Understanding the Difference Between SOCs and CSIRTs

Building an effective security strategy in organizations today requires the right combination of experts, processes, tools and technologies. Luckily, there are many different ways in which you can organize them to fit your company’s needs.

The two types of teams most often mentioned today are Security Operations Centers (SOCs) and Computer Security Incident Response Teams (or CSIRTs). SOCs and CSIRTs have distinctive roles and responsibilities, so deciding which one is better for your organization’s security program isn’t always easy. This blog post will focus on explaining their main objectives and how they differ in structure, which may help you to decide which one is more suitable for your organization’s internal infrastructure and strategy, especially if you are looking to set one up in the near future as your business expands.  

Security Operations Center (SOC)

The term SOC bears the connotation of an environment designed specifically to defend corporate data and networks, and it can be used to describe the facility where carrying out security tasks takes place or the people who are responsible for that.

A SOC is the “brain” of a security organization, as it acts as the center of all roles and responsibilities, with the main goal of protecting information within the organization. Its main tasks are:

  • Prevention
  • Detection
  • Incident management / response
  • Reporting
  • Anything that involves managing and protecting information within the company

Furthermore, the SOC also monitors people, technology and tools, and processes involved in all aspects of cybersecurity. Often companies have a SOC before they decide to establish a separate CSIRT. The end objective of every SOC is to monitor and take care of every cyber activity that takes place and ultimately ensure the organization is protected against any type of attack.

The SOC is also responsible for incident response if there is no formal CSIRT established within the organization. If there is, the SOC helps the CSIRT in responding faster and more efficiently to a cyber threat.

The SOC is responsible for the following:

  • Monitoring the security of users, systems, and applications
  • Prevention, detection, and response to security threats
  • Creating and managing procedures
  • Integration of security systems with other tools

What makes a SOC unique and different from other units within the organization is its centralized role with a strong focus on combining techniques, skills, and technology, by utilizing tools to increase the protection of the company against threats. It’s also important to underline that even though incident prevention and management is not its specialty, a SOC may still cover these events as well, being a department that covers all things related to cyber security.

Computer Security Incident Response Team (CSIRT)

CSIRT is a centralized department within an organization whose main responsibilities include receiving, reviewing, and responding to security incidents. CSIRTs may work under SOCs, or function individually, depending on the organization’s needs and structure.

The main goal of a CSIRT is to minimize and control the consequences from an incident. It’s not just addressing the attack itself, their role involves communicating with boards, executives, and clients about the incident.

Some of its main responsibilities include:

  • Prevention, detection, and response to security threats
  • Ranking alerts and tasks
  • Investigating and conducting forensics on incidents
  • Coordinating strategies
What do CSIRTs do?

The basis of every CSIRT is providing incident management. The CSIRT is the central point of contact in the event of a security incident. Depending on how fast a CSIRT team responds to an incident, it can limit the damage from the incident by providing rapid response and recovery solutions. This ensures the workflow is uninterrupted and lowers the overall costs.

Incident management presupposes three functions: reporting, analysis and response. With this being said, the CSIRT activities usually involve the following:

  • Understanding incidents – CSIRTs must be aware of the nature of the incident and the consequences that might arise from it. A repository helps teams gain insights of the patterns of a certain cyber attack and this could lead to future activities that could prevent the occurrence of such attacks.
  • Handling negative impact – CSIRTs carry out elaborate research of a certain problem and recommend solutions for it.
  • Assist other departments – CSIRT teams distribute alerts across the organizations on the latest threats and risks.
  • Compose security strategies
Does my organization need a CSIRT?

The CSIRT within an organization may be a formal unit or an ad-hoc team, depending on the company’s needs. If your organization is not facing a cyber threat on a regular basis, the need for a CSIRT might not be as big as for larger organizations, or companies in high-risk industries, such as healthcare, finance or government. In industries such as these, responding to threats happens daily and there’s a need for a formal, full-time CSIRT.

