SIR
Creating Post Incident Reviews
- A review is assigned to each user in the Request Assessments field
- This field can be emptied to avoid automated assessments
What would a manager want to see in Reporting?
- Aggregations for priority and workload
- Drill-down to granularity
- Time period views
Role: Security Analyst
- Assigned to L1 or L2 agents who work security incidents
- Creates and updates security incidents, requests and tasks, as well as problems, changes and outages related to their incidents
OOB Integration capabilities
- Block Request
- Email Search and Delete
- Enrich Configuration Item
- Enrich Observable
- Get Network Statistics
- Get Running Processes
- Isolate Host
- Publish to Watchlist
- Sighting Search
- Threat Lookup
What does the OOB Risk Score Calculator Consider?
- CI Business Impact
- SI Business Impact
- SI Priority
- SI Severity
- User's Business Impact
- Vulnerable Item Business Impact
Dashboards OOB
- CISO Reporting Overview
- Security Analyst Overview
- Security Incident Explorer
Role: Security Manager
- Can update Business Criticality Calculators and view the manager dashboard
- Creates and updates security incidents, requests and tasks, as well as problems, changes and outages related to their incidents
SIR Sources
- Catalog
- Tickets
- Emails
- Events
- Logs
- 3rd Party Integrations
Configuring Post Incident Reviews
- Create Assessment Metric Category (Platform Admin)
- Create Assessment Metrics
- Define Additional Reviewers (optional)
SN NIST States
- Draft
- Analysis
- Contain
- Eradicate
- Recover
- Review
- Closed
SN SANS States
- Draft
- Identification
- Contain
- Eradicate
- Recover
- Review
- Closed
Security Tag Groups
- Enrichment whitelist/blacklist - categorize a process as known good or known bad
- Metatag - demo only
- Traffic Light Protocol - used to mark the sensitivity of data; can drive ACL restrictions
- Block for sharing - prevents sharing in trusted circles
What can be used to determine if a calculator runs?
- Filter Groups
- Scripted condition
- Condition builder
Role: External
- For external users to view and work tasks assigned to them
- A user with this role can view assigned tasks, but not the related Security Incidents
Role: Security Admin
- Full control over all SIR data
- Configures Territories and Skills
- Security roles are only assignable by this role
What would a CIO/CISO want to see in Reporting?
- High-level overviews
- Single, clear indicators of organizational health and function
Post Incident Report Include:
- Initial incidents that caused the security incident
- Change Requests, Problems and Vulnerabilities linked to the Security Incident
- Descriptions of the Security Incident
- Activity logs with all work notes, response tasks and activities
- Optionally, the audit log
Available Process Definitions
- NIST Stateful
- NIST Open
- SANS Open
What is on the CISO Homepage?
- New Security Incidents this week
- Security Incidents closed this week
- New Security Incidents (running 7 days)
- Security Incidents Closed (running 7 days)
- Average time to identify
- Average time to contain
- Average time to contain critical
- Weekly new security incidents
- Weekly closed security incidents
- Security Incident Close Codes
- Security Incident Criticality Report (business services)
NIST States
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
How does the Splunk Integration work?
- Pushes records into the em_event table
- Can also:
  - Assign manual tasks
  - Automatically address events using workflow or orchestration
Role: Read
-Read only access to security incidents, typically for reporting/monitoring
Security Alert Sources
- SIEM
- Firewall IDS-IPS
- Security endpoint
- Identity and Access
- Network Security
- Threat Intel
SOX
- Sarbanes-Oxley Act of 2002
- aka Public Company Accounting Reform and Investor Protection Act
- aka Corporate and Auditing Accountability, Responsibility and Transparency Act
Knowledge Bases OOB
- Security Incident
- Security Incident Response Runbook
License Tier Standard (SIR)
- Security Incident Response
- Limited Trusted Circles
- No PA
License Tier Professional
- Security Incident Response
- Vulnerability Response
- Threat Intelligence
- Limited Trusted Circles
- PA for Security Operations
- Event Management for Security Operations
License Tier Enterprise
- Security Incident Response
- Vulnerability Response
- Threat Intelligence
- Trusted Circles
- PA for Security Operations
- Event Management for Security Operations
- Orchestration for Security Operations
- Configuration Compliance
Commonly used tables for reporting
- Security Incident [sn_si_incident]
- Security Incident Audit Log [sn_si_audit_log]
- Task [task]
How can a security incident be triggered?
