Detecting and responding to incidents is challenging. Doing so automatically is even more challenging. There are many sources of information for security events,
such as endpoint security, DNS, firewalls, network anomalies etc. Automatic response is typically avoided because of the risk of false positives.
But can we, by combining different sources of events and applying a penalty point system, reduce the likelihood of false positives enough to allow for automatic response?
This lecture will outline a prototype for Rapid Threat Containment based on input from multiple sources. It will also discuss challenges, such as how to normalise the target
of the attack (which could be a hostname, IP address, MAC address, email address or username, depending on the source). It will also discuss some potential extra benefits, such
as creating automatic breach reports from the collected information.
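The two ideas in the abstract, normalising the attack target across sources and gating automatic containment on accumulated penalty points, can be sketched in a few dozen lines. The following is an added illustration, not the prototype presented in the talk: the identity inventory, the penalty weights, the containment threshold, the "at least two independent sources" rule and the sample events are all constructed for this example. Containment here is only a decision returned to the caller; what to do with it (quarantine VLAN, NAC policy, account disable) is the integration the talk covers.

```python
"""Penalty-point aggregator for rapid threat containment (added example).

Assumptions (not from the talk): a hand-built identity inventory mapping every
identifier form a source might report to one canonical key, illustrative
penalty weights, a 60-point threshold inside a one-hour window, and a rule that
a single source can never trigger containment on its own.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory: hostname / IP / MAC / email / username all resolve to
# one canonical key. In a real deployment this is fed from the identity store,
# NAC and DHCP lease data. Keys are stored in canonical (lower-cased) form.
INVENTORY = {
    ("hostname", "laptop-17.corp.example"): "alice",
    ("ip", "10.1.2.17"): "alice",
    ("mac", "00:11:22:33:44:55"): "alice",
    ("email", "alice@corp.example"): "alice",
    ("username", "corp\\alice"): "alice",
    ("hostname", "srv-db-01.corp.example"): "srv-db-01",
    ("ip", "10.1.5.10"): "srv-db-01",
}

# Illustrative penalty weights per (source, event kind); constructed values.
WEIGHTS = {
    ("endpoint", "malware_quarantined"): 40,
    ("dns", "dga_domain"): 25,
    ("firewall", "blocked_c2_ip"): 30,
    ("netflow", "anomalous_volume"): 15,
}


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    target_type: str   # hostname | ip | mac | email | username
    target: str


@dataclass
class Verdict:
    key: str
    score: int
    sources: set
    contain: bool
    evidence: list


def canonical_form(target_type, target):
    """Normalise case and separator variants so lookups are exact-match."""
    t = target.strip().lower()
    if target_type.lower() == "mac":
        t = t.replace("-", ":")
    return (target_type.lower(), t)


def normalise_target(target_type, target):
    """Map a source-specific identifier to the canonical key, or None if unknown."""
    return INVENTORY.get(canonical_form(target_type, target))


class Scorer:
    def __init__(self, threshold=60, min_sources=2, window=timedelta(hours=1)):
        self.threshold = threshold
        self.min_sources = min_sources
        self.window = window
        self.history = defaultdict(list)   # key -> [(ts, source, kind, weight, event)]
        self.unresolved = []               # events whose target could not be normalised

    def ingest(self, ev):
        """Score one event; returns a Verdict, or None when the target is unknown."""
        key = normalise_target(ev.target_type, ev.target)
        if key is None:
            self.unresolved.append(ev)
            return None
        weight = WEIGHTS.get((ev.source, ev.kind), 0)
        self.history[key].append((ev.ts, ev.source, ev.kind, weight, ev))
        return self.verdict(key, ev.ts)

    def verdict(self, key, now):
        # Only points inside the sliding window count, so old noise decays away.
        recent = [h for h in self.history[key] if now - h[0] <= self.window]
        score = sum(h[3] for h in recent)
        sources = {h[1] for h in recent}
        # Corroboration rule: threshold AND at least min_sources distinct sources.
        contain = score >= self.threshold and len(sources) >= self.min_sources
        return Verdict(key, score, sources, contain, recent)


def breach_report(v):
    """Render the evidence behind a verdict; this is the automatic breach report."""
    lines = [f"Target: {v.key}  score={v.score}  sources={','.join(sorted(v.sources))}"]
    for ts, source, kind, weight, ev in sorted(v.evidence, key=lambda h: h[0]):
        lines.append(f"  {ts.isoformat()} {source}:{kind} (+{weight}) via {ev.target_type}={ev.target}")
    return "\n".join(lines)


def run_sample():
    """Constructed event stream: three DNS hits alone never contain; a second source does."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        Event(t0, "dns", "dga_domain", "ip", "10.1.2.17"),
        Event(t0 + timedelta(minutes=2), "dns", "dga_domain", "ip", "10.1.2.17"),
        Event(t0 + timedelta(minutes=4), "dns", "dga_domain", "hostname", "LAPTOP-17.corp.example"),
        Event(t0 + timedelta(minutes=6), "netflow", "anomalous_volume", "mac", "00-11-22-33-44-55"),
        Event(t0 + timedelta(minutes=10), "firewall", "blocked_c2_ip", "ip", "10.9.9.9"),  # not in inventory
        Event(t0 + timedelta(hours=2), "netflow", "anomalous_volume", "ip", "10.1.2.17"),  # old points expired
    ]
    scorer = Scorer()
    return scorer, [scorer.ingest(e) for e in events]


if __name__ == "__main__":
    scorer, verdicts = run_sample()
    for v in verdicts:
        if v is not None and v.contain:
            print(breach_report(v))
    print(f"unresolved events: {len(scorer.unresolved)}")
```

Two design choices carry the false-positive argument: the window makes stale points decay instead of accumulating forever, and the distinct-source rule means a single noisy feed (three DGA lookups scoring 75 points) can never trigger containment by itself. Events whose target cannot be normalised are kept aside rather than dropped, since an unknown IP or MAC is exactly what an analyst wants to see when tuning the inventory.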
Hakan Nohre is a Technical Solutions Architect with Cisco Systems, focusing on Cyber Security in Cisco EMEAR. He has over 20 years of experience in Enterprise IT Security, covering technical solutions such as Firewalls, VPN, IPS, DNS and Identity Solutions.
He is currently specialising in Cyber Security. Very interested in offensive security, he is a Certified Penetration Tester (GIAC) and a member of the SANS Advisory Group. He also holds the CISSP certification.
Hakan also works with programmability, mainly on solutions for the Blue Team.
Hakan is a frequent presenter at international events such as Cisco Live and has presented at FIRST, ITBN and DEFCON. He likes to address both technical and strategic topics, from both the attack and defence perspective.
Prior to joining Cisco, Hakan worked at Ericsson for many years as a software designer (C, C++, Assembler) and later as a manager for Global Support.
Cisco Developer Advocate with focus on security technologies. With Cisco for 5+ years. Favorite language is Python.
From Rotterdam, the Netherlands.
Level 0, Blue Team Village