WEBVTT

1
00:00:00.120 --> 00:00:03.240
<v Speaker 1>Welcome to the deep dive. Today, we're plunging into the

2
00:00:03.240 --> 00:00:07.559
<v Speaker 1>world of Security Orchestration, Automation and Response, or SOAR,

3
00:00:08.240 --> 00:00:10.759
<v Speaker 1>specifically for security analysts.

4
00:00:10.880 --> 00:00:11.839
<v Speaker 2>Yeah, SOAR.

5
00:00:11.960 --> 00:00:14.240
<v Speaker 1>It's a big topic, it is, and we've got a

6
00:00:14.279 --> 00:00:17.320
<v Speaker 1>great resource to guide us, the book Packt Publishing put

7
00:00:17.320 --> 00:00:21.160
<v Speaker 1>out just last year, July twenty twenty three. So our

8
00:00:21.199 --> 00:00:23.559
<v Speaker 1>mission today is really to unpack what SOAR is

9
00:00:23.559 --> 00:00:26.039
<v Speaker 1>all about. You know, why is it so vital now

10
00:00:26.120 --> 00:00:27.920
<v Speaker 1>in today's cybersecurity world.

11
00:00:27.879 --> 00:00:30.800
<v Speaker 2>And maybe most importantly, how it kind of acts like

12
00:00:30.839 --> 00:00:32.640
<v Speaker 2>a best friend for security.

13
00:00:32.479 --> 00:00:35.479
<v Speaker 1>Analysts, exactly, those analysts on the front lines trying to

14
00:00:35.520 --> 00:00:37.280
<v Speaker 1>deal with this constant flood of threats.

15
00:00:37.359 --> 00:00:40.359
<v Speaker 2>Absolutely, and for you the listener, we know you're probably

16
00:00:40.439 --> 00:00:43.759
<v Speaker 2>juggling a lot, maybe preparing for a discussion, trying to

17
00:00:43.799 --> 00:00:44.880
<v Speaker 2>get a handle on new.

18
00:00:44.759 --> 00:00:46.439
<v Speaker 1>Tech, or maybe just curious.

19
00:00:46.600 --> 00:00:49.359
<v Speaker 2>Right, or just plain curious. The challenge is staying informed

20
00:00:49.399 --> 00:00:51.280
<v Speaker 2>without getting you know, completely swamped.

21
00:00:51.439 --> 00:00:53.640
<v Speaker 1>So our goal is to pull out the key insights

22
00:00:53.640 --> 00:00:55.679
<v Speaker 1>from this book for you, give you the essentials, but

23
00:00:55.759 --> 00:00:57.880
<v Speaker 1>hopefully without drowning you in technical jargon.

24
00:00:57.960 --> 00:00:58.719
<v Speaker 2>We'll try our best.

25
00:00:59.000 --> 00:01:01.799
<v Speaker 1>Okay, so why is this such a hot topic right now?

26
00:01:02.039 --> 00:01:03.880
<v Speaker 1>The book makes it pretty clear, doesn't it.

27
00:01:03.880 --> 00:01:08.920
<v Speaker 2>It really does traditional security measures they're struggling, especially against

28
00:01:08.959 --> 00:01:11.280
<v Speaker 2>the sophisticated attacks we see today. Yeah.

29
00:01:11.319 --> 00:01:14.920
<v Speaker 1>The book even uses some interesting historical parallels like the

30
00:01:14.959 --> 00:01:16.040
<v Speaker 1>Trojan horse.

31
00:01:15.959 --> 00:01:18.959
<v Speaker 2>Right, that classic deception bypassing strong.

32
00:01:18.719 --> 00:01:24.519
<v Speaker 1>Walls. And the fall of Constantinople, legendary defenses. But well,

33
00:01:24.640 --> 00:01:26.640
<v Speaker 1>attackers adapt, methods evolve.

34
00:01:27.319 --> 00:01:30.480
<v Speaker 2>It really drives home that point. Attackers don't stand still.

35
00:01:30.680 --> 00:01:32.920
<v Speaker 2>And the book links this to other modern pressures too,

36
00:01:33.120 --> 00:01:37.959
<v Speaker 2>like what? Well, there's this increased public awareness about data privacy.