Whatever the needs of your organization, don’t forget that a CSIRT team will evolve with time. What might start as an ad-hoc team may develop into a full functioning department as the business expands and progresses.

Final Thoughts

Regardless of the final choice, which will depend on a number of individual requirements and factors, (including but not limited to the size of the organization, the number of threats it faces, the industry and the company’s security program maturity), don’t forget that whatever team is established, it is always important to clearly define roles and responsibilities, have efficient processes in place that can be automated, and implement the right tools and technologies that will help your team do their job more effectively. Set up correctly, SOCs and CSIRTs will facilitate the organization to respond to all security alerts and react faster to the ever-evolving cyber security incidents.

Add Context and Enrich Alert Information for a More Effective Response with DFLabs and ArcSight

Responding to a new security incident in the fastest possible time frame is critical for any security operations center (SOC) or computer security incident response team (CSIRT), but having the necessary information at your fingertips is key in order to help improve response times and appropriately deal with the threat at hand. In this blog post we’ll take a closer look at how security teams can increase the efficiency and effectiveness of their response by adding context and enrichment to the alert information directly from ArcSight, when utilizing DFLabs’ Security Orchestration, Automation and Response (SOAR) platform and its many other bidirectional integrations.

The Problem

Organizations are generating more log data than ever before and are increasingly turning to SIEM tools to help manage, correlate and alert on potential events from this large quantity of data. Once data is correlated and an alert is generated, enriching alert data is often a manual task which consumes a significant amount of analysts’ time. Pivoting from a single alert or from enriched information is often also a manual process, requiring many more custom written queries within the SIEM. Enriched and additional data must then be correlated manually by the analyst before it becomes actionable.

On a daily basis an analyst will face a number of challenges and is likely to be asking themselves the following questions:

  1. How can I use the SIEM logs to add context to a security event?
  2. How can I enrich information from the initial security alert?
  3. How can I pivot from the initial security alert to further my investigation?
The DFLabs and ArcSight Solution

DFLabs and MicroFocus ArcSight bring SOAR and SIEM together to allow rapid, informed responses to security incidents based on enriched, actionable information. DFLabs’ IncMan SOAR platform allows users to automatically query ArcSight to pivot from an initial alert to gather increase insight into the activity within the organization. IncMan also allows users to enrich information retrieved from ArcSight, such as IP addresses, hostnames and domains, using any number of IncMan’s other integrations.

About MicroFocus ArcSight

ArcSight is an industry-leading Security Information and Event Management (SIEM) solution from MicroFocus. ArcSight collects and analyzes events from across systems and security tools. It detects security threats in real time so that analysts respond quickly, and it scales to meet demanding security requirements. ArcSight’s advanced distributed correlation engine, helps security teams detect and respond to internal and external threats, reduces response time from hours or days to just minutes.

Use Case

To get a real understanding of how the two solutions work together, here is a simple use case in action.

A Web Application Firewall (WAF) has observed a potential attack against an application server in the organization’s DMZ. IncMan automatically responds by initiating an appropriate runbook for the alert. The runbook begins by performing basic enrichment on the source IP address of the malicious traffic. This basic enrichment is followed by a query for IP reputation information on the source IP address from the organization’s threat reputation service of choice.  

Following the threat reputation search, ArcSight is queried for any other events which have been recently generated by the source IP address. If ArcSight returns any other recent events generated by the source IP address, or the source IP address has a negative threat reputation, the severity of the incident is automatically upgraded to High. The analyst is then presented with a user choice decision to determine if the source IP address should be blocked at the perimeter firewall. If the analyst chooses to automatically block the source IP address, a ticket will be created in ArcSight Enterprise Security Manager (ESM) to notify the appropriate teams to follow up on the emergency change according to the organization’s policies.

