Security automation: Time for a new playbook

From increasingly sophisticated threats to the mad concoction of on-premise and cloud solutions that comprise most organizations’ IT infrastructure and the plethora of new IoT devices and a highly distributed workforce, enterprises and government agencies face a wide range of challenges that make cyber threat detection and response more difficult than ever before.

security automation

Simultaneously, the cybersecurity industry is facing a shortage of skilled workers, putting increasing strain on enterprise security teams and their ability to effectively identify and respond to threats.

Considering this contextual backdrop, Security Orchestration, Automation and Response (SOAR) products offer an appealing solution, promising efficiencies in detecting and responding to threats. However, organizations need to understand how these solutions can also introduce new challenges if not implemented correctly. Without proper planning, organizations adopting security automation tools can fall victim to common missteps that quickly lead to less efficiency and a weaker security posture.

Introducing SOAR

When introducing SOAR tools to an organization, the most important first step isn’t how the solution is configured, or the act of connecting it to other systems, or even determining what data sources it needs to integrate. The most important first step is having mature security processes on which to build. Simply taking the pre-built playbooks or automation scripts that SOAR vendors provide and plugging them into your environment will seldom yield the desired results.

Start by examining the processes and procedures your organization’s security team already has in place and identify the tasks that consume the majority of team member’s time. These will be the key use cases where SOAR can provide the most benefit by applying efficiency, speed and consistency. For example, in many organizations this might include processes such as looking up asset information or reviewing additional data points related to a security alert or a reported phishing email.

It could be the process of pulling data on what’s running in memory on a device and adding that detail to an existing incident management ticket to assist in an investigative decision. Or it could be isolating hosts or blocking an IP range on the network in order to stop a threat from spreading. These are all common use cases that can be effectively automated, but only if the underlying processes and procedures are mature and well-defined.

Different categories of automation require different levels of maturity in the underlying processes. If you plan to introduce any type of automated response – such as automated threat containment – you must be absolutely certain that the underlying processes are mature, or it could have a greater than intended impact the availability of systems and people. Mature processes are those that have been proven, measured, inspected and performed iteratively at volume that you can understand and account for any variance in the way it works.

In a mature process you also understand how actions will impact downstream systems. Otherwise, if you apply automation to a process that is not mature and an edge case occurs, your automation may cause your own denial of service, potentially impacting critical systems.

One of the best areas to begin applying automation is within an organization’s security operations center (SOC) to speed the process of pulling together threat intelligence and asset information from several different sources to aid in the investigative and triage process for threats. Because it involves information gathering rather than performing a response, this scenario introduces less risk while still providing significant gains in efficiency by quickly bringing data from various sources into one view for SOC analysts to interpret and make decisions.

A related area that can benefit from SOAR is incident management where applying SOAR tools to the process of gathering information, artifacts and audit logs related to incidents can not only speed responses but also help improve process maturity by ensuring consistent documentation and record collection is taking place during the incident management process.

I often encounter security professionals who have an idea of what they want to automate, and they jump straight into applying SOAR solutions around that idea – this can work, but often does not scratch the surface of the potential power of SOAR for the organization. Even when starting with a single use case, I recommend mapping out the idea into a process flow, then turning that process flow into a playbook for automation that can run in a supervised mode. That way, you have an iterative plan for how to mature that process before you run it in an autonomous mode (or iteratively less supervised modes).

Conclusion

Introducing SOAR to an organization’s security operations is rarely a simple undertaking, and the complexity should not be underestimated. If you don’t plan for adequate resources and expertise up-front to implement this technology, you won’t get the return on investment (ROI) you are expecting, and certainly not on the timeline expected.

The SOAR implementation must also be managed and maintained over time, as it will need to continually evolve as your environment changes. Organizations that don’t have the staff or the skill sets on their security team to adequately maintain the SOAR implementation may benefit from a consultative and managed services model that can keep it functioning properly over time.

Ultimately, automation should be viewed as an outcome amplifier for the security team – not as a replacement for the security team itself. With proper planning, you can identify the most mature processes that your team performs often and map out detailed playbooks for automating them. These will introduce the least risk and provide the most benefit by creating greater efficiencies, enhancing your security team’s skills and freeing up their time to perform higher-level functions.

Which security practices lead to best security outcomes?

A proactive technology refresh strategy and a well-integrated tech stack are, according to a recent Cisco report, two security practices that are more likely than many others to help organizations achieve goals such as keeping up with business, creating security culture, managing top risks, avoiding major incidents, and so on.

best security practices

A well integrated IT and security tech stack is a practice that is most conducive to retaining security talent, creating a security culture, and running cost-effectively, while a proactive tech refresh strategy will (most prominently) help achieve business goals, meet compliance regulations, avoid major incidents, and streamline IR processes.

Additional findings

Cisco’s report is based on a double-blind study that polled over 4,800 active IT, security, and privacy professionals from 25 countries around the world.

The analysis of the results revealed many expected and unexpected things:

  • Identifying top cyber risks and having someone in the company who “owns” the compliance function (i.e., has “compliance” in the job title) does not correlate with any of the wanted outcomes.
  • A well-integrated tech stack improves recruitment and retention of security talent.
  • A strong security culture embraced by all employees depends on good equipment, a clearly communicated and sound security strategy, and timely fixes when things break.

best security practices

  • Major incidents and losses can be avoided by proactively refreshing the technology used and by learning from prior incidents, through prompt disaster recovery, sufficient security tech, timely incident response and accurate threat detection.
  • The effective use of automation helps companies keep up with business, run cost-effectively, minimize unplanned work, retain security talent and streamline IR processes, but does not correlate with meeting compliance regulation or avoiding major incidents.
  • Organizations that successfully minimized the impact of COVID-19 on operations maintained a modern IT and security infrastructure, had adequate security staffing levels and invested in role-based training, and kept top executives informed.
  • Meeting and maintaining compliance is the goal that’s easiest to achieve, while minimizing unplanned work is the hardest.

The most important success factors

In general, proactive tech refresh, well-integrated tech timely incident response and prompt disaster recovery significantly contribute to nearly every security outcome. Other practices may correlate to one or two specific outcomes or to all, but to a lesser extent.

“Beyond adherence to specific practices, we also asked respondents about where their security programs place the greatest priority in terms of investment, resources, and effort. We used the high-level security functions defined in the NIST Cybersecurity Framework (CSF) for this,” the company noted.

“While the CSF’s Protect function isn’t at the bottom for every outcome, it ranks next to last for contributing to the overall success of the security program (Identify ranks #1). That’s certainly counterintuitive, but we don’t see this as suggesting protection isn’t important. Rather, it indicates that the best programs invest in a well-rounded set of defenses to identify, protect, detect, respond, and recover from cyber threats. The field has long been protection-heavy; this says that protection alone is not the most effective strategy.”

The company has also published individual reports that cover various regions and the healthcare and financial services sectors

Organizations plan to use AI and ML to tackle unknown attacks faster

Wipro published a report which provides fresh insights on how AI will be leveraged as part of defender stratagems as more organizations lock horns with sophisticated cyberattacks and become more resilient.

tackle unknown attacks

Organizations need to tackle unknown attacks

There has been an increase in R&D with 49% of the worldwide cybersecurity related patents filed in the last four years being focussed on AI and ML application. Nearly half the organizations are expanding cognitive detection capabilities to tackle unknown attacks in their Security Operations Center (SOC).

The report also illustrates a paradigm shift towards cyber resilience amid the rise in global remote work. It considers the impact of COVID-19 pandemic on cybersecurity landscape around the globe and provides a path for organizations to adapt with this new normal.

The report saw a global participation of 194 organizations and 21 partner academic, institutional and technology organizations over four months of research.

