This document summarizes a webinar presented by Rich Lang and Tammy Sexton of Maricopa Community Colleges and LogicHub on security automation. It discusses how the colleges were dealing with a high volume of suspicious login alerts through manual processes. It then describes how they implemented an automated workflow using LogicHub to more efficiently triage alerts, notify users, and document responses. The workflow integrates data from various security tools to more quickly and accurately respond to potential threats while reducing the workload on security teams.
This document summarizes a webinar presented by Rich Lang and Tammy Sexton of Maricopa Community Colleges and LogicHub on security automation. It discusses how the colleges were dealing with a high volume of suspicious login alerts through manual processes. It then describes how they implemented an automated workflow using LogicHub to more efficiently triage alerts, notify users, and document responses. The workflow integrates data from various security tools to more quickly and accurately respond to potential threats while reducing the workload on security teams.
This document summarizes a webinar presented by Rich Lang and Tammy Sexton of Maricopa Community Colleges and LogicHub on security automation. It discusses how the colleges were dealing with a high volume of suspicious login alerts through manual processes. It then describes how they implemented an automated workflow using LogicHub to more efficiently triage alerts, notify users, and document responses. The workflow integrates data from various security tools to more quickly and accurately respond to potential threats while reducing the workload on security teams.
This document summarizes a webinar presented by Rich Lang and Tammy Sexton of Maricopa Community Colleges and LogicHub on security automation. It discusses how the colleges were dealing with a high volume of suspicious login alerts through manual processes. It then describes how they implemented an automated workflow using LogicHub to more efficiently triage alerts, notify users, and document responses. The workflow integrates data from various security tools to more quickly and accurately respond to potential threats while reducing the workload on security teams.
Technical Director: Information Technology Vice President Security & Planning LogicHub Maricopa Community Colleges
Watch the full webinar replay
PHISHING HIGHER-ED SOC AUTOMATION SOC AUTOMATION • 2016 data – Higher Education hit across the country Phishing attacks • https://www.universitybusiness.com/article/college- cyber-attacks-don-t-take-bait • Important update from your IT Helpdesk – please login and update your profile. • TOR, Anonymous Proxies used by threat actors • Postmortem review / findings SOC AUTOMATION
User Lucky (user.lucky@mysite.edu)
SOC AUTOMATION • Google’s recommendation for stopping suspicious logins: • Ask the user if they remember signing in.
• Have them check their last account activity.
• If you can’t establish the legitimacy of the
signin- follow the Admin security checklist.
• Google Cloud Support can’t investigate alerts
as they are considered sensitive and potentially private. SOC AUTOMATION • So what were you doing on the night of Friday the 13th 2 AM at IP address 10.10.1.20.
• Do you frequently log in from the Ukraine, Iraq or Brazil?
• Have you checked your last login activity?
• I noticed you are using a free proxy service.
• Are you aware your home computer may be infected?
SOC AUTOMATION
• Avg daily number of employee Suspicious Logins – 50
• Avg daily number of student suspicious logins – 200
SOC AUTOMATION • The alert is sent from Sumo Logic into LogicHub. • Sumo Logic , CrowdStrike, LogicHub, • Twilio • This flow captures the work that would be done manually if we had the resources 17
SOC AUTOMATION
• A text message is sent via Twillio.
• This flow can be modified, Example: add action to send a text message to IT security if the user is an admin, a financial aid processor, or has access to wire transfers • Any action can be 24x7 or just during the work day or school year. 18
SOC AUTOMATION • LogicHub created an action that opens a case in ServiceNow for purposes of the POC. • In the test case, Lucky User had responded “yes” to the text which is automatically documented in the case that LogicHub automatically opened • This action could be easily modified to our Case Management System via API access SOC AUTOMATION • Lucky User - The Information Security Office has received notification of suspicious activity from your account. IP: 72.216.244.24 Login Time: 2018-06- 12T14:17:30.000Z Please reply with “Y” or “YES” if this WAS you. Please reply with a “N” or “NO” if this WAS NOT you. Maricopa Community Colleges will never ask you for your password, and you may contact the Information Security Office to verify the validity of this message at 480-7xx-xxxx or informationsecurity@mysite.edu. SOC AUTOMATION • Because the user has not entered a mobile phone number, we are resetting their password. Time: 2018-06-12T21:33:18.000Z UTC Name: Lucky User Title: Music Instruction Hrly Suspicious login from: , United States Login IP: 2600:8800:2c00:e430:4577:2b1d:f130:5a3f • Because the user did not respond, we reset their password Time: 2018-06-12T16:21:22.000Z UTC Name: Ima Teepot Title: Tech Support Specialist Suspicious login from: Ashburn, United States Login IP: 54.208.84.215 SOC AUTOMATION
Best Practices
Validate Data Integration Sources
Enlist Peers to Test the System
Scope The Prototype
Set Your Expectations
Fail Fast SOC AUTOMATION
Lessons Learned
Consider Event Timing / Synchronization
Build in Error Handling
Enlist Communications Team
Start with Modest Workflow
LogicHub Automates: Logic
Alert Triage Reduce false positives by 95%
Incident Response Reduce response times (MTTR)
Threat Hunting Detect unknown threats
Next Generation Security Automation:
•Founded in 2015 •Headquarters: Mountain View, CA Traditional SOA Vendors
Human Feedback Cloud Logs Any API enabled system LogicHub Integrations 90+ and counting, including: Investigative Ticketing Systems Threat Intelligence Vulnerability Remote Access Management
Identity Management Cloud
AWS Cloud Trail
VPC Flow Logs
freegeoip Messaging ICANN WHOIS SIEMs Endpoint
dig ET Intelligence LogicHub Sample Use Cases Thank You!
