Security engineers supporting a Security Operations Center (SOC) face the difficult job of providing an appropriate quantity of actionable alerts to SOC analysts. Typically, they are tasked with presenting alerts of interest to the analyst and they accomplish this by managing detection technologies, developing detection content and integrating security context. As they try to maintain the analyst’s console, their duties become overly complicated and riddled with hidden costs.
The most obvious hidden cost appears in the collection and processing of security events within a SIEM. Security engineers are often tasked with making hasty sizing decisions and often end up purchasing excessive storage and processing power. During implementation, they are pushed to collect all events to show immediate results. Although they are congratulated on a job well done, it comes at the expense of processing, storage, and content development complexity, as well as excessive volume presented to the analysts.
This leads us to how security engineers manage the console for the analysts. During content development, they build content according to a set of Boolean rules that group alerts in a way that will support analysis. What can’t be done efficiently today is the correlation between disparate event sources. This requires that a human look at a security anomaly and decide whether there is enough additional evidence to warrant escalating an incident. The additional analysis becomes tedious with a time-consuming negotiation between the security engineer and SOC simply to refine a detection capability that will change in a week. At this point, the security engineer is spending hours on end looking for ways to refine the content.
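The two steps described above, as an added illustration that is not from the original post or from Respond Software: a single-source Boolean rule that groups alerts by host, followed by the cross-source evidence check that today falls to the analyst. The event records, the source names (ids, edr, proxy), the hosts and the ten-minute window are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources (not real telemetry).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "source": "ids",   "host": "ws-17", "severity": 8, "sig": "suspicious outbound beacon"},
    {"ts": "2024-01-10T09:02:30", "source": "edr",   "host": "ws-17", "severity": 5, "sig": "script host spawned by office app"},
    {"ts": "2024-01-10T09:03:10", "source": "proxy", "host": "ws-17", "severity": 3, "sig": "connection to newly registered domain"},
    {"ts": "2024-01-10T09:05:00", "source": "ids",   "host": "ws-42", "severity": 8, "sig": "suspicious outbound beacon"},
    {"ts": "2024-01-10T12:00:00", "source": "edr",   "host": "ws-42", "severity": 5, "sig": "script host spawned by office app"},
    {"ts": "2024-01-10T09:06:00", "source": "ids",   "host": "ws-99", "severity": 4, "sig": "port scan"},
]


def boolean_rule(event):
    """The kind of single-source Boolean content a SIEM rule typically encodes."""
    return event["source"] == "ids" and event["severity"] >= 7


def group_alerts(events):
    """Step one: apply the Boolean rule and group the matching alerts by host."""
    groups = {}
    for e in events:
        if boolean_rule(e):
            groups.setdefault(e["host"], []).append(e)
    return groups


def corroborate(alert, events, window=timedelta(minutes=10)):
    """Step two: the cross-source check an analyst performs by hand.

    Returns the set of *other* event sources that reported something for the
    same host within the time window around the alert. The alert's own source
    is excluded so the result measures disparate evidence, not repetition.
    """
    t0 = datetime.fromisoformat(alert["ts"])
    sources = set()
    for e in events:
        if e["host"] != alert["host"] or e["source"] == alert["source"]:
            continue
        if abs(datetime.fromisoformat(e["ts"]) - t0) <= window:
            sources.add(e["source"])
    return sources


def triage(events, min_sources=2):
    """Escalate a host only when enough independent sources corroborate the alert."""
    decisions = {}
    for host, alerts in group_alerts(events).items():
        sources = set()
        for a in alerts:
            sources |= corroborate(a, events)
        decisions[host] = "escalate" if len(sources) >= min_sources else "review"
    return decisions


if __name__ == "__main__":
    for host, decision in triage(EVENTS).items():
        print(f"{host}: {decision}")
```

Running it escalates ws-17 (the IDS alert is backed by EDR and proxy events within the window), leaves ws-42 for review (its only other evidence arrives three hours later) and never surfaces ws-99, whose port-scan event fails the Boolean rule. The `min_sources` and `window` parameters are exactly the knobs that get renegotiated between the engineer and the SOC each time the content is refined.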
Another common issue is the lack of communication between IT operations and security teams. Corporate environments are added or changed without security operations involvement, leaving gaps in coverage and broken integration points. By the time the change is discovered, the engineers are pressured to correct the gaps, resulting in unexpected surges in volume and another round of refinement. All kinds of corners are cut during these rushed projects, infrastructure complexity is increased and technical debt is accumulated.
The Respond Analyst™ can help alleviate some of this stress. The information collected can be limited to only the information required for analysis. Additionally, the tedious time-consuming checks that are difficult for humans are simple for machines. Finally, by spending less time working through recurring and ridiculous issues, the engineers can work with enterprise security teams to improve the sensor grid and prepare for the next security integration project.
John Petropoulos is a security architect with over 16 years of experience working with all types of security operation centers, large and small. Specializing in breach detection and incident response, John has designed content development strategies and integration approaches that support some of the largest security operations in the world. Here at Respond Software, John is developing probabilistic models based on his experiences that evolved while working with a wide array of products and environments.