Presentation is loading. Please wait.

Presentation is loading. Please wait.

Coordinated Security Response

Published byFrantišek Dostál Modified over 5 years ago

Similar presentations

Presentation on theme: "Coordinated Security Response"— Presentation transcript:

1 Coordinated Security Response
A CACAO Introduction ( Bret Jordan, Allan Thomson March 19, 2019 Today we are going to talk about Collaborative Automated Course of Action Operations (CACAO) for Cyber Security.

2 Why CACAO - Threat Detection and Mitigation Today
Threats Threat Actors and Intrusion Sets are advancing Number of attacks are increasing Attack surface is growing More valuable electronic data and connected systems Defense Manual and reactive Solutions are siloed Organizations become system integrators with mixed results Many different groups inside an organizations are part of the response No easy way to share threat response expertise Organizations need to respond in machine relevant time across multiple coordinated systems ISACs and ISAOs could disseminate solutions with Threat Intelligence

3 What is CACAO? Collaborative Automated Course of Action Operations for Cyber Security A standard that defines structured and machine parsable playbooks Creation of those playbooks Distribution of those playbooks across systems Monitoring of those playbooks and their results It includes documenting and describing the steps needed to prevent, mitigate, remediate, and monitor responses to a threat, an attack, or an incident What it is not... This is not a standard for sharing arbitrary content or data This is not about documenting an incident, indicators of compromise, or threat actor behavior

4 Coordinated Security Response in 5 Steps
Definition Where a Coordinated Response is defined based on various inputs both automated and manually derived Verification Where a Coordinated Response is reviewed for accuracy and correctness. It is optionally verified in an environment that can verify by executing the project in a way that provides an additional level of verification Distribution Where a Coordinated Response is distributed to the systems that will execute it. Distribution includes checking that the Coordinated Response has been deployed correctly and follows rules defined within the project for atomic transactions Execution Where a Coordinated Response is evaluated by one or more security infrastructure systems and execution events are communicated to the monitoring step Monitoring Where a Coordinated Response execution is monitored and metrics are determined on the COA Project to enable further refinement or improvement to the definition Talk about the 5 steps that a coordinatred threat response capability requires and explain why we broke it into 5 This will lead into the next slide that talks about the system components...etc.

5 CACAO Overview - System
Architecture goals for coordinated threat response System Level Identify roles and requirements of system architectural components Interface Level Identify key requirements for interfaces across components Protocol Level Identify protocols that can/must transport CACAO content securely Schema Level A standard JSON structure for COAs / Playbooks Introduce the system architecture Introduce the key roles and functional components of CACAO and segue into next slide

6 CACAO Overview - Roles Security Analyst
Senior role where the person performs analysis of all available threat intelligence; malware research; active threats that may be relevant to their environment to determine a set of recommended steps to both detect and respond to threats Aware of the capabilities of the organization to respond where they have knowledge of the security infrastructure deployed on both network; servers and endpoints as well as the services running on those systems Security Analyst Senior role that oversees and manages the security operations of the network May work closely with the Security Analyst to determine response playbooks to proactively manage risk in the enterprise environment. May either define COA Projects themselves or review/refine COA Projects defined by the Security Analyst SecOps Project Admin Focused on responding to an active threat to the enterprise where they have limited time to respond and most of their actions are focused on mitigation and remediation Any outcomes and results of the incident may be fed back into the other 2 teams involved to enable enhancement future responses that reduce the risk of threat incidents Incident Responder Talk to the roles and why this matters to the CACAO projects

7 CACAO Overview - Interfaces
Architecture goals for coordinated threat response System Level Identify roles and requirements of system architectural components Interface Level Identify key requirements for interfaces across components Protocol Level Identify protocols that can/must transport CACAO content securely Schema Level A standard JSON structure for COAs / Playbooks Talk to what interfaces do and their roles Talk about different interfaces do in a distribution system (orchestrator) vs execution machine

8 CACAO Overview - Protocols
Architecture goals for coordinated threat response System Level Identify roles and requirements of system architectural components Interface Level Identify key requirements for interfaces across components Protocol Level Identify protocols that can/must transport CACAO content securely Schema Level A standard JSON structure for COAs / Playbooks Talk to the protocols involved and why its not 1 protocol and not necessarily just HTTP

9 CACAO Overview - Schema(s)
Architecture goals for coordinated threat response System Level Identify roles and requirements of system architectural components Interface Level Identify key requirements for interfaces across components Protocol Level Identify protocols that can/must transport CACAO content securely Schema Level A standard JSON structure for COAs / Playbooks Talk to what needs to be in the schema; why each schema may be broken down by product, technology, process and function