37
00:01:38.280 --> 00:01:41.439
<v Speaker 1>For one, people care more, and the huge risks, financial,

38
00:01:41.519 --> 00:01:45.079
<v Speaker 1>reputational, from attacks. We've all seen the headlines: Colonial Pipeline,

39
00:01:45.159 --> 00:01:46.280
<v Speaker 1>Marriott, exactly.

40
00:01:46.400 --> 00:01:48.519
<v Speaker 2>Those are big wake up calls. Plus the whole idea

41
00:01:48.560 --> 00:01:50.680
<v Speaker 2>of a network perimeter, it's getting really blurry.

42
00:01:50.719 --> 00:01:55.200
<v Speaker 1>Oh yeah, remote work, people using their own devices, BYOD.

43
00:01:55.439 --> 00:01:58.680
<v Speaker 2>It all makes those traditional digital walls you know, less effective.

44
00:01:58.719 --> 00:01:59.959
<v Speaker 2>The old playbook isn't enough.

45
00:02:00.040 --> 00:02:02.879
<v Speaker 1>And that's precisely where SOAR comes in, right, as the solution.

46
00:02:03.120 --> 00:02:03.719
<v Speaker 1>that's the idea.

47
00:02:03.840 --> 00:02:06.959
<v Speaker 2>It's designed to tackle these challenges head on. SOC teams

48
00:02:06.959 --> 00:02:08.240
<v Speaker 2>are often buried in alerts.

49
00:02:08.479 --> 00:02:08.919
<v Speaker 1>Uh huh.

50
00:02:09.360 --> 00:02:12.639
<v Speaker 2>Alert fatigue is real, it is and there's often a

51
00:02:12.680 --> 00:02:16.840
<v Speaker 2>shortage of skilled analysts too, so SOAR promises to help

52
00:02:17.439 --> 00:02:18.879
<v Speaker 2>by automating.

53
00:02:18.400 --> 00:02:23.680
<v Speaker 1>Responses, reducing that alert fatigue, streamlining investigations, and ultimately just

54
00:02:23.759 --> 00:02:26.240
<v Speaker 1>speeding up how quickly incidents get resolved.

55
00:02:26.280 --> 00:02:27.080
<v Speaker 2>That's the core promise.

56
00:02:27.159 --> 00:02:30.080
<v Speaker 1>Yeah, okay, let's unpack the core elements of SOAR then,

57
00:02:30.199 --> 00:02:31.919
<v Speaker 1>based on the book, what's fundamental?

58
00:02:32.439 --> 00:02:34.960
<v Speaker 2>Right? So the foundation, according to the source, has a

59
00:02:35.000 --> 00:02:38.599
<v Speaker 2>few key pillars. First up, incident management.

60
00:02:38.960 --> 00:02:40.439
<v Speaker 1>Okay, what does that involve.

61
00:02:40.680 --> 00:02:43.719
<v Speaker 2>It's the basics of handling security events in a structured way.

62
00:02:44.199 --> 00:02:47.360
<v Speaker 2>Think incident queues, a central place to see everything.

63
00:02:47.199 --> 00:02:49.319
<v Speaker 1>So things don't slip through the cracks exactly.

64
00:02:49.400 --> 00:02:52.919
<v Speaker 2>Avoids analysts working in silos, missing stuff, especially when alerts

65
00:02:52.960 --> 00:02:55.840
<v Speaker 2>are flying in. Then you need clear ownership who's dealing.

66
00:02:55.680 --> 00:02:56.319
<v Speaker 1>With this right?

67
00:02:56.520 --> 00:03:01.560
<v Speaker 2>Accountability. Defined severity levels help prioritize. Status tracking, where are

68
00:03:01.599 --> 00:03:05.919
<v Speaker 2>we with this? The ability to add comments, tags for organization,

69
00:03:06.120 --> 00:03:10.120
<v Speaker 2>collaboration features, basically shared understanding, and the book mentions investigation

70
00:03:10.199 --> 00:03:12.240
<v Speaker 2>spaces too, places to actually dig.

71
00:03:12.039 --> 00:03:15.879
<v Speaker 1>In and crucially capturing lessons learned afterwards.

