Abstract: An approach is provided for dynamically and automatically generating a playbook. A new incident and the tactics, techniques, and procedures (TTP) specifying the new incident are identified. The TTP are mapped to actions included in a TTP-based response matrix, which associates actions that address security incidents with respective TTPs that specify the security incidents. The actions are mapped to technologies in a defense capabilities matrix, which associates technologies deployed by an organization with multiple countermeasures to security incidents. A playbook is automatically generated that specifies countermeasure(s) to counter the new incident. The countermeasure(s) are based on the actions, the technologies to which the actions are mapped, and the TTP mapped to the actions. The countermeasure(s) are executed by using the defense capabilities matrix.

Abstract: A method, system, and computer program product for adaptive network provisioning. The method may include storing a plurality of use case records in a use case repository, where each use case record provides a diagnostic definition of a security threat to a SIEM environment. The method may also include storing metadata for a plurality of attributes of subscribers to the SIEM environment. The method may also include storing use cases that the subscribers have deployed from the use case repository. The method may also include setting up a new subscriber, where setting up the new subscriber includes: receiving a set of attributes of the new subscriber; searching a metadata store to identify subscribers with attributes that are similar to the set of attributes; and selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers.

Abstract: A method, system, and computer program product for adaptive network provisioning. The method may include storing a plurality of use case records in a use case repository, where each use case record provides a diagnostic definition of a security threat to a SIEM environment. The method may also include storing metadata for a plurality of attributes of subscribers to the SIEM environment. The method may also include storing use cases that the subscribers have deployed from the use case repository. The method may also include setting up a new subscriber, where setting up the new subscriber includes: receiving a set of attributes of the new subscriber; searching a metadata store to identify subscribers with attributes that are similar to the set of attributes; and selecting an initial set of use cases for the new subscriber based on use cases deployed by the identified subscribers.

Abstract: A method to detect a plurality of steganography based information embedded in a multimedia file associated with an online computer environment is provided. The method may include detecting the multimedia file entering or exiting an online environment associated with a network or an organization. The method may also include comparing a stored hashed version of the detected multimedia file to the detected version of the multimedia file. The method may also include comparing a stored perceptual hashed version of the detected multimedia file to the detected version of the multimedia file based on the detected multimedia file not matching the stored hashed version of the detected multimedia file. The method may further include assigning a flag attribute to the detected multimedia file based on the detected multimedia file matching the stored perceptual hashed version of the detected multimedia file.

Abstract: A method to detect a plurality of steganography based information embedded in a multimedia file associated with an online computer environment is provided. The method may include detecting the multimedia file entering or exiting an online environment associated with a network or an organization. The method may also include comparing a stored hashed version of the detected multimedia file to the detected version of the multimedia file. The method may also include comparing a stored perceptual hashed version of the detected multimedia file to the detected version of the multimedia file based on the detected multimedia file not matching the stored hashed version of the detected multimedia file. The method may further include assigning a flag attribute to the detected multimedia file based on the detected multimedia file matching the stored perceptual hashed version of the detected multimedia file.