Global macro trends in cybersecurity

  • Nation state attacks target private sector: 86% of all nation-state attacks fall under espionage category, and 46% of them are targeted towards private companies.
  • Evolving threat patterns have emerged in the consumer and retail sectors: 47% of suspicious social media profiles and domains were detected active in 2019 in these sectors.

Cyber trends sparked by the global pandemic

  • Cyber hygiene proven difficult during remote work enablement: 70% of the organizations faced challenges in maintaining endpoint cyber hygiene and 57% in mitigating VPN and VDI risks.
  • Emerging post-COVID cybersecurity priorities: 87% of the surveyed organizations are keen on implementing zero trust architecture and 87% are planning to scale up secure cloud migration.

Micro trends: An inside-out enterprise view

  • Low confidence in cyber resilience: 59% of the organizations understand their cyber risks but only 23% of them are highly confident about preventing cyberattacks.
  • Strong cybersecurity spend due to board oversight & regulations: 14% of organizations have a security budget of more than 12% of their overall IT budgets.

Micro trends: Best cyber practices to emulate

  • Laying the foundation for a cognitive SOC: 49% of organizations are adding cognitive detection capabilities to their SOC to tackle unknown attacks.
  • Concerns about OT infrastructure attacks increasing: 65% of organizations are performing log monitoring of Operation Technology (OT) and IoT devices as a control to mitigate increased OT Risks.

Meso trends: An overview on collaboration

  • Fighting cyber-attacks demands stronger collaboration: 57% of organizations are willing to share only IoCs and 64% consider reputational risks to be a barrier to information sharing.
  • Cyber-attack simulation exercises serve as a strong wakeup call: 60% participate in cyber simulation exercises coordinated by industry regulators, CERTs and third-party service providers and 79% organizations have dedicated cyber insurance policy in place.

Future of cybersecurity

  • 5G security is the emerging area for patent filing: 7% of the worldwide patents filed in the cyber domain in the last four years have been related to 5G security.

Vertical insights by industry

  • Banking, financial services & insurance: 70% of financial services enterprises said that new regulations are fuelling increase in security budgets, with 54% attributing higher budgets to board intervention.
  • Communications: 71% of organizations consider cloud-hosting risk as a top risk.
  • Consumer: 86% of consumer businesses said email phishing is a top risk and 75% enterprises said a bad cyber event will lead to damaged band reputation in the marketplace.
  • Healthcare & life sciences: 83% of healthcare organizations have highlighted maintaining endpoint cyber hygiene as a challenge, 71% have highlighted that breaches reported by peers has led to increased security budget allocation.
  • Energy, natural resources and utilities: 71% organizations reported that OT/IT Integration would bring new risks.
  • Manufacturing: 58% said that they are not confident about preventing risks from supply chain providers.

Bhanumurthy B.M, President and Chief Operating Officer, Wipro said, “There is a significant shift in global trends like rapid innovation to mitigate evolving threats, strict data privacy regulations and rising concern about breaches.

“Security is ever changing and the report brings more focus, enablement, and accountability on executive management to stay updated. Our research not only focuses on what happened during the pandemic but also provides foresight toward future cyber strategies in a post-COVID world.”

Security teams stretched to breaking point trying to secure new remote working regimes

The cybersecurity skills shortage means that many organizations are in urgent need of talented and experienced security professionals. This has been intensified by the pandemic, with security teams stretched to breaking point trying to secure new remote working regimes against the influx of opportunistic cyberattacks. There is a human cost to this high-pressure environment and new research from SIRP shows that the additional burdens placed on security operations center (SOC) teams due to COVID-19 has … More

The post Security teams stretched to breaking point trying to secure new remote working regimes appeared first on Help Net Security.

Security teams increasingly stressed due to lack of proper tools, executive support

93% of security professionals lack the tools to detect known security threats, and 92% state they are still in need of the appropriate preventative solutions to close current security gaps, according to LogRhythm.

security teams stress

Based on a global survey of more than 300 security professionals and executives, LogRhythm sought to understand the root causes of the stress under which security teams operate, obtain feedback on the ways in which it could be alleviated, and identify the best paths to remediation. It found 75% of security professionals now experience more work stress than just two years ago.

“Now, more than ever, security teams are being expected to do more with less leading to increasing stress levels. With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern,” said James Carder, CSO and VP of LogRhythm Labs. “This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance.”

Lack of executive leadership contributes to stress in the security team

When asked what causes the most work-related stress, the two most selected answers were not having enough time (41%) and working with executives (18%). In fact, 57% of respondents indicated their security program lacks proper executive support — defined as providing strategic vision, buy-in and budget.

Furthermore, security professionals cited inadequate executive accountability for strategic security decisions as the top reason (42%) they want to leave their job. An alarming statistic, given 47% of companies are trying to fill three or more security positions.

Deployment of redundant security tools

Sixty-eight percent of respondents admitted their organization has deployed redundant security tools, and 56% confess this overlap is accidental — once again emphasizing the need for improved strategic oversight from executives. Despite duplicative tools, 58% of respondents said they still need increased funding for tools when asked what additional support their security programs require.

Consequently, the report highlights the growing value of IT consolidation. Security professionals rate the value of solution consolidation highly, citing top benefits as less maintenance (63%), faster issue detection (54%), identification (53%), and resolution (49%), as well as lower costs (46%) and improved security posture (45%). Yet, only one in three companies (32%) have a real-time security dashboard which provides a clear, consolidated view of all their security solutions.

security teams stress

Top five ways to reduce stress among security teams

When asked what would help alleviate their stress, the top five responses included:

  • 44%: Increased security budget
  • 42%: Experienced security team members
  • 42%: Better cooperation from other IT teams
  • 41%: Supportive executive team
  • 39%: Fully staffed security team

“All employees, from the CEO to the frontline IT worker, need to feel that they play a significant role in maintaining the security of the company for which they work,” concluded Carder.

Closing the skills gap can minimize the business impact of cyberattacks

CISOs who are successful at reducing or closing the critical skills gap have the highest probability of minimizing the business impact of cyberattacks – even when budgets and staffing are constrained, according to the results of a new SANS Institute survey.

closing skills gap

The pandemic brings uncertainty

The survey happened to kick off within days of the World Health Organization declaring COVID-19 a pandemic. As such, the results reflect a high degree of uncertainty around future hiring plans as well as an increase in plans to use outsourced services until staffing plans stabilize.

Even with the future uncertainty brought on by the pandemic, the survey covered staff changes in 2019, qualitative responses on what skills security managers see a need for, which needs they plan on staffing internally, and where they plan on using external service providers.

Closing the skills gap

Other than at very small businesses and in the government vertical, the survey found that turnover and attrition rates for cybersecurity staff is at or below industry averages. Even so, security managers indicated they tend to fall back on attrition as the reason for requesting staff increases, which reflects a lack of meaningful cybersecurity metrics being employed at many organizations.

Security operational skills were cited as most needed by survey respondents, and cloud security skills were more sought after than network or endpoint security skills.

While the most successful source for new cybersecurity employees was the company’s existing internal IT staff, hiring managers indicated they would most like to see new hires with hands-on experience using common cybersecurity products – open-source tools, in particular.

“This skills gap survey once again pointed out that despite all the headlines about a cybersecurity headcount shortage, it is really a skills gap – security people with hands-on experience with the top security tools and how to use them across hybrid cloud/on-premises systems are being hired for the skills, not just to add bodies,” says John Pescatore, SANS Director of Emerging Security Trends. “By investing in training and tools skills as well as the maintenance of those skills, the increased productivity and reduced security staff attrition provides a huge return on investment.”