72
00:03:15.919 --> 00:03:19.599
<v Speaker 2>Oh absolutely, yeah, that's vital for continuous improvement. You have

73
00:03:19.639 --> 00:03:20.840
<v Speaker 2>to learn from what happened.

74
00:03:21.080 --> 00:03:23.919
<v Speaker 1>And the book also talks about aligning this with frameworks

75
00:03:24.479 --> 00:03:26.199
<v Speaker 1>like NIST and SANS.

76
00:03:26.479 --> 00:03:30.000
<v Speaker 2>Yes, exactly. NIST, the National Institute of Standards and Technology,

77
00:03:30.000 --> 00:03:35.039
<v Speaker 2>and the SANS Institute. They provide established cybersecurity frameworks, best practices.

78
00:03:35.120 --> 00:03:36.080
<v Speaker 1>Why is that important?

79
00:03:36.400 --> 00:03:39.879
<v Speaker 2>Well, using frameworks like these gives you a structured approach.

80
00:03:40.159 --> 00:03:41.479
<v Speaker 2>They cover the whole life cycle.

81
00:03:41.879 --> 00:03:44.400
<v Speaker 1>Preparation, getting ready before anything happens, right.

82
00:03:44.639 --> 00:03:48.360
<v Speaker 2>Then detection and analysis or identification as SANS calls it,

83
00:03:48.840 --> 00:03:52.560
<v Speaker 2>figuring out what's going on. Then stopping it: containment, then eradication,

84
00:03:52.680 --> 00:03:56.039
<v Speaker 2>stopping the spread, getting rid of the threat, then recovery

85
00:03:56.400 --> 00:04:00.560
<v Speaker 2>getting back to normal, and finally post-incident activity. Lessons

86
00:04:00.639 --> 00:04:04.159
<v Speaker 2>learned. That feedback loop is critical for getting better and

87
00:04:05.000 --> 00:04:08.879
<v Speaker 2>refining your defenses. Following these helps everyone speak the same language,

88
00:04:09.199 --> 00:04:11.599
<v Speaker 2>uses proven methods, and often helps with compliance too.

89
00:04:11.759 --> 00:04:15.080
<v Speaker 1>Okay, so that's the structured handling. What about the investigation

90
00:04:15.199 --> 00:04:16.759
<v Speaker 1>itself within SOAR.

91
00:04:16.720 --> 00:04:20.160
<v Speaker 2>That's the next piece. The book stresses analysts need a

92
00:04:20.199 --> 00:04:23.800
<v Speaker 2>dedicated space to investigate effectively. You need a good overview

93
00:04:23.839 --> 00:04:24.800
<v Speaker 2>of the incident.

94
00:04:24.600 --> 00:04:26.519
<v Speaker 1>All the key details in one place.

95
00:04:26.680 --> 00:04:30.439
<v Speaker 2>Yeah, tracking things like IP addresses, host names, user accounts

96
00:04:30.439 --> 00:04:33.839
<v Speaker 2>involved and it needs to be usable, easy to navigate

97
00:04:33.920 --> 00:04:35.439
<v Speaker 2>so analysts can respond fast.

98
00:04:35.560 --> 00:04:37.240
<v Speaker 1>Speed is critical, I guess.

99
00:04:36.959 --> 00:04:39.959
<v Speaker 2>Definitely, and the book points out how much time can

100
00:04:40.040 --> 00:04:43.519
<v Speaker 2>be wasted just clicking around trying to find data. So

101
00:04:43.759 --> 00:04:48.079
<v Speaker 2>a good SOAR investigation tool helps prioritize based on severity,

102
00:04:48.399 --> 00:04:51.639
<v Speaker 2>other factors, and importantly, it helps with enrichment.

103
00:04:51.879 --> 00:04:53.240
<v Speaker 1>Enrichment? What's that?

104
00:04:53.279 --> 00:04:56.920
<v Speaker 2>Pulling in extra context, like getting data from threat intelligence

105
00:04:56.920 --> 00:05:00.000
<v Speaker 2>feeds, or seeing if the affected system has known

106
00:05:00.000 --> 00:05:03.319
<v Speaker 2>vulnerabilities from your TVM, Threat and Vulnerability Management, system.

