WEBVTT

00:07.160 --> 00:11.540
Streamlining processes has become much easier over the years, as tools and software have been developed

00:11.540 --> 00:14.570
to automate tedious and sometimes detailed procedures.

00:14.600 --> 00:19.760
In this episode, we're going to uncover SOAR as well as other automated processes and tasks, but we're

00:19.760 --> 00:21.620
also going to discuss the human element.

00:21.650 --> 00:27.560
Humans make up nearly 93% of all incidents that you're going to see within your environment, within

00:27.560 --> 00:28.550
an organization.

00:28.580 --> 00:35.090
This includes things like clicking on a phishing link or ignoring policies or procedures. You need to

00:35.120 --> 00:40.490
understand as a cybersecurity analyst, not only the technical perspective, but also the human perspective

00:40.490 --> 00:44.720
and how to get humans and our employees to do what they're supposed to be doing.

00:44.720 --> 00:50.570
And if they're not, to uncover those risks and identify how to best and most efficiently deal with

00:50.570 --> 00:52.190
those problems that you see as an analyst within your organization.

00:52.220 --> 00:58.880
Security orchestration, automation and response, or SOAR,

00:58.910 --> 01:02.600
is the idea of taking automation to a new level.

01:02.600 --> 01:08.120
We wanted to interact or collaborate with other tools and provide different leverages that we can then

01:08.120 --> 01:10.520
utilize in an automated procedure.

01:10.550 --> 01:14.870
In other words, what we're really saying is that this incident occurs.

01:14.870 --> 01:18.980
And how does this technology automatically deal with that incident?

01:19.010 --> 01:24.950
Now, this can be at the most fundamental level, as malware comes across on a client.

01:24.950 --> 01:29.690
And then the antivirus comes in and sees the malware and it stops it from going forward.

01:29.690 --> 01:36.380
Any software that's intruded upon it, it gets rid of it, eradicates it, and then puts it into isolation on your

01:36.380 --> 01:37.100
desktop.

01:37.100 --> 01:39.350
It can also be on a more network level.

01:39.380 --> 01:43.460
A lot of times what we're seeing is this traffic came into play.

01:43.460 --> 01:44.750
It looks suspicious.

01:44.750 --> 01:47.810
So it goes through the IPS, and the IPS flags it.

01:47.840 --> 01:49.910
We then prevent it from moving forward.

01:49.910 --> 01:54.110
That's an automated process that stops malware from intruding upon our network.

01:54.140 --> 01:59.570
It also provides us alerts, which you as an analyst can then inspect to figure out

01:59.570 --> 02:00.590
what's going on.

02:00.590 --> 02:05.990
We see SOAR interacting with different technologies, such as an endpoint detection and response, or

02:06.020 --> 02:07.400
an EDR solution.

02:07.400 --> 02:13.490
We see it encompassing different scripts where we automate different processes that seem tedious, and

02:13.490 --> 02:19.160
we create a script that goes through and automatically does different perspectives of that process that

02:19.160 --> 02:20.810
would otherwise take a human being hours.

02:20.840 --> 02:23.180
Within telecommunications,

02:23.180 --> 02:28.880
I remember where we were setting up different radios for cell sites, and each radio had

02:28.880 --> 02:33.890
to go through and be configured specifically not only for the site, but then the site had to be configured

02:33.890 --> 02:41.090
with the backhaul in order to function correctly, and it took about an hour to go through and configure

02:41.090 --> 02:45.800
each radio to interact with the actual cell site, and then the cell site with the backhaul

02:45.800 --> 02:46.400
site.

02:46.670 --> 02:50.450
And that really kind of took a long time to facilitate.

02:50.450 --> 02:55.790
However, if we created a script, we literally had to only go in there and say, this is the radio

02:55.790 --> 02:59.960
number, this is the site ID, and this is the switch that it's operating on.

02:59.960 --> 03:04.260
We run the script, and since everything was automated, it went through and did everything in about

03:04.260 --> 03:05.070
ten minutes.

03:05.100 --> 03:10.410
Now, it may not seem like a lot on a one for one basis, and you're going through and going, oh yeah,

03:10.410 --> 03:14.730
well, you know, it took ten minutes versus an hour-and-a-half task done manually, but it's more than that.