Infosec is a mindset as well as a job, but burnout can happen to anyone

Time and again (and again), survey results tell us that many cybersecurity professionals are close to burnout and are considering quitting their jobs or even leaving the cybersecurity industry entirely.

OPIS

The reasons for this dire situation vary depending on their role and position within the organization. For example, a recent Ponemon report has revealed that security operations center (SOC) team members are stressed by many things: from increasing workloads, lack of visibility in to the network and IT infrastructure and being on call 24/7/365, to information and alert overload, inability to recruit and retain expert personnel, and lack of resources.

When asked what steps can be taken to alleviate their SOC team’s pain, the pollees’ responses were also wide-ranging (multiple responses were permitted):

OPIS

In a lively discussion that followed the publication of the report, Joshua Marpet, Chief Operating Officer of Red Lion and long-time tech and security professional, noted that there’s also other things that are getting SOC members down.

“SOC has little career path, very little respect inside or outside the industry, massive responsibilities, not the best pay, and almost no authority to do anything about what they find,” he pointed out.

The problem(s) with the SOC analyst role

“In olden days, being a SOC analyst was a respected gig. Entry-level SOC analyst was how you broke into the industry, learned about alarms, alerts, and notifications, and earned your chops in incident response, root cause analysis, report writing/documentation, and potentially, if you were awesome, in presenting it to the boss(es). Then you were either put on the incident response team, or moved over to digital forensics, or you could maybe switch a bit to DevOps/SecDevOps if that caught your interest. Even pentesting, if you got really good at blue teaming, which is a pretty good pathway into breaking and red teaming,” Marpet explained what he meant to Help Net Security.

“Now, in many companies, SOC analyst is a dead-end job. With the extreme specialization and commoditization of SOC analyst jobs, anything interesting is taken away almost immediately: ‘Oh! This looks bad, send it to Incident Response!’ or ‘I’m not sure what this is, send it to Security!’ SOC analysts became security dispatchers a while ago.”

K.C. Yerrid, an IT security professional who’s no stranger to burnout, also says that it’s difficult to grow from a SOC analyst role in an organization.

“There are six documented causes of burnout: workload, perceived lack of control, insufficient reward, strength of community, fairness, and a values mismatch. Any or all of these can exist and do exist at the SOC Analysts level,” he noted.

“Alert fatigue (workload) is a real phenomenon, and the rate at which alerts can come in could lead to a perceived lack of control in the outcome of one’s responses. We all know that SOC analyst jobs lack sufficient reward, and company culture dictates the strength of community. Finally, as mentioned, it’s an uphill climb to be promoted out of a SOC analyst role. The value mismatch can come from the manager or organizational level.”

A SOC is still a great place to learn all of the above things, but it is generally not a career path starter, Marpet notes.

“If it’s a job you can get, take it – for a year,” he counseled. “Unless you find a great place. I’ve heard that Dave Kennedy’s Binary Defense is a fantastic place. Lots of good places still exist. You just have to find them.”

To SOC analysts who are overworked and close to burning out, he advises thinking hard about the next step.

“If you’re understaffed and overworked due to COVID-19, and it should let up in a month or two, that’s ok. But if your manager is not taking care of you, informing you of what’s happening, if your company has shown no sign of fixing the issue, or set timelines to fix it, why are you there? Go network and find another job. If you have problems doing that, go to CyberSecJobs.com, and check out their listings. If you’re scared of change, hit me up – I do career guidance all the time.”

For those who decide to stay where they are, there’s always the option to try and minimize or remove the stressors that can lead to burnout.

Advice for entering and staying in infosec

To those just entering the information security industry, Marpet advises figuring out who’s the go-to person(s) for the field they want to specialize in – say, digital forensics or pentesting – then finding out when and where they’re speaking.

“Go there, say hello. Don’t gush, don’t beg, don’t cry – just say ‘Hi! Nice to meet you!’ About the fourth time you do this, you’ll see them answering a question you have an opinion on. Mention it. If it’s a good point, you’ll make them think.Then they recognize you from the times you said hi. They know you have a brain. And they know they want to know you.”

Those who still don’t know what they want to concentrate on should go to a conference (when and where possible), meet people, find a village with interesting stuff going on, ask questions, watch and learn.

“Networking is your friend. Meet people. Set up your LinkedIn. People will change their email address, but not their LinkedIn, or MeWe, or whatever is your social network of choice. Say hello and interact with them.”

For staying and thriving in the infosec industry, his best recommendation is to always keep learning: set up a home lab, a development environment, or anything else that will keep you learning everyday.

“Do you know how awesome it is as an interviewer to hear the interviewee get excited about their home lab or new open source tool they just put a commit into or a firewall vuln they figured out? That gets you hired anywhere and everywhere,” he stressed.

Looming infosec industry challenges

Coincidentally, continuous knowledge acquisition is also a way to counteract one of the key challenges the information security industry will have to deal with over the next fixe years: the rising tide of ineptitude.

Colleges are churning out qualified graduates, he says, but many of them are actually not. Infosec has become an overhyped profession, a “sexy” option for those who want to be “cool”. But infosec is a mindset as well as a job, he points out. Most importantly, at the end of the day, you have to be able to do the job.

Other imminent infosec industry challenges? Data security and artificial intelligence that isn’t intelligent.

“Becoming a data-centric business is vital, but most companies have no idea where their data is, what data they own matters, who has rights to that data, and frankly, what security is wrapped around that data,” he noted.

AI/ML is awesome, fun, and amazing, but if you ask the wrong questions, or don’t ask questions that are broad enough, or targeted enough, you get garbage output. AI does not think for itself (yet), so it can’t tell you how bad an idea your question is – so you have to be careful.”

Security alerts more than doubled in the last 5 years, SecOps teams admit they can’t get to them all

Sumo Logic announced the findings of a global survey that highlight the barriers security professionals are facing on the path to modernizing the security operations center (SOC).

volume of security alerts

High volume of security alerts

The struggle to effectively manage high volumes of security alerts and the complexities associated with traditional SIEMs are driving the demand for a new approach to effectively address challenges in the SOC through cloud-native SIEMs combined with security automation capabilities.

“Today’s security operations teams are faced with constant threats of security breaches that can lead to severe fallout including losing customers, diminished brand reputation and reduced revenue. To effectively minimize risk and bridge the gap, many companies rely on automated solutions that provide real-time analysis of security alerts,” said Diane Hagglund, principal for Dimensional Research.

“These findings highlight the challenges SOC teams are facing in a cloud-centric world, but more importantly why enterprises are aggressively looking to cloud-native alternatives for security analytics and operations.”

The study reveals that managing the sheer volume of these alerts poses a significant problem for IT security professionals. Although automated security alert processing can help to mitigate this issue, it is still a work in progress for most security teams.

Security alert volumes create problems for security operations

  • 70% have more than doubled the volume of security alerts in the past five years
  • 99% report high volumes of alerts cause problems for IT security teams
  • 83% say their security staff experiences “alert fatigue”

Automation helps, but it is still a work in progress

  • 65% of teams with high levels of automation resolve most security alerts the same day compared to only 34% of those with low levels of automation
  • 92% agree automation is the best solution for dealing with large volumes of alerts
  • 75% report they would need three or more additional security analysts to address all alerts the same day

Better technology is needed to manage security alert volumes

  • 88% face challenges with their current SIEM
  • 84% see many advantages in a cloud-native SIEM for cloud or hybrid environments
  • 99% would benefit from additional SIEM automation capabilities

volume of security alerts

“Enterprises are arguably dealing with more data today than ever before, and the pain security operations teams are feeling is significant. There’s never been a more important time to ensure IT security operations are up to par,” said Greg Martin, general manager for the security business unit at Sumo Logic.