- Service Catalog
- Manually
- Email Parsing
- Third-party integration
Incident assignment factors
- Time Zone
- Location
- Skills/Capabilities
Role: Security Basic
- Underlying role for basic security access
- Creates and updates security incidents, requests and tasks, as well as problems, changes and outages related to their incidents
What would an analyst want to see in Reporting?
- Up-to-the-minute views
- Clear prioritizations
- Granularity
Escalations
- Used to get a Security Incident in front of the right person (functional and hierarchical escalation)
- The Escalate button only shows up if an escalation group is configured for the current assignment group
Security Incident Calculators
- Used to set specific fields according to matched conditions
- Calculator Groups run each calculator one at a time and stop running after the first match
What should be considered when automating SI creation?
- What additional info can enrich the ticket?
- How will events be captured, filtered and ingested?
TLP Roles
- sn_sec_cmn.tlp_red
- sn_sec_cmn.tlp_amber
- sn_sec_cmn.tlp_green
Roles in Security Incident
- sn_si.admin
- sn_si.manager
- sn_si.analyst
- sn_si.basic
- sn_si.read
- sn_si.external
- sn_si.ciso
- sn_si.knowledge_admin
- sn_si.integration_user
How many roles are installed with SI?
10
How many workflows are installed with SI?
24
How many tables are installed with SI?
27
How many script includes are installed with SI?
28
How many assessment metrics are installed with SI?
36
Definition of Security Incident
A Violation of computer security policies, acceptable use policies, or standard computer practices
Alert definition
A particular event (or series of events) that may be of interest
Event definition
A special record the system uses to log when certain conditions occur and to take some kinds of action in response.
Risk Score Calculators
Calculated as a mean representing:
- Risk based on Priority
- Type of Security Incident
- Number of sources that triggered the failed score on the indicator
CERT
Computer Emergency Response Team
CSIRT
Computer Security Incident Response Team
Goal of SN SIR
Containment as soon as possible by reducing time to get the right info in front of the right eyes
GDPR
General Data Protection Regulation
What kind of information does the Security analyst homepage have?
Granularity "What work is assigned to me?"
HIPAA
Health Insurance Portability and Accountability Act
Firewall IDPS-IPS
Intrusion detection/prevention system
SIR Analysis
Mainly a manual process of an analyst working the incident, but may include automated enrichment
Role: Knowledge Admin
Manages the security incident KB, both content and config
NOC
Network Operations Center
PCI-DSS
Payment Card Industry Data Security Standard
Role: Integration User
Permits external tools to create/update security incident records
What role is needed to create new Post Incident Review Categories?
Platform Admin
Who can select the process definition?
Platform Admin - Appears to work for Security Incident admin, but has error due to scoping
Script include that controls process definitions
ProcessDefinition
What Workflow updates a 3rd part watch list?
Publish to watch list
SIR Detection
Raised through automation originating from firewalls, intrusion detection systems, logs of email or web gateways, etc., OR manually
Role: CISO
Read and write access to security incidents and can view CISO dashboards
Application menu to define process definition
Security Incident > Administration > Process Definitions
Application Menu for Risk Score Calculators
Security Incident > Setup > Risk Score Configuration
What role is required to setup Sec Ops inbound actions?
Security Incident Admin
SIRT
Security Incident Response Team
Who can create a new Process Definition?
- Security Incident Admin
- Platform Admin needed to change scripts
SIEM
Security Information and Event Management
Application Menu to create new email parsing rule
Security Operation > Email Processing > Email Parsing
SOC
Security Operations Center
What table does security incident extend?
- Service Order [sm_order]
- Service Order extends Task
What happens when more than 1 calculator group affects the same field?
Successive calculators will alter the previous field, but will be reported when the incident is raised
Definition: Security Incident Response
The action plan taken to mitigate security incidents and imminent security threats
Script include called from User Reported Phishing inbound action
UserReportedPhishing
What questions should be asked when setting up the Splunk Integration?
- Which fields are in the cURL call?
- Where will the data be stored?
  - Can be mapped to specific fields
  - Unmapped data will fill the Additional Information field
Can the Security Incident Admin edit workflows?
Yes
Security Incident Response Plugin Name
com.snc.security_incident
What role is required to use the REST API Explorer
rest_api_explorer
Application Menu for Escalations
Security Operations > Groups > Escalations
Security Incident Table Name
sn_si_incident
Security Request table name
sn_si_request
Security Incident Task table name
sn_si_task