The recent SANS 2018 Security Operations Center (SOC) Survey, which was designed to identify the areas of SOCs that need improvement to reach consistent levels of success, revealed several significant deficiencies. These challenges can be overcome with several proven best practices. This blog post will focus on the top four identified SOC deficiencies, the core causes behind them, and the actions that should be taken to the end of improving them.
Lack of automation/orchestration, integrated toolsets and processes/playbooks
Most SOCs fall behind with automation and orchestration mainly because they aren’t aware of the processes that should be automated. This issue can be fixed by performing employee interviews and conducting risk and security assessments.
The employees are the first line of defense in an organization. Those processes that are repeatable can be easily discovered by interviewing employees and find out what tasks they are responsible for.
Interviewing employees to find out what tasks they are responsible for can identify repeatable processes. These processes, such as evidence gathering during an incident (IP/URL reputation, information, etc.), are time-consuming but can be easily automated with SOAR technology. By automating time-consuming processes, employees can better utilize their time with more urgent matters which will benefit the overall organization.
Performing risk assessments and other security-related tasks will naturally lead to the strengthening of a security program by identifying assets (asset management), identifying vulnerabilities (vulnerability management), providing metrics to monitor and improve (security metrics program), and highlighting areas to be included in a security monitoring program. Identifying these areas of an organization’s security landscape means additional repeatable processes will be exposed, and this not only provides automation opportunities but also aids in overcoming the other deficiencies today’s SOCs are struggling with.
Additionally, the lack of integration between security tools can be attributed to the security vendor space becoming more and more saturated and organizations are forced to layer their security defenses to protect from multi-threaded attacks. This has left security teams with a vague knowledge of their product lines and what they can do in concert with each other. However, there is no easy fix here – some alternatives may include performing Proof of Concept (POC) engagements and encouraging security vendors to “lean in” and gain a better understanding of the organization’s environment. By doing so, these organizations can test drive the product, identify possible gaps, and correct them before deploying it to the environment.
Finally, SOCs that fall behind in terms of processes and playbooks typically have a low maturity security program. In these situations, working with a managed security service provider or managed detection and response service seem to be good alternatives.
Asset discovery and inventory tool satisfaction was lowest of all SOC technologies
The main reason for this finding is simple: asset inventory and management is hard. Even with an asset management or inventory system in place, the technology staff will be left doing the heavy lifting. The initial upfront investment of time and energy is what usually causes organizations to become dissatisfied. In a world of instant gratification, we expect that if we spend a certain amount of money on any product that it should accelerate us to our end goal. But unfortunately reality sets in and we are still faced with dynamic business landscapes and a rapidly evolving technology curve which forces us to roll up our sleeves and get our hands dirty.
Any asset management program requires planning and a full understanding of the environment. Without these crucial steps, any tool that is purchased will fail to meet your requirements. As mentioned earlier, perform risk and security assessment against your environment. A lot of security assessments, particularly vulnerability assessments, have a discovery phase. This phase will produce a list of assets as well as their vulnerabilities which an organization can use as a jumping off point. And as always, keep in mind there is no single solution good enough for everyone. There will be some pain and heartache when standing up an asset management solution, but when done correctly will be worth it in the long run.
Despite the use of SIEM and big data tools, most event correlation is still manual
This seems counter-intuitive, but there’s a good explanation. When standing up a SIEM, it is not as simple as turning it on and pointing log sources towards it. Organizations should have a grasp of their log sources and the overall visibility they provide into the environment.
In order to do this correctly, an organization should perform a network audit. This will highlight where network taps should be located, what devices consistently speak to each other, and if there are any gaps or obstacles which must be resolved. Obstacles, for example, web proxies masking a true source, or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization’s SIEM from conducting the proper correlation between events. Understanding where these gaps lie and the limitations a chosen SIEM product may have can help investigation teams better understand areas where manual correlation may still be necessary.
Effectiveness of SOC/NOC integration is low
This deficiency is a cultural problem, SOC teams have one agenda (detection and protection), while NOC teams have another (maintaining uptime and availability). These are usually at odds with each other, take for example the age-old conflict of least privilege. Network teams want to have the keys to the castle and be able to move freely through the environment, while SOC teams are focused on locking down the environment to better identify anomalies which may indicate malicious activity.
Meanwhile, to add to this misaligned agenda, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the surmounting responsibilities these teams face when maintaining and securing a network. To bridge the gap, organizations will want to institute processes and procedures that outline rules of engagement between the teams. By creating rules of engagement, both departments know what their responsibilities are and the processes and procedures which are in place for their interactions leave little doubt as to how the partnership should function.
These Security Operations Centers (SOC) deficiencies in most organizations can be easily overcome with timely planning and with the right processes in place. A good option for those that lack appropriate resources or security program is to use a managed security service provider, or managed detection and response service.
With a vast range of security technologies, tools and platforms now widely available in the market for security teams, it is ever more complex to decide which tools are best to deploy to suitably defend the organization’s infrastructure.
