Security Automation Case Study
Maricopa Community Colleges
Watch the full webinar replay
Your Speakers
Rich Lang – Technical Director: Information Technology Security & Planning, Maricopa Community Colleges
Tammy Sexton – Vice President, LogicHub
PHISHING HIGHER-ED
SOC AUTOMATION
Phishing attacks
• 2016 data – Higher Education hit across the country
• https://www.universitybusiness.com/article/college-cyber-attacks-don-t-take-bait
• Example lure: “Important update from your IT Helpdesk – please login and update your profile.”
• TOR and anonymous proxies used by threat actors
• Postmortem review / findings
• Google’s recommendation for stopping suspicious logins:
  • Ask the user if they remember signing in.
  • Have them check their last account activity.
  • If you can’t establish the legitimacy of the sign-in, follow the Admin security checklist.
• Google Cloud Support can’t investigate alerts, as they are considered sensitive and potentially private.
• So what were you doing on the night of Friday the 13th at 2 AM at IP address 10.10.1.20?
• Do you frequently log in from Ukraine, Iraq or Brazil?
• Have you checked your last login activity?
• I noticed you are using a free proxy service.
• Are you aware your home computer may be infected?
• Avg daily number of employee suspicious logins – 50
• Avg daily number of student suspicious logins – 200
• Consider 250 events × 5 minutes of handling per event
• Approx. two FTE dedicated to suspicious login events
• ROI in less than 2 months
Save the patient!
Is the cure worse than the disease?
• “I am an adjunct faculty member traveling abroad through Europe and you just shut my access down at the airport!!!”
• “I am your CIO presenting to the board via a kiosk and you just locked me out!!!”
• “I am your board member; my wife installed a proxy service at home for privacy.”
Enter LogicHub for the SOC
• If it has a webhook, it can be automated.
• Sumo Logic – great for log event triggers and integrated access to G Suite APIs.
• CrowdStrike – provides malware confidence scoring.
Lots of great data and event management, but how do we reach the customer?
Twilio for the win – right on their phone.
Workflow diagram (labels recovered): inputs are Threat Intelligence, Webhooks and Push notifications; the flow runs Detect → Assess → Respond → Log → Close, with an SMS sent at Assess, the user’s Response captured at Respond and the Action recorded at Log.
• The alert is sent from Sumo Logic into LogicHub.
• Integrations in the flow: Sumo Logic, CrowdStrike, LogicHub, Twilio
• This flow captures the work that would be done manually if we had the resources.
• A text message is sent via Twilio.
• This flow can be modified. Example: add an action to send a text message to IT security if the user is an admin, a financial aid processor, or has access to wire transfers.
• Any action can run 24x7 or just during the work day or school year.
• LogicHub created an action that opens a case in ServiceNow for purposes of the POC.
• In the test case, Lucky User had responded “yes” to the text, which is automatically documented in the case that LogicHub automatically opened.
• This action could easily be modified to use our Case Management System via API access.
• Lucky User - The Information Security Office has received notification of suspicious activity from your account. IP: 72.216.244.24 Login Time: 2018-06-12T14:17:30.000Z Please reply with “Y” or “YES” if this WAS you. Please reply with a “N” or “NO” if this WAS NOT you. Maricopa Community Colleges will never ask you for your password, and you may contact the Information Security Office to verify the validity of this message at 480-7xx-xxxx or [email protected].
• Because the user has not entered a mobile phone number, we are resetting their password.
  Time: 2018-06-12T21:33:18.000Z UTC
  Name: Lucky User
  Title: Music Instruction Hrly
  Suspicious login from: , United States
  Login IP: 2600:8800:2c00:e430:4577:2b1d:f130:5a3f
• Because the user did not respond, we reset their password.
  Time: 2018-06-12T16:21:22.000Z UTC
  Name: Ima Teepot
  Title: Tech Support Specialist
  Suspicious login from: Ashburn, United States
  Login IP: 54.208.84.215
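The playbook on the preceding slides (alert in, SMS out, reset when there is no phone on file or no reply, a case opened every time, optional text to IT security for privileged users) written as an added Python example; this is not LogicHub's or Maricopa's code. The 30-minute reply window, the title keywords used for escalation and the sample phone numbers are assumptions; the names and IPs come from the deck's test records.

```python
# Added example (not LogicHub's or Maricopa's code): the suspicious-login playbook
# from the slides as a pure decision function; timeout and role keywords are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

YES, NO = {"Y", "YES"}, {"N", "NO"}
ESCALATE_KEYWORDS = ("admin", "financial aid", "wire transfer")  # slide 18 roles, matched on title
REPLY_WINDOW = timedelta(minutes=30)  # assumed; the deck does not say how long it waits


@dataclass
class SuspiciousLogin:
    name: str
    title: str
    login_ip: str
    login_time: datetime  # the SMS is assumed to go out at alert time
    mobile: Optional[str]  # None when the user never registered a phone number


def triage(ev: SuspiciousLogin, reply: Optional[str], reply_at: Optional[datetime]) -> List[str]:
    """Ordered actions the playbook takes for one alert; a case is opened on every path."""
    actions: List[str] = []
    if any(k in ev.title.lower() for k in ESCALATE_KEYWORDS):
        actions.append("notify_it_security")  # privileged user: page the security office too
    if ev.mobile is None:  # nobody to ask, so fail closed
        return actions + ["reset_password", "open_case:no mobile phone number on file"]
    actions.append("send_sms")
    if reply is None or reply_at is None or reply_at - ev.login_time > REPLY_WINDOW:
        return actions + ["reset_password", "open_case:user did not respond"]
    answer = reply.strip().upper()
    if answer in YES:
        return actions + ["open_case:user confirmed login", "close_case"]
    reason = "user denied login" if answer in NO else "unrecognised reply"  # unknown text fails closed
    return actions + ["reset_password", f"open_case:{reason}"]


def demo() -> Dict[str, List[str]]:
    """Constructed cases: the two reset records from the deck plus replies and an escalated user."""
    t = datetime(2018, 6, 12, 14, 17, 30, tzinfo=timezone.utc)
    lucky = SuspiciousLogin("Lucky User", "Music Instruction Hrly",
                            "2600:8800:2c00:e430:4577:2b1d:f130:5a3f", t, None)
    ima = SuspiciousLogin("Ima Teepot", "Tech Support Specialist", "54.208.84.215", t, "+1-555-0100")
    fa = SuspiciousLogin("Pat Example", "Financial Aid Processor", "203.0.113.7", t, "+1-555-0101")
    return {"no phone": triage(lucky, None, None),
            "no reply": triage(ima, None, None),
            "late reply": triage(ima, "Y", t + timedelta(hours=2)),
            "denied": triage(ima, "no", t + timedelta(minutes=2)),
            "escalated yes": triage(fa, " yes ", t + timedelta(minutes=4))}
```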
Best Practices
Validate Data Integration Sources
Enlist Peers to Test the System
Scope The Prototype
Set Your Expectations
Fail Fast
Lessons Learned
Consider Event Timing / Synchronization
Build in Error Handling
Enlist Communications Team
Start with Modest Workflow
LogicHub Automates:
• Alert Triage – reduce false positives by 95%
• Incident Response – reduce response times (MTTR)
• Threat Hunting – detect unknown threats
Next Generation Security Automation:
• Founded in 2015
• Headquarters: Mountain View, CA
Funnel diagram (labels recovered): billions of security events → thousands of detection-rule alerts → hundreds of false positives eliminated → tens of incidents, with ignored notifications noted alongside; columns labelled Threat Hunting, Alert Triage and Incident Response, plus a Traditional SOA Vendors label.
Security Automation Platform: End-to-End Intelligent Automation for Detection and Response
Architecture diagram (labels recovered): Ingestion Framework (Alerts, SIEMs, Log Aggregators, Security Products, Cloud Logs, any API-enabled system) → Automation Framework (Deep Ranking, Human Feedback) → Integration Framework (Threat Intelligence, Case Management, Security Products, Network Management).
LogicHub Integrations
90+ and counting, including these categories: Investigative, Ticketing Systems, Threat Intelligence, Vulnerability Management, Remote Access, Identity Management, Cloud, Messaging, SIEMs, Endpoint.
Named integrations visible on the slide: AWS CloudTrail, VPC Flow Logs, freegeoip, ICANN WHOIS, dig, ET Intelligence.
LogicHub Sample Use Cases
Thank You!
Tammy Sexton
VP Sales
612-961-6672
[email protected]
Q&A