SOAR! What is it good for? Absolutely everything. (1138)

Captions
All right, good morning everybody. I know this is the last session, so thanks for showing up. I was chatting with some friends: Friday, last session, last day of the conference. Before we jump into use cases for SOAR, a quick show of hands: how many are familiar with SOAR, what it is at a high level? Good, because in this session I'm not going to cover in depth what SOAR is; we have one slide here. The goal of today's session is to share some of the use cases our customers and our partners are leveraging SOAR for, which we had not even anticipated when we started building the product. The whole power of the platform here, you'll see, is that we are starting to see customers use it in a way which helps them more and more, and they can build and extend the platform rather than us as the vendor having to extend the platform.

Before we jump in: what is SOAR, and what use case is the core? I think the previous session, if you were part of the previous session here, was all about what data you get and what results you want. "Why SOAR?" is actually a question which I've been asked by many customers: how did the space come to be, why did the space in a matter of three years become such an important space in security? The reason is, if you look at how the SOC or security operations were operating, there's a large number of data sets which used to come in, and people were expecting results, whether it's to take an alert and go respond to it or take a certain action. This big machine that you see in the middle, between the data and the result, was very static in nature: rules, some machine learning coming in there, but the idea of doing what you want from a customization perspective was very restrictive. That is where SOAR stepped in, where the logic, the rules, are not just static if/then rules; it's a playbook, it's a workflow, and that is the power of SOAR in terms of how the data resulted in problems. It's very interesting: in a lot of spaces people say more data is better; in the security space we saw challenges.

This is some actual data from a survey which we did last year. Customers pointed out they get 174,000 alerts per week. This is the log data that is coming in; now, depending on the efficacy of your SIEM and your rules or your machine learning algorithms, you might get less and you might be able to handle it, but still, no matter which customer I have talked to, they drop a number of alerts on the floor without looking at them. Thirty-plus point products, and I think this is very interesting: these are not all security products, right? If you look at just the endpoint, the sandbox, the authentication, your firewall, your network IPS, maybe combined into a next-generation firewall, but effectively the products that you need to look at, from either enriching the data or from responding, we saw 30-plus products in customer environments. The last one is, typically any real alert takes four days to respond to; in fact even phishing reports in most of our customers took more than three days to go look at and investigate in a portal. So, a pretty bad place from how fast we can respond to things and what the teams have to go through.

What does SOAR deliver? SOAR in my mind has three core value props. One is orchestration, and the idea of orchestration is whatever logic or workflow you have for handling an alert, you could put it down into a workflow engine and automate it if it could be automated, or even if it could not be automated, at least it's laid down in a playbook in a visual manner so that you are able to follow it step by step. That orchestration piece needs to include not only automating the third-party products, which is taking actions on them like blocking or pure enrichment, but it also should be able to interact with the end user or interact with the analyst for approval workflows, for collecting more data. The third part of that orchestration engine: it should be able to operate on the ticket or the case itself. And they are very, very different. If you look at neighboring spaces, whether it's workflow engines or, on the IT side, this whole space called robotic process automation, there are tools which just interact with the machines or other tools, but they don't do anything with the end-user data collection, getting approval workflows, escalation approval workflows, timers like "hey, the person did not respond," and there are other tools which only focus on the human workflows but do not work with the third-party products. So it's important from an orchestration perspective to have all these pieces together.

Now when it comes to automation, there are a lot of questions: how is automation different from orchestration? I think of automation as a subset of that whole orchestration flow, and the idea is you should be able to have automation scripts connecting with third-party tools. The integrations should be extensible, and what I mean by extensible is, if in your environment there is a new tool which the SOAR product, such as Demisto, does not integrate with out of the box, can you as a customer or partner build it yourself? Can you build that integration with an SDK? So extensible automation is an important piece, and then being able to execute those automations across each of these tools. The third piece is more about the process, more about the people, and this is a very, very important aspect of SOAR, which is case management and collaboration. Demisto specifically, we could safely claim, was the first product in this space to kind of look at all these components and bring the ticketing and automation together. And this is actually a very important piece, which customers ask about: "No, I already have a ticketing system in my own environment; we are focused more on orchestration; how would that work?" We absolutely integrate with every ticketing system out there, whether it's ServiceNow from an IT perspective, or in the security environments you have something else in the SOC, but the long-term value of tying automation and ticketing is immense. Once you start, based on the data that is coming in from third-party products and automation, if you are able to change the escalation of the ticket, change who the ticket is assigned to, roles, they become super important. And then vice versa, which is if you change something in the ticket, can you trigger a workflow, can you run an automation when a field changes? So the whole point of keeping tickets separate, where an analyst puts in the notes and other pieces, and keeping the automation separate, is very inefficient, and that is why from a SOAR perspective these come together. And so it becomes the platform where, once the alert is generated from your data platform of choice, a SIEM, context data lakes, some other Elasticsearch, from there on the journey of the alert all the way till that alert is investigated, closed, collaboration, talking with your peers, that all happens in the SOAR platform.

Talking of the words communication and collaboration, and this is somewhat unique to us, there's a very important concept we emphasize with our customers, and it's super powerful once customers start to use it: this concept of ChatOps. All the integrations that exist are not only available in a playbook format, but you're able to interactively launch them. So I can go to a bot, we call it DBot, and run a command that says: go to Active Directory and get user details for this particular user; go to my firewall and see if this particular IP is blocked or not based on rules. These are actions which could either run automatically in a playbook, or an analyst can trigger it with a bot in a communicative manner. It's ChatOps, so structured commands could be triggered. So that's in essence what a SOAR platform is, and overall it is a platform which ties together... There's another phrase we're starting to use: the operating system for your security operations. Everything from the point the alert is generated, the analyst can do in this one place, all documented, all digital.

Now here are some use cases which we have seen. Pretty much the majority of these use cases started with some sort of an alert. Obviously incident management and security operations was the first place: all kinds of alerts. So we integrate with SIEMs, analytics, EDR solutions, cloud security alerts; no matter what your alerts are, we integrate with those, we bring them in, a playbook runs, and then we are able to either enrich or respond across the tool set. Let's talk about some of the use cases here. So typically from an incident management perspective, you've of course seen phishing being the most common use case. Pretty much everybody has the problem that there are tons of phishing alerts which come in, in a large organization even in the millions a month, and being able to respond effectively to them is one big piece. And not just phishing: any type of alert that your SIEM generates is a common use case. Cloud security, vulnerability, and the OT use cases are somewhat, they're still in the same category I would say, which is alert response. Cloud security is a very interesting one. So we started to integrate with cloud platforms about a year and a half ago, and what we saw was a ton, ton of responses from a cloud security perspective go to the infrastructure. So how do you respond to an alert which says you have a public, world-open policy for an S3 bucket? You need to go shut down that bucket policy, and that's a response to the AWS infrastructure. So we started to see that a lot of the cloud security responses need to go back to the AWS infrastructure as such, so we integrate with not only the security tools but the infrastructure tools themselves to be able to do those things. And there are lots and lots of use cases on the cloud security side, including open S3 buckets, including open ports when you see a security group, but then a new VM is spun up. Some of our customers call them policy violations more than threat violations, and then there are threat-related alerts on the cloud security side, like "hey, somebody's using an AWS instance for Bitcoin mining," right? A perfect example where there's no data loss, but still the machine is being misused, and in that scenario how do you respond effectively?

Vulnerability management is another area, and I don't have a dedicated slide on this, but we have seen many customers now start to use us for vulnerability management and response. What that means is, if you look at a typical organization, and there was a presentation done at Ignite USA by one of our customers, West yet, it's available on YouTube, you should look it up; the idea is the vulnerability management tools generate a report which says these are the devices that are vulnerable, and typically in a large organization you will have multiple departments, each running their vulnerability management tools on their apps because they need to schedule it. That report then needs to be centrally consolidated by the vulnerability management team, prioritized, which is effective, which is important, based on the asset criticality. After you have prioritized that, then you need to take it back to IT and they will trigger patching. Now this flow takes a lot of time, typically almost a month, even if you have a dedicated person doing this, because there are all these disconnected sources: the data needs to be downloaded into Excel sheets, managed, mapped, prioritized, all of that stuff, a mess, and by the time you deliver it to IT your next vulnerability scan has run, so you're easily a month, month and a half behind what you want. This they automated with a playbook. Effectively it connects to all your vulnerability scanners, brings the data back in, connects to your asset source, whether it's Active Directory or some other asset database, uses the criticality there to prioritize, then goes and either opens a ticket, well, then it actually asks an analyst to go review and approve, because you don't want that, the human in the loop goes and looks at what we are pushing. Then either it can trigger some patches, if you have integrated with the patching system, or it opens IT tickets in ServiceNow or whatever, but still with the right, relevant data. So the whole point of a human collecting this data, that's not needed; super fast, so in a matter of hours from the vulnerability scan data coming in you have the right information with the IT teams to be able to go patch these systems. So that becomes an extremely, extremely powerful use case. And then some of our customers on the operational technology side, oil and natural gas customers, are starting to deploy this in Portilla environments, where they were similar to vulnerability detections or device discovery, but the responses might be different with these kinds of use cases. So that's what I would say we are calling, I'm calling them, conventional use cases, because we have seen them, customers implemented them. Now let's look at some use cases which are somewhat different, somewhat also peripherally including security teams, not the SOC teams, but they do include the security teams and they go out.

But before we jump into the use cases, it's interesting. I sat down and did this exercise internally, and then with the customers: why are people using SOAR to go address use cases which we did not anticipate? And there are actually four core components of why we see this is a really powerful way to automate and orchestrate. One, the way we built the SOAR platform, the Demisto platform, is open and extensible. Building an integration with whatever is extremely easy, and I actually mean whatever. We internally, and I will not get into the use cases we have done internally, but even in one of the customer use cases, they integrated with the travel portal system to figure out where the employee is currently, right now, and that information, is the employee at the home base or are they traveling to an international location, is very powerful. Security can use that in a lot of different ways, and they integrated with the travel management system for that. So the point is, open, extensible integrations based on APIs can help you really, really automate use cases, or go to use cases which are not traditional in their workflow logic. If you are able to make the workflow engine flexible and modular, not just tied to the very specific security data, where it can take data or transform it, build logic around those conditions, that's a very important piece. So integrations let you connect to different systems to call APIs; the workflow engine lets you go build workflows across them. The third piece, which goes more to the ticketing and case management side, is: can you have customizable layouts? Why is that important? Let's say you're going into use cases, and we're going to see some of these use cases, where you need to display the right set of information to the analyst at the right time, and if the layout of that data that you see is not flexible enough, then those use cases are not that powerful, because you can automate stuff, but how you present the information to the user needs to be completely different. And this is one of the powerful things: if you look at the Demisto product, a phishing incident looks completely different than a malware incident, because the data that you need to show the user for a phishing incident is what was the from address for the phishing, what domain did it originate from, what is the email body, versus for malware you need what system was affected, who's the owner of that system, what OS is that system. And if you can represent this in completely different layouts, then you can expand to use cases, use cases including non-security use cases, IT use cases, because how you see the data is completely different. So integrations, workflow logic, and then how the data is laid out, is super important.

The fourth reason is very much, I call it an engineering reason, but a very powerful reason why, like, how we architected the product affects us going into other areas: the content to change all those three different pieces is separate from the product, which means if you want to go into a new arena or do a new use case or change the layout, you don't need to come to the product team to change the code. That is configurable, and we call it content. You can change any of those three things, build a new content pack and export it and deliver it to a customer, if you are a partner developing this, or you can move it from one system to another. So this modularity of decoupling the product and the content is very important. So if we send a new release of the product next time, the content modifications that you made, changing the playbook, the layout, the integrations, are not affected; they're not overwritten. And that distinction I do not think many products out there make, which is that any of these use case modifications and the layouts and other pieces are treated as content, including dashboards, and they're not tied to a product release. So your rev cycle could be much faster; we can build new content that's much faster. So these are really the core tenets of why now, if you take a SOAR platform, you can start to go to many, many, many different use cases.

Let's see what the use cases are. There's employee onboarding, and it's very interesting, I did not expect this, because this use case typically is a blend of HR, IT, and security. When you onboard and offboard an employee it touches everybody, and that is why it's actually a big problem. So if you look at the challenges, it's endless manual tickets, right? I mean we actually are working with a customer; they onboard or offboard 800 employees or contractors a month. 800 a month, employees or contractors. And the time effectively there, and the standardization that you need, is crazy, because if you do not offboard an employee in a consistent manner you might leave services open, even if, like, this is even if you have a very strong single sign-on and IAM process, there will be systems which are not connected to SSO. There will be things that you need to do from an offboarding perspective in some systems; you may want to, from an offboarding perspective, take the data and move that data into a different directory. So a customer playbook example was, when you offboard an employee, the Box account that they may have for file sharing, you might want to take that data and give it to the manager of that employee, or you may want to take that data and archive it for compliance purposes, depending on your industry. My point is it's not only just turning off that account; there are data implications there, the pieces from an onboarding and offboarding perspective. So a standard, repeatable, automatable process becomes very, very, very important.

So here is an example of the playbook. This is simplistic in nature, I didn't want to show every step, but from an onboarding perspective, and this we have seen customers using, this we use internally at Demisto: assign onboarding tasks, so start when your HR system triggers it, assigning it to an HR representative, creating an email address, that could be a different environment, checking Salesforce, if you need it or not based on the department of the employee, going and creating those accounts, setting up a travel account, setting up admin tasks. Some of these would still be manual, but documenting them becomes very powerful, to say account created in this system, account created in that system, tying it to IAM and mapping it. All of those pieces could be automated and centralized. Now again, the purpose of this session is to kind of showcase some of the use cases that customers have done. This is not a playbook that is in the system out of the box, because this kind of use case is very, very, very custom to the organization; a smaller company would do it differently than a larger company. But the point is this is an example of a use case which affects everybody. A lot of our customers are starting to do it, and they would start with either only focusing on the IT system side or the identity side, on how do you map the accounts, or could go broader. So smaller customers would go broader; larger customers would take only a piece of employee onboarding and go run that. So that's kind of one use case which we are starting to see emerge more and more across the board.

The second use case is user access, and I think this user access basically is when you get a user access alert, multiple failures, people call it multiple failed login attempts as well. You could classify that as a typical SOC use case, but it sometimes is not, right? You do not want to do a full investigation on a multiple failed login every time; you might want to use the end user for this. So this came up quite often as well in customers, which is maybe it's an innocuous attempt, right? The person might try the password wrong three times because they recently changed it. Maybe it's an entry point for bigger attacks. And then, as you have a global employee base, how do you contact them, how does the communication happen with the employee, becomes interesting. So this is a playbook which again another customer did, and very powerful. You start by saying, if you see multiple failed login attempts, can you go out of band to the employee, either by Slack or text messaging, and ask them: is it you who tried to log in from this new device and failed? And in most cases, if you already have that communication channel, which is an out-of-band communication channel like Slack or a text message, then you're able to easily validate whether the employee made a mistake and typed it in wrong, or they actually are being compromised because somebody else is attacking them. And based on the result of what the employee responds, you could go either reset the password or say "hey, transition the alert to a security person to go investigate," either which way. So this one looks extremely simple, but the point here is the volume of such alerts we have seen; the self-service of "hey, I can set my two-factor auth by myself" is a lot of those. Another slight modification of this I have seen: every September/October new iPhones, new Android phones are released, and employees come in to "reset my entire two-factor auth." So that is not like a failure scenario but a slight modification to this, which is "hey, I have a new phone, I need to set my two-factor auth," and in that scenario they come in, and you can make that completely self-service. They come in, file an issue, Demisto picks up the issue from ServiceNow or whatever your internal service management tool is, takes that, goes to your two-factor auth, resets that, it gets delivered to the employee; nobody needs to ever touch that. So this whole access management and access handling from an end-user perspective can absolutely help reduce the load of something that does not require human intervention. So that's another one.

Let's talk SSL certificates, and this one has been a use case which only a handful of customers have tried, but very interesting, again showing the modularity and extension of the platform: SSL certificate management. So this use case was a medical technology company which provides the backend backbone to connect pharmacies and hospitals. So there are large organizations in the US which connect the Walgreens and CVSs of the world to the hospitals, so basically they provide the software stack, and when a prescription flows from a hospital to the pharmacy it runs on that. Now of course, since they provide this backbone, they need to provide the SSL certificates issued to the hospitals, to the pharmacies; they expire regularly. So the challenge was the following: they were having trouble maintaining the integrity of SSL certificates across these endpoints, and how would they make sure that they don't expire and cause a service outage? So before the certificate expires, can you notify, generate a new one, deliver it to the right person? So there was a lot of manual housekeeping work going on here. Just pulling that in, in this case they integrated with Venafi, which maintains all their certificate store; you would query that regularly and say, give me all these certificates that are going to expire in the next 30 days. Then, based on that certificate metadata, they would go query, from Salesforce in this case, or whatever the CRM is, who is the owner of that certificate, which customer do I need to go notify that this certificate is going to expire; inform that user, and hopefully they go update it. If they don't update it, then keep checking the status and escalate. So this interesting use case includes the approval workflow, the reminding-the-user workflow, connecting to systems, all in one. A perfect example from an orchestration perspective where you need the human touch, the reminder, collecting the response back, whether they updated or not, and then pulling in the security tools to do that. So this particular use case, from their perspective, was helping avoid all the manual work but also avoid the outage; if somebody has to do this manually they need to be really, really thorough that the certificate does not expire and cause some sort of a system problem, and they were able to run this very, very, very effectively.

The next one is GDPR breach notification, an example where it's not about automation but about the process. From a problem perspective, I don't need to educate this group on the problem statement, and I think just the breach notification piece in that scenario is very, very cumbersome. In this case, and this playbook is part of our standard product, we actually had our research team go look at it and figure out what needs to be done. The reason why I included this example is because this is a perfect example of a process and a workflow rather than machine automation. So the amount of automation that we do here is somewhat limited, but this is an example of a playbook to walk an analyst step by step through what they need to do from a notification perspective. So it's the process side, the human side, and what this playbook did was notifying the DPO of a suspected data breach, asking the DPO to confirm if the breach has occurred or not, and if it did, then what happens; if it was no, then close the incident; confirming risk to individuals. And there are SLAs involved here, which is important, so the system can actually track: if we notified at this time, did we get a response by this time? So measuring the time between different stages of an incident, measuring the time between different steps, tying that back to the SLA which your compliance regulation requires, is super important. And it's not just GDPR; it's now CCPA in California, and in other places other data privacy requirements. The idea is the system being flexible enough to even go for pure process and measure the SLAs of different steps of the process. So this is an example where it could be other compliance processes; we have seen customers' internal quarterly audit compliance processes running on this. So the process side could be managed as well, because this is a generic workflow engine.

Another use case, and this is a customer out of San Francisco, a compliance use case, but this compliance use case is evaluating technology vendors. As they onboard new technology vendors they need to go through a checklist, right? So vendor onboarding; this is a GRC-like use case. And the big idea and the big problem there is these various levels of vendor risk. So they have a vendor assessment questionnaire, a certain set of questions, and that is the questionnaire they use to evaluate, and once they evaluate they need to maintain all of that information centrally, of what the vendor submitted. In a large organization this is done in a GRC system, and that is a hugely manual process: how the data is collected, how it's analyzed. There is no automation to analyze the data even if it is collected very well, and this becomes a big problem. So this particular customer is using us for the vendor onboarding, and the playbook is somewhat like this. So they engage the requester; they send the form. Demisto lets them send a form, or they integrate with whatever their other form management system is, and say this is the set of questions I need you to answer. The vendor fills in that data; that data comes in here; based on the input you have automations to assign a vendor risk, and if it is a high-risk vendor then you set an SLA for somebody to go review what was missing, what is the risk, and then they can update the vendor risk based on that meeting, or they can completely say "hey, we are not going to engage with this vendor because it's high risk." And if it is not a high-risk vendor, then you send them to a steering team or your internal team, whatever it is, approve the vendor, give them an email address and other pieces. Typical workflow. The important piece again: this is a perfect example where you use the data flow capabilities, and looking at the data that comes back, assigning risk, changing the risk of the ticket itself. So the workflow operating on and working on the ticket itself becomes an important piece, rather than an integration with a security tool.

So those are the core use cases that we are starting to see emerge. There are tons of other use cases which we are using this for internally. So we have seen, internally we use it for some DevOps purposes, integrating with Ansible and doing other things. The goal of this session is not to kind of say "hey, go use this as the automation platform across the environment." The point is, within these security teams, when we initially envisioned SOAR the whole idea was doing alert response; we are starting to see customers leverage this in other security teams, which are not alert response use cases. There are scheduled tasks, monthly tasks that you would want to do which involve doing different pieces of automation, and a platform like Demisto is able to extend to those use cases very effectively. So that's all I had in the presentation. We have some time for any questions that you might have, so I would love to take questions from the audience.

Audience: Does it have, yes, overlaps between the SOAR and other solutions? For example, they are talking about surface management, risks; most of the solutions now, they provide automation. SIEM solutions: there are some tasks you mentioned that are already covered in SIEM solutions, correlation, risk management, vendor risk management. So you focus on something, I mean, overlap between those. I believe there are many, many use cases, for example phishing simulation; we are suffering from investigating and wasting our analysts' time in checking phishing simulation things. I believe there are many, many use cases that would be beneficial, I mean, rather than having those things.

Speaker: Yeah, so that's actually interesting, right? So I think the couple of things you mentioned here, right, one is, I think clearly there is an overlap. When you think of any other space also, when you build a platform which is general and modular, it will have overlaps with point solutions, and we have seen this in our customers, right? Risk, right? I mean there always has been a risk dashboard in every SIEM out there. As I mentioned, I think this goes back to that slide which had those four reasons why SOAR is interesting for other areas: because if a point solution serves the purpose in a very, very restricted manner, because it's not that modular, that's fine. I don't say that you guys move to SOAR just for the sake of moving to SOAR. The power of SOAR being used for this comes from the modularity and the customizability, and that is actually the most important piece, because yes, you can absolutely do risk assessment in your GRC solution, but are you able to automatically go to a security tool and bring in some more data into the GRC? Are you able to do all the workflow management and communications? Maybe, maybe not, and if it is not doable there, then you need to move to a generic automation platform. And I think this is what's happening across the industry. If you see the reason why the workflow systems are coming into play, it's because if it is a very fixed, predefined workflow which the vendor defined and it works for an organization, good; that's the world we have been living in. But if it is not meeting the need, that is when the SOAR-like platforms expand. So you start with a cookie-cutter use case and you expand from there, and that is where you'll see overlaps. And I think the right way to make that decision is: does the fixed solution that you get in that one product meet the need or not? And by the way, phishing is a good example, where pretty much any anti-phishing solution out there, I'm not going to name vendors, they all have automation built in; in fact some of them actually call it "SOAR for phishing." And that's exactly the point, which is it's SOAR for phishing: it only meets the phishing needs. As soon as that phishing incident needs to tie to a malware incident and do more than that, it does not work. So the point is, how can you do this modularly, with a large number of integrations, with a large number of playbooks which are completely customizable.

Audience: [Who is the right] individual or staff who could work on it?

Speaker: Oh, that is actually a good one. Sure, I'll repeat the question: who's the right individual or staff to work on SOAR? I think this is evolving. I'll give examples from the successful implementations we have seen in our customers; it also varies with the size of the customer and how many resources you can put in. I strongly recommend that if you are an organization who's going to use SOAR for use cases which are beyond what comes pre-built in, have an actual person whose title is a SOAR engineer, a security engineer, a security automation engineer, you name your title, security ninja, call them whatever you want to call them, but the mindset there is a developer mindset. They don't need to be a very strong software developer; they should know coding best practices; even better if they know Python, that's awesome; but have a dedicated person whose job is to customize, to build playbooks. Now the benefit of that, and the objection is "hey, you're going to add a headcount to me," we have seen what happens is when there is this person doing this, they kind of go pick up the next use case. So you will find immediate savings, because their job is to automate, so they're going to go ahead and say "hey, here's another use case that I can help you automate, here's another use case that I can help you automate." We have seen some customers, in a matter of like five, six weeks, they have seventeen or so different playbooks across different use cases when there is a person whose job is to build automations. Now that may not work in smaller organizations, and in these smaller organizations what we have seen happen more often is they would take the SOC engineer and they are the ones who are starting with this. That works fine, because I think most of the use cases you start with are SOC, but if you are really an organization who needs to go beyond, to use cases like these, consider putting a SOAR engineer on it.

Audience: Will it be, I mean to say, I'm caring about a small organization, or let us say medium; there are many, many challenges, I mean, temperament, all of these advanced protection solutions, so will it be, I mean, if we are, let us say for example, Mrs.
P so will it be an easy to assign one guy who saw to say consultant just plug and play do we same use cases here and there or he should understand the whole environment I think that's actually a fantastic question so this question was about MSSP and the question is whether you assign one person who kind of builds use cases across the environment or go understand each I think it depends I would actually recommend gold use cases across build the same piece with modularity and customization in the play box so you can say pause here ask the question do not automate fully end-to-end try to do it generally in a generic manner the PlayBook should be gen direct because these systems again it is the misto lets you build a playbook in the master tenant from an MSSP and then trickle it down to each tenant build that generate go there half place for supply books or general general tasks which in the sub tenant could do differently the end point tool might be different but that playbook could be defined as a playbook which can work with different end point tools so there is a fortunate you drew it generally it's not one size fits all though it will depend on the how different the environments are there thanks of course other questions oh I think I did a better job than I expected no questions well thank you everybody I know it's end of day feel free to reach out to me on the team I didn't put in my email address it's easy Rishi at Palo Alto Networks happy to answer questions I'll be around after the session as well thank you [Applause]
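As an added illustration of the MSSP advice in the last answer (this is not Demisto or XSOAR code; the tenant names, tool adapters and task names are constructed), a master-tenant playbook whose generic tasks are resolved against each sub-tenant's own endpoint tool, with an analyst pause step instead of end-to-end automation and a manual hand-off when a tenant has no integration for a task:

```python
from dataclasses import dataclass, field

# Constructed sub-tenant overrides: a generic task name maps to that tenant's own
# endpoint tool (hypothetical adapters stand in for real integrations).
TENANT_TOOLS = {
    "tenant-1": {"isolate_endpoint": lambda host: f"vendorA:isolated:{host}"},
    "tenant-2": {"isolate_endpoint": lambda host: f"vendorB:contained:{host}"},
    "tenant-3": {},  # no endpoint integration yet: the task must be done by hand
}

# Master-tenant playbook: generic (task, argument) steps shared by every tenant.
MASTER_PLAYBOOK = [
    ("enrich", "host"),
    ("pause", "Isolate the host?"),  # analyst gate: do not automate end to end
    ("isolate_endpoint", "host"),
]

@dataclass
class Run:
    tenant: str
    incident: dict
    step: int = 0
    status: str = "running"
    log: list = field(default_factory=list)

def run_playbook(run, answers=None):
    # Advance from run.step; stop at a pause step that has no analyst answer yet,
    # so the same Run can be resumed later with the answer supplied.
    answers = answers or {}
    while run.step < len(MASTER_PLAYBOOK):
        task, arg = MASTER_PLAYBOOK[run.step]
        if task == "enrich":
            run.log.append(f"enriched {run.incident[arg]}")
        elif task == "pause":
            if arg not in answers:
                run.status = "waiting_for_analyst"
                return run
            if not answers[arg]:
                run.log.append("analyst declined; closing without isolation")
                run.step = len(MASTER_PLAYBOOK)
                break
        else:
            tool = TENANT_TOOLS.get(run.tenant, {}).get(task)
            if tool is None:  # tenant lacks this integration: hand off manually
                run.log.append(f"manual task for {run.tenant}: {task} {run.incident[arg]}")
            else:
                run.log.append(tool(run.incident[arg]))
        run.step += 1
    run.status = "closed"
    return run
```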
Info
Channel: Palo Alto Networks Ignite
Views: 5,580
Rating: 4.8461537 out of 5
Id: YrguxEIp9VI
Length: 45min 57sec (2757 seconds)
Published: Wed Dec 11 2019