10 CACAO Overview - Verification
Ability for an actor who has created or updated a COA Project Definition to validate that the project will execute correctly once deployed in an operational environment Verification includes All COA Project Sequence Elements are connected so that the complete sequence will complete when executed All COA Project Conditional Elements have connections to defined COA Project Steps Each COA Project Step is well-formed and parses correctly according to the COA Project JSON schema Talk to the need for verification and what it entails More advanced verification may take place but those advanced verification processes are considered out of scope for this specification

11 CACAO Overview - Operational Goals
Operational goals for coordinated threat response Allow for manual (e.g. human-performed), process, and automatic actions Integration with other security systems E.g. Cyber Threat Intelligence; Identity; Risk Management This will allow pivoting, sharing, collaboration, and enrichment Provide preventative, mitigative, and remediation solutions that are measurable and scalable Talk to the operational challenges that cacao needs to embrace and solve

12 CACAO Operational Requirements
Workflow Multiple Actions Perform multiple steps across many different pieces of infrastructure Sequencing of Actions Actions often have to be done in a very specific order Temporal Logic Perform actions at certain times or after a certain amount of time has passed after the previous action Conditional Logic Perform actions based on outcomes or state Product Support Versioning Support playbook and system component versioning System Targeting Support specific machines, operating systems & software Security Support best practices in SDLC and deployment including full data protection, integrity and authentication Transport Support both directed delivery and publish/subscribe solutions

13 Examples

14 Individual Enterprise Response - Fuzzy PandaX
Quarantine system to a sandbox VLAN Delete run at start reg keys and triggers Reboot into SafeMode Kill process 3 then 1 then 2 Delete temp files Delete compromised files from the system Delete other Reg keys Reboot system in to safe mode Verify processes do not restart Patch AV system Run updated AV scan Patch OS Run additional on-demand special AV scanners Reboot system to normal mode Move system out of sandbox VLAN in to a restricted watch VLAN

15 Collaboration Example - Industry Wide Response
An organization create a series of commands that mitigate malware "PandaX" An ISAC, banks, & enterprises sign parts of the solution for mitigating PandaX

16 Getting Involved Prague IETF https://www.ietf.org/how/meetings/104/
Subscribe to List List Draft Document

17

Download ppt "Coordinated Security Response"

Similar presentations

SACM Terminology Nancy Cam-Winget, David Waltermire, March.

SACM Terminology Nancy Cam-Winget, David Waltermire, March.
Validata Release Coordinator Accelerated application delivery through automated end-to-end release management.

Validata Release Coordinator Accelerated application delivery through automated end-to-end release management.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
Norman Endpoint Protection Advanced security made easy.

Norman Endpoint Protection Advanced security made easy.
The World's Most Secured Browsing Solution COCKPIT4i is a radically new, powerful solution that protects against the security risks posed by exposure to.

The World's Most Secured Browsing Solution COCKPIT4i is a radically new, powerful solution that protects against the security risks posed by exposure to.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Model Bank Testing Accelerators “Ready-to-use” test scenarios to reduce effort, time and money.

Model Bank Testing Accelerators “Ready-to-use” test scenarios to reduce effort, time and money.
1 Panda Malware Radar Discovering hidden threats Channel Presentation Name Date.

1 Panda Malware Radar Discovering hidden threats Channel Presentation Name Date.
הקריה למחקר גרעיני - נגב Nuclear Research Center – Negev (NRCN) Society of Electrical and Electronics Engineers in Israel (SEEEI) 2012 Eran Salfati, Amir.

הקריה למחקר גרעיני - נגב Nuclear Research Center – Negev (NRCN) Society of Electrical and Electronics Engineers in Israel (SEEEI) 2012 Eran Salfati, Amir.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Chapter © 2006 The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/ Irwin Chapter 7 IT INFRASTRUCTURES Business-Driven Technologies 7.

Chapter © 2006 The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/ Irwin Chapter 7 IT INFRASTRUCTURES Business-Driven Technologies 7.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
PAGE Intelligence Meets Vulnerability Management NYC ISSA January 24, 2013.

PAGE Intelligence Meets Vulnerability Management NYC ISSA January 24, 2013.
Systems Analysis and Design in a Changing World, Fourth Edition

Systems Analysis and Design in a Changing World, Fourth Edition
Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.

Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.
ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.

ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.
1 The XMSF Profile Overlay to the FEDEP Dr. Katherine L. Morse, SAIC Mr. Robert Lutz, JHU APL

1 The XMSF Profile Overlay to the FEDEP Dr. Katherine L. Morse, SAIC Mr. Robert Lutz, JHU APL
HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,

HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,
Surveillance and Security Systems Cyber Security Integration.

Surveillance and Security Systems Cyber Security Integration.
SIEM Rotem Mesika System security engineering 372.2.5204.

SIEM Rotem Mesika System security engineering

Similar presentations

Ads by Google