These actions are followed by a second query to ArcSight, this time for any other recent events involving the web application server. If ArcSight returns any other recent events generated from the web application server, the severity of the incident is automatically upgraded to High (unless it has already previously been upgraded).  The runbook concludes by performing a query of the organization’s endpoint detection solution for all recent events from the web application server. This information will be retained for review by the analyst during the investigative process.

ArcSight

 

ArcSight Actions

In summary, here are the actions available to security analysts by using ArcSight.

Enrichment:

  • Get Active List Entries
  • Search Into Events

Containment:

  • Add Active List Entries
  • Clean Active List Entries

Notification:

  • Create Ticket
  • Get Ticket
  • Update Ticket

Integrating ArcSight with DFLabs’ IncMan SOAR allows organizations to efficiently triage the volume of alerts being generated by the SIEM, automatically prioritizing those alerts which may pose the greatest risk to the organization. By automating and orchestrating the SIEM with other security solutions, IncMan SOAR can automatically enrich the alert information, then pivot based on the enriched information as an analyst would do during a manual investigation. This ability to automatically enrich and pivot allows IncMan to more accurately prioritize incidents which may initially seem innocuous.  

9 Key Components of Incident and Forensics Management

Incident and Forensics Investigations Management

Security incidents and digital forensics investigations are complex events with many facets, all of which must be managed in parallel to ensure efficiency and effectiveness. When investigations are not managed and documented properly, processes fail, critical items are overlooked, inefficiencies develop, and key indicators are missed, all leading to increased potential risk and losses.

Investigation management can be broken down into a number of key components and it is important that an organization is able to carry out all of these elements collectively and seamlessly in order to properly handle and manage any incident they may potentially face.

This blog will briefly cover 9 key areas that I believe are the most important when it comes to incident and forensics management. Ensuring these are firmly in place within your security operations or CSIRT team will ensure more efficient and effective incident management when an incident does occur.

If you would like to learn more about each of the components in more detail and how DFLabs has incorporated them into its comprehensive and complete Security Orchestration, Automation and Response (SOAR) platform to enable organizations to improve their security program, you can download our in-depth white paper here.

Case Management

Every investigation must be organized into a logical container, commonly referred to as a case or incident. This is necessary for several reasons. Most obviously, this container is used to identify the investigation and contain information such as observables, tasks, evidence, notes and other information associated with the investigation, discussed in greater detail in the subsequent sections. Many investigations contain sensitive information which should only be accessible by those with a legitimate need to know. These containers also serve to enforce a level of access control.

Observables and Findings

Investigations generate a large volume of data, from simple observables such as IP addresses, domain names and hash values, to more complex observables such as malware and attacker TTPs, as well as findings such as those made from log analysis, forensic examination and malware analysis. All this information must be recorded and shared with all appropriate stakeholders to ensure the most effective response to a security incident.

Data gathered from previous incidents can be an invaluable tool in responding more effectively to future security incidents. As individual data points are associated with each other, this information is transformed from simple data into actionable threat intelligence which can inform future decisions and responses.

Phase, Expectation and Task Management

Investigations generally progress through a series of phases, each of which will contain a series of management expectations and a set of tasks required to meet those expectations. As the complexity of an investigation increases the tracking of these phases, expectations and tasks become both more critical and more difficult to manage. Failing to properly track and manage investigation phases, expectations and tasks can lead to duplicated efforts, overlooked items and other inefficiencies which lead to an increase in both cost and time to successfully complete an investigation.

Evidence and Chain of Custody

Documenting evidence and tracking chain of custody can be a complex process during an investigation of any size. Documentation using older paper-based or spreadsheet systems does not scale to larger investigations, is prone to error and is time-consuming. Failing to maintain a full list of evidence or maintain chain of custody can result in lost evidence, duplication of efforts and inability to use critical evidence during legal processes.