“Companies need to adopt solutions that let them quickly identify, prioritize and respond to only the most critical warning signals, so that they’re not left drowning in alert overload with no direction.”

Companies still struggle with SOC staff shortages, security skills gap

Exabeam’s 2020 State of the SOC Report reveals that 82% of SOCs are confident in the ability to detect cyberthreats, despite just 22% of frontline workers tracking mean time to detection (MTTD), which helps determine hacker dwell time.

SOC staff shortages

Compounding this unfounded confidence, 39% of organizations still struggle with SOC staff shortages and finding qualified people to fill the cybersecurity skills gap.

The survey, conducted among 295 respondents across the U.S., the U.K., Canada, Germany and Australia, was also fielded to determine how analysts and SOC management view key aspects of their operations, hiring and staffing, retention, technologies, training and funding.

“From 2018-2019, we learned that dwell time – or, the time between when a compromise first occurs and when it is first detected – has grown. Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyberthreats,” said Steve Moore, chief security strategist at Exabeam. “We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not.”

Highlighting the imbalance is that SOC leaders and frontline analysts do not agree on the most common threats facing the organization. SOC leaders believe that phishing and supply chain vulnerabilities are more important issues, while analysts see DDoS attacks and ransomware as greater threats.

Technology trends

Small- and medium-sized teams especially are more concerned with downtime or business outage (50%) over threat hunting as an operational metric, yet threat hunting stands out as a must-have hard skill (61%). Other prominent findings include:

  • SOC outsourcing in the U.S. has declined YoY (36% to 28%).
  • U.K. outsourcing had a YoY increase (36% to 47%).
  • Germany reported 47% outsourcing, primarily of threat intelligence services.
  • Australian SOCs struggle in most categories and need improvement in technology updates, monitoring events and responding to/analyzing incidents.

In general, monitoring and analytics, access management and logging are higher priorities this year for all SOC roles.

  • More than half of SOCs were found to log at least 40% of events in a SIEM.
  • The U.K. utilizes logging the most, compared with geographic counterparts.
  • SOCs are least able (35%) to create content, the skill around the creation of detection logic, validation, tuning and reporting.

To support this, most SOCs expect to see security orchestration, automation and response (SOAR) tools take precedence over other technologies in upcoming years.

SOC staff shortages

SOC staff shortages

The U.S. and the U.K. SOCs have shown YoY improvements in recruiting costs and identifying candidates with the right expertise. Workplace benefits, high wages and a positive culture were this year’s top drivers for retention in nearly 60% of SOCs. Notably, there remain challenges:

  • 23% of SOC personnel across the U.S. and 35% across Canada report being understaffed by more than 10 employees.
  • 64% of frontline employees in the SOC reported a lack of career path as a reason for leaving jobs.
  • Less effective SOCs reported feeling they lacked the necessary investment in technology, training and staffing to do their jobs well.

When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More

The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.

Creating an emergency ready cybersecurity program

A large part of the world’s workforce has transitioned to working remotely, but as plans are being drawn up to reopen economies, the security industry is being challenged to develop stronger screening practices, emergency operations planning, and to deploy tools to detect and minimize the impact that future pandemics, natural disasters and cyberattacks can have on a company.

emergency ready cybersecurity program

Things like global security operation centers (SOCs), managed security services, thermal imaging and temperature screening for on-site visitors and employees and enhanced employee tracking capabilities are new areas of increased focus.

As security professionals are forced to reassess how the systems they monitor are working in this new environment, companies and organizations must still deal with day-to-day operations that are now more likely to occur on unsecured wireless networks. From data loss prevention and email spam protection to denial of service and data breach or leakage, there’s a large number of challenges to address as more and more workers work from home. So, what should businesses focus on to ensure security and safety?

The greatest vulnerabilities

One major cybersecurity shortcoming of companies is just how much of their network is accessible, both within an office and externally. As technology has advanced, the need for a secure network infrastructure is of the utmost importance to protect all company assets. That need is even more acute now, with many workers currently working from home on personal devices and unsecure wireless networks.

With the likely shift towards a more remote workforce in the coming years, across industries, wireless networks will need to be designed and revamped with security in mind.

Beyond the COVID-19 impact, IT teams still face non-standard deployments of technology in regard to security devices, as well as “bring your own device” options that are currently being used in every aspect of the IT world. IT groups also currently deal with a great deal of infrastructure that is aging without a replacement and/or a life-cycle management plan.

Additionally, “flat networks”, which were originally designed just to make sure everything could communicate, are still common. These networks were designed with very little regard for the security of edge devices and all other endpoints. Many enterprise customers are now retrofitting these networks to meet current cybersecurity requirements and recommendations. It is clear that security issues extend beyond our current, unforeseen circumstances and must still be dealt with promptly.

A strong incident response program

The success of security policies and systems depends on their proper implementation and a continuous improvement process to sustain the security program on a day-to-day basis. The program must meet business needs and appropriately mitigate security risks. By implementing an effective incident response program, a company will be able to use information generated from things like access control and video systems and ensure that a company’s security events are “real” and not falsely positives due to technological problems. Any strong IR program should be quick and accurate and with workers spread out around the globe.

Technology plays a growing role in almost all security programs but cannot be the ultimate factor when it comes to deciding which incidents require a response. As information becomes more integrated and easier to reach, successful IR programs ensure that the information delivered is accurate, relevant and actionable to security personnel. Technology may be providing the information avalanche, but it can also be used to effectively cull through the information and make sure the human operators only see what they are supposed to see.

The automation of security

How much of the world’s security can really be automated? Many simple tasks with access control and video systems are becoming more and more automated by the day. For example, video analytics are becoming more common on even the most basic security cameras and are less dependent on high-end servers than in the past.

Today, identification of people and vehicles can be accomplished through automation, rather than through human interaction. With remote workers, this is crucial. Many companies are now facing unexpected financial pressures and security budgets are being tightened. As such, automated processes for sending alerts and warnings have also taken on a larger role.

It is now expected, at the enterprise level, that every system should be able to auto-generate reports. Future deployment of all security-related technologies will further shrink the possibility of human error and the risk associated with those events, while providing a greater view for all stakeholders.

It goes without saying that we are in uncharted territory. As security experts work to shift security systems to accommodate the new reality we are living in, companies must find new ways to ensure the safety of their employees and their work – not just from COVID-19, but from additional challenges that come along with it.

As businesses across the world start to reopen, executives should be thinking about their cybersecurity protocols, and the best ways to utilize technology to their advantage. The most successful businesses will have strong, uniform IT standards and will be able to conduct their security work from any location, with a quick response.

Maintaining the SOC in the age of limited resources

With COVID-19, a variety of new cyber risks have made their way into organizations as a result of remote working and increasingly sophisticated, opportunistic threats. As such, efficiency in the security operations center (SOC) is more critical than ever, as organizations have to deal with limited SOC resources.

limited SOC resources

Limited SOC resources

The SOC is a centralized team of analysts, engineers, and incident managers who are responsible for detecting, analyzing, and responding to incidents and keeping security operations tight and resilient – even when security strategy fails. During the first 100 days of COVID-19, there was a 33.5 percent rise in malicious activity, putting increased pressure on these teams. Rapidly changing attack methods make keeping up an immense challenge.

With all of this in mind, it’s easy for the SOC to become overwhelmed and overworked. To avoid this and protect the business, it’s important to keep morale high, production efficient and automation reliance balanced on need. Read on to explore the do’s and don’ts of maintaining SOC operations throughout the pandemic.

Do: Prevent burnout before it’s too late

The SOC requires a high level of technical expertise and, because of that, the number of suitable and competent analysts holding positions in the field are scarce.