03:14.730 --> 03:19.980
Even if I was going to take a task that took 15 minutes and I automated it and it took ten minutes,

03:19.980 --> 03:24.630
or let's even take it in reverse and say it took 17 minutes for the automated process.

03:24.630 --> 03:28.260
But if I did it myself manually, it would only take 15.

03:28.290 --> 03:32.880
The problem isn't the speed; the problem is the detail associated with it.

03:32.880 --> 03:39.210
I want you to imagine yourself sitting at a desk, and your job all day long for eight hours a day, five

03:39.210 --> 03:47.310
days a week, 52 weeks a year is the same process of typing in the same words, with minor changes to

03:47.340 --> 03:49.440
it day in and day out.

03:49.470 --> 03:55.050
Not only is that tedious and mind numbing, but you're bound to make mistakes, and it's those mistakes

03:55.050 --> 03:57.000
that scripting really solves.

03:57.000 --> 04:02.070
If I can go in and change three different numbers inside my script and it automatically goes through

04:02.070 --> 04:06.660
and configures the entire site for me, where I can get up, get a cup of coffee, and maybe even do a

04:06.660 --> 04:07.590
different task.

04:07.590 --> 04:14.580
I've not only made that process more efficient, I've made it more accurate, thereby lessening human

04:14.580 --> 04:15.030
error.

04:15.030 --> 04:21.240
But I've also freed you up as a security analyst to do something else while that script is ongoing.

04:21.240 --> 04:27.510
So even if it takes more time, and in most cases it doesn't, I have increased my accuracy on that specific

04:27.540 --> 04:33.030
task and provided you, the security analyst, more time to perform other actions. That's really where

04:33.060 --> 04:37.680
SOAR comes into play with that orchestration, automation and then response.

04:37.710 --> 04:43.920
Now, I described the actual incident. Well, not really the incident, but I described a process where

04:43.920 --> 04:47.910
we're configuring an item which is going to remove the human error from that.

04:47.910 --> 04:49.410
But what about the response element?

04:49.410 --> 04:50.820
We talked about IPS.

04:50.820 --> 04:57.180
We talked about an antivirus, but we can go into much more detail with that with an EDR solution or with

04:57.180 --> 05:03.810
a SIEM solution, where it's identifying a specific incident that can be flagged as malware or

05:03.840 --> 05:08.460
perceived as a threat within our system, and then providing an automated response to that.

05:08.460 --> 05:10.920
And that's really where SOAR gets its power from.

05:11.760 --> 05:15.240
Automated tasks are usually simple and repetitive.

05:15.270 --> 05:16.680
We want to reduce the time.

05:16.680 --> 05:22.710
I just described an automated task where I was talking about using those cell phones, or the radios

05:22.710 --> 05:28.260
within those cell phone towers, to automate a repetitive task that came into play.

05:28.440 --> 05:34.230
When we talk about scripting or we talk about automating any task, we're really kind of removing that

05:34.230 --> 05:36.240
human element as much as possible.

05:36.270 --> 05:43.200
Humans, like I said: 93% of all incidents within an organization are from a human element making an

05:43.200 --> 05:46.770
error, usually by accident, within an enterprise environment.

05:46.770 --> 05:51.900
And if we can remove that human element as much as possible and make those tedious tasks or those repetitive

05:51.930 --> 05:56.760
tasks come into play with an automated script, we've removed that human element from it.

05:56.790 --> 05:58.200
We've reduced the error rate.

05:58.200 --> 06:04.590
We've also increased our efficiency and our human power, meaning that our labor or our security analysts

06:04.620 --> 06:10.890
can then go do other tasks that cannot be automated, i.e. going through and looking at a specific incident

06:10.890 --> 06:15.870
and making a judgment on that incident of whether or not you need to proceed in a certain viewpoint

06:15.870 --> 06:20.580
where automated tasks or AI or machine learning just isn't capable at this point in time.

06:20.610 --> 06:23.910
Human interaction is usually encompassed with human error.

06:23.940 --> 06:28.110
It's also encompassed with efficiency, standardization, and predictability.

06:28.440 --> 06:33.930
I often refer to predictability as my nine-year-old, who I predict will always click on links that

06:33.930 --> 06:36.630
are flashy, regardless of whether they're malware-induced or not.

06:36.660 --> 06:43.050
We can surmise that we're going to have a certain number of employees within our organization who

06:43.050 --> 06:49.110
are going to click on links from phishing emails on a repetitive basis, regardless of what we do.