107
00:05:03.439 --> 00:05:05.639
<v Speaker 1>Ah, okay. So it adds context automatically.

108
00:05:05.720 --> 00:05:09.480
<v Speaker 2>Ideally, yes. Having that enriched info right there helps analysts

109
00:05:09.519 --> 00:05:11.360
<v Speaker 2>make quicker, smarter decisions early on.

110
00:05:11.560 --> 00:05:14.279
<v Speaker 1>Got it. Now, let's talk automation. This feels like the

111
00:05:14.319 --> 00:05:15.040
<v Speaker 1>heart of SOAR.

112
00:05:15.319 --> 00:05:17.800
<v Speaker 2>It really is a core component. The book digs into

113
00:05:17.879 --> 00:05:21.399
<v Speaker 2>the why, mostly freeing up analysts from repetitive tasks.

114
00:05:21.759 --> 00:05:24.079
<v Speaker 1>What kind of tasks are we talking about? Things that

115
00:05:24.120 --> 00:05:25.000
<v Speaker 1>are done over and.

116
00:05:24.920 --> 00:05:28.399
<v Speaker 2>Over. Exactly, the low-hanging fruit, as the source calls it.

117
00:05:29.120 --> 00:05:32.680
<v Speaker 2>Things like looking up the geolocation of an IP address. Okay,

118
00:05:32.759 --> 00:05:35.639
<v Speaker 2>or checking the reputation of a URL is it known

119
00:05:35.720 --> 00:05:36.639
<v Speaker 2>to be malicious?

120
00:05:36.959 --> 00:05:39.920
<v Speaker 1>Right, stuff analysts do constantly.

121
00:05:39.560 --> 00:05:43.639
<v Speaker 2>Constantly. Automating those simple checks means the info is just there,

122
00:05:44.079 --> 00:05:47.519
<v Speaker 2>saves triage time, lets analysts focus on harder problems.

123
00:05:47.720 --> 00:05:50.800
<v Speaker 1>But the book also warns about automating everything right.

124
00:05:50.920 --> 00:05:54.240
<v Speaker 2>Absolutely, it's a really important point. You can't just automate blindly.

125
00:05:54.279 --> 00:05:57.199
<v Speaker 2>Why not? Well, the book says you need a clear policy.

126
00:05:57.639 --> 00:06:00.879
<v Speaker 2>Some critical assets or systems might need a human to

127
00:06:00.959 --> 00:06:04.319
<v Speaker 2>sign off before an automated action is taken. You don't

128
00:06:04.360 --> 00:06:08.519
<v Speaker 2>want automation accidentally taking down a key business system. Makes sense.

129
00:06:08.600 --> 00:06:11.920
<v Speaker 2>And things like threat hunting, that proactive searching for hidden

130
00:06:11.959 --> 00:06:16.600
<v Speaker 2>threats, that needs human intuition, human expertise. You can't fully

131
00:06:16.639 --> 00:06:19.000
<v Speaker 2>automate that creative, investigative work.

132
00:06:19.240 --> 00:06:21.319
<v Speaker 1>So automation is a tool, not a replacement.

133
00:06:21.680 --> 00:06:25.879
<v Speaker 2>Precisely, it augments the analyst. The book also mentions getting

134
00:06:25.879 --> 00:06:30.279
<v Speaker 2>analyst input into the automation workflows and crucially reviewing and

135
00:06:30.319 --> 00:06:35.279
<v Speaker 2>maintaining those rules regularly. Threats change, so your automation needs to

136
00:06:35.240 --> 00:06:39.680
<v Speaker 1>Adapt too. Okay, then there's reporting. How does SOAR reporting

137
00:06:39.680 --> 00:06:42.959
<v Speaker 1>differ from, say, SIEM reporting? SIEMs collect all the logs,

138
00:06:43.040 --> 00:06:43.800
<v Speaker 1>right right.

