Not so long ago we used to hear about a cyber-attack or a new form of vulnerability in the news perhaps on a quarterly or monthly basis. Today, they are becoming increasingly frequent, and I don’t think a day goes by that we don’t read in the headlines about the consequences an organization is having to face due to another attack. McAfee recently reported a staggering eight new cyber threats a second in Q4 2017.
With the sophistication of attacks also continuously evolving, the modern CISO is now facing up to the fact that cyber incidents are becoming inevitable and is preparing for a “when it will happen” scenario as opposed to “if it will happen”. Based on this, their cybersecurity strategy is being turned on its head: instead of focusing mainly on how to prevent an incident from occurring in the first place, they are now heavily investing in technologies and solutions to help identify, manage and contain an incident, in order to minimize the impact to the organization when it does occur.
In larger enterprises today, it is common to have a Security Operations Center (SOC) and/or a Computer Security Incident Response Team (CSIRT) to monitor, manage and respond to incoming security alerts, but with this come numerous challenges that are continuously being faced. Our recent blog “How to Implement Incident Response Automation the Right Way” specifically addressed the challenge of increasing volumes of alerts, which result in an exponential volume of mundane tasks, and discussed how automation should be implemented to overcome this. In reality, there are probably many more challenges than we will cover in this blog, but here are our top five, which we believe are currently having the biggest effect on SOCs and CSIRTs today.
Top 5 Challenges Faced by Security Operations Centers
1. Increasing Volumes of Security Alerts
With the snowballing number of security alerts being received, valuable analyst time is being consumed sorting through a plethora of security alerts. Most commonly, time is wasted performing a multitude of mundane tasks to triage and determine the veracity of the alerts, often resulting in alerts being missed or those with more damaging consequences slipping through the net as they are overlooked. As you can probably imagine, analysts’ time would be better spent working on the more sophisticated alerts that need human intervention, as well as proactively threat hunting, in order to minimize the time from breach discovery to resolution.
2. Management of Numerous Security Tools
As a wider range of security suites are being adopted by SOCs and CSIRTs, it is becoming ever more difficult to effectively monitor all of the data being generated from the multiplying number of data points and sources. A typical security operations center may use a combination of 20 or more technologies, which understandably can be difficult to monitor and manage individually. It is therefore important to be able to have a central source and single platform to summarize all of the information as it is being generated and to be able to have a helicopter view of your overall security environment to manage, monitor, and measure security operations and incident response processes effectively.
3. Competition for Skilled Analysts and Lack of Knowledge Transfer Between Analysts
With the global cybersecurity talent shortage expected to hit 1.2m by 2020 and to increase to 1.8m by 2022, the pool of suitable analysts will only continue to diminish over time, with competition becoming fiercer for analysts that have the required skill set. As with most companies and industries, staff come and go, but knowledge transfer is particularly important within a security operations center and incident response teams, in order to ensure the correct response and process takes place in the minimum amount of time, reducing the time to incident detection and the time to incident resolution. A lack of knowledge transfer inevitably leads to increased response times and wasted resources.
4. Budget Constraints with Security Incidents Becoming More Costly
As within most organizations, large or small alike, budgets are always restricted in some way, shape or form. In order to authorize spending, a clear positive ROI usually needs to be forecast and/or proven. Security operations and incident response are notoriously difficult to measure, monitor and manage (why not read our recent whitepaper entitled “KPIs for Security Operations and Incident Response” to learn more), so justifying spend is always difficult. With the increasing number of cyber-attacks, organizations are increasing the level of investment in cyber security tools, but what level of spending is necessary, and at what point does the cost outweigh the benefits it will achieve? Can you put a price on the consequences of a potential incident such as a data breach, knowing you will likely face a hefty fine, as well as brand and reputation damage?
5. Legal and Regulatory Compliance
Meeting a growing number of legal and regulatory compliance requirements such as NIST, PCI, GLBA, FISMA, HITECH (HIPAA) and GDPR, to name a few, as well as industry best practices, will inherently have an impact on any organization, but can have a heavy bearing depending on the specific industry or geographical location. Using the example of the upcoming General Data Protection Regulation (GDPR), taking effect on May 25, 2018, it is even more important for security operations centers to have mandatory processes and procedures clearly in place which are conducted in a legally and policy-compliant manner. Providing sufficient incident reporting and breach notification within the required parameters (in the case of GDPR, notifying the supervisory authority within 72 hours of a breach) is going to be key, or the legal, financial and reputational impact and repercussions could be significant.
Based on these five challenges alone, enterprise SOCs and CSIRTs are struggling to remain efficient and effective and are increasingly being forced to do more with less, while striving to keep up with the current threat landscape and a plethora of security alerts.
With security incidents becoming more costly, enterprises need to find new ways to further reduce the mean time to detection and resolution. As a result, security and risk management leaders will see the business need to invest in Security Orchestration, Automation and Response (SOAR) technology and tools, such as the IncMan SOAR platform from DFLabs, to help improve their security operations proficiency, efficacy and quality, in order to keep their cyber incidents under control.
