SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

&GGFDUJWF4FDVSJUZ.POJUPSJOHCZ 40"3BOE4FD0QT $PPLQBE*OD 5FDI%FQBSUNFOU 4FDVSJUZ5FBN-FBEFS .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ 5IV
$0%&#-6&

5PEBZ`T"HFOEB w8IBUJT40"3 w40"3$BTF4UVEZ w4FDVSJUZCZ4PGUXBSF&OHJOFFSJOH

8IPBSFZPV w1I%ʢ.FEJBBOE(PWFSOBODFʣ wʙ*#.+BQBO w 3FTFBSDIBOEEFWFMPQNFOUPGTFDVSJUZQSPEVDUTFSWJDF FH4*&. w "OBMZTUPG40$ 4FDVSJUZ0QFSBUJPO$FOUFS
wʙ$PPLQBE*OD w 4FDVSJUZ5FBN-FBEFS w %FWFMPQNFOUBOEPQFSBUJPOPGJOUFSOBMTFDVSJUZJOGSBTUSVDUVSF w $4*35 *OGPSNBUJPO4FDVSJUZ$PNNJUUFF .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ

#BDLHSPVOE

#BDLHSPVOEPGPVS$4*35 w-JNJUFEIVNBOSFTPVSDFT w 0OMZBDUJWFNFNCFST w 8PSLJOHGPSOPUPOMZJODJEFOUSFTQPOTFCVUBMTPDPNQBOZSJTLNBOBHFNFOU w'PDVTJOHPOl4FDVSJUZ.POJUPSJOHz w (VBSESBJM OPU(BUFLFFQFS
w 1SFWFOUUPCSBLFCVTJOFTTBDUJWJUJFTCZTFDVSJUZSVMFT w $BQBCJMJUZPGEFUFDUJOHTFDVSJUZCSFBDIBOEJOWFTUJHBUJPO

$PNQPOFOUTPG4FDVSJUZ.POJUPSJOH -PHHJOH "MFSUJOH "OUJ7JSVT &%3 &OEQPJOU %FUFDUJPO3FTQPOTF /FUXPSLCBTFE*%4 JOUSVTJPO%FUFDUJPO4ZTUFN
4ZTUFN4FSWJDF-PHT 8"' 8FC"QQMJDBUJPO'JSFXBMM "VEJU-PHT /FUXPSL-PHT 4FOTPS .BOBHFS -PH.BOBHFS 4*&. 4FDVSJUZ*OGPSNBUJPO&WFOU.BOBHFS

$ZDMFPG4FDVSJUZ.POJUPSJOH 0CTFSWBUJPO %FUFDUJPO 3FTQPOTF (BUIFSJOHTFDVSJUZ FWFOUTGSPNPXO TZTUFNFOWJSPONFOU %FUFDUJOHQPUFOUJBM PGTFDVSJUZCSFBDICZ
PCTFSWFEFWFOU T +VEHJOHTFWFSJUZPG UIFEFUFDUFEBMFSUCZ JOWFTUJHBUJPO w 1SFTFSWJOHFWJEFODFT w .JUJHBUJOHEBNBHF 4FOTPST 4*&. /FFECJHNBOQPXFS 5SJBHF "TTFTTNFOU

40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF

%FUFDUJPO 5SJBHF 3FTQPOTF 40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF
40"3 "MFSUJOH1SPEVDU FH4*&. 0UIFS1SPEVDUT 4FSWJDFT 0UIFS1SPEVDUT 4FSWJDFT 4FDVSJUZ "MFSU *OGPSNBUJPO SFMBUFEUIFBMFSU $IBOHF DPOpHVSBUJPO w"VUPNBUJPOGPS5SJBHFBOE3FTQPOTF1IBTFTJO4FDVSJUZ .POJUPSJOHXJUI7BSJPVT1SPEVDUTBOE4FSWJDFT w 0SJHJOBMMZDPJOFECZ(BSUOFSJOUIFJSSFQPSU /PW w %FpOJUJPOJTTMJHIUMZEJ⒎FSFOUCZFBDITFDVSJUZWFOEPS

40"3 WFSZTJNQMF 6TF$BTF 4*&. *1BEESFTT SFQVUBUJPOTFSWJDF "84 Detect suspicious
activities in a EC2 instance on AWS One of IP addresses is Command & Control Server!! Take snapshot and quarantine the instance Inquiry about communicated IP addresses 7BSJPVT -PHT 1MBZCPPL 3VOCPPL FUD 40"3

