Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

2ca9e6e68b43a796a8add2bcb9bbad2e?s=47 Masayoshi Mizutani
October 29, 2020
Technology
0
510

SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

CODE BLUE 2020での登壇資料です

2ca9e6e68b43a796a8add2bcb9bbad2e?s=128

Masayoshi Mizutani

October 29, 2020
Tweet

More Decks by Masayoshi Mizutani

See All by Masayoshi Mizutani
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
0
390
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
4
2.1k
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
1
330
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
1
4k
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
3
2k
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
4
1.8k
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
3
2.6k
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
3
1.6k
2ca9e6e68b43a796a8add2bcb9bbad2e?s=48 mizutani
0
310

Other Decks in Technology

See All in Technology
98a2aff83d5731c9e153a3f221fc08ab?s=48 kazkanda
0
250
64a4ba69d50590e592cd8e572454daa8?s=48 olegkovalov
1
350
71c9ebde850996d2533c5df4df2c93c6?s=48 opdavies
0
2.5k
275fa343348e7dd4f5f7abfe09bb19d4?s=48 nishiodens
0
320
525442fc70ca92f82ae503f826956137?s=48 finengine
0
370
Dc35998459997f1063eab4194fcb4531?s=48 mars_eu
0
180
3d9e7f071ee9e03cbb088e64fae76fec?s=48 komik699
0
130
D8e79ab09f15e69d600c00131bf7d2a9?s=48 yfutamura
0
730
3b02ffcc638b9cde6cb1bb458a926b15?s=48 yukiarrr
1
350
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
160
E10d51de51c08e913216385be87dc1ca?s=48 pongzu
2
290
9b2600a82821673d9d0f03cc6f7bc56e?s=48 kloudleinc
0
120

Featured

See All Featured
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
302
32k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
5.5k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
116
10k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
220
15k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
479
150k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
495
110k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
23
3.9k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
221
15k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
208
10k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
23
1.3k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
26
2.2k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
12
750

Transcript

  1. &GGFDUJWF4FDVSJUZ.POJUPSJOHCZ 40"3BOE4FD0QT $PPLQBE*OD 5FDI%FQBSUNFOU 4FDVSJUZ5FBN-FBEFS .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ  5IV 

    $0%&#-6&

  2. 5PEBZ`T"HFOEB w8IBUJT40"3  w40"3$BTF4UVEZ w4FDVSJUZCZ4PGUXBSF&OHJOFFSJOH 

  3. 8IPBSFZPV w1I%ʢ.FEJBBOE(PWFSOBODFʣ wʙ*#.+BQBO w 3FTFBSDIBOEEFWFMPQNFOUPGTFDVSJUZQSPEVDUTFSWJDF FH4*&.  w "OBMZTUPG40$ 4FDVSJUZ0QFSBUJPO$FOUFS

     wʙ$PPLQBE*OD w 4FDVSJUZ5FBN-FBEFS w %FWFMPQNFOUBOEPQFSBUJPOPGJOUFSOBMTFDVSJUZJOGSBTUSVDUVSF w $4*35 *OGPSNBUJPO4FDVSJUZ$PNNJUUFF  .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ

  4. #BDLHSPVOE 

  5. #BDLHSPVOEPGPVS$4*35 w-JNJUFEIVNBOSFTPVSDFT w 0OMZBDUJWFNFNCFST w 8PSLJOHGPSOPUPOMZJODJEFOUSFTQPOTFCVUBMTPDPNQBOZSJTLNBOBHFNFOU w'PDVTJOHPOl4FDVSJUZ.POJUPSJOHz w (VBSESBJM OPU(BUFLFFQFS

    w 1SFWFOUUPCSBLFCVTJOFTTBDUJWJUJFTCZTFDVSJUZSVMFT w $BQBCJMJUZPGEFUFDUJOHTFDVSJUZCSFBDIBOEJOWFTUJHBUJPO 

  6. $PNQPOFOUTPG4FDVSJUZ.POJUPSJOH  -PHHJOH "MFSUJOH "OUJ7JSVT &%3 &OEQPJOU %FUFDUJPO3FTQPOTF /FUXPSLCBTFE*%4 JOUSVTJPO%FUFDUJPO4ZTUFN