If you are interested in reading more about how SOAR technology can help to address these challenges in more detail, look out for our future blog on the topic coming soon.
Today, we will talk about our dashboards in IncMan. We will see how to add, delete and generally organize the dashboard widgets. IncMan widgets can display charts, graphs and tables to track Key Performance Indicators. IncMan supports role-based dashboards. This is a key requirement for any SOC, ensuring that the right information is available to the right person based on their role, duties and needs. Which information is required for any individual or team will differ from organization to organization, so we support customization to create unique and dedicated dashboards for every persona.
How to use IncMan Dashboards and Widgets
This default screen displays a number of out-of-the-box charts to get you started, but you will want to customize the dashboard with the widgets you need for your role.
1. To begin creating your unique dashboard, select “Customize” to open the menu.
2. The dashboard screen is split into 4 distinct parts: top, left, right and bottom. By selecting the “+” symbol, you can add an additional widget from a number of pre-defined templates. For this example, let’s add the “Incident Overview” widget:
3. You can change the name of the widget in the configuration screen, for example, “GDPR” or “Urgent Incidents”. You can also specify the applicable timeframe for the widget, and the refresh rate, to determine how often the widget will be updated.
4. Next, we will configure the widget filters to determine the data that the widget displays.
We can apply search filters to narrow down the displayed incidents. You can filter by a variety of attributes, including tags, incident priority, the Incident Response process stage, and any custom fields you have defined. Every filter that is selected will also need a corresponding value assigned to it in the values tab.
5. Once you’ve selected the values you want to add into the table, the final step allows you to define which columns will be displayed in the widget.
Security Orchestration and Automated Response (SOAR) is a relatively new cyber security solution category. The aim of these platforms is to provide a centralized software solution to manage the complete lifecycle of a cyber incident, orchestrate security products towards a determined goal, and respond to cyber incidents in an automated or semi-automated fashion. The SOAR category is of particular interest to Security Operations Center teams, as this product category is now seen as the backbone of incident management.
Given the differences that can exist between Security Operations Center or Cyber Incident Response teams, it is rare to find evaluation criteria that incident response organizations have in common when assessing incident response solutions. That said, the following seem to share a common focus during the evaluation process, in no particular order:
1. Supervised Active Intelligence™
This is a methodology that best describes one of our most powerful features within IncMan™: the ability to arm your SOC teams with selected intelligence related to a cyber incident. This feature provides targeted information directly to the assigned investigator. This information is paramount to starting a cyber investigation, and we see on a daily basis that cyber incidents without this information have a very slow reaction time. However, the most important factor is that your teams take steps guided by the intelligence generated within an IncMan playbook as they work through their playbook actions.
2. Intelligent Correlation Engine
As with the Supervised Active Intelligence feature, within our IncMan platform the intelligence is captured and built upon as the information around cyber incidents grows. This information is analyzed by IncMan, providing a visual representation of how an incident has progressed and whether any other incidents share common features, i.e. whether they affected the same users or the same machine types, patterns that have emerged, etc. We visualize this information over a timeline, allowing the SOC team to correlate the cyber security incidents with business events, or even to track at a basic level how malware has traversed several machines and at what rate.
3. Extended Knowledge base with your own intelligence or from others
We understand as an organization how important it is to use multiple sources of external intelligence. This has led us to provide the ability to extend the IncMan knowledge base with the information required by your SOC team. For example, some clients use the knowledge base to add additional fraud intelligence and prevention information. We natively support TAXII and other feeds using the STIX format of intelligence sharing. Alternatively, if you are part of an intelligence sharing network, IncMan permits connection via its API.
Another feature which we often see utilized by CSOs and CISOs alike is the knowledge base and cyber incident linking capability. We allow tagging and linking of knowledge base articles with cyber incidents to aid reporting and impact visibility to the stakeholders.
4. Integrating your environment
As mentioned earlier, IncMan allows the use of your current environment and the products you already have readily available. We want to bring you, as our client, from “Zero to Hero” in the shortest time span possible, with pre-configured integrations that are enabled within minutes. With IncMan you choose how you want to leverage your existing products. The crucial point is that we know every environment is a mixture of multiple moving parts, and we can integrate with your existing framework to ensure maximum availability while minimizing response time and resource expenditure.
Playbooks can be thought of in the context of American football. The term playbook was created to give a visual meaning to orchestrating team members towards a single goal, given a scenario presented to a team or organization. The three distinct teams are as follows:
– Defense, for containment in cyber incident response
– Special Teams, for enrichment, providing both of the other teams with more information (the equivalent of field position in American football)
– Offense, for mitigating incidents and going on the offensive to put the company in a positive, advantageous position given the situation presented in front of them.
For those of you not into the American football analogy: playbooks give your teams meticulous control over pre-defined workflows to drive policy and procedures in a repeatable, consistent and enforced manner. This allows for enrichment, containment and mitigation driven through one product – IncMan.