Cosive


AusCERT 2019 Presentation

Running Your SOC Playbooks as Code

Security Orchestration, Automation and Response (aka SOAR)

  • What are we looking to automate?

  • Orchestrate many specialised systems (e.g. TheHive, Cortex, MISP or another TIP, ServiceNow, JIRA, and so on)

  • Point-to-point integration does not scale: every system cannot integrate directly with every other system, so a hub is needed in the middle

  • An orchestration system versus the cluster of duct-tape scripts you have today

  • Removing repetitive analyst work

  • Supporting analysts through complex investigations

  • Typical workflows to target

  • Tracking and enforcing workflows within the team (did we end up handling everything?)

  • Making workflows consistent (did we handle everything in the same way?)

SOAR vs regular orchestration

  • How does it differ?

  • How do SOAR systems work together with regular orchestration?

Commercial options (brief summary)

  • Demisto

  • Phantom

  • Swimlane

Open source options (more depth, with demos)

  • NSA Walkoff

  • Stackstorm

  • Ansible (specialised roles for security operations announced, pending release)

Considerations for running SOAR platforms

  • A long term, ongoing project - start simple and iterate

  • A fast-moving plugin community that has to keep pace with releases of the systems being integrated

  • Maintenance

  • Testing playbooks pre-release

  • Testing playbooks post-release

  • Uncommon integrations: do you need developers to write and maintain them?

  • Keeping automation pipelines sane and monitored

  • Do they still perform the way initially intended?

  • Do you already have clearly defined non-automated processes? (A process that is not defined cannot be automated consistently.)
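One way to make the "playbooks as code" idea above concrete, covering the coverage and consistency checks from the first section and the pre-release and post-release testing points from the last one. This is an added example, not code from the talk, from Cosive, or from any of the products listed. The playbook is a plain Python function whose integrations are injected, so the same code runs against real clients in production and against in-memory fakes in a pre-release test. `FakeTip`, `FakeTicketing`, `triage_indicator`, `canary` and the alert batch are all hypothetical names and constructed sample data standing in for a TIP lookup and a ticketing system.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    indicator: str   # IP or domain pulled from the originating alert
    source: str


class FakeTip:
    """Hypothetical stand-in for a threat-intel platform lookup (MISP/TIP style).
    The indicator table is constructed sample data, not real intel."""
    def __init__(self) -> None:
        self.known_bad: Dict[str, str] = {
            "203.0.113.7": "tlp:amber scanner",   # TEST-NET-3 documentation address
            "evil.example": "phishing kit",
        }

    def lookup(self, indicator: str) -> Optional[str]:
        if indicator == "timeout.example":     # simulate an integration outage
            raise TimeoutError("TIP did not answer")
        return self.known_bad.get(indicator)


class FakeTicketing:
    """Hypothetical stand-in for the case/ticket system (TheHive/ServiceNow/JIRA style)."""
    def __init__(self) -> None:
        self.tickets: List[dict] = []

    def create(self, title: str, severity: str, alert_id: str) -> str:
        ticket_id = f"TKT-{len(self.tickets) + 1}"
        self.tickets.append({"id": ticket_id, "title": title,
                             "severity": severity, "alert": alert_id})
        return ticket_id


@dataclass
class Outcome:
    alert_id: str
    steps: List[str]                 # audit trail of the steps that ran, in order
    disposition: str = "unknown"     # terminal state the playbook reached
    ticket_id: Optional[str] = None


TERMINAL = {"closed_no_intel", "ticketed"}   # the only acceptable end states


def triage_indicator(alert: Alert, tip: FakeTip, ticketing: FakeTicketing) -> Outcome:
    """The playbook: enrich the indicator, open a ticket on a hit, otherwise close."""
    out = Outcome(alert.alert_id, steps=["received"])
    hit = tip.lookup(alert.indicator)
    out.steps.append("enriched")
    if hit is None:
        out.disposition = "closed_no_intel"
        out.steps.append("closed")
        return out
    severity = "high" if "phishing" in hit else "medium"
    out.ticket_id = ticketing.create(
        f"Indicator hit: {alert.indicator} ({hit})", severity, alert.alert_id)
    out.disposition = "ticketed"
    out.steps.append("ticketed")
    return out


def run_playbook(alerts: List[Alert], tip: FakeTip, ticketing: FakeTicketing) -> Dict[str, Outcome]:
    """Run the playbook over a batch. One failing integration must not silently
    drop the remaining alerts, so errors are recorded as an outcome, not raised."""
    results: Dict[str, Outcome] = {}
    for alert in alerts:
        try:
            results[alert.alert_id] = triage_indicator(alert, tip, ticketing)
        except Exception as exc:
            results[alert.alert_id] = Outcome(
                alert.alert_id, ["received", f"error:{type(exc).__name__}"], disposition="error")
    return results


def unhandled(alerts: List[Alert], results: Dict[str, Outcome]) -> List[str]:
    """'Did we end up handling everything?': ids that never reached a terminal state."""
    return [a.alert_id for a in alerts
            if a.alert_id not in results or results[a.alert_id].disposition not in TERMINAL]


def consistent(results: Dict[str, Outcome]) -> bool:
    """'Did we handle everything the same way?': same disposition implies same step sequence."""
    seen: Dict[str, List[str]] = {}
    return all(seen.setdefault(o.disposition, o.steps) == o.steps for o in results.values())


def canary(tip: FakeTip, ticketing: FakeTicketing) -> bool:
    """Post-release check to run on a schedule: a known-bad canary indicator must
    still end up ticketed, otherwise the pipeline has quietly stopped doing its job."""
    out = triage_indicator(Alert("canary", "evil.example", "scheduler"), tip, ticketing)
    return out.disposition == "ticketed" and out.ticket_id is not None


# Constructed sample batch, not real alerts.
SAMPLE_ALERTS = [
    Alert("A1", "203.0.113.7", "siem"),
    Alert("A2", "198.51.100.9", "siem"),     # not in the TIP: should be closed
    Alert("A3", "evil.example", "mail-gw"),
    Alert("A4", "timeout.example", "siem"),  # TIP outage: must surface as unhandled
]


def demo():
    """Pre-release test in miniature: run the batch against the fakes and return
    the results together with the coverage, consistency and canary verdicts."""
    tip, ticketing = FakeTip(), FakeTicketing()
    results = run_playbook(SAMPLE_ALERTS, tip, ticketing)
    return results, unhandled(SAMPLE_ALERTS, results), consistent(results), canary(tip, ticketing)
```

The design point is that the fakes and the checks are the pre-release test, while `canary` is the same playbook exercised after release with a known input, which is the cheapest way to answer "does it still perform the way initially intended?" when a plugin or an upstream API changes underneath it. The `unhandled` list is what an orchestration system should alert on: an alert that errored out of the playbook is exactly the case a pile of duct-tape scripts loses track of.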