    4ZTUFN4FSWJDF-PHT 8"' 8FC"QQMJDBUJPO'JSFXBMM "VEJU-PHT /FUXPSL-PHT 4FOTPS .BOBHFS -PH.BOBHFS 4*&. 4FDVSJUZ*OGPSNBUJPO&WFOU.BOBHFS

  7. $ZDMFPG4FDVSJUZ.POJUPSJOH  0CTFSWBUJPO %FUFDUJPO 3FTQPOTF (BUIFSJOHTFDVSJUZ FWFOUTGSPNPXO TZTUFNFOWJSPONFOU %FUFDUJOHQPUFOUJBM PGTFDVSJUZCSFBDICZ

    PCTFSWFEFWFOU T +VEHJOHTFWFSJUZPG UIFEFUFDUFEBMFSUCZ JOWFTUJHBUJPO w 1SFTFSWJOHFWJEFODFT w .JUJHBUJOHEBNBHF 4FOTPST 4*&. /FFECJHNBOQPXFS 5SJBHF "TTFTTNFOU

  8. 40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF 

  9.  %FUFDUJPO  5SJBHF  3FTQPOTF 40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF 

    40"3 "MFSUJOH1SPEVDU FH4*&. 0UIFS1SPEVDUT 4FSWJDFT 0UIFS1SPEVDUT 4FSWJDFT 4FDVSJUZ "MFSU *OGPSNBUJPO SFMBUFEUIFBMFSU $IBOHF DPOpHVSBUJPO w"VUPNBUJPOGPS5SJBHFBOE3FTQPOTF1IBTFTJO4FDVSJUZ .POJUPSJOHXJUI7BSJPVT1SPEVDUTBOE4FSWJDFT w 0SJHJOBMMZDPJOFECZ(BSUOFSJOUIFJSSFQPSU /PW   w %FpOJUJPOJTTMJHIUMZEJ⒎FSFOUCZFBDITFDVSJUZWFOEPS

  10. 40"3 WFSZTJNQMF 6TF$BTF  4*&. *1BEESFTT SFQVUBUJPOTFSWJDF "84 Detect suspicious

    activities in a EC2 instance on AWS One of IP addresses is Command & Control Server!! Take snapshot and quarantine the instance Inquiry about communicated IP addresses 7BSJPVT -PHT 1MBZCPPL 3VOCPPL FUD 40"3

  11. #FOFpUPG40"3 w4BWJOH-BCPSXPSLMPBE w 'VMMBVUPNBUFEUSJBHF SFTQPOTFGPSLOPXOBMFSUT w 3FEVDJOHXPSLMPBEPGUSJBHFGPSVOLOPXOBMFSUT w"EWBOUBHFT w )FMQGVMGPSBCVTZBOBMZTUCZNBLJOHBMFSUIBOEMJOHFBTZ

    w %POPUIFTJUBUFUPBEENPOJUPSJOHPGOFXBMFSUT 

  12. 40"3$BTF4UVEZ 4FDVSJUZ.POJUPSJOH"VUPNBUJPO 

  13. 5FDIOJDBM$IBMMFOHFTPG40"3JNQMFNFOUBUJPO w'MFYJCJMJUZ w )PXDBOXFEFTDSJCFDPNQMJDBUFEXPSLqPX  w 1SPQSJFUBSZMBOHVBHFEPFT/05XPSL w &DPTZTUFN w

    .BJOUFOBODFBCJMJUZ w&YUFOTJCJMJUZ w .BOZWBSJPVTPSDIFTUSBUJPOTFSWJDFTBOEQSPEVDUT w *OUFHSBUJPOXJUIJOUFSOBMTFSWJDFTBOEQSPEVDUT w"CTUSBDUJPO w 8PSLqPXNPEFMT w %BUBNPEFMT 