06:49.140 --> 06:53.610
Now, I say regardless, but there are things that we can actually do to reduce that number.

06:53.610 --> 06:55.290
We can provide training.

06:55.290 --> 07:01.650
We can provide formal and informal reminders of, hey, don't do this, right?

07:01.680 --> 07:06.570
And so when we talk about interaction within a SOAR environment, we're really trying to remove that

07:06.600 --> 07:07.350
human error.

07:07.380 --> 07:13.020
We're not talking about the people that intentionally go out of their way to cause harm to our organization.

07:13.020 --> 07:17.460
We're never going to be able to stop people like that through training or through tools or technology

07:17.490 --> 07:18.570
100%.

07:18.570 --> 07:24.450
But what we can do is stop them from making human errors, i.e. accidentally clicking on a link they

07:24.450 --> 07:26.790
shouldn't have, or being fooled into clicking on something they shouldn't be clicking on.

07:26.790 --> 07:30.300
Standardized process.

07:30.330 --> 07:37.260
Within that, if we provide a standardized process on how to do a specific task, i.e. to take a router

07:37.260 --> 07:43.500
and configure it a specific way, and we give step-by-step procedures, we can remove human error if they

07:43.500 --> 07:46.560
follow the process and procedures that we laid out for them.

07:46.590 --> 07:51.060
However, if I can script it in, that's going to remove it 100%.

07:51.060 --> 07:57.840
You have a problem anytime you introduce change to an environment, i.e. I provide a new router

07:57.840 --> 08:02.250
for our employees to utilize, and I provide a new process which they then must follow.

08:02.280 --> 08:06.730
They're going to revert back to that original process just because we've changed on them.

08:06.730 --> 08:07.930
That's human error.

08:07.960 --> 08:14.410
However, if I script that, the script is never going to move away from the initial intention that I put forward.

08:14.440 --> 08:20.140
Now, intention is probably the wrong word, but the initial programming that we put forward, they're

08:20.140 --> 08:22.630
going to follow point A, B, C, D, and E.

08:22.660 --> 08:26.020
It doesn't matter if they do it one time or if they do it a million times.

08:26.020 --> 08:28.690
As long as that script says to do it, they're going to do it.

08:28.690 --> 08:33.670
The only place human error comes into play is changing the actual configuration points that we need

08:33.670 --> 08:35.560
to be changed within that process.

08:35.590 --> 08:40.720
Throughout this episode, we've discussed SOAR, or security orchestration, automation and response,

08:40.720 --> 08:46.900
and how it interacts with different formats or different tools such as EDR or SIEMs, your antivirus

08:46.900 --> 08:50.440
program, or other tools and processes that we put into play.

08:50.470 --> 08:53.830
This is an important part of your daily job and your job function.

08:53.830 --> 08:58.510
You need to understand as a security analyst, not only the tools and techniques that you'll be utilizing,

08:58.510 --> 09:04.660
but the processes and procedures that are inherent upon your job and how it interacts within your organization

09:04.660 --> 09:06.160
as a security analyst.

09:06.160 --> 09:15.130
And in CySA+, you're really going to have test questions that relate to specific scenario-based SOAR questions

09:15.130 --> 09:17.200
within the environment that you're utilizing.

09:17.200 --> 09:23.470
These are going to be broad questions that overarch upon a relative general point of view, meaning

09:23.470 --> 09:29.680
they're not going to go into detail about a specific procedure or policy that may be intrinsic within

09:29.680 --> 09:35.080
your organization, but you should expect to see some things, like if I can automate this process,

09:35.110 --> 09:36.820
what would be the best way to do it?

09:36.820 --> 09:43.900
Or if I have a human interaction, what would be the best way to limit human error within this procedure

09:43.900 --> 09:45.670
or within this technical control?

09:45.670 --> 09:49.960
And obviously, using SOAR or an automated process would be the correct answer.

09:49.960 --> 09:55.630
Those are the types of questions you should expect to see within the CySA+ exam, but you also should

09:55.630 --> 10:00.700
expect to see questions inherent with the human error perspective and how to remove that human error

10:00.730 --> 10:01.930
as much as possible.

10:01.930 --> 10:07.690
Usually, automation and scripting are going to be your go-to answer for those types of questions.
