieces of
    information
  • What were the other hosts (if any) in the
    organization where the hash in question
    manifested?
  • What were the activities going on in those
    endpoints over the last 10 minutes when that
    specific alert was generated?
  • Who were the end users logged in?
  • What network connections were involved?

12
Feedback/Remediation
  • Last but not least is the feedback/remediation
    stage. At this stage, SOC teams typically
    perform a series of tasks that improve the
    organization's security posture - blacklisting
    the hash or URL, performing an intelligence
    update, updating security sensors, re-imaging
    systems, and so on. All these - you guessed it -
    can be partially or fully automated, depending on
    the policies within your organization.
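The four questions on slide 11 (other hosts where the hash appeared, activity on those endpoints in the ten minutes before the alert, logged-in users, network connections) and the remediation actions on slide 12 are both queries and decisions over endpoint telemetry, which the following added example works through. It is not from the presentation; the event list is constructed to stand in for an EDR query result, the hashes and addresses are placeholders, and the split between actions that run automatically and those needing approval is an assumed policy, shown as a flag rather than a recommendation.

```python
"""Deeper investigation and remediation for a malware alert.

Added example, not part of the presentation. The endpoint telemetry is
constructed to stand in for an EDR query, so everything runs offline.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

SUSPECT_HASH = "a" * 64        # constructed placeholder for the hash in question
OTHER_HASH = "f" * 64          # constructed placeholder for an unrelated binary
WINDOW = timedelta(minutes=10)  # the "last 10 minutes" before the alert fired

# Constructed endpoint events: timestamp, host, logged-in user, event type, detail.
EVENTS: List[Dict] = [
    {"ts": "2024-05-01T09:30:00", "host": "ws-01", "user": "alice", "type": "netconn", "detail": "192.0.2.5:80"},
    {"ts": "2024-05-01T09:40:00", "host": "ws-02", "user": "bob", "type": "process", "sha256": SUSPECT_HASH, "detail": "invoice.exe"},
    {"ts": "2024-05-01T10:00:05", "host": "ws-01", "user": "alice", "type": "process", "sha256": SUSPECT_HASH, "detail": "invoice.exe"},
    {"ts": "2024-05-01T10:02:10", "host": "ws-01", "user": "alice", "type": "netconn", "detail": "203.0.113.9:443"},
    {"ts": "2024-05-01T10:03:00", "host": "ws-03", "user": "carol", "type": "process", "sha256": OTHER_HASH, "detail": "chrome.exe"},
    {"ts": "2024-05-01T10:04:00", "host": "ws-02", "user": "bob", "type": "netconn", "detail": "203.0.113.9:443"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def hosts_with_hash(events: List[Dict], sha256: str) -> List[str]:
    """Every host in the organization on which the hash manifested, at any time."""
    return sorted({e["host"] for e in events if e.get("sha256") == sha256})


def investigate(events: List[Dict], sha256: str, alert_ts: str) -> Dict[str, Dict]:
    """Per affected host: users, activity and connections inside the look-back window."""
    alert_time = parse_ts(alert_ts)
    start = alert_time - WINDOW
    report: Dict[str, Dict] = {}
    for host in hosts_with_hash(events, sha256):
        window_events = [e for e in events
                         if e["host"] == host and start <= parse_ts(e["ts"]) <= alert_time]
        report[host] = {
            "users": sorted({e["user"] for e in window_events}),
            "activity": [(e["ts"], e["type"], e["detail"]) for e in window_events],
            "connections": sorted({e["detail"] for e in window_events if e["type"] == "netconn"}),
        }
    return report


def remediation_plan(investigation: Dict[str, Dict], sha256: str,
                     known_bad: Set[str], auto_isolate: bool = False) -> List[Dict]:
    """Turn the investigation into remediation actions.

    `auto` marks what the (assumed) policy lets orchestration execute on its own;
    everything else is queued for analyst approval. Destinations are only
    blocklisted when threat intelligence already confirms them; destinations
    merely shared by several infected hosts are flagged for review instead.
    """
    actions = [{"action": "blocklist-hash", "target": sha256, "auto": True}]
    seen_on: Dict[str, int] = {}
    for host_report in investigation.values():
        for dest in host_report["connections"]:
            seen_on[dest] = seen_on.get(dest, 0) + 1
    for dest, count in sorted(seen_on.items()):
        if dest in known_bad:
            actions.append({"action": "blocklist-destination", "target": dest, "auto": True})
        elif count > 1:
            actions.append({"action": "review-indicator", "target": dest, "auto": False})
    for host in investigation:
        actions.append({"action": "isolate-host", "target": host, "auto": auto_isolate})
        actions.append({"action": "reimage-host", "target": host, "auto": False})
    return actions


if __name__ == "__main__":
    inv = investigate(EVENTS, SUSPECT_HASH, "2024-05-01T10:05:00")
    for host, details in inv.items():
        print(host, details)
    for step in remediation_plan(inv, SUSPECT_HASH, known_bad={"203.0.113.9:443"}):
        print(step)
```

Note that `hosts_with_hash` ignores the time window on purpose: a host that ran the binary an hour earlier is still infected, whereas the window only scopes the surrounding activity the analyst reviews.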

13
Conclusion
  • Analysts devote a great deal of time to processing
    malware alerts. But a substantial portion of that
    time is consumed by mundane tasks such as data
    collection, basic analysis, forwarding of files,
    and several others that can actually be delegated
    to malware security automation.