Effective Security Monitoring by SOAR and SecOps presented at CODEBLUE2020 2020

by Masayoshi Mizutani

Summary: In security monitoring, sensors that collect suspicious events and SIEM (Security Information & Event Manager) systems that detect alerts by combining these events are getting a lot of attention. However, in actual operation, investigation and risk management after detection are more important tasks, because the workload of these tasks is usually higher. In order to reduce this workload, products and services called SOAR (Security Orchestration, Automation and Response) have begun to emerge as a framework for automating the collection of threat information and the investigation of compromised resources that are required after alert detection. By using such a framework, it becomes easier to respond to changes in business and security situations. To achieve this structure, it is important not to separate the infrastructure development team from the operations team. In this talk, I will introduce an approach to improving the efficiency of security monitoring work based on DeepAlert, which is a SOAR framework that the speaker himself built. DeepAlert is abstracted into three steps: investigation of alert-related information, risk evaluation of alerts, and response to alerts, and we will introduce how each contributes to reducing the load of monitoring work. Also, when utilizing SOAR, more flexible and quick responses can be expected by integrating infrastructure and operations as much as possible. I would like to discuss “SecOps”, that is, incorporating the culture of software development into security operations, and the future of cybersecurity countermeasure teams.