October 3, 2018
Operationalizing Automation Standards for Cheaper/Better/Faster Cybersecurity
Borderless Cyber USA 2018
Michael Stair, Lead Member of Technical Staff, AT&T Chief Security Office
© 2018 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo, Mobilizing Your World and DIRECTV are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners.
Cyber Defense Automation
Diagram labels: Sensors/Actuators; OpenC2; Response Orchestration; Cyber Events Sensing; Threat Analytics; Case Management; Open-loop CoA; Workflows; Reversibility; Sense-Making Services (Threat Intelligence, Context Enrichment, Enterprise Inventory).
Malware Containment Workflow
Diagram flow: START -> Enterprise Inventory (over OpenC2) -> Context Enrichment (over OpenC2) -> Decision -> CoA: Workstation Contain -> END.
AT&T OpenC2 Open Source
OpenC2-Lycan
· Python/Java libraries to translate OpenC2 messages to/from language objects
· Currently supports the OpenC2 CSD04 Language Specification
· MIT license
· OASIS GitHub
· https://github.com/oasis-open/openc2-lycan-python
· https://github.com/oasis-open/openc2-lycan-java
OpenC2-AWS
· Manage AWS NACL/Security Groups over OpenC2
· BSD license
· AT&T GitHub
· https://github.com/att/openc2-aws
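The malware containment workflow above (inventory, enrichment, decision, contain CoA) as an added Python example; it is not code from the presentation or from OpenC2-Lycan. The inventory and enrichment data are constructed, the decision thresholds are assumptions, and the command layout follows the OpenC2 Language Specification v1.0 action/target/args fields rather than the CSD04 draft the slide names.

```python
import json
import uuid

# Constructed sample data standing in for the workflow's Enterprise Inventory
# and Context Enrichment services (assumption: both are keyed by hostname).
INVENTORY = {
    "ws-1042": {"owner": "finance", "criticality": "standard"},
    "ws-2001": {"owner": "ics-ops", "criticality": "critical"},
}
THREAT_CONTEXT = {
    "ws-1042": {"malware_family": "sample-family-a", "confidence": 0.95},
    "ws-2001": {"malware_family": "unknown", "confidence": 0.40},
}

def decide(hostname, min_confidence=0.9):
    """Decision step of the open-loop CoA: auto-contain only when the host is
    in inventory, not critical, and the enrichment confidence is high enough
    (threshold is an assumption). Returns (decision, reason)."""
    asset = INVENTORY.get(hostname)
    ctx = THREAT_CONTEXT.get(hostname)
    if asset is None or ctx is None:
        return "escalate", "host not in inventory or no enrichment context"
    if asset["criticality"] == "critical":
        return "escalate", "critical asset requires analyst approval"
    if ctx["confidence"] < min_confidence:
        return "escalate", "enrichment confidence below threshold"
    return "contain", "auto-contain"

def build_contain_command(hostname):
    """OpenC2 v1.0 command asking the endpoint actuator to contain the
    workstation; command_id lets the response be matched to this CoA."""
    return {
        "action": "contain",
        "target": {"device": {"hostname": hostname}},
        "args": {"response_requested": "complete"},
        "command_id": str(uuid.uuid4()),
    }

def contained_ok(response):
    """OpenC2 response check: status 200 means the actuator completed it."""
    return response.get("status") == 200

def run_workflow(hostname):
    """START -> inventory -> enrichment -> decision -> CoA -> END.
    Returns (command, reason); command is None when the case is escalated."""
    decision, reason = decide(hostname)
    if decision != "contain":
        return None, reason
    return build_contain_command(hostname), reason

if __name__ == "__main__":
    for host in ("ws-1042", "ws-2001", "ws-9999"):
        cmd, why = run_workflow(host)
        print(host, why, json.dumps(cmd) if cmd else "")
```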
Philip Royer, Security Analyst, Phantom
New Context protects data and the movement of data in highly regulated industries.
VISION: Keeping the connected world safe.
MISSION: To use Lean Security to automate the orchestration, governance and protection of critical infrastructure.
CALIFORNIA ENERGY SYSTEMS FOR THE 21ST CENTURY: a research program to explore machine-to-machine automated response for Industrial Control Systems (ICS) cybersecurity. New Context's task was to deliver a normalized standard/language for machines and humans.
CLOSING THE RESPONSE GAP WITH
· Provide immediate action: change control approval can be too long or manual; manual action may also be inaccurate, e.g. typos or a mistaken target
· Standardize among vendors: the same command for all products in a class, so environments with different devices can respond to the same command
· Integration into the SOC: leverage existing Cyber Threat Intel for smarter response
OpenC2 Command Generator
By Efrain Ortiz, CISSP, Director, CTO Office, Symantec
Copyright © 2017 Symantec Corporation
Raw OpenC2 Command Dropdown
openc2-universal-frontend
· Responsive Web Design
· Located at https://www.github.com/netcoredor/openc2universal-frontend
· Uses JavaScript, jQuery, Bootstrap, Popper and Font Awesome on the client side
· Uses Node.js on the backend
"Sample Code to Download" Button
Questions?