Beyond the skills shortage, the job of a SOC is made even more difficult and overwhelming by the lack of employee awareness and cybersecurity training. Untrained employees – those who don’t know how to appropriately identify a live threat – can lead to a high noise-to-signal ratio by reporting things that may not be malicious or have high click-through rates. This means organizations are not putting enough emphasis on building what could be the strongest defense for their business – the human firewall. Ninety-five percent of cyberattacks begin with human error, causing more issues than the SOC can handle.

For those that are implementing training, it’s likely they’re not seeing their desired results, meaning an uptick in employee mistakes. For one, cyber hygiene across organizations saw large deterioration by late March, with blocked URL clicks increasing by almost 56 percent. The organizations experiencing this downgrade in employee cyber resiliency should take the time to re-think their methods and find alternatives that keep their staff engaged rather than implementing irregular, intensive training with boring content just to check a box.

Coupling this with rapidly changing threat activity, the SOC is under immense pressure, which could lead to a vicious cycle where analysts leave their roles, creating open vacancies that are difficult to fill.

Don’t: Jump headfirst into automation

With limited SOC resources, one may think automated alerts and post-breach threat intelligence are the answer to ensuring proper attention is kept on an enterprise’s security.

On one hand, automation can help alleviate time spent on administrative action. For example, it can help detect threats more quickly, giving teams more time to focus on threat analysis.

However, post breach threat intelligence and automated alerts can also lead to fatigue and a lot of time spent investigating, which could be at a higher cost than the administration burden. Not to mention, machine learning can also learn bad behaviors and, in itself, be a vulnerability –threat actors can learn machine patterns to target systems at just the right time.

The SOC should therefore adopt automation and intelligence only where it makes the most sense, layering in preventive measures to reduce that fatigue. Organizations should be critical of the technologies they take on, because ultimately, a quick response can create an added burden. Instead, they should focus on improving the metrics that have a positive impact on the SOC and employees, such as a reduction in reported cases and dwell time, as well as the ratio of good-to-bad things reported. With the right training, technology, and policies, the SOC – and the business – can get the most out of its investment.

Do: Improve virtual collaboration practices

A recent (ISC)2 survey found that 90 percent of cybersecurity executives are working remotely. Like every other employee in a digitally-connected company, an organization’s SOC is also likely not in the office right now. This is a challenge, as some have become accustomed to putting their SOC, other IT teams, and the technology that they use in close proximity to one another to create a stronger, more resilient approach. This extends the SOC’s operational knowledge and creates a faster response in time of crisis.

Given the current pandemic, most teams are unable to have this physical proximity, stretching the bounds of how they operate, which could put a strain on larger business operations. This can inhibit communication and ticketing, which is seamless when seated together. For instance, folks may be working on different schedules while remote, making it hard to communicate in real-time. Remote scenarios can also deepen data silos amongst teams who aren’t in communication. These challenges increase the amount of time it takes the SOC to find and address a potential threat, widening the attack surface.

As such, organizations should be mindful and strategic about their new cross-functional operation and create new ways for teams to collaborate in this new virtual frontier. For instance, businesses should:

  • Ensure access to their enterprise: Start thinking about disaster recovery and business continuity as the tools needed to ensure security or even access to the “castle” that was once considered their enterprise.
  • Consider their tools: Adjust communication styles and interactions by adopting tools, like Microsoft Teams, Slack, or Skype, to help everyone stay in constant communication or keep the channel open during traditional working hours.
  • Focus on training: Develop training and documentation that can be used by operations teams in a consistent fashion. This could include a wiki and other tools that help with consistent analysis and response.
  • Keep operations running globally: Establish formal standups and handovers for global teams.
  • Maintain visibility through technology: Adopt SaaS technologies that enable the workforce and offer visibility to do their jobs.
  • Change the hiring approach: When hiring, realize that this is a “new” world where proximity is no longer a challenge. With the right tools and processes, business can take the chains off when hiring smart people.
  • Recognize and reward success: Morale is the most important thing when it comes to SOC success. Take breaks where needed, reward those that are helping the business succeed and drive success based on goals and metrics.

The cyber threats posed by COVID-19 and impacting the SOC are rapidly evolving. Despite current circumstances, malicious actors are not letting up and organizations continue to be challenged. Due to the limited number of SOC analysts equipped with the skills to keep organizations protected, the risk of burnout risks is high and the industry does not have the staff to fill vacant roles. With all of this in mind, SOC analysts must be supported in their roles as they work to keep businesses safe, by adopting the right technologies, processes and collaboration techniques.

The missing link in your SOC: Secure the mainframe

How confident are you that your security visibility covers every critical corner of your infrastructure? A good SIEM solution will pull data across firewalls, servers, routers, and endpoint devices. But what if there is even one gap—one piece of equipment that can’t be monitored but contains business critical data? That sounds like a glaring hole in the vision of your SOC, doesn’t it? Especially if it can be exploited by hackers, malicious insiders, or simply by accident.

secure the mainframe

I know, I know. I’m preaching to the choir here. You already know your SOC needs to have immediate access to all of your key infrastructure to ensure a fast and effective response to any incident. But I’ll bet that I’m right in saying there is a gap in many of your enterprises that comes down to a single question—is your mainframe protected by the same level of best practices and automation as your servers? I’d wager the answer is either no, or that you simply don’t know.

Consider the mainframe

Let’s discuss the mainframe for a minute. You know, that computer that accounts for 68 percent of IT production workloads and is the backbone of your entire enterprise?

For ages, the mainframe was like macOS – considered natively secure and not at risk of attack or compromise. Because of that, it was ignored by most security engineers who either subscribed to this belief or simply didn’t understand it and couldn’t challenge that notion.

The reality is that the mainframe is securable, but it is definitely not guaranteed to be secure. An attacker inside your network can access it from the same Windows or Linux platform as your administrators, gain elevated privileges, and gather sensitive data. Once they gain initial access, there are several common methods they can use to initiate privilege escalation. Using those elevated privileges, they are able to run a number of harmful scripts to take control over it and hide their tracks.

Training

It’s time to start treating the mainframe as just another computer on your network. This means that it’s time to synchronize the mainframe’s information and event logging into your SIEM in real-time. And if you are one of the few who already have real-time mainframe visibility, you may still lack the knowledge and expertise to successfully leverage and respond to it. For example, if acronyms like RACF and ACF2 are foreign to your security team, how will they distinguish between a false positive and a devastating incident? The data must be both visible and actionable.

So, what is the answer? Most security analysts need more training to put the security knowledge they already possess into practice to better understand and secure the mainframe. But it won’t take long for the mainframe and its alerts to become part of their battle rhythm. To jumpstart this process, successful companies have generally taken a few key actions:

  • Hired individuals with a mainframe background and interest in security
  • Leveraged training programs to learn penetration testing and secure the mainframe
  • Consulted with a mainframe-managed services provider

Hiring the right person

Simply hiring the right person may seem obvious but hiring talent with either mainframe or cybersecurity skills is getting harder as job openings far outpace the number of knowledgeable and available people. And even if your company is able to compete with top dollar salaries, finding the unique individual with both of these skills may still prove to be infeasible. This is where successful organizations are investing in their current resources to defend their critical systems.

This often takes the form of on-the-job training through in-house education from senior technicians or technical courses from industry experts. A good example of this is taking a security analyst with a strong foundation in cybersecurity and teaching the fundamentals of the mainframe.

The same security principles will apply, and a talented analyst will quickly be able to understand the nuances of the new operating system which in turn will provide your SOC with the necessary skills to defend the entire enterprise, not just the Windows and Linux systems that are most prevalent. Training and investing in your staff will pay off dividends not only in the caliber of your security operations but in the loyalty of the employees who execute it.

