Successful incident response requires swift action to contain the threat. Whether the event is a breach, an insider threat or another form of attack, the longer the adversary is free to pivot through your network, the harder the event becomes to contain. Numerous tools are available today to perform key orchestration tasks, usually referred to as EDR (Endpoint Detection and Response) tools, but there are many reasons why these tools may not be suitable for your environment. For example, if you are tasked with protecting an industrial control system (ICS) or OT environment, where agent-based EDR-style applications could interrupt critical infrastructure, alternative options may be required. This presentation will discuss the concept of security incident automation and response, focusing on open-source host orchestration tools that can be used to execute key tasks to contain a cyber-security event, collect key evidence and better prepare you to survive the incident.
During this presentation we will discuss the following:
– Assessing an organization’s current incident response capabilities
– Defining automation and response and how it fits into Security Orchestration, Automation and Response (SOAR)
– Understanding which incident response processes can be easily automated and which cannot
– Covering the concepts of incident analysis, triage and prioritization
– Reviewing the benefits of incident response automation: faster response to incidents, and a way to cope with a smaller cyber workforce, an insufficient tools budget and a lack of in-house response capabilities
– Reviewing the processes that should be in your playbook for execution when a cyber-event has been identified, and how these translate into an automated workflow
– Weighing the value of agentless automation against commercial tools that require an agent
– Looking at tools such as PowerShell, Chef, Puppet and Ansible as enablers of incident response automation
– Walking through a number of incident scenarios and response use cases and how they can be automated, including some uses of automation from a recent real-world ransomware response
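As an illustration of the agentless approach the talk contrasts with agent-based EDR, the following PowerShell script is an added example and is not code from the presentation or its speaker. It contains a single Windows host over PowerShell Remoting (WinRM) and pulls back a triage package, with no resident agent involved. Everything it assumes is a placeholder: the target hostname, the IR jump host address, the evidence folder, that WinRM is already enabled and that the operator holds local administrator rights on the target. The containment step is opt-in via `-Isolate` so the collection half can be run on its own.

```powershell
# Added example, not from the talk: agentless containment and triage collection over WinRM.
# Assumptions: WinRM enabled on the target, operator is a local admin there, PowerShell 5.0+.
param(
    [Parameter(Mandatory)] [string] $Target,        # host to contain, e.g. 'ws-0421' (placeholder)
    [Parameter(Mandatory)] [string] $IrHost,        # IP of the IR jump host that must keep access (placeholder)
    [string] $EvidenceRoot = 'C:\IR\Evidence',       # where archives land on the jump host (placeholder)
    [switch] $Isolate                                # only touch the firewall when explicitly asked
)

$session = New-PSSession -ComputerName $Target -ErrorAction Stop

$remote = {
    param($IrHost, $Isolate)
    $case = Join-Path $env:ProgramData ("IR-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $case -Force | Out-Null

    # 1. Volatile state first: isolation changes the connection table, so capture it beforehand.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv (Join-Path $case 'tcp.csv') -NoTypeInformation
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
        Export-Csv (Join-Path $case 'processes.csv') -NoTypeInformation

    # 2. Containment: explicitly allow the IR host, then flip the default action to Block.
    #    Order matters: if the default flips first, this WinRM session is cut off along with the C2.
    if ($Isolate) {
        New-NetFirewallRule -DisplayName 'IR-Allow-JumpHost-In' -Direction Inbound `
            -RemoteAddress $IrHost -Protocol TCP -LocalPort 5985, 5986 -Action Allow | Out-Null
        New-NetFirewallRule -DisplayName 'IR-Allow-JumpHost-Out' -Direction Outbound `
            -RemoteAddress $IrHost -Action Allow | Out-Null
        Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
    }

    # 3. Persistence and service inventory; these do not change when the host is isolated.
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Author |
        Export-Csv (Join-Path $case 'tasks.csv') -NoTypeInformation
    Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName |
        Export-Csv (Join-Path $case 'services.csv') -NoTypeInformation
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
        Out-File (Join-Path $case 'run-keys.txt')

    # 4. Hash every collected file so the archive can be verified later, then package it.
    Get-ChildItem $case -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash | Export-Csv (Join-Path $case 'manifest.csv') -NoTypeInformation
    $zip = "$case.zip"
    Compress-Archive -Path (Join-Path $case '*') -DestinationPath $zip -Force
    return $zip
}

$remoteZip = Invoke-Command -Session $session -ScriptBlock $remote -ArgumentList $IrHost, $Isolate.IsPresent
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
Copy-Item -FromSession $session -Path $remoteZip -Destination $EvidenceRoot
Remove-PSSession $session
Write-Host "Evidence archive for $Target stored under $EvidenceRoot; isolated: $($Isolate.IsPresent)"
```

Run it as `.\Contain-Host.ps1 -Target ws-0421 -IrHost 10.0.0.5 -Isolate` from the jump host. The same sequence maps directly onto an Ansible `win_firewall_rule` and `win_shell` playbook for fleet-wide use. Two caveats a practitioner would want: the firewall flip severs every connection except the jump host, so on an OT or ICS host it will also cut the controllers and HMIs the host talks to, which is exactly the interruption the abstract warns about, so rehearse it in a lab first; and the hashes in `manifest.csv` cover the collected files, not the manifest itself, so record its hash on the jump host as well.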
Peter leverages over 25 years of experience to help clients develop robust cybersecurity program strategies. This includes advising organizations in areas ranging from industrial and control system (ICS) security, network security architecture, threat hunting and red-teaming to cloud security, incident response, computer forensics and beyond. Throughout his career, Peter has held senior positions with numerous organizations, including a global cybersecurity consulting firm, a national telecommunications and media company, a Fortune 500 cloud-computing company, a recognized cybersecurity software company and a major US defense contractor. He has worked across industries, including critical infrastructure (energy and water), the mining and industrial sectors, government, aerospace and the military. As a public speaker, Peter has presented at numerous events held by the FBI, US Department of Homeland Security, Conference Board of Canada, FIRST, BSides, SecTor, SANS, Blackhat, Public Safety Canada, IIA and ISACA. He is also a frequent guest lecturer at colleges and universities across North America, and has been featured in publications such as SC Magazine, USA Today, National Post and Penetration Testing Magazine. Peter currently serves on the board of directors for the ISACA Atlantic Provinces Chapter and received the ISACA Global Outstanding Leader Award in 2020 for his contributions to the association and his chapter.