Forensic Tool Integration

Security operations use a multitude of tools and technologies on a daily basis with different ones being utilized for varying types of investigations. Logging into several platforms individually to collect data is often a manual process and can be tiresome and painful, as well as extremely time-consuming, and time is always of the essence. It is critical that security tools are connected and integrated to improve efficiencies and to fuse intelligence seamlessly together so that all data can be analyzed and documented in a single location and immediately shared with relevant stakeholders.

Reporting and Management

Reporting and the management of reports is a vital function during any investigation. Once information is documented, it must be able to be accessed easily and in multiple formats appropriate for a wide variety of audiences. As the scale of an investigation grows, so does the number of individual reports which will be generated. This can result in many complexities, including sharing logistics, proper access controls and managing different versions of reports. To reduce the impact of these complexities, a single report management platform should be used to act as the authoritative source for all reports.

Activity Tracking and Auditing

Tracking actions taken during an investigation is important to ensure a consistent response, identify areas where process improvements are needed, and to prove that the actions taken were appropriate. Not only must actions be documented, but it is also crucial to ensure that the integrity of this documentation cannot be called into question later. However, documenting activity during an investigation can be time-consuming, taking analysts attention away from the tasks at hand, and is often an afterthought.

Information Security

Investigative data can be extremely sensitive, and it is crucial that the confidentiality of such data be maintained at all times. Confidentiality must be maintained not only for those outside of the organization but also for those internal users who may not be authorized to access some or all of the incident information.

Asset Management

No matter the specific roles a team is tasked with, the team will require many different physical and logical internal assets to accomplish their tasks. This may include workstations, storage media, license dongles, software and other hardware. Regardless of the asset, an organization must be able to track that asset throughout its life, ensuring that they (and the money spent on them) do not go to waste.  As the team grows, managing the tracking of these assets, who they are issued, their expiration dates and more can become a full-time task.

Final Thoughts

These core components combined enable security teams to work more efficiently throughout the entire investigative lifecycle, reducing both cost and risk posed by the wide variety of events facing organizations today. Providing a holistic view of the security landscape and the organization’s broad infrastructure allows for better use of existing tools and technologies to minimize the time team members must spend on the administrative portions of investigations, allowing them to focus on the more important tasks that will ultimately impact the outcome of the response.

Learn more about the topic by downloading our latest Whitepaper titled “DFLabs IncMan SOAR: For Incident and Forensics Management“.

Why Measuring SOC-cess Matters – Using Metrics to Enhance Your Security Program

SANS recently released their 2018 SOC Survey and many of their findings were of no surprise to anyone who has been responsible for maintaining their organization’s security posture. Many respondents reported a continued breakdown in communication between NOC and SOC operations, lack of dynamic asset discovery procedures, and event correlation continues to be a manual process even though SOC staffing is being worn thin by the surmounting responsibilities they have to take on.

Why Measuring SOC-cess Matters?

Anyone who has been a part of a security team knows these issues are an everyday battle, but those “common” issues were not what caught me off guard. The most shocking statistic I gathered from this survey is that only 54% of respondents reported that they are actively using metrics to measure their SOC’s success! I was taken aback by this finding and couldn’t help but wonder if all the other reported SOC deficiencies could be directly related to this missing link?

I have been in the security industry for close to ten years, most of which was spent as a SOC analyst and SIEM engineer for a large MSSP. It was my responsibility to be an extension of my client’s security arm and those clients ranged from large Fortune 500 companies to small family owned businesses. Each client was unique, what one found to be important, another thought of as noise. The diversity between each of these clients taught me early on how important it is to understand what their definition of success was so that I may help them to not only achieve their security goals but to assist them in staying ahead of today’s rapidly expanding threat landscape.

This diversity also taught me another valuable lesson: not all security programs are created equally. Naturally, my larger clients had a more mature security posture, they knew what they wanted and what it would take to get them there, and they had the funding to back it up. Unfortunately, some of my smaller clients were not as lucky. They were severely understaffed, their IT department was the Security department, they lacked adequate funding to stay ahead of the ever-growing security curve, and in many cases, the measurement of success resembled a game of whack a mole.

