YOU DON'T NEED A BETTER CAR, YOU NEED TO LEARN HOW TO DRIVE: ON THE IMPORTANCE OF CYBER-DEFENSE LINE AUTOMATION.


Presented at First 2017 by

Enrico Lovat received his PhD from the Technical University of Munich. In 2016 he started at Siemens CERT, where he is the team lead of the Cyber Threat Intelligence team. Florian Hartmann has an MSc in Computer Science from TU Munich and started at Siemens CERT in 2014. He works as an Incident Responder and is responsible for software development at Siemens CERT. Philipp Lowack has an MSc in Computer Science from TU Munich and started at Siemens CERT in 2013. His main tasks at Siemens CERT are Incident Response and the software development of the analysis frameworks. Thomas Schreck is a Principal Engineer at Siemens CERT and started there in 2007.

In the work of a CSIRT, where every incident is different but many incidents are similar, it is not uncommon to find recurrent patterns and tasks across different incidents that could be handled automatically in a systematic way. In a context like incident handling, where a timely response can make a huge difference to the impact, tooling and process automation are the key to success. But automation does not come for free: integrating the plethora of different security solutions that populate the usual ecosystem of a proper IT infrastructure is a non-trivial effort. That is why vendors have recently tended to move in the direction of single overarching products that cover everything (endpoint, malware analysis, TI, reporting, etc.). But do you really need to be "only" as good as a single specific vendor is, with all the possible drawbacks (lock-in, updates, subscriptions, etc.) that this choice entails? Isn't it possible to leverage open-source tools and the power of community effort to achieve a comparable, if not better, result? At Siemens CERT we embraced the UNIX philosophy of "one tool for one task" and have worked hard in past years to develop a set of tools that implements it and to automate their connection. In this talk, we want to share with the FIRST community our vision and our current efforts towards it.
We believe that sharing the challenges we faced in automating the interplay of our tools is a valuable contribution to the community. At the same time, we hope to benefit from the feedback of more experienced members of the community who may have already faced similar issues. For this reason we have also set up a BOF session where we can discuss this topic.