Automating Incident Response: Sit Back and Relax, Bots are Taking Over…

Presented at Black Hat Europe 2016, Nov. 3, 2016, 10 a.m. (60 minutes)

Our research focuses on illustrating the value of automating functions and processes within Incident Response. Traditional response capabilities are largely contingent upon highly skilled, specialized resources. Reducing such necessities and constraints through automation is a precursor to overcoming inefficiencies and speeding up response and operations center capabilities.

To prove out our research, we developed an approach leveraging orchestration of cyber architectures and open-source IR tools. Taking into account the limited use of automation, we measure and contrast capabilities in human-driven versus automated incident response processes. Specifically, our solution automatically confirms alerts/events (typically analyzed manually), correlates events likely associated with an incident, and determines the scope and context of potential breaches.

While our proposed automated capability may not comprehensively analyze all complex incidents with the highest degree of accuracy, it abstracts and automates processes/tasks typically considered mundane by swamped analysts or responders, and further hunts for threats associated with the incident across a network. Machines and intelligence can't solve everything, while qualified human analysts don't scale. As such, IR teams are best served by having automated generation and prioritization of analytics and insights (actionable to humans), as opposed to having responders determine how best to crunch data while attempting to mitigate an incident.

An automated IR capability is most suitable for Security Operations Center (SOC) teams that encounter large swaths of security alerts frequently, have (relatively mature) IR processes, seek to ask more questions of the data received, and want to adopt a more proactive detection, triage, and response capability.
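The three stages the abstract names (confirm an alert, correlate related events, determine scope) can be sketched as a small triage pipeline. This is an added illustration, not the presenters' tooling; the telemetry, hostnames, event types, five-minute window and scoring weights are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event type, detail).
# Hosts, address and alerts are invented for the example.
EVENTS = [
    ("2016-11-03T09:58:00", "ws-17", "av_alert",    "Trojan.Generic quarantined"),
    ("2016-11-03T09:59:10", "ws-17", "script_exec", "encoded script launched"),
    ("2016-11-03T10:00:05", "ws-17", "net_conn",    "198.51.100.23:443"),
    ("2016-11-03T10:02:30", "ws-22", "net_conn",    "198.51.100.23:443"),
    ("2016-11-03T10:03:00", "ws-22", "script_exec", "encoded script launched"),
    ("2016-11-03T10:30:00", "ws-09", "av_alert",    "EICAR test file"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def triage(events, window_min=5):
    """Return confirmed incidents, highest priority first (hypothetical scoring)."""
    evs = [(parse(t), h, k, d) for t, h, k, d in events]
    incidents = []
    for t0, host, kind, detail in evs:
        if kind != "av_alert":
            continue
        lo, hi = t0 - timedelta(minutes=window_min), t0 + timedelta(minutes=window_min)
        # Stage 1: confirm -- corroborating activity on the same host in the window.
        related = [e for e in evs
                   if e[1] == host and e[2] != "av_alert" and lo <= e[0] <= hi]
        if not related:
            continue  # unconfirmed (e.g. a lone EICAR hit): stays in the human queue
        # Stage 2: correlate -- pivot on network destinations seen during the window.
        dests = {d for _, _, k, d in related if k == "net_conn"}
        # Stage 3: scope -- every host that contacted one of those destinations.
        scope = {h for _, h, k, d in evs if k == "net_conn" and d in dests} | {host}
        score = len(related) + 2 * (len(scope) - 1)  # assumed weights
        incidents.append({"host": host, "alert": detail, "related": len(related),
                          "scope": sorted(scope), "score": score})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(inc)
```

On the sample data only the ws-17 alert is confirmed, and the shared destination widens its scope to ws-22, which is the kind of prioritized, human-actionable insight the abstract argues for.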

Presenters:

  • Mohamed El-Sharkawi - Research & Development Senior Analyst, Accenture
    Mohamed El-Sharkawi is the lead developer on multiple projects within Accenture Technology Labs, including UTIP (Unstructured Threat Intelligence Processing). He now leads the architecture of the automated incident response process. In his spare time he loves to develop Android applications and Python automation scripts.
  • Elvis Hovor - Security Expert, Accenture
    Elvis Hovor has been working in the security industry for the past 7 years. He received an MS in information security from the Johns Hopkins University, MD. He has worked on various research projects in his three years with Accenture Technology Labs. Prior to joining the security community, he was a network administrator for several years. He currently works on developing solutions for orchestrating security processes.