Does this sound familiar? If the answer is yes, you can rest assured that you are not alone. Even the most secure, highly funded organizations have struggled with these obstacles. However, I believe one of the biggest differences between these organizations and the organizations striving to be like them isn’t directly due to the lack of funds, but instead the metrics they are using to show value in what they are trying to accomplish.

Don’t get me wrong, funding is and always will be an obstacle that organizations, large or small, will have to overcome when trying to build and maintain a security program. But the larger and more dangerous obstacle is the one we are creating for ourselves by not measuring and monitoring our security strengths and weaknesses through a strong security metrics program.

This type of security program will be as different as the organization it aims to define. To truly understand what success looks like for you there are a few recommended tasks, that when completed, will give you a greater understanding of your environment and a strong foundation for your security metrics program.

How to enhance your security program
  • Conduct a risk assessment

A risk assessment is meant to help identify what an organization should be protecting and why. A successful assessment should highlight an organization’s valuable assets and showcase how they may be attacked and what would be at stake if an attack is successful. Armed with the results of this assessment, organizations can not only begin to address their deficiencies but now have a solid set of metrics that they can use to measure their success as they move forward.

  • Perform vulnerability assessments

Vulnerability assessments are another vital security tool which is designed to detect as many vulnerabilities as possible in an environment, and aid security teams in prioritizing and remediating the issues as they are uncovered. All organizations regardless of maturity will benefit from these types of assessments, but organizations with a low to medium security posture may benefit the most. The result of these assessments will help give greater definition to what an organization’s metrics should consist of and what steps are necessary for continued success.

  • Adopt a security framework

Even if you are not held to a compliance standard, adopt a security framework anyway. I understand that choosing a framework to model form does not guarantee an organization’s safety, but it is proven that those organizations who adopt a standard have a higher security maturity and are more likely to identify, contain, and recover from an incident faster than those who do not follow security program’s best practices. These frameworks, in conjunction with the security assessments mentioned above, were built to give organizations a blueprint of how to best protect their environment and measure their successes.

I sincerely believe in the value of a rich metrics program and have seen first hand what it can do for an organization. With the level of sophistication in today’s cyber attacks and the environments they target, we can no longer afford to leave our security up to chance. It is my hope that when SANS publish their SOC Survey for 2019, that we have taken the steps necessary to change this statistic because I know as an industry we can do better.

If you want to read more about KPIs and the metrics that we suggest should be set, monitored and measured for a more efficient and effective security program, read our white paper titled “Key Performance Indicators (KPIs) for Security Operations and Incident Response”

SANS 2018 SOC Survey – How Does Your SOC Stack Up?

Each year SANS conducts a global Security Operations Center – SOC survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs.  With the continual increase in volume and sophistication of cyber attacks it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.

This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”!  This blog will cover a quick snapshot of the report highlights and we will delve deeper into some of the results in future posts.  

You can download the full report here. DFLabs is joining the SANS team for a live webinar to discuss the results in more detail (16th August at 1:00 PM EDT).  

SANS 2018 SOC Survey Highlights

Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization.  So, how does your SOC stack up against the 2018 survey results?

Here are the key findings.

  • Only half of SOCs (54%) use any form of metrics to measure their performance
  • There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
  • Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
  • The most meaningful event correlation is still primarily carried out manually
  • Over half of respondents (54%) did not consider their SOC a security provider to their business
  • The most common architecture is a single central SOC (39%)
  • Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
  • Top shortcomings to SOC performance included:
    • – Shortage of skilled staff (62%)
    • – Inadequate automation and orchestration (53%)
    • – Too many unintegrated tools (48%)

What do these results actually mean? I am sure they can be interpreted in many ways. For me some results were not surprising, such as the shortage of skilled labor is the number one shortfall affecting SOC performance. However, some were quite startling, in particular surrounding the number of SOCs that do not use any form of metrics to measure performance – results indicating nearly half.