139
00:06:44.199 --> 00:06:47.480
<v Speaker 2>SIEM reporting often focuses on visualizing that massive amount of

140
00:06:47.480 --> 00:06:51.319
<v Speaker 2>log data. SOAR reporting, the book explains, is more targeted

141
00:06:51.360 --> 00:06:53.000
<v Speaker 2>towards the incident response process.

142
00:06:53.079 --> 00:06:55.560
<v Speaker 1>So tracking the incidents themselves.

143
00:06:55.120 --> 00:06:58.560
<v Speaker 2>Yes, tracking incidents, measuring how effective the automation is, like

144
00:06:58.720 --> 00:07:01.319
<v Speaker 2>how many alerts did we close automatically? What's our

145
00:07:01.360 --> 00:07:03.199
<v Speaker 2>mean time to resolve? Stuff like that?

146
00:07:03.240 --> 00:07:04.959
<v Speaker 1>Performance metrics for the SOC.

147
00:07:05.040 --> 00:07:08.319
<v Speaker 2>Exactly, overall SOC performance. And the book notes that some

148
00:07:08.360 --> 00:07:11.360
<v Speaker 2>platforms are actually blending SIEM and SOAR now, which makes

149
00:07:11.399 --> 00:07:12.839
<v Speaker 2>reporting more unified.

150
00:07:12.720 --> 00:07:15.879
<v Speaker 1>Interesting. Okay, and finally, the book briefly mentions Threat

151
00:07:15.879 --> 00:07:20.480
<v Speaker 1>Intelligence, TI, and Threat and Vulnerability Management, TVM. How do

152
00:07:20.480 --> 00:07:21.000
<v Speaker 1>they plug in?

153
00:07:21.120 --> 00:07:25.680
<v Speaker 2>They provide essential context. TI gives you info about known threats, attackers,

154
00:07:25.720 --> 00:07:26.720
<v Speaker 2>their methods.

155
00:07:26.519 --> 00:07:29.279
<v Speaker 1>Like TTPs, tactics, techniques and procedures.

156
00:07:29.439 --> 00:07:32.759
<v Speaker 2>Right, and TVM tells you about weaknesses in your own systems.

157
00:07:32.920 --> 00:07:35.519
<v Speaker 1>So connecting those to SOAR means when

158
00:07:35.399 --> 00:07:39.600
<v Speaker 2>An incident happens, the analyst immediately sees relevant threat intel

159
00:07:40.199 --> 00:07:44.040
<v Speaker 2>and knows if the targeted system is vulnerable. It helps

160
00:07:44.040 --> 00:07:46.839
<v Speaker 2>assess the risk and decide how to respond much faster

161
00:07:47.240 --> 00:07:48.000
<v Speaker 2>and more effectively.

162
00:07:48.120 --> 00:07:50.839
<v Speaker 1>Okay, that covers the core elements really well. Now, the

163
00:07:50.920 --> 00:07:54.360
<v Speaker 1>book does give a quick look at some specific SOAR tools.

164
00:07:54.439 --> 00:07:57.399
<v Speaker 2>Yeah, it gives an overview of a few big names.

165
00:07:58.199 --> 00:08:00.920
<v Speaker 2>Microsoft Sentinel SOAR, Splunk SOAR, that used to

166
00:08:00.879 --> 00:08:03.120
<v Speaker 1>Be called Phantom, right, I run a Phantom and

167
00:08:03.120 --> 00:08:06.240
<v Speaker 2>Google Chronicle SOAR, which came from Siemplify.

168
00:08:06.560 --> 00:08:08.800
<v Speaker 1>So it doesn't compare every single feature, but gives a

169
00:08:08.839 --> 00:08:10.079
<v Speaker 1>general idea exactly.

170
00:08:10.079 --> 00:08:12.600
<v Speaker 2>It looked at common functions across them. Yeah, and you

171
00:08:12.680 --> 00:08:15.360
<v Speaker 2>know each has its strengths. Splunk SOAR is known for

172
00:08:15.439 --> 00:08:19.439
<v Speaker 2>being really customizable, good for complex automation. Okay. And Google

173
00:08:19.519 --> 00:08:23.879
<v Speaker 2>Chronicle SOAR leverages Google's, you know, massive threat intelligence and

174
00:08:23.959 --> 00:08:25.519
<v Speaker 2>data analytics power.