#FOFpUPG40"3 w4BWJOH-BCPSXPSLMPBE w 'VMMBVUPNBUFEUSJBHF SFTQPOTFGPSLOPXOBMFSUT w 3FEVDJOHXPSLMPBEPGUSJBHFGPSVOLOPXOBMFSUT w"EWBOUBHFT w )FMQGVMGPSBCVTZBOBMZTUCZNBLJOHBMFSUIBOEMJOHFBTZ
w %POPUIFTJUBUFUPBEENPOJUPSJOHPGOFXBMFSUT

40"3$BTF4UVEZ 4FDVSJUZ.POJUPSJOH"VUPNBUJPO

5FDIOJDBM$IBMMFOHFTPG40"3JNQMFNFOUBUJPO w'MFYJCJMJUZ w )PXDBOXFEFTDSJCFDPNQMJDBUFEXPSLqPX w 1SPQSJFUBSZMBOHVBHFEPFT/05XPSL w &DPTZTUFN w
.BJOUFOBODFBCJMJUZ w&YUFOTJCJMJUZ w .BOZWBSJPVTPSDIFTUSBUJPOTFSWJDFTBOEQSPEVDUT w *OUFHSBUJPOXJUIJOUFSOBMTFSWJDFTBOEQSPEVDUT w"CTUSBDUJPO w 8PSLqPXNPEFMT w %BUBNPEFMT

%FFQ"MFSU w0VSPSJHJOBM40"3 GSBNFXPSL w *NQMFNFOUXJUI"84$%, w 5ISFFNBJOTUFQT w *OTQFDUJPO&OSJDIQBSBNFUFST
w 3FWJFX&WBMVBUFTFWFSJUZ w &NJU5BLFBDUJPO w 4UBSUFEEFWFMPQNFOUBUFBSMZ IUUQTHJUIVCDPNEFFQBMFSUEFFQBMFSU

%FFQ"MFSU4UBDL <4UFQ>*OTQFDUJPO&OSJDIQBSBNFUFST w'SPNFYUFSOBMEBUBTPVSDF w 3FQVUBUJPOTFSWJDFT 7JSVT5PUBM )ZCSJE"OBMZTJT VSMTDBOJP FUD
w'SPNJOUFSOBMEBUBTPVSDF w 4FSWJDFBOETZTUFNMPHT (4VJUF "[VSF"% "84 *OUFSOBMTFSWFST w &OEQPJOUMPHT $SPXE4USJLF'BMDPO PTRVFSZ 4/4 /PUJpDBUJPO4FSWJDF 424 2VFVF4FSWJDF 7JSVT5PUBM 4UBDL VSMTDBOJP 4UBDL $MPVE5SBJM 4UBDL "MFSU

<4UFQ>3FWJFX&WBMVBUFTFWFSJUZ w&WBMVBUJPOQPMJDZXSJUUFOJO(PPO"84-BNCEB w 4FFOPUPOMZTFDVSJUZBMFSUCVUBMTPFOSJDIFEEBUB w &WFOUVBMMZ DIPJDFTFWFSJUZGSPN4BGF 6ODMBTTJpFEBOE6SHFOU w1PMJDZJTNBOBHFEJO(JU)VC&OUFSQSJTF w
3FWJFXBCMFDPEF w 5FTUBCMFDPEF w $IBOHFIJTUPSZNBOBHFNFOU 4FDVSJUZBT$PEF

3FWJFX1PMJDZ$IBOHFT w$IBOHFCZ13 1VMM3FRVFTU w 0O(JU)VC&OUFSQSJTF w 3FWJFXFECZBUFBNNFNCFS w
$BODPNNFOUUPDPEF w $BOBQQSPWFPGDIBOHFT w $IBOHFNBOBHFNFOU *OUIFTBNFNBOOFSBT NPEFSOTPGUXBSFEFWFMPQNFOU $PNNFOU $IBOHFIJTUPSZ

5FTU1PMJDZ$IBOHFT w5FTUCZ(FOFSBM'SBNFXPSLPG(P w 3FWJFX-BNCEB'VODUJPOJTJNQMFNFOUFE XJUITJNQMFJOQVUPVUQVU w *OQVU"MFSUBOE%BUB w 0VUQVU4FWFSJUZ
w &BTZUPXSJUFVOJUUFTUCZTJNQMF*0 0SJHJOBM4FDVSJUZ"MFSU "OFOSJDIFEQBSBNFUFS GSPNJOUFSOBMEBUBTPVSDF "MTP *OUIFTBNFNBOOFSBT NPEFSOTPGUXBSFEFWFMPQNFOU 3VOVOJUUFTU