If your current staff is unable to broaden their skills expertise due to a shortage of time and bandwidth, you may want to consider a mainframe-managed security service. Offloading the security and responsibility to experts who specialize in defending the mainframe will ensure that you are adequately protected from losing your critical mainframe server. Security is the application of business risk reduction and this will often be the fastest way to meet that goal. Fortunately, this can be done on a temporary, on-demand basis while you ramp up your own staff to integrate the security function back into your SOC.

As part of a wider autonomous digital enterprise framework, securing the mainframe isn’t exclusively a security or operations need, it’s a business need for adaptive security. A successful and adaptive cybersecurity program necessitates having well-trained domain experts that can establish the proactive security functions to automatically sense, detect, and respond to security incidents. When you consider how essential the mainframe is to the critical functions of the organization, you simply can’t afford to make security assumptions about it.

Five contingency best practices for SOCs to handle uncertainty

With a crush of new teleworkers and a significant increase in endpoints coming online, we’ve entered into a new reality. COVID-19 has disrupted our lives and the business world – possibly for longer than we’d planned. Once the pandemic ends, companies may take six months to get up and running normally, according to a CNBC Global CFO Council survey.

best practices SOCs

The “new reality” extends to security operations centers (SOCs). SOCs are familiar with natural disasters and other inclement weather that includes floods, tornadoes and even ice storms, and it’s critical to keep a SOC operational in the event that there is reduced local staff or access to physical infrastructure.

SOCs operate as busy, open-office environments with team members working closely together to monitor and mitigate threats. Even with so many employees working remotely, you want to find a way to continue to facilitate those impromptu exchanges, during which newly discovered problems are discussed and often resolved.

The loss of available personnel (due to illness or communications outages) and solutions/resources (due to disruptions) is something you want to plan for if you haven’t already. If you’re a CISO or other manager who oversees SOCs, you need to adjust to these times and others you’ll face in the future with a risk-based assessment of your people and resources.

You need to determine what would change should some percentage of them become unavailable, how this would impact operations/business obligations, and how to respond to reduce negative outcomes. In pursuing such an assessment and other proactive contingency planning, here are five best practices to consider.

Implement a follow-the-sun strategy

Establishing SOC operations and personnel in dispersed geographic regions reduces the pressures that would come with operating with a skeleton staff and lessens the chance of major impact. When one location experiences pressure due to disaster, weather or another circumstance, the other locations can step up to ensure SOC functions are not interrupted.

Prioritize your resources

It’s important to identify the top resources for the SOC: the VPN, ticketing systems, cloud infrastructure assets, etc. Then, you want to determine which capabilities you would lose if those assets went down, and how this would impact service-level agreements (SLAs) and additional business-critical functions.

Your risk-reduction strategy should ensure that “minimum acceptable” business disruption is the worst-case possibility, no matter which technologies are affected and how severely they are damaged. From there, you build up scenarios to depict what business operations will look like in going from “minimum acceptable” with a significant number of resources down, to increasingly productive cases in which you have more resources up and running.

Then, you should think about your connectivity back-up plan. What would happen if your chat functionality went down? What if your phone system was no longer available? How does your SOC team react in these situations to enable business to continue?

A sound game plan begins with multiple fallback options for every form of communications that your team relies upon. If you’re only using a single VoIP solution for phone and video conferencing, for example, then make sure your employees can quickly switch to a secondary messaging solution if phone/video conferencing services go down.

Having multiple licenses for multiple communications forms increases the likelihood that “impact” doesn’t shut everything down. Take a look at the breadth of tools available to you today, more often than not you will find additional solutions to support you in your BCP.

Don’t neglect the “people” part of the picture

It’s not all about tech – employees are a crucial resource as well. As indicated, you will face the realities of sicknesses, a distributed workforce and potential internet/communications outages during a pandemic or other natural disaster or inclement weather.

As part of your risk assessment, ask yourself: “What is the least amount of staffing I need to still deliver meaningful support for business units, and reduced incident response time?”

Again, while you may still see decreases in business functionality and response capabilities, you can determine what the minimum acceptable levels of these are. You can then map out what your team performance and priorities will look like with varying count of absent staff, and estimate whether you’ll meet (and ideally exceed) the minimum acceptable levels in either scenario.

Keep a watchful eye

Once you have mapped your tech resources and people, you should invest in monitoring tools which will track your staffers and solutions while knowing where all of your single points of failure are, and how these failures could affect business-critical functions.

Organizations should re-evaluate their managed detection and response (MDR) capabilities and assess new providers if there are obvious gaps that need to be addressed quickly. Again, as part of a risk-based assessment, you are monitoring to get a better sense of what you are obligated to do; track the personnel and tools you require to do it; and effectively respond if you no longer have certain employees and/or tools in place (either temporarily or for an extended period).

Take it to the cloud

The more you invest in cloud-based tools for your SOC, the better prepared you’ll be for COVID-19 and any other health or disaster-related event which threatens to disrupt your operations. That’s because the cloud is obviously not confined to a specific, physical location.

Fortunately, organizations are universally looking to make these investments, as 97 percent plan to either move “some or all” of their existing SOC analytics infrastructure to the cloud, replace on-premises security analytics solutions with native cloud-based alternatives, or supplement on-premise analytics tech with additional cloud-based capabilities, according to research from the Enterprise Strategy Group.

We have never been through anything like COVID-19 and, hopefully, we never will again. But there will always be hurricanes, tornadoes, ice storms, earthquakes and wildfires. Cyber attackers won’t “stand down” during these times. In fact, they’ll likely seek to exploit the opportunity.

That’s why CISOs and SOC managers must incorporate risk assessment and “what if?” planning into their entire business-supporting ecosystem – both people and “parts” – to keep everything running. With this, they’ll prepare themselves for anything that comes their way, regardless of the nature of the disaster.

Threat detection and the evolution of AI-powered security solutions

Ashvin Kamaraju is a true industry leader. As CTO and VP of Engineering, he drives the technology strategy for Thales Cloud Protection & Licensing, leading a researchers and technologists that develop the strategic vision for data protection products and services. In this interview, he discusses automation, artificial intelligence, machine learning and the challenges related to detecting evolving threats.

AI-powered security solutions

Given the complexities of modern security architectures, what are the most significant challenges related to tracking risk and detecting breaches? How important is automation for security operations?

Discovering an unknown cyber-threat is like trying to find a needle in a haystack. With this enlarged target surface area and a growing number of active hackers, automation and specifically machine learning can be important in aiding this issue through its ability to provide CISOs with the insights they need.

Consequently, it enables an opportunity for CISOs to more effectively deploy their human analysts against potential cyber-attacks and data breaches. However, just because an organization has an automation/AI system in place, this doesn’t mean it’s secure. Countering cyber-threats is a constant game of cat and mouse and hackers always want to get the maximum reward from the minimum effort, tweaking known attack methods as soon as these are detected by the AI. CTOs therefore need to make sure that the AI system is routinely exercised and fed new data and that the algorithms are trained to understand the new data.

Based on your experience, what difficulties do large enterprises encounter when it comes to using artificial intelligence to boost their information security programs?

The first thing to note is AI should not be confused with machine learning. What most people associate with AI is actually machine learning algorithms with no human level intelligence. AI is based on heuristics whereas machine learning requires a lot of data and algorithms that must be trained to learn the data and provide insights that will help to make decisions.

While the insights provided by AI/machine learning algorithms are very valuable, they are dependent on the data used. If the data has anomalies or is not representative of the entire scope of the problem domains, there will be bias in the insights. These must then be reviewed by an expert team in place to add technical and contextual awareness to the data. AI is here to stay, as data sets become more and more complex, but it will only be effective when added with human intelligence.