175
00:08:25.839 --> 00:08:28.199
<v Speaker 1>So what are some of those common functions it points out?

176
00:08:28.439 --> 00:08:31.480
<v Speaker 2>Well, across the board you see solid incident management, those

177
00:08:31.560 --> 00:08:35.440
<v Speaker 2>queues we talked about, detailed case views, timelines, managing the

178
00:08:35.480 --> 00:08:39.320
<v Speaker 2>investigation life cycle from start to finish. Right. Then for investigation,

179
00:08:39.559 --> 00:08:43.519
<v Speaker 2>they usually offer ways to explore the entities involved, users, devices,

180
00:08:43.639 --> 00:08:47.440
<v Speaker 2>IPs, and often have threat hunting features built in. Makes sense.

181
00:08:47.519 --> 00:08:52.519
<v Speaker 2>And obviously automation, creating rules or playbooks or workflows, different

182
00:08:52.600 --> 00:08:56.240
<v Speaker 2>names for similar concepts to automate actions and coordinate responses

183
00:08:56.440 --> 00:08:57.919
<v Speaker 2>across different security tools.

184
00:08:58.039 --> 00:09:01.159
<v Speaker 1>Did it give any specific examples for these platforms.

185
00:09:01.519 --> 00:09:03.840
<v Speaker 2>It did mention a few. For Microsoft Sentinel, it talked

186
00:09:03.840 --> 00:09:07.679
<v Speaker 2>about automation rules triggered by incident creation or updates or

187
00:09:07.679 --> 00:09:08.840
<v Speaker 2>even alert.

188
00:09:08.480 --> 00:09:10.799
<v Speaker 1>Creation, so very flexible triggers.

189
00:09:10.960 --> 00:09:14.120
<v Speaker 2>Yeah. And it highlighted that playbooks are built using Azure

190
00:09:14.159 --> 00:09:18.080
<v Speaker 2>Logic Apps. Think of Logic Apps as the powerful engine

191
00:09:18.120 --> 00:09:20.799
<v Speaker 2>underneath that lets you connect to tons of different services

192
00:09:21.039 --> 00:09:24.480
<v Speaker 2>and build these workflows graphically. It mentioned actions like changing

193
00:09:24.519 --> 00:09:29.399
<v Speaker 2>status, assigning owners automatically. For Splunk SOAR, it noted

194
00:09:29.440 --> 00:09:32.360
<v Speaker 2>the idea of progressing from an event to a formal case,

195
00:09:32.879 --> 00:09:36.480
<v Speaker 2>using workbooks to guide investigation step by step, and having

196
00:09:36.519 --> 00:09:37.759
<v Speaker 2>a visual playbook builder.

197
00:09:37.879 --> 00:09:39.879
<v Speaker 1>Visual builders are usually quite helpful.

198
00:09:39.600 --> 00:09:42.600
<v Speaker 2>They can be. Yeah. And for Google Chronicle SOAR it

199
00:09:42.720 --> 00:09:46.320
<v Speaker 2>mentioned the dashboard for a quick overview, case management features,

200
00:09:46.759 --> 00:09:51.200
<v Speaker 2>and an Explorer view to visualize connections between security events. Ah,

201
00:09:51.279 --> 00:09:55.600
<v Speaker 2>same relationships. Exactly, and the playbook process with triggers and actions.

202
00:09:56.240 --> 00:09:59.360
<v Speaker 2>So, similar concepts, maybe implemented slightly differently.

203
00:09:59.440 --> 00:10:02.720
<v Speaker 1>Right. To make automation really tangible, the book dives a

204
00:10:02.759 --> 00:10:06.080
<v Speaker 1>bit deeper into Microsoft Sentinel's automation as an example.

205
00:10:06.240 --> 00:10:08.799
<v Speaker 2>Yeah, that section is useful for seeing how it works

206
00:10:08.799 --> 00:10:12.320
<v Speaker 2>in practice. It explains Sentinel's automation rules first.

207
00:10:12.120 --> 00:10:13.679
<v Speaker 1>What are the key parts of a rule?