With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.   

Defining and Measuring SOC-cess

What is “SOC-cess” and how can we determine what an efficient and effective SOC is?  SANS definition of SOC-cess is as follows.

SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions.  The response activities of SOC represent the reactive side of operations.”

I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor.  Of those SOCs surveyed, the top three metrics measured included:

  1. Number of incidents handled
  2. Average time from detection to containment to the eradication of an incident
  3. Number incidents closed in a single shift

Without these metrics, there is nothing to compare to or benchmark against to measure the overall performance and capabilities of the SOC and it will be difficult for management to justify any additional investment in additional tools or resources if the effectiveness and return on investment can’t be calculated or quantified. Therefore, measuring metrics should be a number one priority for any SOC to determine its success, not only by the 54% of SOCs that currently do so.

Summary of Findings

Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.

Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.

There are though a number of things that can help to drive improvements and these include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended and better orchestration both with the NOC and SOC, using orchestration tools to drive consistency.

Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.

How Can DFLabs Help?

A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs can not only help to tackle the orchestration and automation shortfalls as mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, as well as measuring SOC performance metrics.

Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.

The Top 5 Challenges Faced by Security Operations Centers

Not so long ago we used to hear about a cyber-attack or a new form of vulnerability in the news perhaps on a quarterly or monthly basis.  Today, they are becoming increasingly more frequent and I don’t think a day goes by that we don’t read in the headlines about the consequences an organization is having to face, due to another attack. McAfee recently reported a staggering eight new cyber threats a second in Q4 2017.  

With the sophistication of attacks also continuously evolving, the modern CISO is now facing up to the fact and preparing for a “when it will happen” scenario as opposed to “if it will happen”, as cyber incidents become more inevitable. Based on this, their cybersecurity strategy is being turned on its head and instead of focusing more on how to prevent an incident from occurring in the first place, they are now heavily investing in technologies and solutions to help identify, manage and contain an incident, in order to minimize the impact to the organization when it does occur.  

In larger enterprises today, it is common to have a Security Operations Center (SOC) and/or a Computer Security Incident Response Team (CSIRT) to monitor, manage and respond to incoming security alerts, but with this, there are numerous challenges that are continuously being faced.  Our recent blog “How to Implement Incident Response Automation the Right Way” specifically addressed the challenge of increasing volumes of alerts, resulting in an exponential volume of mundane tasks and discussed how utilizing automation should be implemented to overcome this. In reality, the number of challenges is probably many more than what we will cover in this blog, but here are our top five, which we believe are currently having the biggest effect on SOCs and CSIRTs today.

Top 5 Challenges Faced by Security Operations Centers

1.  Increasing Volumes of Security Alerts

With the snowballing number of security alerts being received, valuable analyst time is being consumed sorting through a plethora of security alerts.  Most commonly, time is wasted performing a multitude of mundane tasks to triage and determine the veracity of the alerts, often resulting in alerts being missed or those of more damaging consequences slipping through the net as they are overlooked.  As you can probably imagine, analysts time would be better spent working on the more sophisticated alerts that need human intervention, as well as proactively threat hunting, in order to minimize the time from breach discovery to resolution.

 2. Management of Numerous Security Tools

As a wider range of security suites are being adopted by SOCs and CSIRTs, it is becoming ever more difficult to effectively monitor all of the data being generated from the multiplying number of data points and sources.  A typical security operations center may use a combination of 20 or more technologies, which understandably can be difficult to monitor and manage individually. It is therefore important to be able to have a central source and single platform to summarize all of the information as it is being generated and to be able to have a helicopter view of your overall security environment to manage, monitor, and measure security operations and incident response processes effectively.