Does every organization need AI and machine learning for security purposes? Are we at a point where the benefits are worth the investment at every level?

AI is beneficial to organizations if it can be used effectively, in addition to human intelligence, not in lieu of. Due to the rapid rise of the amount of data out there, and with the growing number of threat businesses now face, AI and machine learning will play an increasingly important role for those that embrace it.

However, it requires constant investment, not necessarily from a cost perspective, but from a time aspect, as it needs to be kept up-to-date with fresh data to adapt to the changing threat landscape. Organizations need to decide if they have the capabilities to use AI in the right way, or it can soon become an expensive mistake.

How has automation changed over the years, and how do you see AI-powered security solutions evolve in the near future?

Cyber-attacks are getting harder to detect with the evolution of technology to more closely align with how business operates creating new issues. The adoption of mobile phones, tablets, and IoT devices as part of digital transformation strategies is increasing the threat landscape by opening companies up to connect with more people outside their organization.

As the attack surface area expands, and thousands more hackers get in on the action, IT experts are being forced to deal with protecting near-infinite amounts of data and multiple entry points where hackers can get in. Where hacking once took dedication and expertise, with zero-day attacks targeting mostly unknown vulnerabilities, anyone can launch a DDoS attack with hacking toolkits and thousands of tutorials freely available online.

So, to defend themselves going into the future, AI can play a key part. With a new, evolved role in cybersecurity, experts and researchers can leverage AI to identify and counteract sophisticated cyber-attacks with minimal human intervention in the first instance. However, AI will always need that human intelligence to provide the context of the data that it is evaluating and has flagged as potentially malicious.

What advice would you give to a newly appointed CISO that was tasked with improving overall threat detection for a large enterprise?

Any new CISO walking into a large enterprise could be forgiven for potentially feeling daunted at the responsibility for protecting that company’s assets. Several questions would spring to mind, from where to start to what to protect. Here are six simple steps to get them started:

1. Know the “where” and the “what” of your data – Prior to implementing any long-term security strategy, CISOs must first conduct a data sweep. Auditing all data within the perimeter helps identify not only what it has collected, but where they’re holding their most sensitive data. It’s impossible to protect data if they don’t know where it is.

2. Securing sensitive data is the key – Technology such as encryption will provide a key layer of defense for the data, rendering it useless even if its hackers access it. Whether it’s stored in their own servers, in a public cloud, or a hybrid environment – security-minded tools like encryption must be implemented.

3. Protect the data encryption keys – Encrypting data creates an encryption key – a unique tool used to unlock the data, making it only accessible to those who have access to the key. Safe storage of these keys is crucial and needs to be done offsite to ensure they aren’t located in the same place as the data, putting both at risk.

4. Forget single-factor authentication – The next step is to employ strong multi-factor authentication, ensuring authorized parties can access only the data they need. Two-factor authentication requires an extra layer of information to verify the user’s password, such as entering a specific code they receive through their smartphone. Since passwords can be hacked easily, two-factor authentication is necessary for a successful security strategy. Multi-factor authentication takes this a step further by requiring additional context such as a device ID, location or IP address.

5. Up-to-date software – Vendors are constantly patching their software and hardware to prevent cyber criminals from exploiting bugs and other vulnerabilities that emerge. For many companies, they have relied on software that isn’t regularly patched or simply hasn’t updated new patches soon enough. Companies must install the most recent patches or risk becoming a victim of hackers.

6. Evaluate and go again – After implementing the above, the process must be repeated for all new data that comes into the system. GDPR-led compliance is a continual process and applies to future data as much as it does to what is just entering the system and what is already there. Making a database unattractive to hackers is central to a good cybersecurity strategy. Done correctly, these processes will make data relevant only to those allowed to access it.

vFeed: Leveraging actionable vulnerability intelligence as a service indicators

vFeed is a truly exciting company and we had to include them in our list of the 10 hot industry newcomers to watch at RSA Conference 2020. In this podcast, Rachid Harrando, Advisory Board Member at vFeed, talks about how their correlation algorithm analyzes a large plethora of scattered advisories and third-party sources, and then standardizes the content with respect to security industry open standards.

vFeed

Here’s a transcript of the podcast for your convenience.

Hello, my name is Rachid Harrando. I’m in the Office of the CISO at ServiceNow and partner and advisor for vFeed.io that I will introduce today.

What is vFeed? We would like to tagline vFeed with vulnerability intelligence as a service. That’s our tagline. Of course, we have to explain what it is, right? What we found out is there are more and more systems that have more and more vulnerabilities. And it’s difficult for any security team to maintain a good repository of all the different indicators and information related to those vulnerabilities.

The founders of vFeed have spent many years doing that tracking to do their security job. That’s where the idea comes from, to maintain an accurate and complete database that you can quickly refer to when you do your security investigation, to find security issues and remediate and prioritize. What happened after so many years is, this database became automated, and now provided to customers such as large SOC teams who have many areas going on. But they need information data to be able to pinpoint a rapid remediation or prioritization to know what to look for.

And vFeed is helping large SOC teams doing exactly that, because large SOC teams need to focus on their infrastructure. We don’t want to spend our time go looking for all the sources that would help them to fix it. They can rely on vFeed to maintain the most comprehensive and accurate database, to help large or even small SOC teams focus on the issues we have at hand, which is already a big task.

They don’t need to go and maintain these databases. We do it for them, we are part of their team, they can trust us. And we only do that, we only maintain the database. We are a pure player in that space, we don’t want to do anything else. We were doing other things in the past, but to be the best at what we do, we need to stay focused. So, a small team at vFeed is doing that and only that.

vFeed

Like I said before – who can use it are the SOC team, or security team, who already are doing the job of looking for threats, looking for incidents. And of course, once they’ve found the incident, they need to have information to help them remediate as soon as possible, and make sure they are working on the most important issues. That’s what vFeed is helping them to do, by providing them the best data that exists.

When you don’t have a SOC team and you don’t have solutions, it’s going to be difficult to ingest vFeed data. You need to have that, since we provide only this database, which is, we are hiding the complexity of going and fetching these data sources and putting them in aggregate form, with all the correlation that you need to do to make it a nice format for you to consume.

You can find more information on our website – vfeed.io. You will find different use cases, the names of our customers as well, some of them have agreed to put the names on, and you can understand what type of data we are. We also give a free trial, people can of course try before they buy, it’s clear.

Every day there are new vulnerabilities, and every day we have a new update, new information, and that’s what we provide.

Security operations and the evolving landscape of threat intelligence

In this podcast recorded at RSA Conference 2020, we’re joined by the ThreatQuotient team talking about a threat-centric approach to security operations, the evolution of threat intelligence and the issues surrounding it.

threat intelligence perspective

Our guests are: Chris Jacob, VP of Threat Intelligence Engineering, Michel Huffaker, Director of Threat Intelligence at ThreatQuotient, and Ryan Trost, CTO at ThreatQuotient.

Here’s a transcript of the podcast for your convenience.

We are here today with the ThreatQuotient team to talk about all things security operations, the human element of cybersecurity, and the evolving landscape of threat intelligence. I am joined by Ryan Trost, Chris Jacob and Michel Huffaker. Will you all please introduce yourselves?

Ryan Trost, co-founder and CTO at ThreatQuotient. Ultimately kind of a SOC dweller for most of my career – from system administration, up to security analyst, up to incident response and then SOC manager. Most formally at General Dynamics.

Michel Huffaker, I’m the Director of Threat Intelligence at ThreatQuotient. I started my career in the air force and kind of moved up through government, eventually landing in the private sector at iSIGHT Partners for five years, and then ultimately came to ThreatQuotient.