208
00:10:13.600 --> 00:10:16.840
<v Speaker 2>You've got triggers, like when an incident is created; conditions,

209
00:10:16.919 --> 00:10:19.759
<v Speaker 2>like if the incident involves a high-value asset or

210
00:10:19.799 --> 00:10:21.159
<v Speaker 2>if the severity changes to.

211
00:10:21.159 --> 00:10:23.679
<v Speaker 1>High. So you can be specific. Very. And

212
00:10:23.639 --> 00:10:26.639
<v Speaker 2>Then the actions, which should happen automatically: run a playbook,

213
00:10:27.000 --> 00:10:30.399
<v Speaker 2>change the status, assign it to someone, add a tag.

214
00:10:30.639 --> 00:10:34.159
<v Speaker 2>Lots of options. Definitely. The book also mentions setting an

215
00:10:34.159 --> 00:10:38.159
<v Speaker 2>expiration date for rules, maybe for temporary ones, and defining

216
00:10:38.200 --> 00:10:40.000
<v Speaker 2>the order they run in if you have multiple rules

217
00:10:40.039 --> 00:10:42.600
<v Speaker 2>that could apply. Keeps things predictable.

218
00:10:42.200 --> 00:10:44.519
<v Speaker 1>Okay, And then the playbooks themselves. Those are the actual

219
00:10:44.559 --> 00:10:46.240
<v Speaker 1>automated workflows.

220
00:10:45.720 --> 00:10:49.279
<v Speaker 2>Exactly. As mentioned, they're built on Azure Logic Apps. The

221
00:10:49.279 --> 00:10:52.639
<v Speaker 2>book talks about the visual designer, the connectors to integrate

222
00:10:52.679 --> 00:10:58.000
<v Speaker 2>with all sorts of things: email, ticketing, other security tools, APIs.

223
00:10:57.399 --> 00:10:59.320
<v Speaker 1>So you can connect to almost anything.

224
00:10:59.200 --> 00:11:03.679
<v Speaker 2>Pretty much, yes, actually, using the generic HTTP connector for APIs.

225
00:11:04.080 --> 00:11:07.759
<v Speaker 2>It also covers how you handle authentication securely using things

226
00:11:07.840 --> 00:11:11.559
<v Speaker 2>like managed identities or service principals, so the playbook has

227
00:11:11.600 --> 00:11:13.639
<v Speaker 2>the right permissions without exposing credentials.

228
00:11:13.879 --> 00:11:17.480
<v Speaker 1>Security for the automation itself. Important. Crucial. And the book

229
00:11:17.480 --> 00:11:21.200
<v Speaker 1>gives a concrete example of automating enrichment, right, with VirusTotal.

230
00:11:21.360 --> 00:11:25.360
<v Speaker 2>Yes, it's a great example. The idea is an incident

231
00:11:25.360 --> 00:11:27.720
<v Speaker 2>comes in with an IP address or a URL. Instead

232
00:11:27.759 --> 00:11:30.559
<v Speaker 2>of the analyst manually copying that IP and checking it

233
00:11:30.600 --> 00:11:31.240
<v Speaker 2>on VirusTotal.

234
00:11:31.039 --> 00:11:33.240
<v Speaker 1>Which takes time, right. The

235
00:11:33.200 --> 00:11:36.879
<v Speaker 2>Playbook runs automatically. It grabs the IP or URL from

236
00:11:36.919 --> 00:11:40.320
<v Speaker 2>the incident, uses a VirusTotal connector to query their

237
00:11:40.360 --> 00:11:42.360
<v Speaker 2>API for threat intelligence, gets back

238
00:11:42.279 --> 00:11:45.399
<v Speaker 1>The reputation, any known malicious associations. Exactly, and

239
00:11:45.360 --> 00:11:48.120
<v Speaker 2>Then the playbook automatically adds that information as a comment

240
00:11:48.480 --> 00:11:50.039
<v Speaker 2>right back into the Sentinel incident.

241
00:11:50.159 --> 00:11:53.600
<v Speaker 1>Ah, so the analyst sees it immediately. Immediately.

