ntxissacsc5

1. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Shifting from “Incident”
to “Continuous” Response
Bill White CISSP, CISA, CRISC
Information Security Architecture
Nov 10, 2017

2. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Disclaimer:
The opinions and content expressed in this presentation are my
own and should not be assumed to be in alignment with those of
my employer.

3. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Incident Response:
An organized approach to addressing and managing
the aftermath of a security breach or attack (also
known as an incident). The goal is to handle the
situation in a way that limits damage and reduces
recovery time and costs.
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command &
Control (C2)
Internal
Reconnaissance
Privileged
Operations
Internal Pivot
Maintain
Presence
Mission
Objectives
How?
Kill the attacker as early as possible in the Cyber Attack
Lifecycle

4. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Incident Response:
An organized approach to addressing and managing
the aftermath of a security breach or attack (also
known as an incident). The goal is to handle the
situation in a way that limits damage and reduces
recovery time and costs.
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command &
Control (C2)
Internal
Reconnaissance
Privileged
Operations
Internal Pivot
Maintain
Presence
Mission
Objectives
No, Really, How?
• Really! Find them and stop them!
• Take the knowledge you just gained and watch for
that to happen again.
• AGGREGATION of intelligence is the key!

5. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command &
Control (C2)
Internal
Reconnaissance
Privileged
Operations
Internal Pivot
Maintain
Presence
Mission
Objectives
This IP address has been
scanning the perimeter
A new exploit is identified in
the wild
A email was delivered with a file
attachment
Application error on
workstation
Powershell execution or new
executable
Anomalous DNS traffic
detected

6. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
The core of the next-generation security protection process will be continuous,
pervasive monitoring and visibility that is constantly analyzed for indications of
compromise.
“Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” by Neil MacDonald and Peter Firstbrook, 12 February 2014, refreshed 28
January 2016, ID G00259490, https://www.gartner.com/doc/2665515/designing-adaptive-security- architecture-protection

7. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Security Monitoring will encompass as many layers of the IT stack as possible
including network activity, endpoints, system interactions, application
transactions and user activity.
The design and benefit of joining the foundational elements of intelligence,
context, and correlation with an adaptive architecture will be explored.
Intelligence Driven
Adaptive Security Architecture
Continuous
Monitoring
& Analytics
Continuous
Monitoring
Embedded
Analytics
ThreatIntelligence
CommunityIntelligence
VendorLabs
Policy
VulnerabilityScans
Context

8. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
This presentation will provide
security related scenarios where
centralized security data analytics
and adaptive security architecture
are used to respond in a dynamic
way to enable this next
generation security protection.
Cyberspace
Enterprise
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Access ControlAccess Control
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Associate
BYOD
Associate
BYOD
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Corporate Mobil
Endpoint
Corporate Mobil
Endpoint
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
FirewallFirewall
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
ProxyProxy
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Data ProtectionData Protection
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Applications
Applications
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Infrastructure
Infrastructure
Externally
Supplied
Security Intel
and Assets
Externally
Supplied
Security Intel
and Assets
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
Advanced
Detective
Controls
Advanced
Detective
Controls
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
VPN
ThreatsThreats CustomersCustomers
VendorsVendors
AssociatesAssociates
· On alert, it performs Enterprise-defined
policy based operations (i.e. a particular
analytic workflow) to enrich the alert
· It queries internal or external data sources
for sightings of similar behavior, file
hashes, etc
· In the case of a malware file, it may send
the file to a file detonation service
· It determines whether further action is
required
· If further action is required, it passes an
action alert to the Decision-Making Engine
· Otherwise, it logs its activities
Policy Engine
Enrichment and
Analytics Engine
Decision Making
Engine
Response/
Action Engine
· Acts on notification of a Security Event.
· Compares event to Enterprise-defined
policies
· Determines if a security event requires
further action
· On further action, passes the security
event to the Enrichment/Analytic engine
as an alert
· Otherwise, it logs the security event
· On action alert, it determines which
Enterprise-defined policy based Course of
Actions (COA(s)) are appropriate
· A selected COA might block all traffic from
a specific internet address or quarantine a
specific host system
· Enterprise policies and processes may
require notification and involvement of a
human decision maker
· No enterprise COA might exist for a given
action alert and it may initiate a manual
workflow via CSDC
· On selection, it passes the selected COA(s)
to the Response Engine
· The Response Engine translates the COA
into a machine translatable execution
workflow
· It sends this workflow to the Output
Framework
· On receipt of a workflow, the Output
Framework translates the workflow into
device-specific response actions and sends
to the appropriate enterprise sensors and
controls
· Asset Data· Asset Data
Threats and
Vulnerabilities
Business Value
and Context
Security and
Operational
· SIEM Alert Data· SIEM Alert Data
· Vulnerability Data· Vulnerability Data
· Endpoint and Network Protection· Endpoint and Network Protection
· Data Loss Incidents· Data Loss Incidents
· Vendor Threat Intelligence· Vendor Threat Intelligence
· Community Intelligence· Community Intelligence
· Organizational Data· Organizational Data
· User Data· User Data
· Role and Privilege Data· Role and Privilege Data
· HR Data· HR Data
· Legal and Regulatory Data· Legal and Regulatory Data
· Geolocation Data· Geolocation Data
· Authentication Data· Authentication Data
· Security Data· Security Data
· Endpoint and Network Data· Endpoint and Network Data
· Application Log Data· Application Log Data
· File and Data Movement Data· File and Data Movement Data
· Remote Access Data· Remote Access Data
· Physical Access Data· Physical Access Data
· Enterprise Information Security Policy· Enterprise Information Security Policy
· Enterprise and Information Security Standards· Enterprise and Information Security Standards
SIEMSIEM

9. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
We will look behind the curtain of "marketecture" to the real and aspirational
solutions for a SOC that will likely materialize as vendor products mature over
the next few years.

10. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
What makes up the next generation of security protection?
“Integrated Adaptive Cyber Defense (IACD) Baseline Reference Architecture”, Johns Hopkins Applied Physics Laboratory
https://secwww.jhuapl.edu/IACD/Resources/Architecture/IACD%20Baseline%20Reference%20Architecture%20-%20Final%20PR.pdf

11. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
The first step occurs when the Sensor/Control Interface receives notification of
a Security Event from enterprise sensors.
Based on enterprise-defined policies and processes, the Policy Engine will
determine that either the security event requires further action or it does not.
If further action is required, it will pass the security event information to the
Enrichment/ Analytic Framework as an alert. Otherwise, it will simply log the
security event.
Sensor (source)
Sensor (source)
Sensor (source)
Sensor (source)
Sensor (source)
Sensor / Control
InterfaceSecurity
Event
Policy Engine
ALERT
Aggregation
Analytics
Policy EnginePolicy Engine

12. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Enrichment and Analytic Framework receives an alert, it will perform any number of
operations (i.e. a particular analytic workflow) to enrich the alert information.
Based on the enriched information and enterprise policies and processes, the Analytic
Framework will determine whether further action is required or not.
If further action is required, it will pass the enriched information as an action alert to the
Decision-Making Engine. If no further action is required, it will simply log its activities.
Policy Engine Enrichment and Analytics Engine
ALERT
Sandbox Analytics
Full Packet Capture
3rd
Party Analytics
Asset/Information Query
Vulnerability Query
Aggregation
Decision
Policy EnginePolicy Engine Enrichment EngineEnrichment Engine

13. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Decision-Making Engine will determine what Course of Action
(COA) is appropriate
For example, a selected COA might block all traffic from a specific
internet address or quarantine a specific host system.
It is possible that enterprise policies and processes require the
notification and involvement of a human decision maker.
It is also possible that no enterprise COA exists for a given action
alert and the Decision-Making Engine may simply initiate a manual
workflow via SOC.
Once a COA is selected, the Decision-Making Engine will pass the
selected COA(s) to the Response Engine.
Decision-Making EngineResponse / Action Engine
Courses of
Action
Enrichment and Analytics Engine
Action Alert
Decision EngineDecision EngineAction EngineAction Engine

14. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
The Response/Action Engine
translates the COA into a machine
translatable execution workflow,
which it sends to the Sensor
interface.
Upon receipt of an execution
workflow, the Sensor Interface
translates the workflow into
device-specific response actions
that it sends to the appropriate
enterprise sensors and controls.
Sensor /
Control
Interface
Control
Control (Action
Point)
Policy Engine
Response / Action Engine
Response
Action
Work Flow
Decision-Making Engine
Courses of
Action
Action EngineAction Engine

15. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
An Basic Example
Policy:
• Is the laptop in the authorized
asset inventory?
• Is the laptop configured and
patched to standards?
Analytics:
• Retrieve asset history from CMDB
or ARM
• Retrieve vulnerability information
on this asset from VM
Decision:
• Allow DHCP to complete
• Move the asset to the remediation
network for mitigation
Action:
• Do or do not. There is no try.
IDASA Framework
Is this asset in
inventory?
Does it meet
baseline config?
Remediation Network
Patch Management
YES
NO
YES
NO
EWR
Domain
CMDB
Service Ticket
Laptop Connects
to the network
DHCP
CSDC

16. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Another Basic Example
Policy:
• High Risk User?
• High Risk Geo?
• Prior Authentication Risk?
• New Asset?
IDASA Framework
Is this a
high-risk
user?
Authentication
Domain
High Risk Users
YES
NO
Authentication Remediation Steps
* Challenge/response
* MFA
Fail Geo Testing?
Security
Analytics
High Prior
Failed
Attempts?
NO
YES
Different
Device?
YES
NO
YES
AuthorizationNO
Analytics:
• Retrieve credential memberships
• Retrieve IP history
• Retrieve authentication history
• Retrieve asset information
Decision:
Allow, Step Up Authentication, Send to
remediation network

17. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
A Mature Example
Policy:
• Approved executable?
• Normal?
• Privileged?
Analytics:
• Retrieve asset inventory
• Retrieve executable history
• Retrieve user/action history
Decision:
• Run the executable in sandbox
• Send Executable to malware
analytics
• Enable full packet capture
• Step up authentication
Executable
Is this an
approved
application?
User Behavior
Analytics
YES
NO
YES
NO
Sandbox
Application
Malware
Analysis
Open Service
Ticket
Applications
Sandbox
Application
Full Packet
Capture
Elevated HIDS
Updated/Additional Intel
CMDB
Auth
Remediation
YES
Security
Analytics
Is this normal
usage?
Priv
Operation?

18. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Intelligence Driven Adaptive Security Architecture
Time to mature
• Focus on addressing specific use cases while
building the engines
• Leverage automation and orchestration
• Fail CLOSED! (throw unknowns back to
humans for analysis and decision)
Advantages
• Detect, Respond, Recover at machine speed
• Free up analysts to address complex incidents
• Focus on gathering intelligence to feed
analytics
Stop being reactive!
Change from
“Incident Response”
to
“Continuous Response”

19. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
Shifting from
“Incident” to “Continuous” Response
QUESTIONS?
By: Bill White CISSP, CISA, CRISC
@riskofinfosec

20. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
20
Thank you