Effective Incident Response: Security Orchestration and Automation (SOAR)
Miguel Carrero, Tammy Tolbert
MicroFocus ArcSight and Siemplify™
• Addressing the needs of SOCs, including:
• Relieving resource constraints by automating routine/repeatable tasks
• Consistency in handling of incidents through workflow automation
• Extending reach to other enterprise tools to take action
• Extending reach to other tools to gather additional information
• Siemplify Integrations supported for both ArcSight ESM and Investigate
SOAR Building Blocks
• INVESTIGATION: Helping analysts make faster, better decisions through visualization, context and more
• ORCHESTRATION & AUTOMATION: Integrations, playbooks, playbook builder, machine learning
• SOC WORKBENCH: Managing a broad spectrum of SOC activities beyond playbooks and alert handling
• REPORTING AND INSIGHTS: Measuring and tracking SOC KPIs to improve operations
company confidential
The Only Powerfully Simple SOAR Platform
• Simple and intuitive SOC workbench loved by analysts
• Powerful automation and orchestration engine that can be highly customized
Life Today – Without Security Orchestration
[Diagram: incident lifecycle without orchestration: Data Gathering → Detect / Triage (Correlate & Alert) → Analysis & Decision → Response → Revise & Improve / Report; security tools shown: ArcSight ESM/Investigate, ArcSight UBA]
Life with Siemplify SOAR
[Diagram: the same lifecycle (Data Gathering → Detect / Triage → Analysis & Decision → Response → Revise & Improve! / Report) with the Correlate & Alert and Analysis & Decision stages marked as EFFICIENCY SAVINGS; security tools shown: ArcSight ESM/Investigate, ArcSight UBA]
Siemplify – MicroFocus Integration
Delivering the Intelligent SOC with Siemplify and ArcSight
• Cluster, enrich, and contextualize alerts
• Consistently execute security processes and workflows
• Automate and optimize machine-driven and human response
• Deliver comprehensive SOC visibility, case management, KPIs and business intelligence
• Contextually enhance ArcSight cases and accelerate investigations
Use Case – Siemplify and ArcSight ESM
• Attacker gains access to the network (via phishing email)
• Attacker delivers a malicious payload
• Attacker tries to escalate privilege by guessing the admin password (3 failed attempts); ArcSight records, analyzes and passes this information to Siemplify
• Siemplify visually maps and correlates all three events above and allows the SOC analyst to analyze the threat and respond by blocking the URLs and hashes, disabling the account and closing the ticket
Information Passed by ArcSight to Siemplify
[Screenshot: failed login alerts correlated by ArcSight and passed to Siemplify]
What the Analyst Sees in Siemplify
[Screenshot of the Siemplify case view, with callouts: Phishing email with suspicious attachment; Malware detected; Multiple failed logins; Additional entity-based context; Added context; Automated response using pre-defined playbooks]
How Siemplify Correlates These Events Through Visual Investigation
[Screenshot of the visual investigation graph linking: Suspicious Email; Malicious Payload; Failed Login Attempts]
Automated Response with Siemplify
[Screenshot of the playbook to handle phishing threats: Malicious Payload → Block URL and Hash → Disable Account; automated actions to speed up response]
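As an added worked example (not Siemplify's or ArcSight's code), the following Python sketches the correlation and playbook logic from the use case and automated-response slides above: alerts that share an entity (user, host, URL, hash) are folded into one threat-oriented case, and a phishing playbook derives the block-URL, block-hash and disable-account actions for that case. The alert field names, the three-failed-logins threshold and the sample alerts are constructed assumptions.

```python
# Added example, not Siemplify's or ArcSight's code: merges alerts that share an
# entity into one threat-oriented case, then applies a phishing playbook to it.
# Alert shape, field names, threshold and sample data are constructed assumptions.

FAILED_LOGIN_THRESHOLD = 3  # mirrors the "3 failed attempts" in the use case
ENTITY_KEYS = ("user", "host", "url", "hash")  # fields treated as pivot entities

# Constructed sample alerts in a simplified ArcSight-like shape
ALERTS = [
    {"id": "a1", "type": "phishing_email", "user": "jdoe", "host": "WS-042",
     "url": "http://phish.example.invalid/login"},
    {"id": "a2", "type": "malware_detected", "user": "jdoe", "host": "WS-042",
     "hash": "d41d8cd98f00b204e9800998ecf8427e"},  # placeholder, not a real IoC
    {"id": "a3", "type": "failed_login", "user": "jdoe", "host": "WS-042", "count": 3},
    {"id": "a4", "type": "failed_login", "user": "svc_backup", "host": "DC-01", "count": 1},
]


def entities(alert):
    """(field, value) pairs that can link this alert to others."""
    return {(k, alert[k]) for k in ENTITY_KEYS if k in alert}


def cluster_alerts(alerts):
    """Group alerts sharing any entity, transitively, into cases."""
    cases = []  # each case: {"alerts": [...], "entities": set()}
    for alert in alerts:
        ents = entities(alert)
        hits = [c for c in cases if c["entities"] & ents]
        if not hits:
            cases.append({"alerts": [alert], "entities": set(ents)})
            continue
        case = hits[0]
        for other in hits[1:]:  # this alert bridges several cases: fold them in
            case["alerts"].extend(other["alerts"])
            case["entities"] |= other["entities"]
            cases.remove(other)
        case["alerts"].append(alert)
        case["entities"] |= ents
    return cases


def phishing_playbook(case):
    """Response actions from the slide's playbook; [] if the case has no phishing email."""
    if not any(a["type"] == "phishing_email" for a in case["alerts"]):
        return []
    actions = set()  # set de-duplicates repeated indicators across alerts
    for a in case["alerts"]:
        if a["type"] == "phishing_email":
            actions.add(("block_url", a["url"]))
        elif a["type"] == "malware_detected":
            actions.add(("block_hash", a["hash"]))
        elif a["type"] == "failed_login" and a["count"] >= FAILED_LOGIN_THRESHOLD:
            actions.add(("disable_account", a["user"]))
    return sorted(actions)
```

On the constructed alerts, a1 to a3 collapse into one case (the unrelated a4 stays separate) and the playbook for it yields block_hash, block_url and disable_account actions; the lone failed login below the threshold yields none.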
Pre-packaged with our expertise. Easily extensible with yours.
• 120+ Integrations
• 80+ Playbooks
The Siemplify SOAR Platform
• Alert clustering = up to 80% case reduction
• Same analyst works a threat-oriented case
• Playbooks run on a single threat-oriented case
• Intuitive, visual and FAST investigation
• Manage day-to-day security operations from a single workbench
Only Siemplify Delivers 3x OPERATIONAL EFFICIENCY AND 3x FASTER INVESTIGATION COMPARED TO OTHER SOAR SOLUTIONS!
Maximum Operational Efficiency: Work fewer cases and focus on what matters the most with streamlined case handling
• Alert clustering
• ML-based threat prioritization
• An easy-to-use interface that allows even entry-level analysts to deliver high-value work
Faster Answers: Make faster, more accurate decisions with rapid case investigations to reduce dwell time and MTTR
• Case insights
• Contextual analysis
• Visual investigation
A Complete SOC Workbench: Go beyond automation to unify your SOC on a platform built on deep security operations expertise
• Case management
• Collaboration
• Crisis management
• Analytics and reporting
Q&A
Thank You