242
00:11:53.679 --> 00:11:56.600
<v Speaker 2>The book outlines this flow: trigger, get entities, call API,

243
00:11:57.080 --> 00:11:59.600
<v Speaker 2>add comment. It doesn't give the code, but it shows

244
00:11:59.600 --> 00:12:03.000
<v Speaker 2>the purpose and the value: saves time, provides instant context,

245
00:12:03.320 --> 00:12:03.799
<v Speaker 2>huge win.

246
00:12:04.039 --> 00:12:07.559
<v Speaker 1>That really illustrates the power. Well, okay, so wrapping things

247
00:12:07.639 --> 00:12:10.960
<v Speaker 1>up for you the listener, what are the key takeaways

248
00:12:11.000 --> 00:12:13.399
<v Speaker 1>from this deep dive into the book on SOAR.

249
00:12:13.879 --> 00:12:16.159
<v Speaker 2>Well, hopefully you now have a much clearer idea of

250
00:12:16.159 --> 00:12:22.799
<v Speaker 2>what SOAR actually is. Its core parts: incident management, investigation, automation, reporting, TI

251
00:12:22.639 --> 00:12:26.159
<v Speaker 1>integration, and why it's so important today. Exactly. You've seen

252
00:12:26.000 --> 00:12:29.120
<v Speaker 2>How these tools help security teams cope with that massive

253
00:12:29.200 --> 00:12:33.960
<v Speaker 2>volume of threats, automating routine stuff, making investigation smoother.

254
00:12:34.159 --> 00:12:37.039
<v Speaker 1>Leading to faster, better incident response.

255
00:12:37.200 --> 00:12:40.039
<v Speaker 2>Right, and those Sentinel examples give you a real sense

256
00:12:40.039 --> 00:12:41.480
<v Speaker 2>of how it works in practice.

257
00:12:41.559 --> 00:12:45.679
<v Speaker 1>And like the source materials stressed, staying ahead in cybersecurity

258
00:12:45.720 --> 00:12:48.240
<v Speaker 1>means adapting using modern tools.

259
00:12:48.279 --> 00:12:50.480
<v Speaker 2>Like SOAR. It's not just about buying more

260
00:12:50.320 --> 00:12:53.559
<v Speaker 1>Tools, is it? No, it's about orchestrating them, automating them

261
00:12:53.679 --> 00:12:58.000
<v Speaker 1>smartly to make your security team more efficient, more effective. Which

262
00:12:57.840 --> 00:12:59.720
<v Speaker 2>Leads to a good question for you to think about.

263
00:13:00.679 --> 00:13:07.080
<v Speaker 2>How could these SOAR principles, automation, orchestration, centralizing incident management,

264
00:13:07.440 --> 00:13:10.519
<v Speaker 2>apply to the challenges you see in your organization or

265
00:13:10.559 --> 00:13:11.080
<v Speaker 2>your field.

266
00:13:11.360 --> 00:13:14.639
<v Speaker 1>Yeah, what are those repetitive tasks, those enrichment steps that

267
00:13:14.679 --> 00:13:17.720
<v Speaker 1>could maybe be automated? What could free up analyst time

268
00:13:18.080 --> 00:13:21.120
<v Speaker 1>for the really tricky stuff. It's worth considering. Absolutely. And

269
00:13:21.159 --> 00:13:24.039
<v Speaker 1>remember the world of SOAR is always changing, always evolving.

270
00:13:24.159 --> 00:13:26.799
<v Speaker 1>I feel so. We really hope this deep dive serves

271
00:13:26.840 --> 00:13:29.919
<v Speaker 1>as a good starting point. We encourage you to explore the

272
00:13:29.960 --> 00:13:33.039
<v Speaker 1>tools we mentioned, maybe look deeper into those NIST and

273
00:13:33.200 --> 00:13:34.240
<v Speaker 1>SANS frameworks.

274
00:13:34.480 --> 00:13:37.320
<v Speaker 2>Or dig into platforms like Azure Logic Apps to see

275
00:13:37.320 --> 00:13:38.799
<v Speaker 2>what's possible with automation.

276
00:13:39.159 --> 00:13:41.679
<v Speaker 1>Yeah, there's a lot more to discover. This is really

277
00:13:41.720 --> 00:13:42.960
<v Speaker 1>just scratching the surface.