3.  Competition for Skilled Analysts and Lack of Knowledge Transfer Between Analysts

With the global cybersecurity talent shortage to hit 1.2m by 2020 and to increase to 1.8m by 2022, the pool of suitable analysts will only continue to diminish over time, with the level of competition becoming more fierce for analysts that have the required skill set.  As with most companies and industries, workforce comes and goes, but knowledge transfer is particularly important within a security operations center and incident response teams, in order to ensure the correct response and process takes place within the minimal amount of time, reducing the time to incident detection and time to incident resolution. This lack of knowledge transfer can inevitably lead to increased response times and wasted resources.

4. Budget Constraints with Security Incidents Becoming More Costly

As within most organizations large or small alike, budgets are always restricted in some way, shape or form. In order to authorize spending, a clear positive ROI usually needs to be forecast and/or proven. Security operations and incident response are notoriously difficult to measure, monitor and manage, (why not read our recent whitepaper entitled “KPIs for Security Operations and Incident Response” to learn more), so justifying spend is always difficult.  With the increasing number of cyber-attacks, organizations are increasing the level of investment in cyber security tools, but what level of spending is necessary and what amount outweighs the benefits it will achieve? Can you put a price on the consequences of a potential incident such as a data breach, knowing you will likely face a hefty fine, as well as brand and reputation damage?

5. Legal and Regulatory Compliance

Meeting a growing number of legal and regulatory compliance such as NIST, PCI, GLBA, FISMA, HITECH (HIPPA) and GDPR to name a few, as well as industry best practices, will inherently have an impact on any organization, but can have a heavy bearing depending on the specific industry or geographical location.  Using the example of the upcoming Global Data Protection Regulation, taking effect on May 25, 2018, it is even more important for security operations centers to have mandatory processes and procedures clearly in place which are conducted in a legally and policy-compliant manner.  Providing sufficient incident reporting and breach notification within the required parameters (in the case of GDPR to notify the supervisory authority within 72 hrs of a breach) is going to be key, or the legal, financial and reputational impact and repercussions could be significant.      

Based on these five challenges alone, enterprise SOCs and CSIRTs are struggling to remain efficient and effective and are increasingly being forced to do more with less, while striving to keep up with the current threat landscape and a plethora of security alerts.  

With security incidents becoming more costly, enterprises need to find new ways to further reduce the mean time to detection and resolution.  As a result, security and risk management leaders will see the business need to invest in Security Orchestration, Automation and Response (SOAR) technology and tools, such as the IncMan SOAR platform from DFLabs, to help improve their security operations proficiency, efficacy, and quality, in order to keep their cyber incident under control.

If you are interested in reading more about how SOAR technology can help to address these challenges in more detail, look out for our future blog on the topic coming soon.

Using IncMan Dashboards and Widgets

Today, we will talk about our dashboards in IncMan. We will see how to add, delete and generally organize the dashboard widgets. IncMan widgets can display charts, graphs and tables to display and track Key Performance Indicators. IncMan supports role-based dashboards. This is a key requirement for any SOC, facilitating that the right information is available to the right person based on their role, duties, and needs. Which information is required for any individual or team will differ from organization to organization, so we support customization to create unique and dedicated dashboards for every persona.

How to use IncMan Dashboards and Widgets

Incman dashboards and widgets 1

 

This default screen displays a number of out of the box charts to get you started. But you will want to customize the dashboard with the widgets you need for your role.

1. To begin creating your unique dashboard, select “Customize” to open the menu.

 

Incman dashboards and widgets 2

 

2. The dashboard screen is split into 4 distinct parts: top, left, right and bottom. By selecting the “+” symbol, you can add an additional widget from a number of pre-defined templates. For this example, let’s add the “Incident Overview” widget:

 

Incman dashboards and widgets 3

 

3. You can change the name of the widget in the configuration screen, for example, “GDPR” or “Urgent Incidents”. You can also specify the applicable timeframe for the widget, and the refresh rate, to determine how often the widget will be updated.

