Improve Analyst Job Satisfaction With the Right Security Analysis Software

Day in and day out, they’re on the front lines of the war against cybercrime. Their hours may be long, and the work is sometimes tedious, but security operations center (SOC) analysts stand as an organization’s most powerful defense against data breaches, ransomware, hacking, and a host of other malicious acts. Their knowledge, expertise, and diligence keep sensitive customer data, valuable intellectual property, and coveted financial information safe.

They’re also in short supply. According to government data, there are currently over 300,000 unfilled cybersecurity positions in the United States. Researchers predict that there will be as many as 3.5 million cybersecurity job openings worldwide by 2021.

In a field with virtually zero unemployment, and where demand for workers far outstrips supply, business leaders must think carefully about what their organizations can do to win and retain top talent. Nearly one-third of the analysts surveyed in our “Voice of the Analyst” study were actively seeking a different job, and the average analyst’s job tenure is a mere 12 to 18 months.

Employers aren’t just losing security talent to other companies. Many promising junior employees are leaving the field of cybersecurity entirely. They’re doing so out of frustration, stress, or boredom with the monotony of the tasks assigned to them. This is especially true of entry-level analysts, whose SOC duties typically consist primarily of monitoring a stream of alerts and deciding which events warrant further investigation and escalation to incident responders. “Monitoring” means spending many hours in front of a console, watching repetitive streams of log data, knowing that the vast majority of alerts are false positives, but also that missing the one “needle in the haystack” event linked to a real attack might cost them their career.

This is a problem, not just for CISOs or SOC managers, but for everyone with a vested interest in protecting digital assets, business processes, systems, and devices. Reducing attrition and recruiting the best and the brightest into the cybersecurity field will require collaboration across organizations and the industry as a whole. We all need to work together to make these jobs more attractive.

Monotony and Stress Lead to Burnout and High Turnover

As a former SOC manager, I have firsthand experience of the pressures and challenges the frontline analysts encounter on a daily basis. They spend enormous amounts of time chasing false positives or trying to figure out the relationships between different types of uncorrelated alert data.

At the end of the day, many SOC analysts leave work feeling like they haven’t accomplished much. Often the job can feel like a wild goose chase, and it’s extremely frustrating for analysts to think they’re not using their time and efforts wisely.

Many bright people enter this field because they’re passionate about technology, but even more common among them is a burning desire to do good, prevent crime, and defeat criminals. As one respondent in the “Voice of the Analyst” survey put it, “I like challenges and making a difference.” Another listed his motivations as “Fight[ing] evil; stop[ping] badness.” These attitudes are commonplace in the SOC.

The Right Security Operations Software Makes the SOC Analyst’s Job More Cognitively Challenging and Engaging

Among SOC analysis tasks, employees prefer those that require careful thought, investigation, and mental engagement. Although monitoring incoming alerts will probably always be among their responsibilities, SOC analysts experience greater job satisfaction—and have a more positive attitude towards professional development—when their duties are varied.

As Bart Bailey, Security Operations Manager at Windstream Communications explains:

“Analysts [shouldn’t] be asked to just stare at alerts all day,” he says. “They are more satisfied if they do eyes-on-glass monitoring part of the day, and work on other projects like tuning, acquiring new logs, and working with other teams with different perspectives [the rest of the time].”

In other words, they’d rather act like detectives than mall cops.

With the Respond Analyst on board their team, they’re able to do exactly this. When security analysis software takes over the mundane aspects of the job, human SOC analysts are able to focus on its more interesting, complex, and “advanced” aspects—spending a greater percentage of their time on higher-value tasks that tend to be varied and exciting.

Security analysis software gives frontline analysts a fuller view of what’s going on across the whole IT environment. It enables them to see each alert, not as a discrete event—or a piece of data streaming across a console—but instead as part of the story that’s taking place. Ultimately, humans enjoy stories, puzzles, and riddles, and take pleasure in understanding and solving them.

Security Analysis Software Can Make Analysts More Effective

For any SOC analyst, detecting real intrusions is rewarding and validating. When employees are able to do so regularly and often, they’re more likely to feel that they’re making a real difference in their careers and for their organizations.

The sheer volume of alert data generated by sensors across any enterprise IT environment is simply too great for any human security analyst to monitor thoroughly and consistently. Nathan Light, Security Specialist at Windstream Communications, reports that before deploying the Respond Analyst in their organization, his SOC team was confronted with over 250,000 Intrusion Detection System (IDS) events per day. No matter how diligently they worked, or how well they tuned their platforms, they simply weren’t able to keep up with this alert volume. And the vast majority of these alerts were what Nathan calls “junk events”—false positives that further investigation would reveal to be meaningless.

This is why tools like the Respond Analyst have such strong potential to improve SOC analysts’ job performance.

Not only will they see fewer false positives when working with security analysis software, but the alerts that are generated are likely to be “of better quality,” as Nathan puts it, giving teams “a greater true positive detection rate.”

Because security operations software can consider every one of those 250,000 daily IDS events, there are fewer gaps in coverage, and significant anomalies are far less likely to be missed.

Adding the Respond Analyst to Your Team Gives Human Members More Time for Professional Growth and Development

When SOC analysts begin their careers, it is typically at a Tier 1 level, where they’re responsible primarily for reviewing and monitoring alert data. As they gain experience, they develop specialized skills—as threat hunters, forensic analysts, or malware experts, for instance.

Incorporating security analysis software into your SOC’s workflows can enable your analysts to develop their advanced analytical skills faster. Because they’re spending less time with the “low-level, boring alerts that no one wants to look at anyway,” they have more time to spend on the “projects that will make them better analysts.” They’re also likely to have additional time for the tasks that can have a measurable impact on risk reduction, and thus can save the entire organization—and its reputation—from the consequences of a successful attack.

As Nathan says:

Working with the Respond Analyst “breaks up the monotony, adds variety to what an analyst does, and gets them actively engaged in other aspects of security.”

When it comes to bringing in and retaining top talent, this is a win for the entire field of cybersecurity.

To learn how the Respond Analyst can become a valuable member of your SOC analysis team and can help improve job satisfaction among its human co-workers, contact us to schedule a demo today.

Work Smarter, Not Harder: How to Automate Security Analysis and Incident Remediation

Many of the mundane, time-consuming data-sifting tasks in today’s security incident workflows are ill-suited for humans to perform.

It’s nearly impossible for human analysts to cover the majority of cybersecurity monitoring and analysis tasks: given the vast amounts of data generated across most environments, analysts are simply not able to consider more than a small percentage of the alert events that our networks generate.

This means that when we assign humans the duty of keeping their eyes on a console, we’re misallocating some of our most valuable and scarce resources. These are the time, attention, and cognitive capabilities of the analysts who staff our Security Operations Centers (SOCs).

One of the primary benefits of adding security analysis software to analyze security events and incidents is that it extends the SecOps team’s capacity and enables human analysts to focus more of their energies on incident response and remediation. This is the portion of the incident response workflow where their uniquely “human” abilities—creativity, collaboration, communication, and teamwork—are most needed. It’s also where teams stand to make the interventions that can have the biggest impact on the overall efficacy of end-to-end security operations.

Incident Response Process Improvements Enable Teams to Make Major Security Gains

Once an event has been escalated for human investigation, the speed with which the security team is able to contain the threat determines the size of the risk that the incident will result in a breach or other significant security event. The quicker remediation can occur, the greater the likelihood that the attack will be stopped before it has time to grow in scope and impact or progress down the kill chain. And the faster the incident is fully resolved and all affected systems brought back online, the less likely the business’s operations are to be interrupted or otherwise impacted.

A full-scale incident remediation workflow should include a thorough investigation of every incident’s scope and impact in order to improve future response capabilities. By looking at how and why it happened, security teams can mitigate the risk of the same thing happening again.

This kind of analysis requires collaboration and communication, however. Security team members may need to delve deep into the operating system or software application event logs and then share their findings with colleagues. It also takes time—something that’s in short supply for today’s security operations teams, who often struggle to monitor the voluminous alert data that confronts them. When conducting SOC analysis, security team members are well aware that spending too much time on incident response might cause them to miss the earliest stages of the next attack.

Security Operations Software Frees Teams to Make Better Use of Time

Mental fatigue and eye strain are real problems for today’s security operations teams. To monitor security event data effectively, security analysts must give every alert the same amount of attention, with an entirely consistent approach. Each event can require as many as 40 to 60 different checks, and it’s impossible to perform these quickly or without full concentration. Even though the vast majority of alerts a SOC analyst encounters are false positives, they cannot skip one, because that one might turn out to be critically important. It’s near impossible to maintain focus in these conditions.

Integrating security analysis software like the Respond Analyst into your network and endpoint intrusion monitoring workflow allows your team to make better use of the tools you already have in place. It removes the bottleneck that too much data has introduced into your security operations, and supports your team in making better decisions at speed.

End-to-End Solutions Facilitate Enormous Process Improvements

Adding the Respond Analyst’s monitoring capabilities to your security incident workflow indirectly but significantly improves your security team’s incident response capabilities by taking over the tasks that aren’t practical for humans to perform, saving your team’s limited time and attention for forensics, analysis, and investigation. This helps teams work smarter, not harder, by allowing them to apply their greatest efforts where they’ll make the biggest difference.

Integrating the Respond Analyst with the Palo Alto Networks Demisto Security Orchestration and Automation platform can also directly improve the speed and efficacy of your incident response procedures. The Demisto platform can ingest results from the Respond Analyst, enabling it to initiate incident response playbooks in real time as soon as events are escalated.

This combination of analytic, content creation, and maintenance capabilities with downstream remediation and response capabilities gives security teams the power to monitor and investigate events from a broad array of data sources for full, end-to-end incident oversight. It has the potential to liberate security teams from the need to perform incident response processes that can be standardized, allowing them to instead spend their time on the ones that cannot.

The Respond Analyst works well together with several Palo Alto Networks solutions. With the addition of the Demisto platform to this security operations software’s portfolio of integrations, security teams can augment their automated monitoring capabilities with streamlined incident management and response. This saves them even more time for investigation, collaboration, and conversation—the high-value activities that are truly the best uses of their time.

The Respond Analyst app for Cortex by Palo Alto Networks is now available. Learn more.

To learn more about how the Respond Analyst can be integrated with the existing security solutions in your technology environment to help them—and your SOC team—perform better, contact us today.

What’s Old is New: How Old Math Underpins the Future of A.I. in Security Operations

Most of us engineers know the truth—A.I. is just old math theory wrapped in a pretty package. The deep learning algorithms used for Neural Networks? Yep, you guessed it, those were developed in 1943!

For those of us in Security Operations, the underpinning mathematical theories of probability will lead us into the future. Probability theory will automate human analysis–making real-time decisions on streaming data.

Probabilistic modeling will fill the gaps that our SecOps teams deal with today: too much data and not enough time. We humans have a very difficult time monitoring a live streaming console of security events. We just can’t thread it all together with our limited knowledge, biases, and the small amount of time we have to interact with each new event.

Making instant decisions as data is streamed in real time is near impossible because there is:

    • too much info and data to process,
    • not enough meaning—we don’t understand what the data is telling us,
    • poor memory—we can’t remember what happened two hours ago, let alone days, weeks, or months before.

Enter Probability Theory

Watch my short video to learn how Probability Theory will fundamentally change the future of Security Operations by expanding our ability to analyze more data across our environments than ever before.


Jumping to a New Curve

In the business classic “The Innovator’s Dilemma”, author Clayton Christensen shows how jumping to a new productivity curve is difficult for incumbent leaders but valuable for new innovators. I think a lot about this concept for cybersecurity. The world has changed dramatically these last 5-10 years, and the curve most enterprises are on results in lots of siloed detectors, rudimentary processing, people-centric processes, and high costs to maintain platforms. The solutions for these problems had great promise in the beginning but still can’t provide the level of productivity necessary to keep up with advances by the adversary. Workflow automation helps, but not enough to address the “orders of magnitude” problem that exists. The scale is definitely tipped in favor of the attackers. So how do we think out of the box to help companies jump to that new productivity curve?

Helping Customers Jump to a New Curve of Productivity

Three years ago, we started on a mission to help security operations teams right the balance between attackers and defenders. We are on the front-lines to change the status quo and to bring in a new way of thinking to defend the enterprise.

At Respond Software, we strive to unlock the true potential of Man + Machine—without bankrupting security teams. We aim to elevate the human analysts/incident responders to do what they do best (be curious, think outside the box, proactively take action) and let the machines do what machines do best (consistently analyze huge amounts of data thoroughly and accurately based on hundreds of dimensions). In short, security teams can use modern processing and computing techniques to help jump to a new curve and better defend their enterprise.

Today, our product, the Respond Analyst, is fulfilling that mission for customers around the globe. In fact, over the last 30 days, our Robotic Decision Automation product actively monitored billions of live events, vetted those into tens of thousands of cases, and escalated (only!) hundreds of incidents to our customers’ incident responders. What’s more, our security operations software customers were able to give the Respond Analyst feedback on what they liked, what they didn’t like, and how to improve the results. They now have an analyst on their team that can plow through the alerts and invoke expert judgement to group and prioritize them into incidents. This eliminates a huge amount of time wasted chasing false positives while freeing analysts to focus on threat hunting, deeper investigations, and proactive security measures. What a change for those teams!

New $20 Million Investment = More Status Quo Busting

To continue these efforts and to expand to meet increasing demand, we are pleased to announce our $20M Series B round of financing. The round was led by new investor ClearSky Security, with additional investment from our existing investors, CRV and Foundation Capital.

We are extremely pleased to add ClearSky Security to our team. ClearSky’s depth of cybersecurity knowledge and experience—both personally amongst the partners and from backing successful companies such as Demisto and Cylance—will be extremely helpful as we look to establish our innovative robotic decision automation software in more security operations teams. On top of it, we get Jay Leek, current ClearSky Managing Director and former CISO at Blackstone, to be on our Board. See our press release (and the accompanying video) for more details and his perspective.

I’d also like to thank the entire group of Responders for the hard work and dedication that got us to where we are today. As I recently told the security operations software team, I’m certainly psyched to get the endorsement and funding from three world-class investors. Even more so, I look forward to using the funds to work with ClearSky to further innovate, provide service to customers, and expand our reach to help more security operations teams take the fight to the adversaries…and save money while they do it. It’s time for security operations to bust through the status quo and jump to a new curve of productivity, capability and job satisfaction.

It’s time for the next phase of Respond Software.

Watch and Read More:

Video: Jay Leek shares his reasons for investing in Respond Software (on the way to the airport in an Uber)!

Press Release: Respond Software Raises $20 Million to Meet Growing Demand for Robotic Decision Automation in Security Operations

Managing Security Events: Not as Difficult as Finding Magic Stones

These days, finding a qualified and available Security Analyst seems more difficult than locating an Infinity Stone in the Marvel Universe. I’m sure many CISOs wish they could snap their fingers like Thanos, but instead of destroying half the population, create an army of security professionals to manage the complex threat landscape.

Due to the massive gap in available security skill sets and qualified people, many organizations are outsourcing at least a portion of their operations to Managed Security Service Providers (MSSPs). This seems to be a reasonable alternative, but just like in-house security operations, MSSPs have their share of challenges. In this blog, we will discuss those challenges to help you determine if an MSSP is the right security operations model for your organization. Then, if you decide to keep security operations in-house, we’ll share a better alternative that doesn’t involve voyaging through the galaxy hunting for magical stones.

(image source: helpnetsecurity.com)


6 considerations when working with or hiring an MSSP

  1. Get ready for a long ramp: According to Gartner, onboarding time for an MSSP is 1 to 4 months.* This long ramp-up means organizations that are thinking about hiring an MSSP must be patient. Just remember that bad actors are not so tolerant and will not wait for you to get on board and set up with your MSSP before they attack.

  2. Typical outsourcing issues: MSSPs have many customers, therefore they lack intimate knowledge of a single customer’s network or infrastructure. This makes it extremely difficult to perform effective analysis of that customer’s unique security configuration and requirements.

  3. Take a number: Like any organization, MSSPs have resource constraints. When the largest incidents hit or volumes peak, MSSPs will typically devote resources to larger customers, who tend to pay the most.

  4. We’ve got you covered—not so much: Due to the high volume of alerts they are trying to manage, MSSPs will usually tune down sensors. That means the MSSP’s ability to identify an attack will degrade.

  5. Law of diminishing returns: Just like any organization, MSSPs face high analyst turnover and resource shortages. When an analyst leaves the MSSP, customers suffer, as they are paying the same price for lower quality results. Additionally, the MSSP must re-focus its attention on hiring new talent from an already dwindling pool of candidates, adversely impacting the current level of service that the customer receives. This problem can often become worse over time.

  6. Cookie cutter solutions: MSSPs have an uncustomizable delivery model. In other words, the MSSP model is optimized for their business, not for the requirements of the customer.

These challenges are merely a sampling of a much larger set of difficulties that service providers face, demonstrating that the MSSP alternative may not be the best for every organization. When moving to an MSSP or using one, carefully think through all of the challenges listed above, as these will impact the amount of time you need to investigate false positives and may cause you to miss important attacks or threats. Of course, you might decide to keep your security operations in-house, but you will likely face many of the same challenges as the MSSP.

And finally, remember there is a third alternative that doesn’t require you to search the galaxy for that elusive security expert. Robotic Decision Automation software for security operations will automate event analysis, management, and triage. The Respond Analyst delivers these capabilities, performing just like an expert analyst, but at machine speed and with 100% consistency.

If addressing the skills shortage with software seems like an alternative for you, please visit the following pages for more information:

*Gartner, “How to Work with an MSSP to Improve Security,” January 30, 2018

Robots Have a Better Memory Than You

Can you remember what happened at 3:45pm last Tuesday? How about what you had for dinner three nights ago? What if you had to somehow correlate those two pieces of information together to make a life-changing decision in just a few seconds? The answer is, unless you are Data from Star Trek: The Next Generation, you would likely not be able to do it at all, let alone in a timely fashion.

(image) This is Data. He has a really good memory…

But that is exactly what we ask security analysts to do multiple times per day. It’s one of the toughest challenges they face: the capability to store and recall bits of information that may be relevant to an event, and then make a decision about what is happening in order to rectify the problem. Hmm, perhaps that is why so many companies are having difficulties finding and hiring security analysts these days.¹ But I digress…

In reality, many threats reveal themselves over time, lurking in the background until perhaps it’s too late. That’s exactly how ransomware works. Once a system is penetrated, the ransomware will exist there for days, weeks or months before it is activated. This makes it very difficult for human beings to detect, correlate and remediate the effects of ransomware. So, how can human beings remember events that may seem insignificant or normal when they occur and then correlate that information to new data to realize a security breach is happening?

One way to tackle this problem is by pairing humans with technology. Just as Data from Star Trek helps Captain Picard work through calculations at machine speed to make the right decision, Dynamic Scoping, a feature of Robotic Decision Automation (RDA), does the same thing. It enables security teams to process massive quantities of information, leveraging probability to determine the correct path to remediation.

Because RDA is by definition a robot, it is able to correlate seemingly insignificant events that occurred in the past with new data as it is collected. It then applies logic and intelligence to re-scope the probability that an attack or threat really exists. While RDA is far from Data from Star Trek, implementing it in an environment is like adding an expert security analyst that never forgets.

Learn more about how the Respond Analyst scopes and re-prioritizes at this link.

¹Indeed.com: Slight Dip in Clicks on US Cybersecurity Job Listings, Kelly Jackson Higgins, Dark Reading


Plays Well With Others: The Respond Analyst Integrates with Palo Alto Networks for 24×7 Continuous Monitoring and Analysis

We talk a lot about coverage here at Respond Software. It’s a fact: the more visibility you have into your environment, the better you’re able to contain and manage the cybersecurity risks you face. The relationship between security sensor data and risk is simple and linear. The more useful sensor data you can collect and effectively monitor in real time, the lower your risk.

This is why we partner with industry leaders like Palo Alto Networks. Palo Alto Networks Next-Generation Firewall solutions enhance visibility across today’s complex networks. You can build truly comprehensive coverage into your network security monitoring program with Palo Alto Networks integrated solutions, including Threat Prevention Services with Network Intrusion Detection and Prevention System (NIDPS) tools, advanced URL filtering, and the Traps endpoint protection and response platform.

Boost Your Ability to Analyze Data from Your Palo Alto Security Sensors

With more than 60,000 customers worldwide, Palo Alto Networks offers tightly integrated network security monitoring solutions that simplify the process of gathering data from billions of these customers’ devices and platforms. By implementing multiple modules from Palo Alto Networks security stack, you can collect detailed information from a wide range of sources, including network traffic logs and URL and endpoint event records.

Palo Alto Networks tools and solutions provide your security team with a wealth of data. Pair them with the Respond Analyst to be sure that you’re able to extract maximum value from that data, even with limited time and employee resources.

Better Together: With the Respond Analyst, More Data = Better Decisions = Effective Security Operations

By nature, Palo Alto Networks IDPS and endpoint protection tools generate a high volume of events. It can be challenging for security teams to sort through all – or even just a few – of them.

For each security event that your PAN solution generates, you must ask yourself the following questions:

  • Why was this event generated?
  • Which assets are involved, and how critical are they?
  • What stage has this attack reached? Are the attackers just gaining a foothold, or has it progressed further?
  • Were any vulnerabilities targeted?
  • Where are the external systems or sites involved located? Do we have intelligence to suggest they are suspicious?

Building context like this for every alert you receive is neither simple nor effortless. But without it, you’re not going to be able to make the best decision every time. The standard way of dealing with this problem is to turn off or ignore security controls that are too noisy. Until recently, this was the only workable solution. Its unfortunate result was that significant amounts of relevant security data were disregarded, limiting security teams’ ability to see potentially important events and increasing time to detection.

With autonomous security monitoring software like the Respond Analyst on board, you can rest assured that you’re not overlooking threats by filtering out valuable information. The Respond Analyst is security analysis software that can take over the task of monitoring the feeds from your Palo Alto Networks solutions, enriching every alert with deep contextual information that’s easy to interpret. The Respond Analyst performs consistent and logical analysis, and it has all the skill of an experienced human security analyst built into it. But it operates at the speed and scale of a machine.

From a technical perspective, the Respond Analyst and Palo Alto Networks tools simply work well together. The Respond Analyst can consume the logs that these tools generate without significant onboarding time or “training.” It’s ready to begin adding value to your implementation right out of the box. All you need to do is forward the feed, and the Respond Analyst takes over from there.

The Respond Analyst Helps Security Teams Defend Against Attacks They’d Otherwise Miss

Let’s take a look at a real incident that the Respond Analyst handled in a real customer environment last year. All identifying information, including names and IP addresses, has been anonymized to protect confidentiality.

In this incident, the Respond Analyst alerted our customer’s security team to a man-in-the-middle (MITM) attack that affected an employee’s iPhone. The employee, “Jim,” had downloaded a third-party app to his iOS device, and the app exploited a known vulnerability in Apple’s FairPlay digital rights management technology to install additional malware on the iPhone.

With access to event data generated by the NIDPS tools included in the Threat Prevention service component of Palo Alto Networks Next-Generation Firewall, the Respond Analyst was able to detect the anomalous network traffic patterns the attack was generating right away. The NIDPS detected 19 different events, and because our customer also had the Palo Alto Networks URL filtering module deployed, their security team was able to see that an additional 14 web filter events were correlated to the attack.

The Respond Analyst gave the incident response team a wealth of detail about the attack—including an assessment of its severity, the reasons that assessment was made, the assets involved, the times that the suspicious communications occurred, and details for the external IP addresses involved. With so much detail provided on a dashboard display that’s easy to understand and interpret, security team members are much better positioned to remediate the incident with speed and confidence.

Working together with Palo Alto Networks IDPS and advanced endpoint protection modules, the Respond Analyst helps security teams monitor their environments with greater effectiveness and efficiency. With the Respond Analyst’s help, they’re able to detect and contain threats quickly—successfully preventing attackers from reaching their targets.

To learn more about integrating the Respond Analyst with the existing security solutions within your organization’s infrastructure to build a stronger security monitoring program, contact us to schedule a consultation with a member of our team of experts.

Core Telemetries: Focus on the Right Data Sources to Achieve An Enterprise-Grade Security Monitoring Program

According to the most recent Verizon Data Breach Investigations Report, 73% of cyberattacks can be attributed to outsiders. This means that, generally speaking, the attacker will have to compromise an endpoint device and cross the enterprise threshold to accomplish their goals. Imagine a drive-by download that compromises a remote user’s laptop: the endpoint may run the malicious code, but the attackers still need to use the network to move laterally and access your data.

In this case, as in most attacks, the activity could have been detected on the endpoint as well as at any one of many other points within your environment. If your security monitoring system collects sensor data from at least one of these points, and you are able to monitor that data effectively, you’ll discover the attack and prevent a breach.

Each additional source of security data provides an extra layer of defense against cyberattacks. The deeper your defenses, and the more redundancy that’s built into them, the stronger your security monitoring program.

But even the most diligent SecOps teams are challenged by data overload. Teams report that less than 10 percent of the data they collect is analyzed.

Many organizations with limited resources find it challenging to prioritize security projects. Which data sources are most important? What solutions should be deployed first?

Build the Foundation with Endpoint Protection and Network Security Monitoring

If you haven’t already implemented it, setting up a basic endpoint protection platform (EPP) is a critical first step towards securing your network. EPP solutions allow you to collect, monitor, and analyze data from endpoint devices, reporting on known threats, preventing malware from executing, and in some cases quarantining unknown files until they can be investigated. Endpoint protection is relatively simple to deploy, and provides a valuable first layer of defense.

To improve visibility into your environment, consider adding a Network Intrusion Detection and Prevention Solution (NIDPS). Most NIDPS solutions rely on signatures to detect a broad range of threats, and can provide comprehensive threat detection for your network, including traffic from connected mobile and remote devices and cloud-based resources. NIDPS modules can be enabled within many Unified Threat Management (UTM) solutions as well, so you might already have a solution in place that you simply need to start monitoring.

Go Deeper With Advanced Solutions

If you’d like to improve upon the basic coverage offered by EPP and NIDPS, you can add one of today’s more advanced solutions, such as web proxy filtering and monitoring, URL filtering, email filtering (or anti-phishing solutions) or endpoint detection and response (EDR). These solutions can provide additional coverage of commonly exploited attack vectors (such as web browsers or email), or a more detailed record of the actions taken by the operating system. This can add up to deeper and more comprehensive coverage, but only if you are able to effectively monitor the larger amounts of log and event data they supply.

Boost Your Security Data Monitoring Capabilities With Security Analysis Software

Adding telemetries to your security stack can mitigate your risks and improve your security posture, but only if you are able to monitor those additional data sources continuously and effectively. Incorporating advanced solutions that you don’t have the time or ability to monitor doesn’t help.

And effectiveness in security monitoring is defined not by the number of data sources you monitor, but rather by how continuous and thorough your analysis of that data is.

This is where automated solutions can add the most value. The Respond Analyst can monitor sensor data from both foundational and advanced solutions. It’s able to work 24/7/365, and is capable of handling more events per hour than 14 human security analysts. The Respond Analyst is quick to deploy, and seamlessly integrates with a broad range of third-party security solutions, enabling it to ingest and monitor their data feeds without significant onboarding time, data tagging, or “training.”

The Respond Analyst enables smaller teams to monitor telemetries across their infrastructure—something they could not hope to accomplish manually. It makes it possible for smaller organizations to collect, monitor, and analyze security alerts and relevant contextual information on a scale that was previously available only to the largest enterprises. Along the way, the Respond Analyst brings advanced security capabilities within reach for businesses large and small, in numerous industries and verticals.

To learn more about how the Respond Analyst can work together with your existing security solutions, or with those you’re currently considering, contact us to schedule a demo.

Fight Fire with Fire:
How Security Automation Can Close the Vulnerability Gap Facing Industrial Operations

“Be stirring as the time; be fire with fire; threaten the threatener and outface the brow of bragging horror.”
William Shakespeare 1592

…or as Metallica once sang in 1982, Fight Fire with Fire!

There is a fire alight in our cyber world.  Threats are pervasive, the tech landscape is constantly changing, and now industrial companies are increasingly vulnerable with the advent of automation within their operations.  Last week a ransomware attack halted operations at Norsk Hydro ASA in both the U.S. and Europe, and just days later two U.S. chemical companies were also affected by a network security incident.

“As manufacturing processes become increasingly complex and spread out around the world, more companies will have to navigate the risk of disruption from cyber attacks.”
Bloomberg Cybersecurity

Industrial control systems (ICS), in particular, were not designed with cybersecurity in mind. Historically, they weren’t even connected to the internet or the IT network, but this is no longer the case. Automation and connectivity are essential for today’s industrial companies to thrive but this has also made them more vulnerable to attacks.

“The more automation you introduce into your systems, the more you need to protect them. Along with other industries, you may potentially start to see a much stronger emphasis on cybersecurity.”
Bloomberg Cybersecurity

Adding to the problem is a shortage of trained security staff to monitor the large volumes of data generated across the network, which inevitably leaves a plant’s operations even more vulnerable.

Fight the vulnerabilities that ICS automation causes with security automation

To close the vulnerability gap, industrial companies can fight fire with fire by embracing security automation. Extending automation tools beyond the industrial operations and into a plant’s security operations center can reduce the risk of a cyber attack. Security automation arms security teams with information to quickly identify threats so human analysts can act before a potential threat causes undue harm.

At Respond Software, we’re helping companies realize the power of automation with a new category of software called Robotic Decision Automation (RDA) for security operations. By augmenting teams with a ‘virtual analyst’, called the Respond Analyst, security teams can quickly automate frontline security operations (monitoring and triage).  Only the incidents with the highest probability of being malicious and actionable are escalated to human analysts for further investigation and response.

We believe that by combining human expertise with decision automation, industrial organizations can reduce their vulnerability risk profile.  The Respond Analyst can do the heavy lifting to cover the deluge of data generated each day and human analysts can elevate to focus on creative endeavors to remediate and contain threats faster.

There is no question that industrial companies will continue to be targeted by bad actors. But now, with front-line security automation, these organizations can also proactively safeguard operations against threats.

Be fire with fire.
W.S.

Read more:
3 Trends That Make Automation a Must for Securing Industrial Control Systems

Introducing “Inferred Context” or
How to Enjoy a Spring Day

Moving at a brisk pace across the campus of your company, laptop stowed under your arm, you hardly have a moment to admire the beauty of an early spring day. During the short trip and perhaps unbeknownst to you, your computer has changed IP addresses multiple times. This common practice helps IT organizations centrally and automatically manage IP addresses resulting in improved reliability and reduced network administration.

However, constant IP address changes can create havoc for Security Analysts because each address will appear as an independent system when a security alert occurs. For instance, an Analyst may start investigating an event based on an IP address and an attack name. The next step is to identify what has happened in association with that IP address, as well as what other systems may be involved in the attack. Depending on the information returned, the Analyst can make a completely inaccurate decision in terms of resolving the event.  If you cannot determine the location or owner of the target machine, you can’t fix the problem.

The decision-making process is further impacted by incomplete, outdated or inaccurate critical asset lists. This is an all too common occurrence that contributes to high numbers of false positives and even worse, false negatives.

Inferred Context – Advanced decision-making skills

The latest release of the Respond Analyst comes equipped with a new set of features called Inferred Context. Inferred Context improves the Respond Analyst’s ability to make informed, accurate decisions that lead to faster incident response times.

Two examples of how applying Inferred Context will result in better security decisions:

Dynamic Host Configuration Protocol (DHCP)

The first component of Inferred Context automatically and intelligently maintains an up-to-date mapping of IP addresses to hostnames by ingesting Dynamic Host Configuration Protocol (DHCP) information. This enhances the accuracy of the Respond Analyst’s findings by attributing all relevant events to the infected/targeted asset (and only that asset!) and by enabling reasoning across data sources where one source identifies hosts only by IP address (such as network IDS/IPS events). The result is fewer false positives, more accurate prioritization of events and faster time to resolution.

Critical Assets – Shades of Gray

Many customers are challenged in keeping up-to-date lists of systems and their level of criticality. To address this, the second component of Inferred Context collects vulnerability scan data in the Respond Analyst, including information about each host such as its operating system and which ports are open. Because applications communicate over open ports, the Respond Analyst infers that an application is running on each open port. For example, a Simple Mail Transfer Protocol (SMTP) server runs on port 25, so if that port is open, the Respond Analyst will infer that the host is a mail server, which is considered a critical asset.
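Putting the two components together (the time-aware DHCP mapping above and the port-based criticality inference), here is an added example that is not Respond Analyst code: it resolves the hostname that held an IP address at the moment an IDS event fired, then marks the asset critical when its scan shows a port associated with a server role. All lease records, scan results, hostnames and the port-to-role table are constructed for illustration.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease events: (lease start, ip, hostname). A later lease for
# the same IP supersedes the earlier one; release/expiry events would add an
# end bound, omitted here for brevity.
DHCP_LEASES = [
    ("2019-04-02T08:00:00", "10.1.5.20", "jim-laptop"),
    ("2019-04-02T08:45:00", "10.1.5.20", "hr-printer-3"),  # IP reassigned
    ("2019-04-02T08:46:00", "10.1.7.41", "jim-laptop"),    # Jim moved buildings
    ("2019-04-02T07:30:00", "10.1.9.25", "mailgw-01"),
]

# Constructed vulnerability-scan summary: hostname -> open TCP ports.
SCAN_PORTS = {"mailgw-01": [22, 25, 587], "jim-laptop": [445], "hr-printer-3": [9100]}

# Open ports that imply a server role; any match marks the asset critical.
CRITICAL_PORT_ROLES = {25: "mail server", 53: "DNS server", 1433: "database server"}


def build_lease_index(leases):
    """Per-IP list of (lease start, hostname) sorted by time for bisection."""
    index = defaultdict(list)
    for ts, ip, host in sorted(leases):  # ISO-8601 strings sort chronologically
        index[ip].append((datetime.fromisoformat(ts), host))
    return index


def resolve_host(index, ip, at):
    """Hostname holding `ip` at time `at`: the latest lease started at or before `at`."""
    leases = index.get(ip, [])
    starts = [start for start, _ in leases]
    pos = bisect_right(starts, datetime.fromisoformat(at))
    return leases[pos - 1][1] if pos else None  # None: no lease covers that time


def infer_roles(host):
    """Server roles inferred from the host's open ports in the scan data."""
    return [CRITICAL_PORT_ROLES[p] for p in SCAN_PORTS.get(host, []) if p in CRITICAL_PORT_ROLES]


def enrich_event(index, event):
    """Attach asset name and inferred criticality to an IDS event keyed only by IP."""
    host = resolve_host(index, event["dst_ip"], event["ts"])
    roles = infer_roles(host)
    return {**event, "asset": host, "roles": roles, "critical": bool(roles)}
```

The same IP resolves to different hosts before and after the 08:45 lease change, which is exactly the ambiguity an analyst working from the IDS event alone would miss.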

Inferred Context is supported on all of the models listed on the Respond Software Integrations page. Additionally, this release is expanding support to give security teams more visibility into their existing alerting telemetries for the following systems:

● Endpoint Protection Platforms: Trend Micro Deep Security, Trend Micro OfficeScan, Palo Alto Networks Traps
● Web proxy/URL filtering: McAfee Secure Web Gateway
● Network IDS/IPS: Check Point

Inferred Context helps the Respond Analyst quickly find the target of an attack, so security teams can resolve it quickly. Analysts will no longer have to investigate a multitude of false positives or manually search for the affected system, its owner and/or its name. Instead of staring at a screen filled with endless events, let the Respond Analyst automate the process so you can get out there and enjoy a spring day.

For more on Inferred Context, please read our recent press release or better yet, check out our YouTube channel.

The Respond Analyst’s decision-making skills are continuously expanding. To learn more about what the Respond Analyst can do for your organization, or to gain access to future Early Access programs, email tellmemore@respond-software.com.

Join our growing community! Subscribe to our newsletter, the "First Responder Notebook," delivered straight to your inbox.