<4UFQ>&NJU5BLFBDUJPO w/PUJpDBUJPO w 4MBDL 1BHFS%VUZ 0CTPMFUFE w*ODJEFOU5JDLFU$SFBUJPO w (JU)VC&OUFSQSJTF
w2VBSBOUJOFBOE&WJEFODF1SFTFSWBUJPO 0QUJPOBM w 4IVUEPXOOFUXPSLCZFOEQPJOUTFDVSJUZTFSWJDF w 4IVUEPXOOFUXPSLBOEUBLFTOBQTIPUCZDMPVEQSPWJEFS`TGVODUJPO w 8FEPOPURVBSBOUJOFGPSOPXCFDBVTFMPXGSFRVFOU

*NQSPWF4FDVSJUZ.POJUPSJOH0QFSBUJPOCZ40"3 w3FEVDJOHBOVNCFSPGUSJBHFSFTQPOTF w 0WFSDBTFTBSFDMPTFEBVUPNBUJDBMMZ SFTVMUT w3FEVDJOHUJNFUPUSJBHF w "OBOBMZTUTUBSUTUSJBHFQIBTFXJUIFOSJDIFEBMFSUJOGPSNBUJPO w-PXDPTU
w "WFSBHFEBZ

4FDVSJUZCZ 4PGUXBSF&OHJOFFSJOH

40"3JT(PPE&YBNQMFPG4PGUXBSF&OHJOFFSJOH w4FDVSJUZNPOJUPSJOHTZTUFNNVTUCFVQEBUFEDPOUJOVPVTMZ w $IBOHJOHTUBUVTPGPSHBOJ[BUJPO w $IBOHJOHBUUBDLFS`TUSFOE w $IBOHJOHDBQBCJMJUZPGTFOTPSBOEBMFSUEFUFDUPS w'PSDPOUJOVPVTSFJOGPSDFNFOUMPPQPG40"3ʜ w
%FWFMPQNFOUPGOFXGFBUVSFT w 6QEBUF pYBOESFJOGPSDFQPMJDJFT w $POUJOVPVT*OUFHSBUJPO w $POUJOVPVT%FMJWFSZ .PEFSO%FW0QT UFDIOJRVFTBSFBQQMJBCMF

4FD0QT w"QQMZ%FW0QTQSJODJQMFTUP4FDVSJUZTZTUFNT w -JLF.-0QT BQQMZ%FW0QTQSJODJQMFTUP.-TZTUFNT w %FW4FD0QTNFBOTlTFDVSJUZDIFDLJO$*QJQFMJOFzJOHFOFSBM w#VJMEBOEPQFSBUFZPVSTFDVSJUZTZTUFNCZZPVSPXO TFMG
w 5PBSDIJWFTDBMBCJMJUZ FYUFOTJCJMJUZ BHJMJUZBOEDBQBCJMJUZ w 'PSNPOJUPSJOH DPNQMJBODF SJTLNBOBHFNFOU FUD w 1SJPSFYBNQMFT/FUqJY -JCFSUZ.VUVBM FUD

$BTF4UVEZ43& w4JUF3FMJBCJMJUZ&OHJOFFSJOH &OHJOFFS w "EJTDJQMJOFUIBUJODPSQPSBUFTBTQFDUTPGTPGUXBSFFOHJOFFSJOHBOE BQQMJFTUIFNUPJOGSBTUSVDUVSFBOEPQFSBUJPOTQSPCMFNT GSPN8JLJQFEJB w'SPN(PPHMF#PPL
w lKeeping operational work (i.e., toil) below 50% of each SRE’s timez w lReducing toil and scaling up services is the ‘Engineering’ ” w 5IFZDPOUJOVPVTMZJNQSPWFTUIFJSXPSLTCZTPGUXBSFFOHJOFFSJOH "MMQSJODJQMFTPG43&BSFOPUSFRVJSFEJOTFDVSJUZ DPOUFYU CVUXFDBOMFBSONPSFGSPNUIFN

