Threat Detection Does Not Have to be Difficult
As someone who’s been in the cybersecurity field my entire career, I’m used to the perennial challenges that a Security Operations Center (SOC) faces. But in a recent conversation with CyberPeak Solutions Principal, Travis Abrams, we both agree that threat detection doesn’t need to be as difficult as it is today.
Throwing more people, technology or data at the problem won’t make it any easier. We can never have enough people, and we have too many tools and too much data. More technology platforms just make an already complex and messy IT environment worse.
One reason Travis and I believe threat detection can be easier is that even though the bad guys don’t want to be found, the clues are usually there, but analysts don’t have time to wade through endless logs to decide what is malicious intent and what’s just a false positive. And scaling people to triage every single alert and user ticket won’t work. There must be another layer, so people are only triaging and remediating incidents that are a threat so they can become detectives focused on the most interesting cases.
Lessen the mess
You must use the right tools, not more tools. And you’re not going to make headway with an outdated “people, process and technology,” approach.
One frustration Travis and I both know well is not being able to influence what gets deployed in the broader IT environment, but we believe the SOC can control its own destiny by deciding what technology platforms it uses. That includes some rationalization because a SOC shouldn't have more than one tool per category. We can reduce our complexity no matter what the broader business users deploy.
While a reseller or a Managed Security Service Provider (MSSP) will tell you that you need more tools, Travis is of the firm belief that less is better, especially when it comes to picking a Security Information and Event Management (SIEM) solution. You should go with the minimum viable option that meets your compliance needs. “None of the SIEM tools today are going to provide the true automation that you need,” he says. “That's part of the reason it's such a mess. Customers have been trying to do SIEM for so long with these static rules and it just doesn't scale and grow to the new threats.”
This is where we see Respond Software being able to help.
There’s no shortage of data
Some will say the key to easier and better threat detection is more data, but from where we sit, there’s more than enough. We must be able to bring the data that matters to the top of the pile and add some context before people get involved.
That being said, there’s a case for bringing in more data from other, neglected sources by adding telemetries and sensors beyond the typical endpoint. As Travis points out, everyone has focused on the endpoint because their Endpoint Detection and Response (EDR) tools say that’s where they’re being hacked. “The advanced attackers don't touch your endpoints.” Obvious hacking tools tend to be noisy and trigger EDR alerts, but in the meantime, the bad guys are running a bunch of commands to attack your active directory and have harvested sensitive data before the alarm goes off. “You can't just be looking at your endpoint,” he emphasizes. “There's way more to be analyzing with the machine learning models than just endpoint data.”
But what about the people who needed to do that, you ask? That's where Respond is focused because it's not feasible to assign a person to track an IP for a week to suss out what Travis calls a “low and slow” attack. “It's almost impossible to do. There's too much data.” We need to provide more context for analysts before they get involved and make it easier for technology generalists to contribute to the organization’s active defense, he says.
At the same time, a lot of the existing tools provide only binary results—yes or no, true or false. If you can’t add people to triage everything that’s coming in, then you must find a way to reduce what they need to make decisions about.
Add context to the clues
Context can help immensely when determining what is a threat and what isn’t, but the triage necessary to understand the context of all the data can’t be done by people alone.
At Respond, we see Extended Detection and Response (XDR) as that needed layer—an engine that allows existing SOC tools to go beyond delivering more data and alerts. It can recognize if a system has behaved the same way in the past, and whether it was malicious or not. It remembers all the vulnerabilities a system may have so it can gauge whether the activity it’s seeing poses a real threat. This allows people to spend their time doing the actual remediation and improving the security of the network.
More importantly, Travis points out, the people that need to get involved can have less cybersecurity experience on the Respond platform to contribute in the SOC—they can perform the basic analysis necessary and get up to speed quickly because the data is accurate and there are far fewer false positives. Because we can scale-up newer team members quickly, the more experienced ones are focused on rolling out better protection capabilities. By the time an XDR has put something in front of the analyst, there's a case that does need the attention of a detective.
Unlike Sherlock Holmes, who had the luxury of working one case at a time, today’s SOC detectives need a filter so they can choose which incidents are worth investigating. “It’s elementary Watson,” Respond has made threat detection easier.
Learn more about how CyberPeak is helping customers generate a return on security operations.
Respond Software is now a part of FireEye.