  14. %FFQ"MFSU w0VSPSJHJOBM40"3 GSBNFXPSL w *NQMFNFOUXJUI"84$%, w 5ISFFNBJOTUFQT w  *OTQFDUJPO&OSJDIQBSBNFUFST

    w  3FWJFX&WBMVBUFTFWFSJUZ w  &NJU5BLFBDUJPO w 4UBSUFEEFWFMPQNFOUBUFBSMZ   IUUQTHJUIVCDPNEFFQBMFSUEFFQBMFSU

  15. %FFQ"MFSU4UBDL <4UFQ>*OTQFDUJPO&OSJDIQBSBNFUFST w'SPNFYUFSOBMEBUBTPVSDF w 3FQVUBUJPOTFSWJDFT 7JSVT5PUBM )ZCSJE"OBMZTJT VSMTDBOJP FUD 

    w'SPNJOUFSOBMEBUBTPVSDF w 4FSWJDFBOETZTUFNMPHT (4VJUF "[VSF"% "84 *OUFSOBMTFSWFST  w &OEQPJOUMPHT $SPXE4USJLF'BMDPO PTRVFSZ  4/4 /PUJpDBUJPO4FSWJDF 424 2VFVF4FSWJDF 7JSVT5PUBM 4UBDL VSMTDBOJP 4UBDL $MPVE5SBJM 4UBDL "MFSU

  16. <4UFQ>3FWJFX&WBMVBUFTFWFSJUZ w&WBMVBUJPOQPMJDZXSJUUFOJO(PPO"84-BNCEB w 4FFOPUPOMZTFDVSJUZBMFSUCVUBMTPFOSJDIFEEBUB w &WFOUVBMMZ DIPJDFTFWFSJUZGSPN4BGF 6ODMBTTJpFEBOE6SHFOU w1PMJDZJTNBOBHFEJO(JU)VC&OUFSQSJTF w

    3FWJFXBCMFDPEF w 5FTUBCMFDPEF w $IBOHFIJTUPSZNBOBHFNFOU  4FDVSJUZBT$PEF

  17. 3FWJFX1PMJDZ$IBOHFT  w$IBOHFCZ13 1VMM3FRVFTU  w 0O(JU)VC&OUFSQSJTF w 3FWJFXFECZBUFBNNFNCFS w

    $BODPNNFOUUPDPEF w $BOBQQSPWFPGDIBOHFT w $IBOHFNBOBHFNFOU *OUIFTBNFNBOOFSBT NPEFSOTPGUXBSFEFWFMPQNFOU $PNNFOU $IBOHFIJTUPSZ

  18. 5FTU1PMJDZ$IBOHFT  w5FTUCZ(FOFSBM'SBNFXPSLPG(P w 3FWJFX-BNCEB'VODUJPOJTJNQMFNFOUFE XJUITJNQMFJOQVUPVUQVU w *OQVU"MFSUBOE%BUB w 0VUQVU4FWFSJUZ

    w &BTZUPXSJUFVOJUUFTUCZTJNQMF*0 0SJHJOBM4FDVSJUZ"MFSU "OFOSJDIFEQBSBNFUFS GSPNJOUFSOBMEBUBTPVSDF "MTP *OUIFTBNFNBOOFSBT NPEFSOTPGUXBSFEFWFMPQNFOU 3VOVOJUUFTU

  19. <4UFQ>&NJU5BLFBDUJPO w/PUJpDBUJPO w 4MBDL 1BHFS%VUZ 0CTPMFUFE  w*ODJEFOU5JDLFU$SFBUJPO w (JU)VC&OUFSQSJTF

    w2VBSBOUJOFBOE&WJEFODF1SFTFSWBUJPO 0QUJPOBM  w 4IVUEPXOOFUXPSLCZFOEQPJOUTFDVSJUZTFSWJDF w 4IVUEPXOOFUXPSLBOEUBLFTOBQTIPUCZDMPVEQSPWJEFS`TGVODUJPO w 8FEPOPURVBSBOUJOFGPSOPXCFDBVTFMPXGSFRVFOU 

  20. *NQSPWF4FDVSJUZ.POJUPSJOH0QFSBUJPOCZ40"3 w3FEVDJOHBOVNCFSPGUSJBHFSFTQPOTF w 0WFSDBTFTBSFDMPTFEBVUPNBUJDBMMZ SFTVMUT  w3FEVDJOHUJNFUPUSJBHF w "OBOBMZTUTUBSUTUSJBHFQIBTFXJUIFOSJDIFEBMFSUJOGPSNBUJPO w-PXDPTU

    w "WFSBHFEBZ 

  21. 4FDVSJUZCZ 4PGUXBSF&OHJOFFSJOH 

  22. 40"3JT(PPE&YBNQMFPG4PGUXBSF&OHJOFFSJOH w4FDVSJUZNPOJUPSJOHTZTUFNNVTUCFVQEBUFEDPOUJOVPVTMZ w $IBOHJOHTUBUVTPGPSHBOJ[BUJPO w $IBOHJOHBUUBDLFS`TUSFOE w $IBOHJOHDBQBCJMJUZPGTFOTPSBOEBMFSUEFUFDUPS w'PSDPOUJOVPVTSFJOGPSDFNFOUMPPQPG40"3ʜ w