"QQSPBDIUP4FD0QT GSPNNZFYQFSJFODF w$IBOHFUIFDVMUVSF w 'VMMDPNNJUNFOUGPSPQFSBUJPOBMXPSLTJTCBE w $IBOHFEGSPNUPQ MFBEFSPSNBOBHFS w#PUIPGEFWFMPQNFOUTLJMMTBOETFDVSJUZLOPXMFEHFT
BSFSFRVJSFE w ,FFQZPVSNPUJWBUJPOGPSJOGPSNBUJPOTFDVSJUZ w -FBSOGSPNNPEFSOTPGUXBSFEFWFMPQNFOUUFDIOJRVFT

$PODMVTJPO w40"3JTBDPODFQUPGBVUPNBUJPOBOEPSDIFTUSBUJPOJO USJBHFBOESFTQPOTFQIBTFTJOTFDVSJUZNPOJUPSJOH w%FFQ"MFSUJT$PPLQBEPXOFE40"3GSBNFXPSLXJUI TFSWFSMFTTBSDIJUFDUVSFPO"84 w &WBMVBUFTFWFSJUZXJUIJOUFSOBMFYUFSOBMEBUBTPVSDFBOEUBLFBDUJPO w 6TFNPEFSOTPGUXBSFEFWFMPQNFOUUFDIOJRVFTUPNBOBHFQPMJDZ w4FD0QTDPODFQUNBZCFDPNFNPSFJNQPSUBOU
w 40"3JTBHPPEFYBNQMFUIBU4FD0QTDPODFQUXPSLTXFMM w 4FD0QTDBOIFMQTPUIFSTZTUFNBUJ[BUJPO

5IBOLZPV

SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

Masayoshi Mizutani

More Decks by Masayoshi Mizutani

Other Decks in Technology

Featured

Transcript

&GGFDUJWF4FDVSJUZ.POJUPSJOHCZ 40"3BOE4FD0QT $PPLQBE*OD 5FDI%FQBSUNFOU 4FDVSJUZ5FBN-FBEFS .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ 5IV

5PEBZ`T"HFOEB w8IBUJT40"3 w40"3$BTF4UVEZ w4FDVSJUZCZ4PGUXBSF&OHJOFFSJOH

8IPBSFZPV w1I%ʢ.FEJBBOE(PWFSOBODFʣ wʙ#.+BQBO w 3FTFBSDIBOEEFWFMPQNFOUPGTFDVSJUZQSPEVDUTFSWJDF FH4&. w "OBMZTUPG40$ 4FDVSJUZ0QFSBUJPO$FOUFS

#BDLHSPVOE

#BDLHSPVOEPGPVS$4*35 w-JNJUFEIVNBOSFTPVSDFT w 0OMZBDUJWFNFNCFST w 8PSLJOHGPSOPUPOMZJODJEFOUSFTQPOTFCVUBMTPDPNQBOZSJTLNBOBHFNFOU w'PDVTJOHPOl4FDVSJUZ.POJUPSJOHz w (VBSESBJM OPU(BUFLFFQFS

$PNQPOFOUTPG4FDVSJUZ.POJUPSJOH -PHHJOH "MFSUJOH "OUJ7JSVT &%3 &OEQPJOU %FUFDUJPO3FTQPOTF /FUXPSLCBTFE*%4 JOUSVTJPO%FUFDUJPO4ZTUFN

$ZDMFPG4FDVSJUZ.POJUPSJOH 0CTFSWBUJPO %FUFDUJPO 3FTQPOTF (BUIFSJOHTFDVSJUZ FWFOUTGSPNPXO TZTUFNFOWJSPONFOU %FUFDUJOHQPUFOUJBM PGTFDVSJUZCSFBDICZ

40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF

%FUFDUJPO 5SJBHF 3FTQPOTF 40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF

40"3 WFSZTJNQMF 6TF$BTF 4&. 1BEESFTT SFQVUBUJPOTFSWJDF "84 Detect suspicious

#FOFpUPG40"3 w4BWJOH-BCPSXPSLMPBE w 'VMMBVUPNBUFEUSJBHF SFTQPOTFGPSLOPXOBMFSUT w 3FEVDJOHXPSLMPBEPGUSJBHFGPSVOLOPXOBMFSUT w"EWBOUBHFT w )FMQGVMGPSBCVTZBOBMZTUCZNBLJOHBMFSUIBOEMJOHFBTZ

40"3$BTF4UVEZ 4FDVSJUZ.POJUPSJOH"VUPNBUJPO

5FDIOJDBM$IBMMFOHFTPG40"3JNQMFNFOUBUJPO w'MFYJCJMJUZ w )PXDBOXFEFTDSJCFDPNQMJDBUFEXPSLqPX w 1SPQSJFUBSZMBOHVBHFEPFT/05XPSL w &DPTZTUFN w