4. Next, we will configure the widget filters to determine the data that the widget displays.

 

Incman dashboards and widgets 4

 

We can apply search filters to narrow down the displayed incidents. You can filter by a variety of attributes, including tags, incident priority, the Incident Response process stage, and any custom fields you have defined. Every filter that is selected will also need a corresponding value assigned to it in the values tab.

 

Incman dashboards and widgets 5

 

5. Once you’ve selected the values you want to add into the table, the final step allows you to define which columns will be displayed in the widget.

 

Incman dashboards and widgets 6

 

Enjoy!

Top 5 Features to Evaluate When Selecting a Security Orchestration and Automated Response Product

Security Orchestration and Automated Response (SOAR) is a relatively new cyber security solution category. The aim of these platforms is to provide a centralized software solution to manage the complete lifecycle of a cyber incident, orchestrate security products to a determined goal, and respond to cyber incidents in an automated or semi-automated fashion. The SOAR category is of particular interest to Security Operations Center Teams, as this product is now seen as the backbone of incident management.

Given the differences that can exist between Security Operations Center or Cyber Incident Response teams, it’s rare to find items that share a commonality between the incident response organizations when evaluating incident response solutions. Given that, the following seem to share a common focus during the evaluation process:

In no particular order:

1. Supervised Active Intelligence™
This is a methodology that best describes one of our most powerful features within IncMan™, the ability to arm your SOC teams with selected intelligence related to a cyber incident. This feature provides targeted information and is provided directly to the assigned investigator. This information is paramount to starting a cyber investigation, and we see on a daily basis that cyber incidents without this information have a very slow reaction time. However, the most important factor is your teams take steps that are guided by the intelligence generated within an IncMan playbook as they work through their playbook actions.

2. Intelligent Correlation Engine
As per the Supervised Active Intelligence feature, within our IncMan platform, the intelligence will be captured and build upon the growing information around cyber incidents. This information is analyzed by IncMan, providing a visual representation of how an incident has progressed and if any other incidents share common features. I.e. they affected the same users, or same machine types, patterns that have emerged etc. We visualize this information over a timeline, allowing the SOC team the ability to correlate the cyber security incidents to business events or even basic tracking how malware has traversed through several machines and at what rate.

3. Extended Knowledge base with your own intelligence or from others
We understand as an organization how important it is to use multiple sources of external intelligence. This has allowed us to provide the ability to extend the IncMan knowledge base with the information required by your SOC team. For example, some clients use the knowledge base to add additional fraud intelligence and prevention information. We natively support TAXII and other feeds using the STIX format of intelligence sharing. Alternatively, if you are a part of an intelligence sharing network, IncMan permits the API connection.

Another feature which we often see utilized by CSO’s and CISO’s alike is regarding the knowledge base and Cyber Incident linking capabilities. We allow tagging and linking of knowledge base articles with cyber incidents to aid reporting and impact visibility to the stake holders.

4. Integrating your environment
As mentioned earlier, IncMan allows the use of your current environment and the products you already have readily available. As our client, we want to bring you from “Zero to Hero” in the shortest time span possible with pre-configured integrations that are enabled within minutes. With IncMan you choose how you want to leverage your existing products. The crucial point is we know every environment is a mixture of multiple moving parts and we can integrate with your existing framework to ensure maximum availability while minimizing response time and resource expenditures.

5. Playbooks
Playbooks can be thought of in the context of American football. The term playbook was created to give a visual meaning to orchestrating team members for a single goal, given a scenario presented to a team or organization. The three distinct teams are as follows

Defense, and containment for cyber incident response
Special Teams for enrichment and providing both teams with more information and field position for American football
The offense for mitigating incidents and going on the offensive to put the company in a positive, advantageous position given the situation that is presented in front of them.

For those of you not into the American Football analogy; Playbooks give your teams meticulous control over pre-defined workflows to drive policy and procedures in a repeatable, consistent and enforced manner. This allows for enrichment, containment, and mitigation driven through one product – IncMan.