Security Operations: Finding the needle in the haystack

Suba Pandian
5 min read · Feb 4, 2021


Challenges of Security Operations Center and options to Explore

Current cyberattacks are advanced, targeted, and persistent. One of the biggest challenges for security teams today is to keep up with the ever-evolving threat landscape. Enterprises are reasonably more paranoid than ever before. They are investing in a lot more advanced security tools to detect and mitigate these threats.

A survey conducted by the Cloud Security Alliance (CSA) shows that almost 50% of organizations use 1–5 security tools, and 12.7% use more than 20.

Using more tools has left security teams dealing with too many non-actionable, repetitive or false-positive alerts. A flurry of uncoordinated alerts from these tools can easily overwhelm SOC teams to the point where they miss real threats. Most of the time, SOC teams are narrowly focused on separating real threats from the alarming number of alerts they receive.

Top 4 challenges of a SOC team

Apart from network, web, application, email and endpoint security products, there is a whole range of security tools meant to combat the advanced threats that pass through perimeter security. Though the security landscape is already vast and will continue to expand, the SOC team’s obstacles remain. The following are some of the most critical challenges.

1. Alert Fatigue:

Alert fatigue describes the state in which security teams are bombarded with an overwhelming number of uncoordinated alerts, making it nearly impossible for them to investigate and respond to the real threats on time. Much like guerrilla tactics, enterprise security personnel have to group and filter large volumes of alerts in an unmethodical manner to identify real threats.

As per a Ponemon survey, in a typical enterprise:

  • The annual cost of chasing false positives: $1.27M
  • Share of alerts ignored each week: 96%
  • Number of alerts generated each week: 17,000
  • Organizations with more than 50 tools ranked 8% lower in their ability to detect a cyberattack.

2. Dwell time of subtle threats:

Apart from handling a large number of threats, SOC admins need to keep an eye out for the threats that go undetected. Cybercriminals constantly develop new Tactics, Techniques and Procedures (TTPs) to break through the first line of defense offered by firewalls, intrusion prevention systems, and email and web security gateways. Once inside, these threats can remain undetected in the organization for as long as the attacker can manage. The amount of time a threat remains undetected is called dwell time.

A 2018 data breach study by the Ponemon Institute found that, on average, detection took around 197 days and containment took an additional 69 days. Recently a gold merchant store was hacked and the intrusion went undetected for 5 months: malicious Java code was sitting on their website, redirecting payments to the hacker’s site. Security vendors could have alerted on this breach, if only as a subtle signal. Because multiple weak signals were not correlated into a stronger signal that would identify the breach, such threats linger in the environment for a long time. SOC teams are responsible for identifying these subtle threats faster, reducing their dwell time, and containing and remediating them.

3. Poor triage process

Even if we were able to coordinate and reduce the alerts to a great extent, another relatively common challenge is a poor triage process. On what criteria should these alerts be prioritized? Since most triage processes are driven by tribal knowledge, past experience and other narrow perspectives, there is neither a structured rule set nor a focused system for prioritizing alerts. These inconsistent processes can lead to human error and missed critical alerts.

4. Bird’s-eye view of the threat landscape

Even though the security infrastructure is doing its job as configured, what is lacking is the big picture of the attacks. Even if an organization has a large set of tools, they may not be able to orchestrate among themselves to provide a holistic view. For example, there is no single view of how and what malicious files an end user downloaded, whether the same threat was seen on other endpoints, whether it progressed laterally across the organization, or whether the endpoint security vendor cleaned it. The lack of this common operating picture means there is no end-to-end story and timeline of how an attack gained a foothold and where it could have spread.

The most important question is: how do we manage the influx of alerts from today’s security tools?

“The time that the SOC team spends analyzing eventually ‘ignorable’ alerts is time not spent catching actual threats.”

Considering these challenges, it’s no surprise that security teams feel perpetually overwhelmed.

Solution

To improve the incident response process for SOC teams and to reduce the mean time to detect (MTTD) and the mean time to respond (MTTR), the security market recommends leaning towards SOAR (Security Orchestration, Automation and Response) and XDR (Extended Detection and Response) tools.

SOAR solutions have evolved as a way to help SOC analysts become more efficient by automating the mundane parts of their triage procedures. The key capabilities of SOAR solutions include, but are not limited to:

  1. Delivering better-quality intelligence for an incident by validating data from a wide range of sources, including threat intelligence platforms
  2. Automating SOC activities that are part of incident response, such as blocking a high-risk threat source IP address or quarantining infected endpoints from the network
  3. Managing and coordinating case management across SOC members for streamlined reporting

XDR, on the other hand, provides visibility across network, email, cloud and endpoints by coordinating alerts. Expectations of XDR include:

  1. Correlating alerts from all vendors, not only to have context from all security components but also to confirm the real threat
  2. Combining weak signals from multiple components into stronger signals of malicious intent
  3. Providing operational efficiency by reducing a large number of alerts to a smaller set of incidents for faster and more accurate triage
  4. Providing automation capability for repetitive tasks
  5. Containing threats through effective sharing of threat intelligence among security vendors
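As an added illustration of items 1 to 3 above (this is example code written for this page, not code from the article or from any XDR product), the following Python script correlates constructed alerts from three hypothetical tools (web_gateway, edr, ndr) into per-host incidents, drops exact repeats, and weights the combined severity by how many independent tools contributed, so weak signals that agree become one strong signal. The ten-minute window, tool names, severity scale, scoring rule and the `related_hosts` cross-reference are all assumptions chosen for the example.

```python
"""Added example: correlate weak signals from several tools into scored incidents.
Constructed input and hypothetical tool names; not from any product or from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: alerts for the same host that arrive within this window belong to one incident.
WINDOW = timedelta(minutes=10)

# Constructed sample alerts from three hypothetical tools; severities are on a 1-5 scale.
SAMPLE_ALERTS = [
    {"tool": "web_gateway", "ts": "2021-02-01T09:00:05", "host": "ws-17",
     "signal": "download_from_new_domain", "severity": 2},
    {"tool": "edr", "ts": "2021-02-01T09:01:40", "host": "ws-17",
     "signal": "script_spawned_by_office_app", "severity": 3},
    {"tool": "ndr", "ts": "2021-02-01T09:03:10", "host": "ws-17",
     "signal": "smb_scan_internal", "severity": 3},
    {"tool": "edr", "ts": "2021-02-01T09:05:00", "host": "ws-22",
     "signal": "script_spawned_by_office_app", "severity": 3},
    {"tool": "web_gateway", "ts": "2021-02-01T13:30:00", "host": "ws-05",
     "signal": "download_from_new_domain", "severity": 2},
    # Exact repeat of the previous alert one second later: noise to be deduplicated.
    {"tool": "web_gateway", "ts": "2021-02-01T13:30:01", "host": "ws-05",
     "signal": "download_from_new_domain", "severity": 2},
]


def correlate(alerts, window=WINDOW):
    """Group alerts per host into time-windowed incidents, dropping exact repeats."""
    by_host = defaultdict(list)
    for raw in alerts:
        by_host[raw["host"]].append(dict(raw, ts=datetime.fromisoformat(raw["ts"])))
    incidents = []
    for host, items in by_host.items():
        current = None
        for a in sorted(items, key=lambda x: x["ts"]):
            # Start a new incident when the gap since the last kept alert exceeds the window.
            if current is None or a["ts"] - current["last"] > window:
                current = {"host": host, "first": a["ts"], "last": a["ts"],
                           "alerts": [], "duplicates_dropped": 0}
                incidents.append(current)
            # Same tool reporting the same signal again inside the window adds nothing.
            if any((b["tool"], b["signal"]) == (a["tool"], a["signal"]) for b in current["alerts"]):
                current["duplicates_dropped"] += 1
                continue
            current["alerts"].append(a)
            current["last"] = a["ts"]
    return incidents


def score(incident):
    """Independent tools agreeing on one host turn weak signals into a strong one:
    sum the severities, then weight by how many distinct tools contributed."""
    tools = {a["tool"] for a in incident["alerts"]}
    return sum(a["severity"] for a in incident["alerts"]) * len(tools)


def triage(alerts, window=WINDOW):
    """Return incidents ordered for triage, each with other hosts that share any of its signals."""
    incidents = correlate(alerts, window)
    hosts_by_signal = defaultdict(set)
    for inc in incidents:
        for a in inc["alerts"]:
            hosts_by_signal[a["signal"]].add(inc["host"])
    rows = []
    for inc in incidents:
        signals = sorted({a["signal"] for a in inc["alerts"]})
        related = set().union(*(hosts_by_signal[s] for s in signals)) - {inc["host"]}
        rows.append({
            "host": inc["host"],
            "score": score(inc),
            "tools": sorted({a["tool"] for a in inc["alerts"]}),
            "signals": signals,
            "related_hosts": sorted(related),  # where else the same signal was seen
            "alerts_in": len(inc["alerts"]) + inc["duplicates_dropped"],
            "duplicates_dropped": inc["duplicates_dropped"],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

On the constructed input, six alerts collapse into three incidents; the host where a gateway, an EDR and a network sensor all fired within minutes rises to the top, while the host with one repeated gateway alert lands at the bottom, and each row names the other hosts where the same signal appeared so an analyst can see whether a threat is spreading. The multiplicative weighting is one simple choice among many; a real platform would tune it per signal and per tool.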

Many vendors offer a mix of XDR and SOAR solutions to handle the end-to-end incident process efficiently.

These solutions have the potential to help you find the proverbial needle if they are used properly. In my next article I will address the top criteria you need to look for when selecting a platform for efficient incident response.

Callout

  • Estimate your alert rate (alerts per day, alerts handled per SOC analyst) and plan how to aggregate or minimize the number of alerts
  • Estimate how many UIs your SOC team switches between to analyze a threat, and how centralized configuration and hardening capability can help
  • Review the scanning processes your SOC team follows to identify subtle attacks
  • Review how much time is spent on manual, repetitive tasks
  • Understand how the alerts from various tools are being coordinated and how a big picture can help your organization
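To make the first callout item and the MTTD/MTTR definitions from the Solution section concrete, here is an added Python example (written for this page, not taken from the article or from any product) that computes the numbers a SOC would estimate: alerts per day, alerts investigated per analyst per day, the ignored fraction, and per-incident dwell time and containment time rolled up into MTTD and MTTR. The weekly volume, staffing and incident dates are constructed for the example, not survey data.

```python
"""Added example: SOC volume and dwell-time metrics over constructed records."""
from datetime import date
from statistics import mean

# Constructed weekly volume and staffing for a hypothetical SOC (not survey data).
WEEK = {"alerts_received": 17_000, "alerts_investigated": 680, "analysts": 6, "days": 7}

# Constructed incident timelines: when attacker activity began, when the SOC
# detected it, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "first_activity": date(2020, 6, 1),
     "detected": date(2020, 11, 3), "contained": date(2020, 12, 1)},
    {"id": "INC-2", "first_activity": date(2020, 9, 10),
     "detected": date(2020, 9, 12), "contained": date(2020, 9, 13)},
    {"id": "INC-3", "first_activity": date(2020, 1, 15),
     "detected": date(2020, 9, 14), "contained": date(2020, 11, 20)},
]


def alert_rate(week):
    """Volume metrics the callout asks a SOC to estimate."""
    return {
        "alerts_per_day": week["alerts_received"] / week["days"],
        "investigated_per_analyst_day":
            week["alerts_investigated"] / week["analysts"] / week["days"],
        # Everything not investigated is, in effect, ignored.
        "ignored_fraction": 1 - week["alerts_investigated"] / week["alerts_received"],
    }


def dwell_days(inc):
    """Dwell time: days the threat stayed undetected."""
    return (inc["detected"] - inc["first_activity"]).days


def containment_days(inc):
    """Days from detection to containment."""
    return (inc["contained"] - inc["detected"]).days


def mttd(incidents):
    """Mean time to detect, in days, across the incident records."""
    return mean(dwell_days(i) for i in incidents)


def mttr(incidents):
    """Mean time to respond (here: detection to containment), in days."""
    return mean(containment_days(i) for i in incidents)


def longest_dwelling(incidents):
    """The subtle threat that lingered longest: the first candidate for a
    review of which weak signals existed but were never correlated."""
    return max(incidents, key=dwell_days)["id"]


if __name__ == "__main__":
    print(alert_rate(WEEK))
    for inc in INCIDENTS:
        print(inc["id"], "dwell", dwell_days(inc), "containment", containment_days(inc))
    print("MTTD", round(mttd(INCIDENTS), 1), "MTTR", round(mttr(INCIDENTS), 1),
          "longest dwell", longest_dwelling(INCIDENTS))
```

Tracking these figures before and after introducing correlation or automation is what turns the callout into a measurable goal: the alert rate and ignored fraction show whether aggregation is working, and the MTTD trend shows whether subtle threats are being caught sooner.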