Within security structures of larger organizations, it is common to have a security information and event management (SIEM) tool in place, alongside or sitting on top of several other systems, but how can it benefit from implementing a Security Orchestration, Automation and Response (SOAR) solution on top of its existing SIEM infrastructure to further manage its security operations and incident response processes and tasks? Let’s find out.
In simple terms, a SIEM collates and analyses the information generated from various sources, identifying issues and raising the initial security alerts. Alert triage is then often carried out by security analysts in a very manual and non-methodical way and subject to mistakes and errors due to the sheer volumes and number of repetitive and mundane actions required, often not being able to fulfill all of them. One of the original core drivers for SIEM technology was to ingest and process large volumes of security events; a function which SIEMs continue to excel at today. However, although some advanced SIEMs have incorporated additional features, such as integration with threat intelligence and other third-party solutions, many SIEMs are still largely focused on data ingestion and presentation.
Another fundamental limitation of many SIEM solutions is that the communication between the SIEM and other third-party products is unidirectional. SIEMs were designed to ingest information, however, support for two-way communication with third-party tools is often limited at best. In most cases, this severely limits a SIEM’s ability to carry out actions beyond the initial alert; this is where a SOAR solution can add significant additional value.
A SOAR solution, on the other hand, is often used in conjunction with a SIEM, however, it is not dependent on having a SIEM in place. A SOAR solution is not intended to be a SIEM replacement, instead, when used in conjunction with a SIEM it is intended to be utilized to help security teams automate and orchestrate actions across their entire portfolio of security products in a bidirectional manner to reduce analyst workload, alert fatigue, time to respond and remediate and reduce overall risk.
Sitting on top of the SIEM, the SOAR solution would orchestrate and automate multiple third-party tools from different vendors, whereas the SIEM would be used to collate and analyze data and generate the alert, which is just the first step of a multistep process. SOAR technology would then be leveraged once the initial security threat had been detected and the security alert generated by the SIEM.
The amount of security events that cybersecurity professionals deal with on a day to day basis can be overwhelming and analysts often have to delve through a deluge of data to find what they are looking for, ultimately preventing them from tackling incidents more efficiently. SIEM tools collect large amounts of information from different areas of the IT framework, but too much information sometimes is just as crippling as not enough information.
A SIEM used in isolation helps to centralize information gathered from various other security tools being used, but it can often lead to an overwhelming amount of information, that then needs to be filtered and correlated to eliminate the false positives to leave only the critical events that need to be acted upon. It can produce a vast quantity of security alerts, leaving security analysts inundated, not knowing which alerts should take priority and be tackled first. This will have a negative impact on the security team, with what is already considered a scarce resource.
Most security teams do not realize the sheer number of alerts that will be received and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture. There is a common misconception that a SIEM will reduce the number of incoming alerts by applying correlation rules. However, this is not always the case and correlation rules may only reduce a small percentage of the total number of alerts. Most enterprises will see a clear business need for implementing a SOAR solution to help reduce alert fatigue, orchestrate the organization’s different security tools and automate menial tasks.
Integrating a SIEM with a SOAR solution combines the power of each to create a more robust, efficient and responsive security program. Taking advantage of the SIEM’s ability to ingest large volumes of data and generate alerts, the SOAR solution can be layered on top of the SIEM to manage the incident response process to each alert, automating and orchestrating a number of mundane and repetitive tasks that would take many manual man hours to complete.
SOAR solutions such as IncMan from DFLabs support SIEM integrations and present a comprehensive solution for all organizations that are trying to create a successful and affordable security program, by effectively reducing the noise generated by a high number of alerts and sometimes less than reliable threat intelligence. This can ultimately enable security teams to minimize incident resolution time, maximize analyst efficiency and overall increase handled incidents.
The combined power of a SOAR solution working alongside a SIEM is crucial to ensure that alerts do not go untouched or ignored. More importantly, it ensures all alerts are dealt with in a timely manner and are acted upon following a standard set of consistent and repeatable practices and procedures.
A SIEM is a crucial tool within any security infrastructure, amongst other tools. However, it is critical to keep in mind what a SIEM is designed to achieve, and what gaps may still exist within the security program. The combination of a SIEM and a SOAR solution can transform the security operations and incident response capability and take it from one level to the next, in an intelligent and predetermined manner, so why wait? To learn more about the topic read our new whitepaper “How to Leverage Your Existing SIEM Tool with SOAR Technology”
Last week, Anton Chuvakin from Gartner announced that Augusto Barros and himself are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration, depending on which analyst firms’ market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.
Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question, in particular, standing out to us.
1.When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why your best customer acquired the tools?
Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.”
The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives?”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.
Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.
To sum up the most common drivers for someone asking about Security Automation and Orchestration:
- A high volume of alerts and incidents and the challenge in managing them
- A large portfolio of diverse 3rd party security detection products resulting in a large volume of alerts
- Regulatory mandates for incident response and breach notification
- An overstretched security operations team
- Reporting risk and the operational performance of the CSIRT and SOC to an executive audience
One interesting thing is that when there is no external driver like regulatory compliance, deploying a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture.