%FFQ"MFSU w0VSPSJHJOBM40"3 GSBNFXPSL w NQMFNFOUXJUI"84$%, w 5ISFFNBJOTUFQT w OTQFDUJPO&OSJDIQBSBNFUFST

%FFQ"MFSU4UBDL <4UFQ>*OTQFDUJPO&OSJDIQBSBNFUFST w'SPNFYUFSOBMEBUBTPVSDF w 3FQVUBUJPOTFSWJDFT 7JSVT5PUBM )ZCSJE"OBMZTJT VSMTDBOJP FUD

<4UFQ>3FWJFX&WBMVBUFTFWFSJUZ w&WBMVBUJPOQPMJDZXSJUUFOJO(PPO"84-BNCEB w 4FFOPUPOMZTFDVSJUZBMFSUCVUBMTPFOSJDIFEEBUB w &WFOUVBMMZ DIPJDFTFWFSJUZGSPN4BGF 6ODMBTTJpFEBOE6SHFOU w1PMJDZJTNBOBHFEJO(JU)VC&OUFSQSJTF w

3FWJFX1PMJDZ$IBOHFT w$IBOHFCZ13 1VMM3FRVFTU w 0O(JU)VC&OUFSQSJTF w 3FWJFXFECZBUFBNNFNCFS w

5FTU1PMJDZ$IBOHFT w5FTUCZ(FOFSBM'SBNFXPSLPG(P w 3FWJFX-BNCEB'VODUJPOJTJNQMFNFOUFE XJUITJNQMFJOQVUPVUQVU w *OQVU"MFSUBOE%BUB w 0VUQVU4FWFSJUZ

<4UFQ>&NJU5BLFBDUJPO w/PUJpDBUJPO w 4MBDL 1BHFS%VUZ 0CTPMFUFE w*ODJEFOU5JDLFU$SFBUJPO w (JU)VC&OUFSQSJTF

*NQSPWF4FDVSJUZ.POJUPSJOH0QFSBUJPOCZ40"3 w3FEVDJOHBOVNCFSPGUSJBHFSFTQPOTF w 0WFSDBTFTBSFDMPTFEBVUPNBUJDBMMZ SFTVMUT w3FEVDJOHUJNFUPUSJBHF w "OBOBMZTUTUBSUTUSJBHFQIBTFXJUIFOSJDIFEBMFSUJOGPSNBUJPO w-PXDPTU

4FDVSJUZCZ 4PGUXBSF&OHJOFFSJOH

40"3JT(PPE&YBNQMFPG4PGUXBSF&OHJOFFSJOH w4FDVSJUZNPOJUPSJOHTZTUFNNVTUCFVQEBUFEDPOUJOVPVTMZ w $IBOHJOHTUBUVTPGPSHBOJ[BUJPO w $IBOHJOHBUUBDLFS`TUSFOE w $IBOHJOHDBQBCJMJUZPGTFOTPSBOEBMFSUEFUFDUPS w'PSDPOUJOVPVTSFJOGPSDFNFOUMPPQPG40"3ʜ w

4FD0QT w"QQMZ%FW0QTQSJODJQMFTUP4FDVSJUZTZTUFNT w -JLF.-0QT BQQMZ%FW0QTQSJODJQMFTUP.-TZTUFNT w %FW4FD0QTNFBOTlTFDVSJUZDIFDLJO$*QJQFMJOFzJOHFOFSBM w#VJMEBOEPQFSBUFZPVSTFDVSJUZTZTUFNCZZPVSPXO TFMG

$BTF4UVEZ43& w4JUF3FMJBCJMJUZ&OHJOFFSJOH &OHJOFFS w "EJTDJQMJOFUIBUJODPSQPSBUFTBTQFDUTPGTPGUXBSFFOHJOFFSJOHBOE BQQMJFTUIFNUPJOGSBTUSVDUVSFBOEPQFSBUJPOTQSPCMFNT GSPN8JLJQFEJB w'SPN(PPHMF#PPL

"QQSPBDIUP4FD0QT GSPNNZFYQFSJFODF w$IBOHFUIFDVMUVSF w 'VMMDPNNJUNFOUGPSPQFSBUJPOBMXPSLTJTCBE w $IBOHFEGSPNUPQ MFBEFSPSNBOBHFS w#PUIPGEFWFMPQNFOUTLJMMTBOETFDVSJUZLOPXMFEHFT

5IBOLZPV