Improve Analyst Job Satisfaction With the Right Security Analysis Software

Day in and day out, they’re on the front lines of the war against cybercrime. Their hours may be long, and the work is sometimes tedious, but security operations center (SOC) analysts stand as an organization’s most powerful defense against data breaches, ransomware, hacking, and a host of other malicious acts. Their knowledge, expertise, and diligence keep sensitive customer data, valuable intellectual property, and coveted financial information safe.

They’re also in short supply. According to government data, there are currently over 300,000 unfilled cybersecurity positions in the United States. Researchers predict that there will be as many as 3.5 million cybersecurity job openings worldwide by 2021.

In a field with virtually zero unemployment, and where demand for workers far outstrips supply, business leaders must think carefully about what their organizations can do to win and retain top talent. Nearly one-third of the analysts surveyed in our “Voice of the Analyst” study were actively seeking a different job, and the average analyst’s job tenure is a mere 12 to 18 months.

Employers aren’t just losing security talent to other companies. Many promising junior employees are leaving the field of cybersecurity entirely. They’re doing so out of frustration, stress, or boredom with the monotony of the tasks assigned to them. This is especially true of entry-level analysts, whose SOC duties typically consist primarily of monitoring a number of alerts and deciding which events warrant further investigation and escalation to incident responders. “Monitoring” means spending many hours in front of a console, watching repetitive streams of log data, knowing that the vast majority of alerts are false positives, but to miss that “needle in the haystack” event linked to a real attack might cost them their career.

This is a problem, not just for CISOs or SOC managers, but for everyone with a vested interest in protecting digital assets, business processes, systems, and devices. Reducing attrition and recruiting the best and the brightest into the cybersecurity field will require collaboration across organizations and the industry as a whole. We all need to work together to make these jobs more attractive.

Monotony and Stress Lead to Burnout and High Turnover

As a former SOC manager, I have firsthand experience of the pressures and challenges the frontline analysts encounter on a daily basis. They spend enormous amounts of time chasing false positives or trying to figure out the relationships between different types of uncorrelated alert data.

At the end of the day, many SOC analysts leave work feeling like they haven’t accomplished much. Often the job can feel like a wild goose chase, and it’s extremely frustrating for analysts to think they’re not using their time and efforts wisely.

Many bright people enter this field because they’re passionate about technology, but even more common among them is a burning desire to do good, prevent crime, and defeat criminals. As one respondent in the “Voice of the Analyst” survey put it, “I like challenges and making a difference.” Another listed his motivations as “Fight[ing] evil; stop[ping] badness.” These attitudes are commonplace in the SOC.

The Right Security Operations Software Makes the SOC Analyst’s Job More Cognitively Challenging and Engaging

Among SOC analysis tasks, employees prefer those that require careful thought, investigation, and mental engagement. Although monitoring incoming alerts will probably always be among their responsibilities, SOC analysts experience greater job satisfaction—and have a more positive attitude towards professional development—when their duties are varied.

As Bart Bailey, Security Operations Manager at Windstream Communications, explains:

“Analysts [shouldn’t] be asked to just stare at alerts all day,” he says. “They are more satisfied if they do eyes-on-glass monitoring part of the day, and work on other projects like tuning, acquiring new logs, and working with other teams with different perspectives [the rest of the time].”

In other words, they’d rather act like detectives than mall cops.

With the Respond Analyst on board their team, they’re able to do exactly this. When security analysis software takes over the mundane aspects of the job, human SOC analysts are able to focus on its more interesting, complex, and “advanced” aspects—spending a greater percentage of their time on higher-value tasks that tend to be varied and exciting.

Security analysis software gives frontline analysts a fuller view of what’s going on across the whole IT environment. It enables them to see each alert, not as a discrete event—or a piece of data streaming across a console—but instead as part of the story that’s taking place. Ultimately, humans enjoy stories, puzzles, and riddles, and take pleasure in understanding and solving them.

Security Analysis Software Can Make Analysts More Effective

For any SOC analyst, detecting real intrusions is rewarding and validating. When employees are able to do so regularly and often, they’re more likely to feel that they’re making a real difference in their careers and for their organizations.

The sheer volume of alert data generated by sensors across any enterprise IT environment is simply too great for any human security analyst to monitor thoroughly and consistently. Nathan Light, Security Specialist at Windstream Communications, reports that before deploying the Respond Analyst in their organization, his SOC team was confronted with over 250,000 Intrusion Detection System (IDS) events per day. No matter how diligently they worked, or how well they tuned their platforms, they simply weren’t able to keep up with this alert volume. And the vast majority of these alerts were what Nathan calls “junk events”—false positives that further investigation would reveal to be meaningless.

This is why tools like the Respond Analyst have such strong potential to improve SOC analysts’ job performance.

Not only will they see fewer false positives when working with security analysis software, but the alerts that are generated are likely to be “of better quality,” as Nathan puts it, giving teams “a greater true positive detection rate.”

Because security operations software can consider every one of those 250,000 daily IDS events, there are fewer gaps in coverage, and significant anomalies are far less likely to be missed.

Adding the Respond Analyst to Your Team Gives Human Members More Time for Professional Growth and Development

When SOC analysts begin their careers, it is typically at a Tier 1 level, where they’re responsible primarily for reviewing and monitoring alert data. As they gain experience, they develop specialized skills—as threat hunters, forensic analysts, or malware experts, for instance.

Incorporating security analysis software into your SOC’s workflows can enable your analysts to develop their advanced analytical skills faster. Because they’re spending less time with the “low-level, boring alerts that no one wants to look at anyway,” they have more time to spend on the “projects that will make them better analysts.” They’re also likely to have additional time for the tasks that can have a measurable impact on risk reduction, and thus can save the entire organization—and its reputation—from the consequences of a successful attack.

As Nathan says:

Working with the Respond Analyst “breaks up the monotony, adds variety to what an analyst does, and gets them actively engaged in other aspects of security.”

When it comes to bringing in and retaining top talent, this is a win for the entire field of cybersecurity.

To learn how the Respond Analyst can become a valuable member of your SOC analysis team and can help improve job satisfaction among its human co-workers, contact us to schedule a demo today.

Work Smarter, Not Harder: How to Automate Security Analysis and Incident Remediation

Many of the mundane, time-consuming data-sifting tasks in today’s security incident workflows are ill-suited for humans to perform.

It’s nearly impossible for human analysts to cover the majority of cybersecurity monitoring and analysis tasks: given the vast amounts of data generated across most environments, analysts are simply not able to consider more than a small percentage of the alert events that our networks generate.

This means that when we assign humans the duty of keeping their eyes on a console, we’re misallocating some of our most valuable and scarce resources. These are the time, attention, and cognitive capabilities of the analysts who staff our Security Operations Centers (SOCs).

One of the primary benefits of adding security analysis software to analyze security events and incidents is that it extends the SecOps team’s capacity and enables human analysts to focus more of their energies on incident response and remediation. This is the portion of the incident response workflow where their uniquely “human” abilities—creativity, collaboration, communication, and teamwork—are most needed. It’s also where teams stand to make the interventions that can have the biggest impact on the overall efficacy of end-to-end security operations.

Incident Response Process Improvements Enable Teams to Make Major Security Gains

Once an event has been escalated for human investigation, the speed with which the security team is able to contain the threat determines the size of the risk that the incident will result in a breach or other significant security event. The quicker remediation can occur, the greater the likelihood that the attack will be stopped before it has time to grow in scope and impact or progress down the kill chain. And the faster the incident is fully resolved and all affected systems brought back online, the less likely the business’s operations are to be interrupted or otherwise impacted.

A full-scale incident remediation workflow should include a thorough investigation of every incident’s scope and impact in order to improve future response capabilities. By looking at how and why it happened, security teams can mitigate the risk of the same thing happening again.

This kind of analysis requires collaboration and communication, however. Security team members may need to delve deep into the operating system or software application event logs and then share their findings with colleagues. It also takes time—something that’s in short supply for today’s security operations teams, who often struggle to monitor the voluminous alert data that confronts them. When conducting SOC analysis, security team members are well aware that spending too much time on incident response might cause them to miss the earliest stages of the next attack.

Security Operations Software Frees Teams to Make Better Use of Time

Mental fatigue and eye strain are real problems for today’s security operations teams. To monitor security event data effectively, security analysts must give every alert the same amount of attention, with an entirely consistent approach. Each event can require as many as 40 to 60 different checks, and it’s impossible to perform these quickly or without full concentration. Even though the vast majority of alerts a SOC analyst encounters are false positives, they cannot skip one, because that one might turn out to be critically important. It’s nearly impossible to maintain focus in these conditions.

Integrating security analysis software like the Respond Analyst into your network and endpoint intrusion monitoring workflow allows your team to make better use of the tools you already have in place. It removes the bottleneck that too much data has introduced into your security operations, and supports your team in making better decisions at speed.

End-to-End Solutions Facilitate Enormous Process Improvements

Adding the Respond Analyst’s monitoring capabilities to your security incident workflow indirectly but significantly improves your security team’s incident response capabilities by taking over the tasks that aren’t practical for humans to perform, saving your team’s limited time and attention for forensics, analysis, and investigation. This helps teams work smarter, not harder, by allowing them to apply their greatest efforts where they’ll make the biggest difference.

Integrating the Respond Analyst with the Palo Alto Networks Demisto Security Orchestration and Automation platform can also directly improve the speed and efficacy of your incident response procedures. The Demisto platform can ingest results from the Respond Analyst, enabling it to initiate incident response playbooks in real time as soon as events are escalated.

This combination of analytic and content creation and maintenance capabilities with downstream remediation and response capabilities gives security teams the power to monitor and investigate events from a broad array of data sources for full, end-to-end incident oversight. It has the potential to liberate security teams from the need to perform incident response processes that can be standardized, allowing them to instead spend their time on the ones that cannot.

The Respond Analyst works well together with several Palo Alto Networks solutions. With the addition of the Demisto platform to this security operations software’s portfolio of integrations, security teams can augment their automated monitoring capabilities with streamlined incident management and response. This saves them even more time for investigation, collaboration, and conversation—the high-value activities that are truly the best uses of their time.

The Respond Analyst app for Cortex by Palo Alto Networks is now available. Learn more.

To learn more about how the Respond Analyst can be integrated with the existing security solutions in your technology environment to help them—and your SOC team—work better, contact us today.

Managing Security Events: Not as Difficult as Finding Magic Stones

These days, finding a qualified and available security analyst seems more difficult than locating an Infinity Stone in the Marvel Universe. Like Thanos, I’m sure many CISOs wish they could snap their fingers, but instead of destroying half the population, create an army of security professionals to manage the complex threat landscape.

Due to the massive gap in available security skill sets and qualified people, many organizations are outsourcing at least a portion of their operations to Managed Security Service Providers (MSSPs). This seems to be a reasonable alternative, but just like in-house security operations, MSSPs have their share of challenges. In this blog, we will discuss those challenges to help you determine if an MSSP is the right security operations model for your organization. Then, if you decide to keep security operations in-house, we’ll share a better alternative that doesn’t involve voyaging through the galaxy hunting for magical stones.

6 considerations when working with or hiring an MSSP

  1. Get ready for a long ramp: According to Gartner, onboarding time for an MSSP is 1 to 4 months.* This long ramp-up means organizations that are thinking about hiring an MSSP must be patient. Just remember that bad actors are not so tolerant and will not wait for you to get on board with your MSSP before they attack.

  2. Typical outsourcing issues: MSSPs have many customers, so they lack intimate knowledge of any single customer’s network or infrastructure. This makes it extremely difficult to perform effective analysis of that customer’s unique security configuration and requirements.

  3. Take a number: Like any organization, MSSPs have resource constraints. When the largest incidents hit or volumes peak, MSSPs will typically devote resources to the larger customers who pay the most.

  4. We’ve got you covered—not so much: Due to the high volume of alerts they are trying to manage, MSSPs will usually tune down sensors. That means the MSSP’s ability to identify an attack will degrade.

  5. Law of diminishing returns: Just like any organization, MSSPs face high analyst turnover and resource shortages. When an analyst leaves the MSSP, customers suffer, as they are paying the same price for lower-quality results. Additionally, the MSSP must refocus its attention on hiring new talent from an already dwindling pool of candidates, adversely impacting the current level of service the customer receives. This problem can often become worse over time.

  6. Cookie-cutter solutions: MSSPs have an uncustomizable delivery model. In other words, the MSSP model is optimized for their business, not for the requirements of the customer.

These challenges are merely a sampling of a much larger set of difficulties that service providers face, demonstrating that the MSSP alternative may not be the best for every organization. When moving to or using an MSSP, carefully think through all of the challenges listed above, as they will affect the amount of time you need to investigate false positives and may cause you to miss important attacks or threats. Of course, you might decide to keep your security operations in-house, but you will likely face many of the same challenges as the MSSP.

And finally, remember there is a third alternative that doesn’t require you to search the galaxy for that elusive security expert. Robotic Decision Automation software for security operations automates event analysis, management, and triage. The Respond Analyst delivers these capabilities, performing just like an expert analyst, but at machine speed and with 100% consistency.

If addressing the skills shortage with software seems like an alternative for you, please visit the following pages for more information:

*Gartner, “How to Work with an MSSP to Improve Security,” January 30, 2018

Robots Have a Better Memory Than You

Can you remember what happened at 3:45pm last Tuesday? How about what you had for dinner three nights ago? What if you had to somehow correlate those two pieces of information to make a life-changing decision in just a few seconds? The answer is, unless you are Data from Star Trek: The Next Generation, you would likely not be able to do it at all, let alone in a timely fashion.

This is Data.  He has a really good memory…

But that is exactly what we ask security analysts to do multiple times per day.  It’s one of the toughest challenges they face – the capability to store and recall bits of information that may be relevant to an event, and then make a decision about what is happening to rectify the problem.  Hmm, perhaps that is why so many companies are having difficulties finding and hiring security analysts these days.¹ But I digress…

In reality, many threats reveal themselves over time, lurking in the background until perhaps it’s too late. That’s exactly how ransomware works. Once a system is penetrated, the ransomware can sit there for days, weeks, or months before it is activated. This makes it very difficult for human beings to detect, correlate, and remediate the effects of ransomware. So, how can human beings remember events that seemed insignificant or normal when they occurred, and then correlate that information with new data to realize a security breach is happening?

One way to tackle this problem is by pairing humans with technology. Just as Data from Star Trek helps Captain Picard work through calculations at machine speed to make the right decision, Dynamic Scoping, a feature of Robotic Decision Automation (RDA), does the same thing for security teams. It enables them to process massive quantities of information, leveraging probability to determine the correct path to remediation.

Because RDA is by definition a robot, it is able to correlate seemingly insignificant events that occurred in the past with newly collected data. Then it applies logic and intelligence to re-scope the probability that an attack or threat really exists. While RDA is far from Data from Star Trek, implementing it in an environment is like adding an expert security analyst who never forgets.

Learn more about how the Respond Analyst scopes and re-prioritizes at this link.

¹ Slight Dip in Clicks on US Cybersecurity Job Listings, Kelly Jackson Higgins, Dark Reading
Plays Well With Others: The Respond Analyst Integrates with Palo Alto Networks for 24×7 Continuous Monitoring and Analysis

We talk a lot about coverage here at Respond Software. It’s a fact: the more visibility you have into your environment, the better you’re able to contain and manage the cybersecurity risks you face. The relationship between security sensor data and risk is simple and linear. The more useful sensor data you can collect and effectively monitor in real time, the lower your risk.

This is why we partner with industry leaders like Palo Alto Networks. Palo Alto Networks Next-Generation Firewall solutions enhance visibility across today’s complex networks. You can build truly comprehensive coverage into your network security monitoring program with Palo Alto Networks integrated solutions, including Threat Prevention Services with Network Intrusion Detection and Prevention System (NIDPS) tools, advanced URL filtering, and the Traps endpoint protection and response platform.

Boost Your Ability to Analyze Data from Your Palo Alto Security Sensors

With more than 60,000 customers worldwide, Palo Alto Networks offers tightly integrated network security monitoring solutions that simplify the process of gathering data from billions of these customers’ devices and platforms. By implementing multiple modules from Palo Alto Networks security stack, you can collect detailed information from a wide range of sources, including network traffic logs and URL and endpoint event records.

Palo Alto Networks tools and solutions provide your security team with a wealth of data. Pair them with the Respond Analyst to be sure that you’re able to extract maximum value from that data, even with limited time and employee resources.

Better Together: With The Respond Analyst, More Data = Better Decisions = Effective Security Operations

By nature, Palo Alto Networks IDPS and endpoint protection tools generate a high volume of events. It can be challenging for security teams to sort through all – or even just a few – of them.

For each security event that your PAN solution generates, you must ask yourself the following questions:

  • Why was this event generated?
  • Which assets are involved, and how critical are they?
  • What stage has this attack reached? Are the attackers just gaining a foothold, or has it progressed further?
  • Were any vulnerabilities targeted?
  • Where are the external systems or sites involved located? Do we have intelligence to suggest they are suspicious?

Building context like this for every alert you receive is neither simple nor effortless. But without it, you’re not going to be able to make the best decision every time. The standard way of dealing with this problem is to turn off or ignore security controls that are too noisy. Until recently, this was the only workable solution. Its unfortunate result was that significant amounts of relevant security data were disregarded, limiting security teams’ ability to see potentially important events and increasing time to detection.
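The five triage questions, together with the grouping of NIDPS and URL-filter events about one host into a single incident that the anonymized case on this page describes, worked through in code. This is an added example, not code from Respond Software or Palo Alto Networks: the event shape, asset inventory, threat-intel list, stage keywords, 30-minute window and scoring weights are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ipaddress

# Constructed reference data (assumptions, not taken from any product).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ASSETS = {"10.0.5.23": ("jim-iphone", 2), "10.0.1.10": ("payroll-db", 5)}  # ip -> (host, criticality 1..5)
INTEL_BAD_IPS = {"203.0.113.77"}          # external IPs flagged by a constructed intel feed
STAGE_KEYWORDS = [("exploit", "exploitation"), ("download", "installation"),
                  ("c2", "command-and-control"), ("beacon", "command-and-control")]
STAGE_ORDER = ["unknown", "exploitation", "installation", "command-and-control"]

@dataclass
class Event:
    """One sensor event in a simplified PAN-style shape (constructed)."""
    ts: datetime
    source: str                  # "threat" (NIDPS) or "url" (URL filtering)
    src_ip: str
    dst_ip: str
    signature: str               # threat name or URL category
    cve: Optional[str] = None    # vulnerability id if the sensor reported one

@dataclass
class Context:
    """Answers to the five triage questions for a single event."""
    reason: str                  # why was this event generated?
    asset: str                   # which asset is involved, and how critical is it?
    criticality: int
    stage: str                   # what stage has the attack reached?
    vulnerability: Optional[str] # was a vulnerability targeted?
    external_ip: str             # which external system is involved, and
    intel_hit: bool              # does intel suggest it is suspicious?

def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def enrich(ev: Event) -> Context:
    """Build the context for one event from the inventory and intel data."""
    if _is_internal(ev.src_ip):
        internal, external = ev.src_ip, ev.dst_ip
    else:
        internal, external = ev.dst_ip, ev.src_ip
    host, crit = ASSETS.get(internal, ("unknown-asset", 1))
    sig = ev.signature.lower()
    stage = next((s for kw, s in STAGE_KEYWORDS if kw in sig), "unknown")
    return Context(f"{ev.source}: {ev.signature}", host, crit, stage,
                   ev.cve, external, external in INTEL_BAD_IPS)

def correlate(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Group enriched events into per-asset incidents: an event joins the asset's
    open incident if it falls within `window` of that incident's last event, so
    NIDPS and URL-filter events about the same host end up in one incident."""
    by_asset: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = enrich(ev)
        incidents = by_asset[ctx.asset]
        if incidents and ev.ts - incidents[-1]["last"] <= window:
            inc = incidents[-1]
        else:
            inc = {"asset": ctx.asset, "criticality": ctx.criticality, "last": ev.ts,
                   "events": [], "stages": set(), "intel_hits": set(), "cves": set()}
            incidents.append(inc)
        inc["last"] = ev.ts
        inc["events"].append((ev, ctx))
        inc["stages"].add(ctx.stage)
        if ctx.intel_hit:
            inc["intel_hits"].add(ctx.external_ip)
        if ctx.vulnerability:
            inc["cves"].add(ctx.vulnerability)
    return [inc for incs in by_asset.values() for inc in incs]

def furthest_stage(inc: Dict) -> str:
    return max(inc["stages"], key=STAGE_ORDER.index)

def priority(inc: Dict) -> int:
    """Constructed scoring: asset criticality, how far the attack progressed,
    corroboration by a second sensor type, intel hits and targeted CVEs."""
    score = 2 * inc["criticality"] + 3 * STAGE_ORDER.index(furthest_stage(inc))
    score += 2 if len({ev.source for ev, _ in inc["events"]}) > 1 else 0
    return score + 4 * len(inc["intel_hits"]) + 2 * len(inc["cves"])

def triage(events: List[Event]) -> List[Dict]:
    """Correlate, then return incidents highest priority first."""
    return sorted(correlate(events), key=priority, reverse=True)

# Constructed sample: exploit, download and beacon from one phone within minutes
# (the pattern of the anonymized case on this page), plus an unrelated scan.
T0 = datetime(2019, 3, 5, 14, 2)
SAMPLE_EVENTS = [
    Event(T0, "threat", "10.0.5.23", "203.0.113.77",
          "iOS DRM Exploit Attempt", cve="CVE-0000-0000 (placeholder)"),
    Event(T0 + timedelta(minutes=1), "url", "10.0.5.23", "203.0.113.77", "malware download site"),
    Event(T0 + timedelta(minutes=6), "threat", "10.0.5.23", "203.0.113.77", "Suspicious C2 Beacon"),
    Event(T0 + timedelta(hours=3), "threat", "198.51.100.9", "10.0.1.10", "Generic Port Scan"),
]
```

`triage(SAMPLE_EVENTS)` ranks the phone incident, corroborated by two sensor types and an intel hit, (score 21) above the lone scan against the more critical database (score 10), which is the point of building context before deciding.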

With autonomous security monitoring software like the Respond Analyst on board, you can rest assured that you’re not overlooking threats by filtering out valuable information. The Respond Analyst is security analysis software that can take over the task of monitoring the feeds from your Palo Alto Networks solutions, enriching every alert with deep contextual information that’s easy to interpret. The Respond Analyst performs consistent and logical analysis, and it has all the skill of an experienced human security analyst built into it. But it operates at the speed and scale of a machine.

From a technical perspective, the Respond Analyst and Palo Alto Networks tools simply work well together. The Respond Analyst can consume the logs that these tools generate without significant onboarding time or “training.” It’s ready to begin adding value to your implementation right out of the box. All you need to do is forward the feed, and the Respond Analyst takes over from there.

The Respond Analyst Helps Security Teams Defend Against Attacks They’d Otherwise Miss

Let’s take a look at a real incident that the Respond Analyst handled in a real customer environment last year. All identifying information, including names and IP addresses, has been anonymized to protect confidentiality.

In this incident, the Respond Analyst alerted our customer’s security team to a man-in-the-middle (MITM) attack that affected an employee’s iPhone. The employee, “Jim,” had downloaded a third-party app to his iOS device, and the app exploited a known vulnerability in Apple’s FairPlay digital rights management technology to install additional malware on the iPhone.

With access to event data generated by the NIDPS tools included in the Threat Prevention service component of the Palo Alto Networks Next-Generation Firewall, the Respond Analyst was able to detect the anomalous network traffic patterns the attack was generating right away. The NIDPS detected 19 different events, and because our customer also had the Palo Alto Networks URL filtering module deployed, their security team was able to see that an additional 14 web filter events were correlated with the attack.

The Respond Analyst gave the incident response team a wealth of detail about the attack—including an assessment of its severity, the reasons that assessment was made, the assets involved, the times that the suspicious communications occurred, and details for the external IP addresses involved. With so much detail provided on a dashboard display that’s easy to understand and interpret, security team members are much better positioned to remediate the incident with speed and confidence.

Working together with Palo Alto Networks IDPS and advanced endpoint protection modules, the Respond Analyst helps security teams monitor their environments with greater effectiveness and efficiency. With the Respond Analyst’s help, they’re able to detect and contain threats quickly—successfully preventing attackers from reaching their targets.

To learn more about integrating the Respond Analyst with the existing security solutions within your organization’s infrastructure to build a stronger security monitoring program, contact us to schedule a consultation with a member of our team of experts.

Core Telemetries: Focus on the Right Data Sources to Achieve an Enterprise-Grade Security Monitoring Program

According to the most recent Verizon Data Breach Investigations Report, 73% of cyberattacks can be attributed to outsiders. This means that, generally speaking, the attacker will have to compromise an endpoint device and cross the enterprise threshold to accomplish their goals. Imagine a drive-by download that compromises a remote user’s laptop: the endpoint may run the malicious code, but the attackers still need to use the network to move laterally and access your data.

In this case, as in most attacks, the attack might have been detected on the endpoint as well as from any one of many other points within your environment. If your security monitoring system is able to collect sensor data from at least one of these points and if you’re able to monitor that data effectively, you’ll discover the attack and prevent a breach.

Each additional source of security data provides an extra layer of defense against cyberattacks. The deeper your defenses, and the more redundancy that’s built into them, the stronger your security monitoring program.

But even the most diligent SecOps teams are challenged by data overload. Teams report that less than 10 percent of the data they collect is analyzed.

Many organizations with limited resources find it challenging to prioritize security projects. Which data sources are most important? What solutions should be deployed first?

Build the Foundation with Endpoint Protection and Network Security Monitoring

If you haven’t already implemented it, setting up a basic endpoint protection platform (EPP) is a critical first step towards securing your network. EPP solutions allow you to collect, monitor, and analyze data from endpoint devices, reporting on known threats, preventing malware from executing, and in some cases quarantining unknown files until they can be investigated. Endpoint protection is relatively simple to deploy, and provides a valuable first layer of defense.

To improve visibility into your environment, consider adding a Network Intrusion Detection and Prevention Solution (NIDPS). Most NIDPS solutions rely on signatures to detect a broad range of threats, and are able to provide comprehensive network threat detection for your network, as well as from connected mobile and remote devices and cloud-based resources. NIDPS modules can be enabled within many Unified Threat Management (UTM) solutions as well, so you might actually already have a solution in place that you simply need to start monitoring.

Go Deeper With Advanced Solutions

If you’d like to improve upon the basic coverage offered by EPP and NIDPS, you can add one of today’s more advanced solutions, such as web proxy filtering and monitoring, URL filtering, email filtering (or anti-phishing solutions) or endpoint detection and response (EDR). These solutions can provide additional coverage of commonly exploited attack vectors (such as web browsers or email), or a more detailed record of the actions taken by the operating system. This can add up to deeper and more comprehensive coverage, but only if you are able to effectively monitor the larger amounts of log and event data they supply.

Boost Your Security Data Monitoring Capabilities With Security Analysis Software

Adding telemetries to your security stack can mitigate your risks and improve your security posture, but only if you are able to monitor those additional data sources continuously and effectively. Incorporating advanced solutions that you don’t have the time or ability to monitor doesn’t help.

And effectiveness in security monitoring is defined not by the number of data sources you monitor, but rather by how continuous and thorough your analysis of that data is.

This is where automated solutions can add the most value. The Respond Analyst can monitor sensor data from both foundational and advanced solutions. It’s able to work 24/7/365, and is capable of handling more events per hour than 14 human security analysts. The Respond Analyst is quick to deploy, and seamlessly integrates with a broad range of third-party security solutions, enabling it to ingest and monitor their data feeds without significant onboarding time, data tagging, or “training.”

The Respond Analyst enables smaller teams to monitor telemetries across their infrastructure—something they could not hope to accomplish manually. It makes it possible for smaller organizations to collect, monitor, and analyze security alerts and relevant contextual information on a scale that was previously available only to the largest enterprises. Along the way, the Respond Analyst brings advanced security capabilities within reach for businesses large and small, in numerous industries and verticals.

To learn more about how the Respond Analyst can work together with your existing security solutions, or with those you’re currently considering, contact us to schedule a demo.

Fight Fire with Fire: How Security Automation Can Close the Vulnerability Gap Facing Industrial Operations

“Be stirring as the time; be fire with fire; threaten the threatener and outface the brow of bragging horror.”
William Shakespeare 1592

…or as Metallica once sang in 1982, Fight Fire with Fire!

There is a fire alight in our cyber world.  Threats are pervasive, the tech landscape is constantly changing, and now industrial companies are increasingly vulnerable with the advent of automation within their operations.  Last week a ransomware attack halted operations at Norsk Hydro ASA in both the U.S. and Europe, and just days later two U.S. chemical companies were also affected by a network security incident.


“As manufacturing processes become increasingly complex and spread out around the world, more companies will have to navigate the risk of disruption from cyber attacks.”
Bloomberg Cybersecurity

Industrial control systems (ICS), in particular, were not designed with cybersecurity in mind. Historically, they weren’t even connected to the internet or the IT network, but this is no longer the case. Automation and connectivity are essential for today’s industrial companies to thrive, but they have also made these companies more vulnerable to attacks.


“The more automation you introduce into your systems, the more you need to protect them. Along with other industries, you may potentially start to see a much stronger emphasis on cybersecurity.”
Bloomberg Cybersecurity

Adding to the problem is a shortage of trained security staff to monitor the large volumes of data generated across the network, which inevitably makes a plant’s operation even more vulnerable.

Fight the vulnerabilities that ICS automation causes with security automation

To close the vulnerability gap, industrial companies can fight fire with fire by embracing security automation. Extending automation tools beyond the industrial operations and into a plant’s security operations center can reduce the risk of a cyber attack. Security automation arms security teams with information to quickly identify threats so human analysts can act before a potential threat causes undue harm.

At Respond Software, we’re helping companies realize the power of automation with a new category of software called Robotic Decision Automation (RDA) for security operations. By augmenting teams with a ‘virtual analyst’, called the Respond Analyst, security teams can quickly automate frontline security operations (monitoring and triage).  Only the incidents with the highest probability of being malicious and actionable are escalated to human analysts for further investigation and response.

We believe that by combining human expertise with decision automation, industrial organizations can reduce their vulnerability risk profile.  The Respond Analyst can do the heavy lifting to cover the deluge of data generated each day and human analysts can elevate to focus on creative endeavors to remediate and contain threats faster.

There’s no question that industrial companies will continue to be targeted by bad actors. But now, with front-line security automation, these organizations can also proactively safeguard operations against threats.

Be fire with fire.

The Science of Detection Part 2: The Role of Integrated Reasoning in Security Analysis Software

Today’s blog is part two in my science of detection series, and we’ll look at how integrated reasoning in security analysis software leads to better decisions. Be sure to check back in the coming weeks to see the next blogs in our series. In part three, I’ll be taking an in-depth look at the signal quality of detectors, such as signatures, anomalies, behaviors, and logs.

If you’ve been reading our blogs lately, you’ve seen the term “integrated reasoning” used before, so it’s time to give you a deeper explanation of what it means. Integrated reasoning combines multiple sensors and sensor types for analysis and better detection. Before making a security decision, you must take into account a large number of different factors simultaneously.

What Is Integrated Reasoning?

Interestingly, when we started using the term, Julie from our marketing team Googled it and pointed out that it was the name of a new test section introduced in the Graduate Management Admission Test (GMAT) in 2012. What the GMAT section is designed to test in potential MBA candidates is exactly what we mean when we refer to integrated reasoning. It consists of the following skills:

  • Two-part analysis: The ability to identify multiple answers as most correct.
  • Multi-source reasoning: The ability to reason from multiple sources and types of information.
  • Graphic interpretation: The ability to interpret statistical distributions and other graphical information.
  • Table analysis: The ability to interpret tabular information such as patterns or historical data and to understand how useful distinct information is to a given decision.

All of these skills provide a combination of perspectives that allow you to reason and reach a well-thought-out, accurate conclusion. The reason we evaluate potential MBA candidates against this standard is the same reason we would design security analysis software, or if you will, a “virtual” security analyst, to this standard.

What is an MBA graduate but a decision maker? Fortunately, we are training our future business leaders on integrated reasoning skills, but when the number of factors to be considered increases, humans get worse at making decisions — especially when they need to be made rapidly. Whether from lack of attention, lack of time, bias or a myriad of other reasons, people don’t make rational decisions most of the time.

However, when you’re reasoning and using all of the available information in a systematic manner, you have a much greater chance of identifying the best answer. To put this within a security analysis frame of reference, let’s consider some of the information available to us to make effective security decisions.

What Information Should We Consider?

The most effective security analysis software uses anything that is observable within the environment and reduces the uncertainty about whether any one event should be investigated.

To achieve integrated reasoning, the software should utilize a combination of detectors, including:

  • Signature-based alerts
  • Detection analytics
  • Behaviors
  • Patterns
  • History
  • Threat intelligence
  • Additional contextual information

In order to make the right decisions, security analysis software should take into account three important factors: sensors, perspective and context. When you combine different forms of security telemetry, like network security sensors and host-based sensors, you have a greater chance of detecting maliciousness. Then, if you deliberately overlap that diverse suite of sensors, you now have a form of logical triangulation. Then add context, and you can understand the importance of each alert. Boom, a good decision!

Like our theoretical MBA candidate, security analysts have to hold hundreds of relevant factors in their minds simultaneously and are charged with making a number of critical decisions every hour. A tall order for a mere mortal, indeed.

Imagine this: A user receives a phishing email, clicks on the link a week later and is infected by malware. The system anti-virus reports “cleaned” but only found 1 of 4 pieces of malware installed. The remaining malware communicates with a command-and-control server and is used as an internal waypoint for very low-and-slow lateral exploration. This generates thousands of events over a period of weeks or months, but all of them have varying levels of fidelity. More likely, this is the backstory that an incident responder would eventually assemble potentially months — or years — after the fact to explain a breach.

Integrated Reasoning is a must for making sound decisions when it comes to deciding which security alerts to escalate for further examination. But with the amount of incoming data increasing by the minute, security teams are having a hard time keeping up. Your best bet is to choose security analysis software, like the Respond Analyst, that has built-in integrated reasoning capabilities to help with decision-making, so teams can focus on highly likely security incidents.

Curious to see how the Respond Analyst’s integrated reasoning capabilities can help your security team make better decisions? Request a demo today.

The Science of Detection Part 1: 5 Essential Elements of a Data Source

I’m passionate about the science of detection. It used to be a black art, like long distance high-frequency radio communication, but with modern cybersecurity technology, we’re putting the science back in. With that in mind, I plan to write a series of blogs about the science of detection with an aim to enable more effective and rapid identification of “maliciousness” in our enterprise technology.

In today’s blog, we’ll look at the key elements of a data source to ensure effective detection. Be sure to check back in the coming weeks to see the next blogs in the series. In parts two and three, I’ll be taking an in-depth look at how integrated reasoning will fundamentally change detection technology and the signal quality of detectors, such as signatures, anomalies, behaviors and logs.

In operational security, we monitor various pieces of technology in our network for hackers and malware. We look at logs and specialized security sensors, and we use context and intelligence to try to identify the “bad guys” from the noise. Often, a lot of this work is “best effort” since we’re collecting data from other technology teams who are only using it to troubleshoot performance, capacity and availability issues — not security. It can be a challenge to configure these sources to make them specific to the needs of security, and this greatly complicates our success rate.

When we look at the data sources or telemetries that we monitor, there are five elements that are important for their effectiveness in detecting malicious activity.

1. Visibility

Visibility is one of the most important elements of a data source. What can you see? Is this a network sensor? Are you decrypting traffic so that you can see the patterns or signatures of an attack? Or is this a system log source where stealthy user or administrator behaviors can be captured? When you’re considering visibility, there are two things that are key: the location of the sensor and the tuning of the events, alerts or logs that it generates. For signature-based data sources, it’s tremendously important that you keep them up to date consistently and tuned for maximum signal.

2. Signal Quality

We look at signal quality to help determine the likelihood that any given signature or alarm will reliably indicate the presence of malicious activity. When you consider network intrusion detection and prevention sensors, things get really complicated. I have seen the same IDS signature alarm between different hosts in one day where one instance was a false-positive, and the other instance was malicious. How are we supposed to separate those two out? Not without deep analysis that considers many additional factors.

3. Architecture

With the advent of autonomous analysis and integrated reasoning, the architecture of your sensor grid can provide significant advantages. The most important is sensor overlap, which means different types of sensors should be implemented in the infrastructure so that attackers must get past more than one detection point.

A good example would be host-based endpoint protection agents in a user environment. By forcing users to then transit a network intrusion detection sensor and maybe even a URL filter in order to conduct business on the internet, you end up with three perspectives and three chances to recognize systems that are behaving maliciously. This means it’s important to deploy internal (East-West) network sensors to corroborate your other sensing platforms in order to reduce false positives and produce high fidelity incidents. You can fool me once, but fooling me twice or a third time gets much harder.
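The “logical triangulation” described in the integrated reasoning post (sensors, perspective, context) and the sensor overlap described here come down to the same check: did more than one independent sensor type fire on the same host in a short window, and how much does that host matter? The following is an added illustration, not Respond Software’s code; the alert records, the `epp`/`nids`/`url` sensor labels, the one-hour window and the asset criticality table are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three overlapping sensor perspectives
# (hypothetical field names; not the output of any specific product).
SAMPLE_ALERTS = [
    {"ts": "2019-03-20T09:01:00", "host": "ws-042", "sensor": "epp",  "detail": "trojan.generic cleaned"},
    {"ts": "2019-03-20T09:03:30", "host": "ws-042", "sensor": "nids", "detail": "outbound beacon signature"},
    {"ts": "2019-03-20T09:04:10", "host": "ws-042", "sensor": "url",  "detail": "newly registered domain"},
    {"ts": "2019-03-20T10:15:00", "host": "ws-077", "sensor": "nids", "detail": "external IP lookup"},
    {"ts": "2019-03-20T10:16:00", "host": "ws-077", "sensor": "nids", "detail": "external IP lookup"},
    {"ts": "2019-03-21T14:00:00", "host": "ws-042", "sensor": "nids", "detail": "internal port sweep"},
]

# Constructed asset context: the same evidence weighs more on a critical system.
ASSET_CONTEXT = {"ws-042": {"criticality": 3}, "ws-077": {"criticality": 1}}

WINDOW = timedelta(hours=1)  # assumed corroboration window


def _score_group(host, group):
    """Score one host/time-window group. Only *distinct* sensor types count as
    perspectives: ten alerts from one NIDS signature are still one perspective."""
    perspectives = sorted({a["sensor"] for a in group})
    criticality = ASSET_CONTEXT.get(host, {}).get("criticality", 1)
    return {
        "host": host,
        "first_seen": group[0]["ts"],
        "alerts": len(group),
        "perspectives": perspectives,
        "score": len(perspectives) * criticality,
        # Two independent perspectives on the same host is the overlap the text asks for.
        "escalate": len(perspectives) >= 2,
    }


def corroborate(alerts, window=WINDOW):
    """Group alerts per host into windows that start at the first alert and
    score each window by how many sensor types agree."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)

    results = []
    for host, items in by_host.items():
        group = [items[0]]
        for a in items[1:]:
            delta = datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(group[0]["ts"])
            if delta <= window:
                group.append(a)
            else:
                results.append(_score_group(host, group))
                group = [a]
        results.append(_score_group(host, group))
    return results


def escalations(alerts):
    """Only the corroborated, context-weighted groups reach a human analyst."""
    return [r for r in corroborate(alerts) if r["escalate"]]


if __name__ == "__main__":
    for r in corroborate(SAMPLE_ALERTS):
        print(r)
```

Run on the sample, only ws-042’s morning cluster (EPP, NIDS and URL filter all firing within three minutes on a critical host) is escalated; the repeated single-sensor NIDS alerts on ws-077 are not.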

4. Data Management

All of our sensors should be easy to aggregate into a single data platform using common log transport methods. This can be a SIEM or a big data platform. It’s also tremendously important to capture all of the fields that can help us contextualize and understand the alerts we’ve observed. This data platform becomes the incident response and forensic repository for root cause analysis and is a good hunting ground for a hunt team.

5. Event Alignment

Given the complex nature of the modern enterprise, it’s possible for a user’s laptop to have 10 or 15 different IP addresses in any given day. We need to be able to reassemble that information to find the host that’s infected. A good example would be to collect hostname rather than just IP address, where it’s available. Proxies, firewalls and NAT devices can all effectively blind you when looking for malicious internal hosts. In fact, one Security Operations Center I built could not locate 50% of known compromised assets due to a combination of network design and geography.
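When the sensor only records an IP address, event alignment means looking up which host held that address at the moment of the event, typically from DHCP lease records. The following is an added illustration, not Respond Software’s code; the lease tuples, the alert field names and the half-open lease interval are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease history: (ip, lease start, lease end, hostname).
# The same address is handed to two different laptops on the same day.
LEASES = [
    ("10.1.4.20", "2019-03-20T08:00:00", "2019-03-20T12:00:00", "laptop-alice"),
    ("10.1.4.20", "2019-03-20T12:00:00", "2019-03-20T18:00:00", "laptop-bob"),
    ("10.1.4.21", "2019-03-20T08:00:00", "2019-03-20T18:00:00", "laptop-carol"),
]

# Constructed network alerts that carry only a source IP, as many NIDS do.
ALERTS = [
    {"ts": "2019-03-20T09:30:00", "src_ip": "10.1.4.20", "sig": "outbound beacon"},
    {"ts": "2019-03-20T13:15:00", "src_ip": "10.1.4.20", "sig": "outbound beacon"},
    {"ts": "2019-03-20T13:20:00", "src_ip": "10.1.4.21", "sig": "external IP lookup"},
    {"ts": "2019-03-20T19:00:00", "src_ip": "10.1.4.20", "sig": "outbound beacon"},  # no lease covers this
]


def build_index(leases):
    """Per IP, a list of (start, end, host) sorted by start, for binary search."""
    index = defaultdict(list)
    for ip, start, end, host in leases:
        index[ip].append((datetime.fromisoformat(start), datetime.fromisoformat(end), host))
    for ip in index:
        index[ip].sort()
    return index


def resolve(index, ip, ts):
    """Return the host that held `ip` at time `ts`, or None if no lease covers it.
    A lease is treated as [start, end): an event exactly at the end time belongs
    to the next lease, so the 12:00 handover is not attributed to the old holder."""
    leases = index.get(ip, [])
    t = datetime.fromisoformat(ts)
    i = bisect_right([start for start, _, _ in leases], t) - 1
    if i >= 0 and leases[i][0] <= t < leases[i][1]:
        return leases[i][2]
    return None


def align(alerts, leases):
    """Attach a hostname to each alert and regroup by host. Unresolvable alerts
    are kept under the key None so the blind spot stays visible instead of
    being silently dropped."""
    index = build_index(leases)
    by_host = defaultdict(list)
    for a in alerts:
        host = resolve(index, a["src_ip"], a["ts"])
        by_host[host].append({**a, "host": host})
    return dict(by_host)


if __name__ == "__main__":
    for host, items in align(ALERTS, LEASES).items():
        print(host, [a["ts"] for a in items])
```

Grouped by IP, 10.1.4.20 looks like one host beaconing all day; aligned against the leases, the two daytime beacons belong to different laptops and the 19:00 event has no owner at all, which is exactly the gap the text describes.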

A combination of perspectives provides the most effective sensor grid. Leveraging multiple forms of visibility, improving the signal quality of your sources, architecting for sensor overlap and key detection chokepoints, and streaming all of this data into an effective big data management system where it can be analyzed and leveraged across the operational security lifecycle can provide a far more effective security operations capability.

How the Respond Analyst Can Help You

The Respond Analyst is able to understand these telemetries and contextual data sources and considers all factors in real-time. This frees you from monitoring a console of alerts, which allows you to focus on higher-value work. It also frees your detection programs from the volume limitations of human monitoring. Putting all of these elements together provides a massive improvement in your ability to detect intruders before they can do major damage to your enterprise technology. We’re putting machines in front of alerts so that humans can focus on situations.

Mid-sized Enterprises: Want Robust, Sustainable SecOps? Remember 3 C’s

Cybersecurity is tricky business for the mid-sized enterprise.

Attacks targeting mid-sized companies are on the rise, but their security teams are generally resource constrained and have a tough time covering all the potential threats.

There are solutions that provide sustainable security infrastructures, but the vendor landscape is confusing and difficult to navigate. With smaller teams and more than 1,200 cybersecurity vendors in the market, it’s no wonder mid-sized enterprise IT departments often stick with “status quo” solutions that provide bare-minimum coverage. The IT leaders I talk to secretly tell me they know bare-bones security is a calculated risk, but often executive support for resources is just not there. These are tradeoffs that smaller security teams should not have to make.

Here’s the good news. Building a solid enterprise-scale security program without tradeoffs is possible. To get started, IT leaders should consider the 3 C’s of a sustainable security infrastructure: Coverage, Context, and Cost.

In part 1 of this 3-part blog series, we will deep-dive into the first “C”: Coverage.

When thinking about coverage, there are two challenges to overcome. The first challenge is to achieve broad visibility into your sensors. There is a wide array of security sensors and it’s easy to get overwhelmed by the avalanche of data they generate. Customers often ask me: Do we have to monitor everything? Where do I begin? Are certain sensor alerts better indications of compromise than others?

Take the first step: Achieve visibility with appropriate sensor coverage

To minimize blind spots, start by achieving basic 24 x 7 coverage with continuous monitoring of Network Intrusion Detection & Prevention (NIDS/NIPS) and Endpoint Protection Platform (EPP) activity. NIDS/NIPS solutions leverage signatures to detect a wide variety of threats within your network, alerting on unauthorized inbound, lateral, and outbound network communications. Vendors like Palo Alto Networks, TrendMicro and Cisco have solid solutions. Suricata and Snort are two popular open-source alternatives. EPP solutions (Symantec, McAfee, Microsoft) also leverage signatures to detect a variety of threats (e.g. Trojans, Ransomware, Spyware, etc) and their alerts are strong indicators of known malware infections.

Both NIDS/NIPS and EPP technologies use signatures to detect threats and provide broad coverage of a variety of attacks; however, they do not cover everything. To learn more on this topic, read our eBook: 5 Ingredients to Help your Security Team Perform at Enterprise-Scale

To gain deeper visibility IT departments can eventually start to pursue advanced coverage.

With advanced coverage, IT teams can augment basic 24 x 7 data sensor coverage by monitoring web proxy, URL filtering, and/or endpoint detection and response (EDR). These augmented data sources offer opportunities to gain deeper visibility into previously unknown attacks because they report on raw activity and do not rely on attack signatures like NIDS/NIPS and EPP. Web proxy and URL filtering solutions log all internal web browsing activity, and as a result provide in-depth visibility into one of the most commonly exploited channels that attackers use to compromise internal systems. In addition, EDR solutions act as a DVR on the system, recording every operation performed by the operating system—including all operations initiated by adversaries or malware. Of course, the hurdle to overcome with these advanced coverage solutions is managing the vast amounts of data they produce.

This leads to the second coverage challenge to overcome—obtaining the required expertise and capacity necessary to analyze the mountains of data generated.

As sensor coverage grows, more data is generated with each sensor type, creating data with unique challenges. Some sensors are extremely noisy and generate massive amounts of data. Others generate less data but are highly specialized and require a great deal more skill to analyze. To deal with the volume of data, common approaches are to ‘tune down’ sensors (which literally filters out potentially valuable data). This type of filtering is tempting since it essentially reduces the workload of a security team to a more manageable level. In doing so, however, clues to potential threats stay hidden in the data.

Take the second step: Consider security automation to improve coverage with resource-constrained teams.

Automation effectively offers smaller security teams the same capability that a full-scale Security Operations Center (SOC) team provides a larger organization, at a fraction of the investment and hassle.

Automation improves the status quo and stops the tradeoffs that IT organizations make every day. Smaller teams benefit from advanced security operations. Manual monitoring stops. Teams can keep up with the volume of data and can ensure that the analysis of each and every event is thorough and consistent. Security automation also provides continuous and effective network security monitoring and reduces time to respond. Alert collection, analysis, prioritization, and event escalation decisions can be fully or partially automated.

So to close, more Coverage for smaller security teams is, in fact, possible: First, find the right tools to gain more visibility across the network and endpoints. Second, start to think about solutions that automate the expert analysis of the data that increased visibility produces.

But, remember, ‘Coverage’ is just 1 part of this 3-part puzzle. Be sure to check back next month for part 2 of my 3 C’s (Coverage, Context, Cost) blog series. My blog on “Context” will provide a deeper dive into automation and will demonstrate how mid-sized enterprise organizations can gain more insights from their security data—ultimately finding more credible threats.

In the meantime, please reach out if you’d like to talk to one of our Security Architects to discuss coverage in your environment.