The common misconception is that the SIEM can help to reduce the number of incoming alerts by applying correlation rules. This not entirely untrue, but correlation rules will only reduce a small percentage. They are essentially signature based. You need to know in advance what you want to correlate, and adding a correlation rule to cover all and every incoming alert is not a trivial task. Even with correlation rules, additional work will be required to qualify an incident. Gathering additional IoC’s, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and threat containment will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI – as a force multiplier.
Alert fatigue is the desensitization when overwhelmed with too much information. The constant repetition and sheer volume of redundant information are painful and arduous but sadly often constitutes the daily reality for many people working in cyber security. Mike Fowler (DFLabs’ VP of Professional Services) discusses several best practices to help with some of the challenges involved in this in his recent whitepaper “DFLabs as a Force Multiplier in Incident Response”. I am going to discuss another one, but looking at it from a slightly different angle.
Imagine the scenario where we have tens of thousands of alerts. Visualize these as Jigsaw pieces with a multitude of different shapes, sizes and colors and the additional dimension of different states. We have alerts from a firewall, anomalies from behavioral analytics, authentication attempts, data source retrieval attempts or policy violations. Now, there are a lot of ways to shift through this information, for example by using a SIEM’s to correlate the data and reduce the some of the alerts. The SIEM could identify and cross-reference the colors and shapes of the jigsaw pieces so to speak.
The next question once that I’ve got the all the pieces I need for the puzzle is how do I put this together? How do I complete the puzzle and unlock the picture?
The “what does the jigsaw picture?” question is something that will often puzzle the responders, pun intended. How do you prioritise and escalate incidents to the correct stakeholders? How do you apply the correct playbook for a specific scenario? How do you know which pieces of information to analyse to fit the jigsaw pieces together and make sure the puzzle looks correct?
Automation process can speed up putting that puzzle together, but making sure you automate the right things is just as critical. If skilled staff are running search queries that are menial, repetitive and require little cognitive skill to execute, you should ask yourself why they are performing these and not instead focused on analyzing the puzzle pieces to figure out how they fit together?
Remove the menial tasks. Allow automation to do the heavy lifting so your teams are not only empowered by the right information they need to successfully manage the response to an incident but also to give them more time to figure out the why, how and what of the threat.
We also welcome you to join us for a webinar hosted by Mike Fowler on this topic on the 6th of September.
Is Cyber Threat Intelligence Still Useful?
The importance of information in business in today’s modern world is invaluable. But, in some cases, having large amounts of information coming your way can actually hurt your business. This holds true particularly for organizations that are constantly dealing with the risk of cyber attacks, and every piece of information that could help them prevent those attacks can be of great use to them. This is where cyber threat intelligence comes in, as one of the crucial aspects of developing an effective cyber defense strategy.
But, with so many feeds from various sources at their disposal, determining which information is relevant and credible and distinguishing it from the data that is not essential in regard to a potential cyber threat has become a major challenge for many cyber security professionals. As a result, being able to reduce the noise coming from the flurry of threat intelligence is now key to creating successful security operations.
Overwhelming Amount of Cyber Threat Information
A new study recently conducted by Ponemon Institute LLC, and sponsored by Anomali, reveals that the amount of threat intelligence that cyber security professionals deal with is overwhelming, preventing them from tackling incidents more efficiently.
The study, titled The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, surveyed more than 1,000 professionals from the cyber security industry, with 70 percent of them saying that threat intelligence is often “too voluminous and/or complex to provide actionable intelligence”. This is a figure that should raise a concern, considering that almost half of the respondents (46%) said that incident responders rely on threat data during the incident response process. Furthermore, according to the study, there is too much data to really make sense of if enterprises have a limited resource staff of security operations center analysts or threat analysts.
SIEM Integration Vs IR Orchestration
Cyber security experts agree that in order to be able to use cyber threat intelligence data in an effective and productive way, there must be an SIEM integration in place. However, while 62% of those surveyed said they were aware of this necessity, as many as 64% of them stated that putting such integration in place takes a lot of time and resources, making it a tough feat.
In my corporate experience, the companies that are actually integrating SIEM with CTI, represent a minority. The main challenge of such lack of integration is the impossibility of valorizing the TI Feeds, during an incident. But, there is a new technology trend that addresses this exact problem. There are platforms that are capable of sitting on top of the SIEM, integrating multiple tools from different vendors, which is one of the biggest challenges that threat analysts are faced with. This approach is usually taken during the incident triage phase, it is not intended to be a SIEM replacement but can help SOC and CSIRTs to reduce reaction time and related noise. Such platform fits the Incident Response and SOC Orchestration space, featuring multiple integrations that are easy to use and configure and, nowadays, are probably the only way to reach a near real time- and money-saver incident response, filling the gap that is created when the data sources are originated by different vendors. Such platforms support SIEM integration and could represent a great solution for all entities that are trying to create a successful and affordable cyber defense, by effectively reducing the noise of threat intelligence.
In one of my next columns, I will introduce this paradigm, along with its main potentials in the world of Security Operations and Incident Response. In the meanwhile, you can follow me on our LinkedIn Page, by clicking here.