Building an effective security strategy in organizations today requires the right combination of experts, processes, tools and technologies. Luckily, there are many different ways in which you can organize them to fit your company’s needs.
The two types of teams most often mentioned today are Security Operations Centers (SOCs) and Computer Security Incident Response Teams (or CSIRTs). SOCs and CSIRTs have distinctive roles and responsibilities, so deciding which one is better for your organization’s security program isn’t always easy. This blog post will focus on explaining their main objectives and how they differ in structure, which may help you to decide which one is more suitable for your organization’s internal infrastructure and strategy, especially if you are looking to set one up in the near future as your business expands.
Security Operations Center (SOC)
The term SOC refers to an environment designed specifically to defend corporate data and networks. It is used both for the facility in which security monitoring and response tasks are carried out and for the team responsible for them.
A SOC is the “brain” of a security organization: it is the central point for security roles and responsibilities, with the main goal of protecting the organization’s information. Its main tasks are:
- Monitoring and detection across the organization’s networks, systems and applications
- Incident management / response
- Any other activity that involves managing and protecting information within the company
Furthermore, the SOC oversees the people, technology and tools, and processes involved in all aspects of cybersecurity. Companies often have a SOC before they decide to establish a separate CSIRT. The end objective of every SOC is to monitor all security-relevant activity that takes place and to ensure, as far as possible, that the organization is protected against attacks.
The SOC is also responsible for incident response if there is no formal CSIRT established within the organization. If there is, the SOC helps the CSIRT in responding faster and more efficiently to a cyber threat.
The SOC is responsible for the following:
- Monitoring the security of users, systems, and applications
- Prevention, detection, and response to security threats
- Creating and managing procedures
- Integration of security systems with other tools
What makes a SOC different from other units within the organization is its centralized role and its strong focus on combining techniques, skills and technology, using tooling to raise the company’s level of protection against threats. It is also important to underline that even though its specialty is monitoring and detection rather than in-depth incident handling, a SOC may still cover incidents end to end, as the department responsible for all things related to cyber security.
Computer Security Incident Response Team (CSIRT)
A CSIRT is a centralized department within an organization whose main responsibilities include receiving, reviewing and responding to security incidents. CSIRTs may operate within a SOC or as an independent function, depending on the organization’s needs and structure.
The main goal of a CSIRT is to minimize and control the consequences of an incident. Its role is not limited to addressing the attack itself; it also involves communicating with boards, executives and clients about the incident.
Some of its main responsibilities include:
- Prevention, detection, and response to security threats
- Ranking alerts and tasks
- Investigating and conducting forensics on incidents
- Coordinating strategies
What do CSIRTs do?
The basis of every CSIRT is incident management: the CSIRT is the central point of contact in the event of a security incident. The faster a CSIRT responds, the more it can limit the damage, by providing rapid response and recovery. This keeps business workflows running and lowers the overall cost of the incident.
Incident management comprises three functions: reporting, analysis and response. CSIRT activities therefore usually involve the following:
- Understanding incidents – CSIRTs must understand the nature of an incident and the consequences that might arise from it. A repository of past incidents helps the team recognize the patterns of a given type of attack, which can drive activities that prevent it from recurring.
- Handling negative impact – CSIRTs research a given problem in depth and recommend solutions for it.
- Assisting other departments – CSIRT teams distribute alerts across the organization on the latest threats and risks.
- Compose security strategies
Does my organization need a CSIRT?
The CSIRT within an organization may be a formal unit or an ad-hoc team, depending on the company’s needs. If your organization does not face cyber threats on a regular basis, the need for a CSIRT might not be as great as it is for larger organizations or for companies in high-risk industries such as healthcare, finance or government. In industries such as these, responding to threats is a daily activity and there is a need for a formal, full-time CSIRT.
Whatever the needs of your organization, don’t forget that a CSIRT team will evolve with time. What might start as an ad-hoc team may develop into a full functioning department as the business expands and progresses.
The final choice will depend on a number of individual requirements and factors, including but not limited to the size of the organization, the number of threats it faces, its industry and the maturity of its security program. Whatever team is established, it is always important to clearly define roles and responsibilities, to have efficient processes in place that can be automated, and to implement the right tools and technologies to help the team do its job more effectively. Set up correctly, SOCs and CSIRTs enable the organization to respond to all security alerts and to react faster to ever-evolving cyber security incidents.
The terms security automation and security orchestration are often used almost interchangeably nowadays in the IT ecosystem. But it’s very important to note that these terms have completely different meanings and purposes. The aim of this blog is to discuss the core differences by explaining what these terms mean exactly, what their functions are and how they can be used within an IT context.
When automation emerged in the security field, it became a crucial asset for security teams that were already exhausted from time-consuming, repetitive, low-level tasks. Orchestration was the next step for better time and resource management for teams, as it helped professionals respond to issues faster, and prioritize important tasks with defined and consistent processes and workflows.
Security orchestration vs. security automation – the difference
When we speak about automation, it’s often wrongly assumed to mean automating an entire process, which is not always correct. The proper definition of security automation is setting a single security operations-related task to run on its own, without the need for human intervention (or a task could be semi-automated if some form of human decision is required).
Orchestration, on the other hand, refers to making use of multiple automation tasks across one or more platforms. Automation tasks are thus the building blocks of the overall orchestration process, which covers larger, more complex scenarios. In other words, orchestration is the automated coordination and management of systems, middleware and services: security orchestration chains multiple automated and semi-automated tasks, possibly spanning several systems, to execute a complex process or workflow.
Security Orchestration aims to streamline and optimize repeatable processes and ensure correct execution of tasks. Anytime a process becomes repeatable and tasks can be automated, orchestration can be used to optimize the process and eliminate redundancies.
Automation and orchestration are best understood by differentiating between a single task and a complete process. Automation handles a single task, while orchestration coordinates a set of tasks into a process. Automating a task speeds it up, especially when it is a basic task that is repeated often. But a process is not limited to a single function, so optimizing a whole process is only possible with orchestration. Done right, orchestration speeds up the entire process from start to finish.
By now you should be aware of the core difference between security automation and security orchestration, but bear in mind that the two are not independent of each other and are used in conjunction: as discussed, security orchestration is not possible without automation. Now let’s go through the main benefits of each:
Automation makes many time-consuming tasks run smoothly without (or with little) human intervention, thus allowing organizations to take a more proactive approach in protecting their infrastructure from increasing volumes of security alerts and potential incidents, which would take far too many man-hours to be able to complete.
The primary goal of orchestration is to optimize a process. While security automation is limited to automating a particular task, orchestration goes way beyond this. With automation providing the necessary speed to the processes, orchestration, on the other hand, provides a streamlined approach and process optimization.
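To make the distinction concrete, here is an added example, not code from the original post or from any SOAR product. Each function under the automation heading is a single task that runs unattended (indicator enrichment, asset lookup, a firewall block); the playbook under the orchestration heading coordinates those tasks across their data sources and decides what to do with each alert, including a semi-automated step that waits for an analyst’s approval before containment touches a high-criticality asset. The threat intelligence table, asset inventory, alerts and score threshold are constructed for the example, and the Firewall class is a hypothetical in-memory stand-in for a real firewall management API.

```python
"""Automation (single tasks) vs. orchestration (a coordinated playbook).

Added example; not code from the original post or any SOAR product.
Reference data, alerts and the Firewall stub are all constructed/hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed threat-intelligence feed: indicator -> reputation (0-100) and tags.
THREAT_INTEL = {
    "203.0.113.7": {"score": 90, "tags": ["c2"]},
    "198.51.100.23": {"score": 15, "tags": ["scanner"]},
}

# Constructed asset inventory: internal IP -> hostname and business criticality.
ASSET_INVENTORY = {
    "10.0.0.5": {"hostname": "hr-fileserver", "criticality": "high"},
    "10.0.0.42": {"hostname": "lobby-kiosk-01", "criticality": "low"},
}

# Constructed SIEM alerts: the queue the playbook works through.
ALERTS = [
    {"id": "A-1", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.42"},
    {"id": "A-2", "src_ip": "198.51.100.23", "dst_ip": "10.0.0.5"},
    {"id": "A-3", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
]


@dataclass
class Firewall:
    """Hypothetical stand-in for a firewall management API."""
    blocked: set = field(default_factory=set)

    def block(self, ip: str) -> bool:
        self.blocked.add(ip)
        return True


# --- Automation: each function is one task that runs without a human ---
def enrich_indicator(ip: str) -> dict:
    """Look up an external IP in the threat-intel feed (unknown -> score 0)."""
    return THREAT_INTEL.get(ip, {"score": 0, "tags": ["unknown"]})


def lookup_asset(ip: str) -> dict:
    """Resolve an internal IP to its inventory record."""
    return ASSET_INVENTORY.get(ip, {"hostname": "unknown", "criticality": "unknown"})


def block_ip(firewall: Firewall, ip: str) -> bool:
    """Containment action: push a block rule to the firewall."""
    return firewall.block(ip)


# --- Orchestration: a playbook that coordinates the tasks and decides ---
SCORE_THRESHOLD = 70  # assumed cut-off for treating an indicator as malicious


def run_playbook(alert: dict, firewall: Firewall, approvals: Optional[set] = None) -> dict:
    """Triage one alert end to end and return a record of what was decided.

    Containment is fully automated for low-criticality targets. For a
    high-criticality target it is semi-automated: the block only happens once
    the alert id appears in `approvals` (an analyst's sign-off).
    """
    approvals = approvals or set()
    intel = enrich_indicator(alert["src_ip"])
    asset = lookup_asset(alert["dst_ip"])
    record = {
        "alert_id": alert["id"],
        "score": intel["score"],
        "asset": asset["hostname"],
        "action": "closed_benign",
    }
    if intel["score"] < SCORE_THRESHOLD:
        return record  # low reputation score: close without spending analyst time
    if asset["criticality"] == "high" and alert["id"] not in approvals:
        record["action"] = "awaiting_approval"
        return record
    block_ip(firewall, alert["src_ip"])
    record["action"] = "blocked"
    return record


def run_all(alerts: list, firewall: Firewall, approvals: Optional[set] = None) -> list:
    """Work the whole alert queue through the playbook."""
    return [run_playbook(a, firewall, approvals) for a in alerts]


if __name__ == "__main__":
    fw = Firewall()
    for r in run_all(ALERTS, fw):
        print(r)
    print("blocked:", sorted(fw.blocked))
```

Each automation function could be swapped for a real API call without touching the playbook; the orchestration layer is the part that knows the order of the tasks, which one gates the next, and where a human has to be in the loop.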
What happens when these two work together?
- Better utilization of assets, allowing the organization to be more efficient and effective
- Improved ROI on existing security tools and technologies
- Increased productivity – repetitive tasks are automated and orchestrated between themselves
- Reduced security analyst fatigue from alert and task overload
- Processes remain consistent due to standardization of activities.
Orchestration and automation work together to empower security teams, allowing them to be more effective and ultimately to focus on incident analysis and important investigations rather than on manual, time-consuming and repetitive tasks. Having all of the tools to hand within a centralized, single and intuitive orchestration platform can only benefit your security operations team. This ultimately means more time for analysts and incident responders to focus on issues that require human judgement for deeper investigation, mitigation and remediation.
Security automation and security orchestration are closely related, and it is often difficult to differentiate between them. Given this confusion, one last piece of advice is to look at their fundamental difference, which lies in their individual goals: automation is about codifying individual tasks, and orchestration is about systematizing processes. Differentiating the two adequately will help you to achieve a streamlined and accurate execution of your incident response processes and tasks.
About National Cybersecurity Awareness Month (NCSAM)
Every year since 2004, October has been recognized and celebrated as National Cybersecurity Awareness Month (NCSAM). NCSAM was created in a united effort between the Department of Homeland Security and the National Cyber Security Alliance to raise awareness on a variety of cybersecurity issues. NCSAM has grown exponentially over the years, reaching consumers, small and medium-sized businesses, corporations, government entities, the military, educational institutions, and young people nationally and internationally. NCSAM was designed with one goal, to engage and educate the public as well as the private sector partners through a series of events and initiatives with the goal of raising awareness about cybersecurity in order to increase the resiliency of the nation in the event of facing cyber incidents. This unified effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come.
What’s New in 2018
This year, National Cybersecurity Awareness Month (NCSAM) focuses on internet security as a shared responsibility among consumers, businesses and the cyber workforce. NCSAM 2018 aims to “shine a spotlight on the critical need to build a strong, cyber-secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected.” The month is divided into four week-long topics:
Week 1 (Oct. 1–5): Make Your Home a Haven for Online Safety
Week 2 (Oct. 8–12): Millions of Rewarding Jobs — Educating for a Career in Cybersecurity
Week 3 (Oct. 15–19): It’s Everyone’s Job to Ensure Online Safety at Work
Week 4 (Oct. 22–26): Safeguarding the Nation’s Critical Infrastructure
Staying Safe Online
This month, organizations should make it a priority to build on their existing cybersecurity knowledge and practices and to better understand the current cyber threats impacting their industry. With the spotlight on security, NCSAM is a great time to review current cybersecurity strategies and map out strategic actions that could be undertaken to secure the organization’s infrastructure as much as possible.
Even though preventing every single attack is an impossible mission, all stakeholders within any organization, regardless of their position, capability or involvement within cybersecurity should aim to increase their security knowledge, as one phishing attack could have devastating consequences. Working towards increasing levels of awareness and training, strengthening partnerships and defenses, exchanging valuable information, and with advancing technology will help organizations to protect their brands and valuable assets.
With that being said, we know from experience that today cyber attacks are inevitable and regardless of the vast number of preventative measures we take to protect ourselves, our businesses and our infrastructure are still at risk. We can never be 100% certain that they are fully secure. Therefore it is key that organizations also have an appropriate and in-depth incident response plan in place in order to be able to respond efficiently and effectively to any type of incident that should unfortunately occur.
How SOAR Technology Helps To Improve Incident Response
Effective cyber defense demands a team effort where employees, end users, and enterprises recognize their shared role in reducing cybersecurity risks. As the ever-evolving cybersecurity landscape poses new challenges, companies are pushed even more to combat the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are a potential target. Security operations teams need to be prepared to respond to existing as well as to new types of cyber threats, in order to fully defend and protect their company assets.
Along with prevention becoming increasingly difficult for security teams, some organizations also have a weakness when it comes to incident response and the processes and workflows that should be implemented to minimize impact. The main reasons companies fail at incident response include inadequate resources, a lack of skilled analysts, failure to manage the phases of the response, task overload and more.
Adopting a complete and comprehensive Security Orchestration, Automation and Response (SOAR) solution can go a long way towards preventing and mitigating the consequences of cyber incidents. The deployment of a SOAR solution can help alleviate a number of current security operations challenges (including the growing number of alerts, increased workloads and repetitive tasks, current talent shortage and competition for skilled analysts, lack of knowledge transfer and budget constraints), while improving the overall organization’s security posture by eliminating the most-common scenarios of resource-constrained security teams struggling to identify critical cyber incidents.
Some of the key benefits of using a Security Orchestration, Automation and Response (SOAR) solution are outlined below.
Top 10 Benefits of Adopting a SOAR Solution
- Acts as a force multiplier for security teams
- Automates manual repetitive processes to avoid alert fatigue
- Responds to all security alerts, filtering out false positives
- Decreases the time to detect, remediate and resolve incidents
- Simplifies incident response and investigation processes
- Integrates with existing security operations tools and technologies
- Improves the overall efficiency and effectiveness of existing security programs
- Reduces operational costs and improves ROI
- Minimizes the risk and damage resulting from incidents
- Supports legal and regulatory compliance (e.g. the NIST incident handling guidance in SP 800-61 and the GDPR), including incident reporting and breach notification
Security Orchestration, Automation and Response With DFLabs IncMan SOAR Platform
DFLabs’ IncMan SOAR platform provides a complete and comprehensive solution to streamline the full incident response lifecycle. IncMan SOAR, is designed for SOCs, CSIRTs and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks, all from within one single, intuitive platform. IncMan SOAR is easy to implement and use, allowing you to leverage the capabilities of your existing security infrastructure and assets.
Take this October’s national cybersecurity awareness month seriously and do your part in learning something new which could help your organization to better protect itself. Contact us today to organize a bespoke demonstration and to discuss your individual requirements.
We’ve been witnessing the continual transformation of the cyber security ecosystem in the past few years. With cyber attacks becoming ever-more sophisticated, organizations have been forced to spend huge amounts of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and their brand reputation from potential hackers.
Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.
Many organizations are now transitioning the majority of their efforts on implementing comprehensive incident response plans, processes and workflows to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concerns that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back thousands of potential threats generated from incoming security alerts on a daily basis.
With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to the increasing numbers of false positives, to threats that aren’t real. This results in spending hours, even days on analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats, which could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?
How does security orchestration and automation help security teams?
With this in mind, organizations need to find new ways to combat these issues while at the same time adding value to their existing security program and to the tools and technologies already in use, in order to improve overall security operations performance. The answer lies in the use of Security Orchestration, Automation and Response (SOAR) technology.
Security Orchestration, Automation, and Response SOAR solutions focus on the following core functions of security operations and incident response and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:
- Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
- Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of hours if tasks are performed manually.
- Collaboration – Promotes more efficient communication and knowledge transfer across security teams
- Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, allowing tactical and strategic decision makers alike complete oversight of the incident management process.
- Dashboards and Reporting – Combines core information to provide a holistic view of the organization’s security posture, while also providing detailed information on any incident, event or case when it is required by different levels of stakeholders.
Now let’s focus on the details of these core functions and see how they improve the overall performance.
Security orchestration is the capability to coordinate, formalize and automate response actions based on the measured risk posture and the current state of the environment. More precisely, it is the way in which disparate security systems are connected together to deliver greater visibility and enable automated responses; it also channels large volumes of alert data into workflows.
With automation, multiple tasks covering parts or the whole of a security process can be executed without human intervention. Security operations can build sophisticated processes out of automated tasks, which also improves accuracy. While the concepts behind security orchestration and automation are related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also apply machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that analysts must complete manually, allowing them to focus on higher-level, more important actions that require human judgement.
Incident Management and Collaboration
Incident management and collaboration consist of the following activities:
- Alert processing and triage
- Journaling and evidentiary support
- Analytics and incident investigation
- Threat intelligence management
- Case and event management, and workflow
Security orchestration and automation tools are designed to facilitate all of these processes, while at the same time making threat identification, investigation and management significantly easier for the entire security operations team.
Dashboards and Reporting
SOAR tools generate reports and dashboards for a range of stakeholders from the day to day analysts, SOC managers, other organization departments and even C-level executives. These dashboards and reports are not only used to provide security intelligence, but they can also be used to develop analyst skills.
Human Factor Still Paramount
Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.
Whichever security orchestration and automation solution a company chooses, it is important to remember that no one single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking and the use of security orchestration and automation should not be viewed as a total replacement of a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating the repetitive, time-consuming tasks, formalizing processes and workflows, while supporting and empowering the existing security team to turn into proactive threat hunters as opposed to reactive incident investigators.
Humans and machines combined can work wonders for the overall performance of an organization’s security program and in the long run allows the experts in the team to customize and tailor their actions to suit the specific business needs of the company.
Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.
Discussions about security breaches often focus on the planning elements, but simply talking about planning is not enough. Comprehensive plans need to be drawn up, fully executed and regularly reviewed in order to be successful. This is the only way to potentially contain the breach and limit the impact it could have on the organization. Properly planning and implementing is the difference between success and failure for companies when it comes to security and incident response.
As the ever-evolving cyber security landscape poses new challenges, companies are pushed even more to fight back the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are potential targets and could become victims at any time. With attacks escalating in all areas, whether via phishing or malware, for example, security operations teams need to be prepared to respond to existing and new types and strains of threats, in order to fully defend and protect their company assets and networks.
Along with prevention becoming increasingly difficult for security teams, some organizations also tend to have a weakness when it comes to incident response. Below outlines some of the main reasons why this failure is happening today and if this a true representation of your organization, it is important for action to be taken in order to improve it.
With the number of sophisticated cyber threats growing at a phenomenal rate over the past several years, the security industry has seen an explosion of security tools on the market. Many of these, though, have had the adverse effect of creating more work for security teams and analysts in terms of monitoring, correlating and responding to alerts. Analysts are pushed to work across multiple platforms and to pull data from every single source manually, after which they still need to enrich and correlate that data, which can take many hours or even days.
Security budgets are often limited, and it is often easier to gain support and approval for additional security apps and tools than for additional staff. As a result, many security teams are forced to search for innovative ways to perform many different tasks with extremely limited personnel.
Another important point to note is that with increased market competition for experienced and skilled analysts, companies are often forced to choose between hiring one highly skilled staff member versus a couple of less experienced, junior level ones.
Over the years, organizations have adopted an increasing number of security tools to fight back against the growing number of security threats. But even though these tools manage alerts and correlate them through a security information and event management (SIEM) system, security teams are still overwhelmed by the volume of alerts being generated and in many instances are physically unable to respond to them all.
Every single alert must be verified manually and triaged by an analyst. Then, if the alert is determined to be valid, additional manual research and enrichment must take place before any action is taken to address the threat. While all of this takes place, other alerts wait unresolved in a queue, and new alerts keep being added. The problem is that any one of these alerts may be an opportunity window for an attacker while it waits to be addressed.
Risk of Losing Skilled Analysts
Security processes are largely performed manually and are complex in nature, so training new staff takes time. Organizations still rely on their most experienced analysts for decision making, based on their knowledge and work experience in the company, even when documented procedures are in place. This is commonly referred to as tribal knowledge, and the more manual the processes are, the longer the knowledge transfer takes. Highly qualified analysts are a real asset to the company, and every time a company loses such a staff member, part of the tribal knowledge is lost with them and the entire incident response process suffers. Even though companies try to keep at least one skilled analyst who is able to pass their skills on to other staff, they are not always successful.
Failure to Manage Phases
Security teams work with metrics that can be highly subjective and abstract, compared to other departments, which often have proven processes for measuring the effectiveness or ineffectiveness of a program. This is largely because conventional approaches and methods for measuring ROI are neither applicable nor appropriate for security projects, and may give misleading results. Proper measurement techniques are of the utmost importance for assessing the effectiveness and efficiency of a security program, so it is necessary to develop a measurement process customized to the needs of the company.
Another important issue that should be mentioned here is the one concerning the management of different steps of the incident response process. Security incidents are very dynamic processes that involve different phases, and the inability to manage these steps could result in great losses and damages to the company. For the best results, companies should focus on implementing documented and repeatable processes that have been tested and well understood.
In order to resolve these issues, organizations should consider the following best practices.
The coordination of security data sources and security tools in a single seamless process is referred to as orchestration. Technology integrations are most often used to support the orchestration process. APIs, software development kits, or direct database connections are just a few of the numerous methods that can be used to integrate technologies such as endpoint detection and response, threat intelligence, network detection, and infrastructure, IT service and account management.
Orchestration and automation may be related, but their end goals are different. Orchestration aims to improve efficiency through increased coordination and less context switching among tools, for faster and better-informed decision making, while automation aims to reduce the time these processes take and to make them repeatable by scripting the individual tasks; some platforms additionally apply machine learning to recommend actions. Ideally, automation increases the efficiency of orchestrated processes.
Strategic and Tactical Measurement
Information supporting tactical decisions usually consists of incident data for analysts and managers, which might include indicators of compromise, assets, process status, and threat intelligence. This information improves decision-making from incident triage and investigation through containment and eradication.
On the other hand, strategic information is aimed at executives and managers, and it’s used for high-level decision making. This information might comprise statistics and incident trends, threat intelligence and incident correlation. Advanced security programs might also use strategic information to enable proactive threat hunting.
If these challenges sound familiar within your security operations team, find out how DFLabs’ Security Orchestration, Automation and Response solution can help to address these to improve your overall incident response.
Attending face-to-face events does wonders for career networking and acquiring knowledge, plus it’s always incredibly helpful to see the latest advancements in technology first-hand, view a new tool in action, or simply get some answers to questions you have from industry experts.
This becomes even more important if your organization wants to stay up to date with the latest security trends and ahead of the ever-evolving cyber threats, especially given the quickly evolving threat landscape we face today. If this is the case, then attending these top-notch cyber security conferences in the months ahead should be a priority for you and your security team. Whether you are a C-level executive, a security operations manager or a security analyst, there will be something there to benefit you.
There are a growing number of events taking place around the globe this fall with cyber security as their main focus. These gather tech enthusiasts, developers, pioneers, security experts, and many other masterminds, all at the same venue with a single goal in mind – to improve their cyber security ecosystem. Picking the conferences and summits a company should attend may be a real challenge, as there are so many to choose from, and this is exactly why we prepared a quick guide to some of the most exciting events to be at, large and small alike. It’s not too late to plan your travel!
So, here’s the lineup of our top-rated cyber security events where DFLabs will be present, that will give you the opportunity to chat with your peers, attend presentations and hear keynotes, engage in discussions about the dark web, cyber espionage, malware and more importantly, incident response and how to detect, respond to and remediate potential security incidents, as well as many other topics.
6-7 September 2018, New Orleans, US
This two-day in-depth summit is focused on the latest threat hunting and incident response techniques that can be used to successfully identify, contain and eliminate adversaries targeting your networks. The summit will put special focus on the effectiveness of threat hunting in reducing the dwell time of adversaries, providing actionable threat hunting strategies, as well as tools, tactics, and techniques that can be used to improve organizations’ defenses. Our Senior Product Manager, John Moran, will also be speaking on the subject of “Threat Hunting Using Live Box Forensics”.
13-14 September, 2018, Warsaw, Poland
The SCS conference consists of presentations from leading world authorities in the cyber security realm. This conference gathers leading international companies with presentations focused on cyber security, as well as guests from all around the globe, while maintaining a large Polish presence. DFLabs, along with its Polish-based partner, Orion Instruments Polska, will be engaging with the audience during live presentations, as well as on the exhibition floor during this 2-day event.
18-19 September, Copenhagen, Denmark
DFLabs is a proud sponsor of Think In 2018, LogPoint’s first ever customers and partners conference. With the recent integration of LogPoint’s SIEM with DFLabs’ SOAR solution, this conference will provide a unique opportunity to connect with both organizations in one place and enable you to ask important questions in relation to how this joint solution can support your business needs. See first-hand a comprehensive joint demonstration during the live briefing sessions regarding how to integrate an effective incident response program combining the power of SIEM and SOAR technology.
18-20 September, Singapore
GovWare is into its 27th year and is the cornerstone event for the Singapore International Cyber Week featuring the latest trends in all things cybersecurity, focused around the Government sector. DFLabs with its partner PCS Security will be showcasing its solutions to “Control Your Cloud”, where you can learn how to create a more efficient and effective response to cyber security incidents.
18-19 September, London, UK
SINET is dedicated to building a cohesive, worldwide cybersecurity community with the goal of accelerating innovation through collaboration. SINET is a catalyst that connects senior level private and government security professionals with solution providers, buyers, researchers and investors. DFLabs is delighted to be participating in and sponsoring this London event to share knowledge and broaden the awareness and adoption of innovative cybersecurity technologies.
9-11 October, Nuremberg, Germany
it-sa is Europe’s largest exhibition for IT security and one of the most important worldwide events where experts will be providing information on current issues, strategies and technical solutions. In partnership with Softshell, DFLabs will be showcasing its latest solution features to enable organizations to transform their security operations, acting as a force multiplier for their security team to decrease the time to detect and resolve incidents.
14-18 October, Dubai, UAE
If you’re talking technology within the Middle East, Africa and Asia, GITEX is the place to be. Right from world-famous industry names to Silicon Valley’s hottest startups, everyone heads to GITEX in anticipation of big business partnerships, future-ready gear and booming success. As the largest technology event in the Middle East, Africa and South Asia, see new technologies and innovation come alive. During GITEX Technology Week, DFLabs will be available with our partner RAS Infotech at booth G02.
If you are attending one or more of these events, or even if you aren’t able to attend and would like to learn more about our ever-evolving Security Orchestration, Automation and Response platform and how it can improve the performance of your security program, do make sure to get in touch, whether for an informal chat, a more formal discussion or to see a live demo.
We look forward to hearing from you and seeing you there!
Each year SANS conducts a global Security Operations Center – SOC survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs. With the continual increase in volume and sophistication of cyber attacks it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.
This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”! This blog will cover a quick snapshot of the report highlights and we will delve deeper into some of the results in future posts.
SANS 2018 SOC Survey Highlights
Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization. So, how does your SOC stack up against the 2018 survey results?
Here are the key findings.
- Only half of SOCs (54%) use any form of metrics to measure their performance
- There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
- Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
- The most meaningful event correlation is still primarily carried out manually
- Over half of respondents (54%) did not consider their SOC a security provider to their business
- The most common architecture is a single central SOC (39%)
- Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
- Top shortcomings to SOC performance included:
  - Shortage of skilled staff (62%)
  - Inadequate automation and orchestration (53%)
  - Too many unintegrated tools (48%)
What do these results actually mean? I am sure they can be interpreted in many ways. For me some results were not surprising, such as the shortage of skilled labor being the number one shortfall affecting SOC performance. However, some were quite startling, in particular the number of SOCs that do not use any form of metrics to measure performance – the results indicate nearly half.
With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.
Defining and Measuring SOC-cess
What is “SOC-cess” and how can we determine what an efficient and effective SOC is? SANS’ definition of SOC-cess is as follows.
“SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions. The response activities of SOC represent the reactive side of operations.”
I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor. Of those SOCs surveyed, the top three metrics measured included:
- Number of incidents handled
- Average time from detection to containment to the eradication of an incident
- Number of incidents closed in a single shift
Without these metrics, there is nothing to compare to or benchmark against when measuring the overall performance and capabilities of the SOC, and it will be difficult for management to justify any investment in additional tools or resources if the effectiveness and return on investment can’t be calculated or quantified. Therefore, measuring metrics should be the number one priority for any SOC that wants to determine its success, not only for the 54% of SOCs that currently do so.
Summary of Findings
Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.
Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.
There are, though, a number of things that can help to drive improvements. These include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended, and better orchestration between the NOC and the SOC, using orchestration tools to drive consistency.
Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.
How Can DFLabs Help?
A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs can not only help to tackle the orchestration and automation shortfalls as mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, as well as measuring SOC performance metrics.
Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.
Security analysts today are spending the majority of their time dealing with the mundane, repetitive and administrative tasks associated with incident response, as opposed to using their valued time proactively investigating and hunting threats in order to remain one step ahead of the increasing number of cyber threats they are facing. On a daily basis, security teams are being bombarded with a plethora of security alerts, most commonly from their security information and event management (SIEM) solution, combined with log and event data from a number of other platforms and sources within their infrastructure.
A SIEM tool pulls event and log data from a wide range of internal sources, sometimes from 15 different third-party tools or more, to provide a complete all-around picture of an organization’s current security posture and ongoing threats. The SIEM mainly acts as a security monitoring system by correlating relevant data from multiple sources and generating alerts when the events appear to be worthy of further investigation. At a basic level, SIEM implementations can be rule-based or can employ a statistical correlation engine to establish relationships between event log entries, while advanced SIEMs can be used for user and entity behavior analytics (UEBA) and some orchestration and automation processes.
Is there such a thing as too much information?
The main advantage of implementing a formal and automated SIEM process is to increase the overall visibility of the IT network and security infrastructure. However, this process and enhanced visibility often leads to large volumes of alerts being generated which then manually need investigating by security analysts. Quite often a number also turn out to be false positives after further investigation, wasting a considerable amount of time. In other cases, far too many alerts are being generated for the workforce to even begin to consider investigating them all. As a consequence, only the higher levels of alerts are prioritized, increasing the risk to the organization by disregarding some of the lower-level alerts.
A more effective and efficient solution
Rather than leaving the organization vulnerable to the risks of ignored alerts, a better solution is to complement the SIEM with security orchestration, automation, and response (SOAR) technology. Gartner created the term SOAR to describe an approach to security operations and incident response that aims to improve security operations’ efficiency, efficacy, and consistency. SOAR allows organizations to collect security data and alert information from a number of different sources, including a SIEM, and to then perform incident analysis and triage using a combination of human and machine power. This helps to formalize the response handling procedure, determining and deploying effective and repetitive incident response processes and workflows.
Acting as a force multiplier, SOAR allows security teams to do more with less resources. It provides capabilities to automate, orchestrate and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment, and remediation. The overall goal of an organization utilizing a SOAR solution is to reduce the mean time to detection (MTTD) as well as the mean time to respond (MTTR) to an incident. This, in turn, minimizes the risk resulting from the growing number of cyber threats and security incidents, while also enabling the organization to achieve legal and regulatory compliance, while ultimately increasing the return on investment for existing security infrastructure technologies.
Action alerts immediately and automatically
A SIEM solution ingests and processes large volumes of security events from various sources, then collates and analyzes the information to identify the issues, which subsequently triggers the creation of the initial security alert. This functionality is often limited to unidirectional communication with the data collection sources and in most cases, SIEM implementations do not carry out actions beyond the initial alert generation. This is where the power of SOAR can add significant value, taking the SIEM generated alert and orchestrating and automating responses, utilizing multiple security and IT tools from different vendors to remediate the threat.
Once a SIEM alert is generated, an incident is triggered within the connecting SOAR solution. Combined with machine automation and some level of human interaction where needed, a number of enrichment and response actions are carried out following a specific set of playbooks and runbooks for each individual incident type. A set of activities based on previously defined incident workflows and results, combined with machine learning are used to automate and guide the entire response process from start to finish.
Get more from the people you have
Integrating SIEM and SOAR combines the power of each to create a more robust, efficient and responsive security program, ensuring no alerts go untouched. It accelerates incident detection and response actions from minutes to seconds, ultimately enabling security teams to maximize analyst efficiency, minimize incident resolution time and avoid alert fatigue that negatively impacts so many of today’s security teams. It also enables organizations to automate most of the low-level work often performed by security analysts, allowing them to do what they do best, which is challenging and rewarding, while SOAR technology does the rest.
Preparation for GDPR has been underway for the last two years. Although last month’s deadline has passed and GDPR is now in effect, there are still many companies in the EU and the rest of the world for that matter, that are still not 100% compliant. A recent survey by Spiceworks revealed that only 25 percent of US companies were thought to be compliant when GDPR went into force. Many of these companies are waiting in anticipation to see the first results and the impact the new legislation will bring once a new major breach has been uncovered. As we wait for that first announcement in the news, the chances are that many new breaches have most likely already occurred post-May 25th but are still yet to be detected and disclosed. Dixons Carphone may be the first, announcing a huge data breach last week involving 5.9 million payment cards and 1.2 million personal data records, but the breach was reported to have taken place last year, pre-GDPR, so the consequences are somewhat unclear.
GDPR is unique in that it is the first major regulation to focus on the end scenario, the impact and aftermath of a breach, especially to the individual, as opposed to focusing solely on the prevention and controls put in place by organizations to prevent a breach in the first place. What seems to have caused the most confusion is that there doesn’t seem to be that “one size fits all” approach for companies to meet GDPR compliance and there have been many different interpretations. Companies must be able to prove they have carried out the necessary risk assessments and put the appropriate policies, processes, and procedures in place given all the risks involved.
Historically it has been more common to associate security controls with breach prevention, but today cybersecurity strategies have been turned on their head and security operations teams must assume that a breach has occurred or will occur. It is no longer the “if” scenario; the focus is now fully on the “when” scenario. This change in mindset puts incident response, in particular data breach notification and reporting processes, at the forefront of reducing the risk of a data breach as opposed to being an afterthought. Organizations under GDPR now have to notify EU authorities within 72 hours and have to prove that their security programs and responses were appropriate to the situation.
If you are not quite fully GDPR compliant yet, there is no time to wait. Here are 5 steps you should take without undue delay.
1. Establish Roles and Responsibilities
Data Protection Officer (DPO) is the latest new job title being created within many organizations. The main responsibilities of the DPO include providing advice on security controls, processes and procedures within the organization, as well as acting as the main point of contact for the supervisory authority. The DPO is not the only role that may be required, though, as a proper incident response plan will require many additional roles, including an incident response coordinator, legal and compliance resources and human resources, to name a few. Stakeholders within the organization will need to be aware of how to effectively put the plans into action. If you are yet to define roles and responsibilities, this is a key first step when tackling GDPR.
2. Know Your Data
Under GDPR it is important to understand what data exists, where it is located, who has access to it and for what purpose it is being used. Only the minimum amount of data needed to perform the task should be collected and processed, and it should not be retained for longer than necessary. If data within the company is unknown, then it can’t be protected, putting the company at risk. Knowing where data exists is crucial during incident response and breach notification, so make sure you do a comprehensive audit of your business and the data it holds.
3. Document the Incident Response Plan
To respond to a security incident, a thoroughly planned and documented approach is required to maximize its effectiveness. Without structure and documented processes and procedures in place, an incident response attempt could turn into complete mayhem. The process should comprise the appropriate tools and tasks, as well as the personnel required to respond to the incident, ensuring it covers all scenarios, whether large or small. It is also important to document both the high-level plan and the more detailed workflows for handling specific types of security incidents (e.g. runbooks and playbooks). Having this documentation and the associated processes and procedures in place will help your organization to demonstrate that a formalized, repeatable process using an appropriate response was followed during a potential breach.
4. Test the Plan Regularly
Having a documented plan is one thing, but ensuring it works and is fully tested is another. GDPR not only requires that security controls are in place but also states that they should be tested and evaluated on a regular basis. This will most likely vary from organization to organization, but we would recommend that it take place at least once a year and include exercises such as breach simulations. As well as meeting this requirement under GDPR, it also helps to ensure that all stakeholders within the incident response process are up to date and familiar with their respective roles and responsibilities.
5. Ensure Reporting Practices and Proficiencies
The GDPR breach reporting and notification element is probably one of the most challenging aspects to comply with, as 72 hours is a relatively short window to detect, remediate, report on and notify all parties of an incident. Organizations need to be able to gather and analyze large amounts of data from multiple sources, as well as make sense of the data before notifying stakeholders internally and externally. Implementing automated procedures for collecting data and preparing detailed reports based on incident and forensic data is essential, as well as having documented processes in place for issuing notifications to potentially hundreds of thousands of individuals.
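The three metrics from the SANS survey earlier on this page (incidents handled, average time from detection through containment to eradication, incidents closed in a single shift) and the 72-hour notification window described in this step all reduce to arithmetic over the timestamps on an incident record. The following is an added example, not DFLabs’, SANS’ or any product’s code: the incident fields, the 8-hour shift length, the use of MTTD/MTTR as compromise-to-detection and detection-to-closure, and the rule that the 72-hour clock starts at detection are assumptions, and the incident records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, Optional, Tuple

HOUR = timedelta(hours=1)


@dataclass
class Incident:
    """Timeline of one incident (assumed field set; naive UTC timestamps)."""
    ident: str
    occurred: datetime                    # best-known start of the compromise
    detected: datetime                    # alert raised / team became aware
    contained: Optional[datetime] = None
    eradicated: Optional[datetime] = None
    closed: Optional[datetime] = None
    notified: Optional[datetime] = None   # breach notification sent to the authority


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier) / HOUR


def _mean_hours(pairs: Iterable[Tuple[Optional[datetime], Optional[datetime]]]) -> Optional[float]:
    """Mean elapsed hours over (start, end) pairs; pairs with a missing stage are
    skipped so open incidents do not distort the figure. None when nothing qualifies."""
    values = [_hours(end, start) for start, end in pairs if start and end]
    return round(mean(values), 3) if values else None


def incidents_handled(incidents: list) -> int:
    return len(incidents)


def mttd_hours(incidents: list) -> Optional[float]:
    """Mean time to detect: compromise start to detection (assumed definition)."""
    return _mean_hours((i.occurred, i.detected) for i in incidents)


def mttr_hours(incidents: list) -> Optional[float]:
    """Mean time to respond: detection to closure, over closed incidents only."""
    return _mean_hours((i.detected, i.closed) for i in incidents)


def detect_contain_eradicate_hours(incidents: list) -> dict:
    """Average detection->containment and containment->eradication, each computed
    over the incidents that actually reached that stage."""
    return {
        "detect_to_contain": _mean_hours((i.detected, i.contained) for i in incidents),
        "contain_to_eradicate": _mean_hours((i.contained, i.eradicated) for i in incidents),
    }


def closed_in_single_shift(incidents: list, shift_hours: float = 8.0) -> int:
    """Incidents closed within one shift length of detection (8-hour shift assumed)."""
    return sum(1 for i in incidents
               if i.closed and _hours(i.closed, i.detected) <= shift_hours)


def gdpr_notification_status(inc: Incident, now: datetime,
                             window_hours: float = 72.0) -> Tuple[str, float]:
    """Where the 72-hour notification clock stands, assuming it starts at detection.
    Returns (status, hours): hours is the margin left (positive) or overrun (negative)."""
    deadline = inc.detected + window_hours * HOUR
    if inc.notified is not None:
        margin = _hours(deadline, inc.notified)
        return ("notified_on_time" if margin >= 0 else "notified_late", margin)
    margin = _hours(deadline, now)
    return ("pending" if margin >= 0 else "overdue", margin)


# Constructed incident records (not real data): two closed, one contained but
# open, one freshly detected.
SAMPLE = [
    Incident("INC-001", datetime(2018, 6, 1, 0, 0), datetime(2018, 6, 1, 10, 0),
             contained=datetime(2018, 6, 1, 12, 0), eradicated=datetime(2018, 6, 1, 16, 0),
             closed=datetime(2018, 6, 1, 17, 0), notified=datetime(2018, 6, 2, 10, 0)),
    Incident("INC-002", datetime(2018, 5, 31, 0, 0), datetime(2018, 6, 2, 0, 0),
             contained=datetime(2018, 6, 2, 6, 0), eradicated=datetime(2018, 6, 3, 0, 0),
             closed=datetime(2018, 6, 3, 12, 0), notified=datetime(2018, 6, 6, 0, 0)),
    Incident("INC-003", datetime(2018, 6, 3, 0, 0), datetime(2018, 6, 3, 1, 0),
             contained=datetime(2018, 6, 3, 2, 0)),
    Incident("INC-004", datetime(2018, 6, 4, 0, 0), datetime(2018, 6, 4, 0, 30)),
]
NOW = datetime(2018, 6, 6, 12, 0)  # constructed "current time" for the open incidents


def report(incidents: list = SAMPLE, now: datetime = NOW) -> dict:
    """Shift-report style summary: SOC metrics plus the notification clock per incident."""
    return {
        "handled": incidents_handled(incidents),
        "mttd_h": mttd_hours(incidents),
        "mttr_h": mttr_hours(incidents),
        **detect_contain_eradicate_hours(incidents),
        "closed_in_one_shift": closed_in_single_shift(incidents),
        "gdpr_clock": {i.ident: gdpr_notification_status(i, now) for i in incidents},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Open incidents are excluded from the MTTR and eradication averages rather than counted as zero, and the notification check flags INC-003 as already overdue while INC-004 still has margin.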
As we already know, data breach detection and incident response are never going to be a straightforward process for any organization, but GDPR has now leveled the playing field to ensure that all companies meet the same baseline requirements or face the possibility of hefty fines and public scrutiny. It is now a critical time for organizations to ensure they have detailed and documented incident response plans and procedures in place to deal with any incident, should it occur, as well as the tools they need to help them more easily comply with the requirements.
If your security operations team is looking for assistance with its incident response program and tools to help the organization to demonstrate GDPR compliance as well as breach notification requirements, these useful resources may help. Read our DFLabs IncMan for GDPR solution brief and whitepaper about Increasing the Effectiveness of Incident Management to learn more.
Regardless of the number of cyber security events you attend, their specific focus, size or location, there are always several important items on the agenda and key takeaways for both security professionals and security vendors alike, which keeps us going back for more.
Cyber security professionals attend these events to gather with people who share the same interest and expertise as they do, to learn about new and upcoming things in the industry, to network and meet people, as well as seek out potential vendor solutions to solve their common day challenges and pain points.
On the flip side, cyber security vendors want to do pretty much the same in terms of hearing about the latest trends and advancements in technologies and solutions, while taking the opportunity to meet and network with like-minded people, as today we tend to focus our communications less formally over email and social networks rather than by using the old-fashioned face-to-face method. If they can, they will, of course, want to showcase their solution first-hand so the full benefits can be seen, which isn’t a bad thing, as face-to-face meetings are becoming somewhat few and far between.
There are literally hundreds of events happening daily, weekly and monthly on a global scale, too many to possibly count. Conferences and events DFLabs has recently participated in include probably the most renowned event, RSA Conference US in San Francisco, as well as last week’s GISEC event in Dubai, both of which were great successes, with meetings with new prospects, existing customers, and channel and technology partners. If you didn’t get a chance to meet up with us then, feel free to drop us a line.
So how do you choose which ones to attend? This will depend on a number of deciding factors personal to you, including your agenda, the event program, what you want to achieve, size, location, cost of attending, as well as what fits in with juggling your busy schedule and availability. If Security Orchestration, Automation, and Response (SOAR) is a high priority on your list, these are some of the events to look out for and plan to attend in the next few months.
Upcoming Events: 5-7 June, London, UK
Coming into its 23rd year, Infosecurity Europe continues to be the main hub for cyber security professionals to gather and meet in the city once a year, featuring a comprehensive conference program with a large host of exhibitors. With nearly 20,000 expected visitors, it is a huge networking opportunity for most, so don’t forget to register here.
With only 4 weeks to go, contact me to schedule a date and time in your diary now to meet with one of the DFLabs team. If you don’t like the hustle and bustle of the expo floor, not a problem, we would be happy to meet in a quieter setting outside of the conference hall.
Upcoming Events: 26-28 June, Marina Bay Sands, Singapore
ConnectTechAsia consists of three events encompassing CommunicAsia, BroadcastAsia and its latest addition NXTAsia. Covering the entire spectrum of communication, broadcast, and enterprise technology and services it is where technology ideas and business converge.
Meet DFLabs at NXTAsia where you can visit us on stand #5H2-08 to learn more about how to leverage your existing security operations tools with Security Orchestration, Automation and Response (SOAR) technology. Also listen to our VP of Engineering, Andrea Fumagalli to hear more about the benefits of utilizing a SOAR solution in the NXTAsia Theatre on 28th June at 15:15. Save the date, register now and ensure you reach out to us to arrange to meet up.
The SANS Institute is one of the most trusted and largest sources for information security training and security certification in the world, with over 165,000 members. Established in 1989 as a cooperative research and education organization, it is now home to the largest collection of research documents about various aspects of information security. Hosting a number of summits, it educates delegates on a vast number of topics including Security Awareness, Cyber Threat Intelligence, and Security Operations to name a few.
DFLabs will be sponsoring the Security Operations Summit at the end of July, where you will be able to meet with us, as well as listen to our Lunch and Learn session hosted on Day 1. John Moran, Senior Product Manager from DFLabs will also be speaking at the Threat Hunting and Incident Response Summit in September on the topic “Threat Hunting Using Live Box Forensics”, so save the dates in your diaries. More information and event details are available here.
Upcoming Events: 4-9 August – Las Vegas, US & 3-6 December – London, UK
Black Hat is one of the most technical global information security events in the world, running for 20+ years. It provides attendees with the very latest research, development, and trends driven by the needs of the security community in the form of briefings and trainings. You can meet some of the friendliest hackers here!
DFLabs has a booth at both events and will be networking on the floor throughout. Visit us in Vegas at booth #2329 within the Innovation City, or in London later in the year at booth #1010. Learn more and arrange to meet us, whichever side of the pond you are on.
There will be many other upcoming opportunities to meet up with us throughout the year, but if you are attending one of these events this summer and would like to organize something ahead of time, please do get in touch to arrange a suitable time and a place. We look forward to meeting you. Or alternatively why wait? Arrange for an informal chat and a demo today.