Keynote: Running Your SOC Playbooks as Code

May 31, 2019
AusCERT 2019

Keynote Speaker

About this event

Security Orchestration, Automation and Response (aka SOAR)

  • What are we looking to automate?
  • Orchestrate many specialised systems (e.g. TheHive, Cortex, MISP, a TIP, ServiceNow, JIRA, and so on)
  • No way every system can integrate directly with every other system
  • An orchestration system vs the cluster of duct-tape scripts you have today
  • Replacing analyst repetition
  • Supporting analysts in complex investigations
  • Typical workflows to target
  • Tracking and enforcing workflows within the team (did we end up handling everything?)
  • Making workflows consistent (did we handle everything in the same way?)

SOAR vs regular orchestration

  • How does it differ?
  • How do SOAR systems work together with regular orchestration?

Commercial options (brief summary)

  • Demisto
  • Phantom
  • Swimlane

Open source options (more depth, with demos)

  • NSA Walkoff
  • Stackstorm
  • Ansible (specialised roles for SecOps coming; pending release)

Considerations for running SOAR platforms

  • A long-term, ongoing project: start simple and iterate
  • A fast-moving plugin community that has to keep pace with releases of the integrated target systems
  • Maintenance
  • Testing playbooks pre-release
  • Testing playbooks post-release
  • Uncommon integrations: do you need developers?
  • Keeping automation pipelines sane and monitored
  • Do they still perform the way initially intended?
  • Do you already have clearly defined non-automated processes?
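The abstract's thread, from "no way every system can integrate directly with every other system" through "testing playbooks pre-release / post-release" and "keeping automation pipelines sane and monitored", is what "playbooks as code" buys you. The following is an added illustration, not material from the talk or from any of the named platforms: a tiny playbook runner in which each integration sits behind an interface, the playbook is an ordered set of steps, every run produces a record of step outcomes, and the same playbook can be driven by fakes (pre-release regression check) or by real clients (post-release, with the records feeding an error-rate monitor). All system names, alert values and IP addresses are constructed for the example.

```python
"""Added example: a minimal 'playbook as code' pattern with pre- and
post-release checks. Integration clients and data are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Protocol, Tuple


# --- Integration interfaces (assumed; not any vendor's real API) ------------
class ThreatIntel(Protocol):
    def lookup_ip(self, ip: str) -> dict: ...


class Ticketing(Protocol):
    def create(self, title: str, body: str) -> str: ...


# --- Fakes that stand in for the real systems during pre-release testing ----
class FakeIntel:
    def __init__(self, known_bad):
        self.known_bad = set(known_bad)

    def lookup_ip(self, ip):
        return {"ip": ip, "malicious": ip in self.known_bad}


class FakeTicketing:
    def __init__(self):
        self.tickets: List[Tuple[str, str]] = []

    def create(self, title, body):
        self.tickets.append((title, body))
        return f"TICKET-{len(self.tickets)}"  # constructed ticket id


@dataclass
class Alert:
    source_ip: str
    hostname: str


@dataclass
class RunRecord:
    """Per-run audit trail: one entry per step, so 'did we handle everything,
    and in the same way?' can be answered from data rather than memory."""
    steps: List[dict] = field(default_factory=list)

    def ok(self) -> bool:
        return all(s["status"] == "ok" for s in self.steps)


Step = Callable[[Alert, dict], None]  # each step reads/writes a shared context


def enrich(intel: ThreatIntel) -> Step:
    def step(alert, ctx):
        ctx["intel"] = intel.lookup_ip(alert.source_ip)
    return step


def triage(alert, ctx):
    ctx["escalate"] = bool(ctx["intel"]["malicious"])


def ticket(tickets: Ticketing) -> Step:
    def step(alert, ctx):
        ctx["ticket_id"] = None
        if ctx["escalate"]:
            ctx["ticket_id"] = tickets.create(
                f"Malicious source {alert.source_ip}",
                f"Host {alert.hostname} contacted a known-bad IP")
    return step


def build_playbook(intel: ThreatIntel, tickets: Ticketing) -> Dict[str, Step]:
    # The playbook is data: an ordered mapping of step name -> callable.
    return {"enrich": enrich(intel), "triage": triage, "ticket": ticket(tickets)}


def run_playbook(steps: Dict[str, Step], alert: Alert) -> Tuple[dict, RunRecord]:
    ctx, rec = {}, RunRecord()
    for name, step in steps.items():
        try:
            step(alert, ctx)
            rec.steps.append({"name": name, "status": "ok"})
        except Exception as exc:  # record and stop; never act on a half-enriched context
            rec.steps.append({"name": name, "status": "error", "error": repr(exc)})
            break
    return ctx, rec


# Constructed regression fixtures: (alert, expected escalation decision)
FIXTURES = [(Alert("203.0.113.7", "ws01"), True), (Alert("198.51.100.5", "ws02"), False)]


def pre_release_check(playbook_factory=build_playbook) -> List[str]:
    """Run every fixture against fakes; an empty list means safe to release."""
    failures = []
    for alert, expect in FIXTURES:
        ctx, rec = run_playbook(playbook_factory(FakeIntel({"203.0.113.7"}), FakeTicketing()), alert)
        if not rec.ok():
            failures.append(f"{alert.source_ip}: {rec.steps[-1]}")
        elif ctx["escalate"] != expect:
            failures.append(f"{alert.source_ip}: escalate={ctx['escalate']}, expected {expect}")
    return failures


def step_error_rates(records: List[RunRecord]) -> Dict[str, float]:
    """Post-release monitoring: fraction of attempts in which each step errored."""
    seen, errs = {}, {}
    for rec in records:
        for s in rec.steps:
            seen[s["name"]] = seen.get(s["name"], 0) + 1
            errs[s["name"]] = errs.get(s["name"], 0) + (s["status"] != "ok")
    return {n: errs[n] / c for n, c in seen.items()}
```

Swapping the fakes for real TheHive, MISP or ServiceNow clients changes only the two constructor arguments to `build_playbook`; the steps, the fixtures and the monitoring stay identical, which is the property that makes the playbook testable before a plugin upgrade and observable after it.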