
CyberOPS Community - 1

1st Meeting of the Operational Cybersecurity Community "CyberOPS" - 1

Automation in every way: what our organisations currently leverage to detect and respond to threats faster

Date: 15 December 2023, 12:30 to 16:30

Cocktail: 12:30 to 13:30

Meeting: 13:30 to 16:30

Venue: Campus Cyber - Ground floor - Auditorium room

Theme: How to automate detection and incident response?


1. Data Collection and Ingestion:
Identify Relevant Data Sources: Discuss sources like logs, network traffic, and threat intelligence feeds.
Data Normalization: Standardize data formats for effective processing.
Real-time Data Ingestion: Explore mechanisms for quick and efficient data ingestion.

2. Detection and Triage:
Rule-Based Detection: Develop rules for identifying known threats.
Machine Learning for Anomaly Detection: Discuss algorithms for detecting unusual patterns.
Triage Logic: Establish criteria for prioritizing alerts based on severity.

3. First-Level Analysis:
Automated Alert Handling: Design workflows for automated initial analysis.
Decision Trees: Create decision-making processes for routine incidents.
Scripting for Quick Checks: Develop scripts for rapid assessment.

4. Level 2 Handling:
Advanced Threat Analysis: Techniques for investigating sophisticated threats.
Threat Hunting Automation: Implement automated processes for proactive threat hunting.
Collaboration Tools: Discuss tools for effective communication among analysts.

5. Incident Contextualization:
Enrichment Sources: Identify external sources for enriching incident data.
Contextual Correlation: Integrate context into incident analysis.
Attribution Techniques: Explore methods for attributing incidents.

6. Incident Response with Containment and Remediation:
Automated Containment Actions: Define actions for isolating affected systems.
Playbook Development: Create response playbooks for different scenarios.
Remediation Workflows: Develop processes for system recovery.

7. Automation Orchestration:
Security Orchestration Platforms: Evaluate and implement SOAR platforms.
Workflow Integration: Ensure seamless integration between different security tools.
API Integration: Discuss methods for connecting diverse security products.

8. Monitoring and Metrics:
Key Performance Indicators (KPIs): Define metrics for measuring SOC performance.
Real-time Monitoring: Implement continuous monitoring of automated processes.
Metrics for Improvement: Identify areas for improvement based on metrics.

9. Continuous Improvement:
Feedback Loop Implementation: Establish a feedback loop for learning from incidents.
Machine Learning Model Updates: Discuss methods for updating ML models based on new data.
Knowledge Sharing: Promote sharing of insights and best practices among team members.

10. Legal and Compliance Considerations:
Data Privacy Regulations: Ensure compliance with data protection laws.
Legal Implications of Automated Actions: Address the legal aspects of automated responses.
Documentation for Compliance: Document processes for audit and compliance purposes.

11. Training and Skill Development:
Automation Tool Training: Provide hands-on training for using automation tools.
Skill Enhancement Programs: Develop programs to enhance technical skills.
Cross-Training: Encourage cross-training among team members for versatility.

Situational Awareness
Reporting to Management (CISO, Board)