Terry MacDonald
Cosive
Terry MacDonald has been involved in information security for over 17 years.

He has worked in various roles during that time, spanning Security Operations, Policy, Planning, Business Development and Product Development. Terry co-founded the Spark NZ Security Operations Team, has worked in senior roles at the Cisco Managed Threat Defense centre and helped Microsoft develop their internal Threat Intelligence Management solution.

In recent years Terry has focused on helping organizations integrate threat intelligence, incident response and policy planning together to gain the most benefit from their information security programmes. Terry has been a major contributor to the OASIS STIX, TAXII and CybOX threat intelligence sharing standards, and has provided advisory services to major vendors such as Microsoft, Soltra and EclecticIQ.

He was also instrumental in the FIRST IEP Policy Framework and is a FIRST IEP-SIG co-chair. Terry is also an NZITF board member in his spare time.

TUTORIAL: Open Source Security Orchestration - Automating the Boring Stuff
Technical Level (3 being the highest score): 2

Organisations have an increasing number of detective controls in their information security environments. With more logs and more monitoring comes a growing volume of events to investigate and triage.

In this tutorial Cosive will show participants how they can use open source tooling to automate the contextualisation and remediation of security threats in their environment.

The agenda will include:
1. Installing and configuring the tools
2. Basic automation concepts
3. Creating workflows
4. Debugging workflows
5. Developing end-to-end playbooks for common security incidents (suspicious executables, phishing emails)
6. Developing integrations for currently unsupported systems

This is a hands-on course with a bare minimum of presenting.

Our intention is that 75% of this course does not require any programming experience and only minimal systems administration, but some SOC fundamentals and basic Linux skills will definitely help.

We’re still solidifying tooling, but it will be based on either StackStorm (a general-purpose automation engine with a wide range of supported integrations) or WALKOFF (NSA-released software that is cleaner to work with but has fewer supported integrations).