    %FWFMPQNFOUPGOFXGFBUVSFT w 6QEBUF pYBOESFJOGPSDFQPMJDJFT w $POUJOVPVT*OUFHSBUJPO w $POUJOVPVT%FMJWFSZ  .PEFSO%FW0QT UFDIOJRVFTBSFBQQMJBCMF

  23. 4FD0QT w"QQMZ%FW0QTQSJODJQMFTUP4FDVSJUZTZTUFNT w -JLF.-0QT BQQMZ%FW0QTQSJODJQMFTUP.-TZTUFNT  w %FW4FD0QTNFBOTlTFDVSJUZDIFDLJO$*QJQFMJOFzJOHFOFSBM w#VJMEBOEPQFSBUFZPVSTFDVSJUZTZTUFNCZZPVSPXO TFMG

    w 5PBSDIJWFTDBMBCJMJUZ FYUFOTJCJMJUZ BHJMJUZBOEDBQBCJMJUZ w 'PSNPOJUPSJOH DPNQMJBODF SJTLNBOBHFNFOU FUD w 1SJPSFYBNQMFT/FUqJY -JCFSUZ.VUVBM FUD 

  24. $BTF4UVEZ43& w4JUF3FMJBCJMJUZ&OHJOFFSJOH &OHJOFFS  w "EJTDJQMJOFUIBUJODPSQPSBUFTBTQFDUTPGTPGUXBSFFOHJOFFSJOHBOE BQQMJFTUIFNUPJOGSBTUSVDUVSFBOEPQFSBUJPOTQSPCMFNT GSPN8JLJQFEJB  w'SPN(PPHMF#PPL

    w lKeeping operational work (i.e., toil) below 50% of each SRE’s timez w lReducing toil and scaling up services is the ‘Engineering’ ” w 5IFZDPOUJOVPVTMZJNQSPWFTUIFJSXPSLTCZTPGUXBSFFOHJOFFSJOH "MMQSJODJQMFTPG43&BSFOPUSFRVJSFEJOTFDVSJUZ DPOUFYU CVUXFDBOMFBSONPSFGSPNUIFN 

  25. "QQSPBDIUP4FD0QT GSPNNZFYQFSJFODF w$IBOHFUIFDVMUVSF w 'VMMDPNNJUNFOUGPSPQFSBUJPOBMXPSLTJTCBE w $IBOHFEGSPNUPQ MFBEFSPSNBOBHFS  w#PUIPGEFWFMPQNFOUTLJMMTBOETFDVSJUZLOPXMFEHFT

    BSFSFRVJSFE w ,FFQZPVSNPUJWBUJPOGPSJOGPSNBUJPOTFDVSJUZ w -FBSOGSPNNPEFSOTPGUXBSFEFWFMPQNFOUUFDIOJRVFT 

  26. $PODMVTJPO w40"3JTBDPODFQUPGBVUPNBUJPOBOEPSDIFTUSBUJPOJO USJBHFBOESFTQPOTFQIBTFTJOTFDVSJUZNPOJUPSJOH w%FFQ"MFSUJT$PPLQBEPXOFE40"3GSBNFXPSLXJUI TFSWFSMFTTBSDIJUFDUVSFPO"84 w &WBMVBUFTFWFSJUZXJUIJOUFSOBMFYUFSOBMEBUBTPVSDFBOEUBLFBDUJPO w 6TFNPEFSOTPGUXBSFEFWFMPQNFOUUFDIOJRVFTUPNBOBHFQPMJDZ w4FD0QTDPODFQUNBZCFDPNFNPSFJNQPSUBOU

    w 40"3JTBHPPEFYBNQMFUIBU4FD0QTDPODFQUXPSLTXFMM w 4FD0QTDBOIFMQTPUIFSTZTUFNBUJ[BUJPO 

  27. 5IBOLZPV