I’m Chris Jacob. I’m the Vice President of Threat Intelligence Engineering. I’ve been on the cyber side of things for about the last five or six years, before that grew up more in the infosec side of the world, spending most of my time at Sourcefire.

The first question for today’s discussion is about customer challenges. I know at ThreatQuotient you hear a lot about, and this is a direct quote I believe, your “customers struggle with ingesting all the stuff”. Let’s dissect this a little bit. What is the stuff that these customers are referring to that they’re challenged by?

Ryan: From my experiences, threat intelligence teams that didn’t come through the military and didn’t have formal training, ultimately ended up being pack rats and basically getting their hands on anything and everything they could, which has its benefits but also has a lot of deep dark skeletons from a collection standpoint, how to sort through it.

And I think teams have to really set goals on “this is my objective, this is what I want to do, this is the data that I need to do it”. You start to really look at data from a “nice to have” versus a “must have”. And then as you meet those objectives, you can widen that net, as they say, versus just trying to boil the ocean, which gets teams in lots and lots of trouble.

Michel: Yeah, I agree. There are a lot of data hoarders. People just wanted to have as much information as they could, but it’s very difficult to operationalize that. I think it you still need as much information as you can get, but it needs to be the right information. I think that as the industry has matured over time, people are really starting to understand, you still have to deal with a lot of data, but you have the relevant data, you get the right data, and you can actually take action on that.

Chris: Unsurprisingly, I agree with both these guys. I think it’s not a bad thing to have all the data, as long as you can get to the data you need easily, as long as it’s not masked by, you know, it’s got to be the needle in the haystack and not which haystack do I even look in? So as long as you can get to the data quickly, having it all can be good in some instances because, depending on the tools that you’re using to operationalize the data, if you’re using SIEMs for instance, you can cast a much wider net. They handle big pieces of, or large amounts of data.

But if you’re dealing person to person, or you’re dealing with tools that are firewalls, things that have a lower threshold for the amount of data they can handle, you need to make sure that you’re sending the right data there and using that lens. It’s capture it all, but make sure you can bubble up to the top what’s really important to your organization.

So, all of these points remind me a lot of the highly debated “which came first, the chicken or the egg” discussion as it relates to threat intelligence. So, when it comes to security operations, which should a company be implementing first, the threat intelligence feeds or an actual platform? Or does that even matter?

Ryan: Optimally, both. However, teams have to have somewhat of a strategy and a roadmap to it. In previous lives we had the same build it or buy it. And you need to really create those milestones or justification to get the approval to buy certain things and certain tools. So, a lot of teams ultimately focused on “okay, let’s start with open source”. It’s, it’s free, it’s widely available, there’s so many open source feeds out there, and they’ll have to figure out where to put that stuff.

Early analysts were putting it just into a spreadsheet, so every analyst had their own spreadsheet and it got to the point where there’s benefit in that. However, you quickly reached the ceiling of value and you hopefully hit a couple milestones that you can really get traction on with the executives, and then escalate to buying something. In conclusion, it’s ultimately both, but it ultimately kind of depends on the team and the logistics, and so forth.

Chris: I think we focus so much on incoming information, and that being the purpose for having a platform. But I think we need to spend some more time talking about the delivery of it. That’s the reason that a platform like this is so important, isn’t just for the analyst to have a tool to store things in and to work in, but ultimately for them to deliver that product, that intel that they’ve refined and sort of polished up.

How do they get that to the security teams? That’s an important part of the platform that, I think, gets overlooked quite a bit. In my opinion, you have to start with a platform. Obviously, they’re intel feeds out there, whether they’re open source all the way up to very expensive types of feeds. But you have to have the infrastructure in place for the analyst to be able to work in number one, but also, again, ultimately be able to deliver that finished product to their customers, which would be the security teams.

Michel: I agree that bringing external information and intelligence in is important, but at the same time it’s often overlooked – the wealth of information you have internally. If you have the right tools, the right platforms to pull that kind of metadata out of your own security stack, that’s the best way to understand who’s actually coming after you, who are the people who’ve been there before.

If you, like Ryan was saying, if you don’t have the budget tolerance to do both, if you bring the platform in first, then you can at least see what’s happened in your organization in the past, and then kind of predict based on that. Then you kind of create your own feed at the same time that you bring the platform in.

Michel, I heard you say “knowing who’s coming after you”. On that note, attribution has always been a hot topic related to threat intelligence. To some of us, it’s more important to know the motivation behind an attack rather than know exactly who that attacker is. What, between three of you are your thoughts on this, and how does the theme of the human element tie into that topic of attribution?

Michel: Attribution matters to some people. There are some organizations that have the maturity to care, and I say that because in the end it doesn’t matter. If you’re head down and you’re looking at your organization, you’re trying to figure out who’s coming after you, that’s less important than what they’re after, what their motivations are.

There are some benefits to it, in the sense of an internal marketing effort. If you could put a scary face or a scary mascot on top of something as a threat intel team, it gives you the ability to communicate internally really well. You can say scary guy one, two, three is after us, and that means something to your C-suite.

But on the whole, there’s a huge level of effort for very little gain, in terms of just finding out who that is. From the human perspective, it’s easy for us in the industry to batch all these actions together under one adversary group. But I think it’s important to remember these are humans on the other side, right? It’s humans fighting humans in this weird cyberspace.

If you think about it in that sense, it gives you a little bit of a leg up understanding operational patterns and things like that. It’s important to remember that they’re actually people.

Ryan: I completely agree with Michel. I think adversaries are just human by nature, and humans are creatures of habit. A lot of the adversaries, they’ll become experts in one attack vector, maybe one or two, and they’ll stick with that because that’s benefited them and that’s what they know.

The more the defenders know about that person, that human element, and what they gravitate towards, it’s much easier to defend against. So, I think that it’s very important to know who it is. Maybe not the attribution, unless you’re prosecuting, in that capacity, it doesn’t really make any sense. But again, it’s helping you organize your defense and organize your tools and technologies, to stop the adversary left of boom.

Chris: I think to that point, who it is, doesn’t really matter. To be able to put a box around it, to be able to say: “This is the container I’m using to track the tactics and techniques that I see here”. That allows you to test your theories: “This looks familiar to me. I think it’s this adversary and let me deploy these countermeasures to defend.” And also, the test proved that this is in fact the same group, the same organization or this is someone different.

I think the vast majority of people in the commercial world aren’t directly facing named adversaries. That said, you shouldn’t minimize it. Again, it’s good to be able to group things together so that you can recognize the patterns and know how to protect your organization from specific types of threats.

Pulling on that thread a little bit more. When we actually talk about a security incident as it’s unfolding, who is responsible for coordinating actions within a company? Is this more of a human response or an automated response from technology? Is it both putting ThreatQ into the conversation at this point? Can you guys walk us through what that process might be like internally? How does a tool like ThreatQ Investigations play into this? Who is responsible for those security incidents as they’re happening?

Ryan: In my experience, it ranges drastically based on the team, the budget, the technologies involved, and so on and so forth. In two previous roles, largely the incident is triggered or the event is triggered from a SIEM correlation or some type of hunting expedition. The technology raises the red flags, as this is suspicious.

That’s ultimately going to trigger an analyst to really look at it and dive in information gathering, to see if their spidey sense is triggered, or potentially an automated playbook will gather that information, whether it’s snapshotting the host and running it through a couple of smoke tests, and so forth.

Ultimately, an analyst is going to see it and review the information to determine does this event or alert need to be escalated to an incident. Once that handoff is given, then the incident response team usually gets involved, and then that’s run through a team lead who ultimately runs it for the life cycle of the case, and so forth. But again, it ranges drastically whether your team is two, whether your team is 50, geographically spread out, it really unfortunately is all over the place.

threat intelligence perspective

Chris: The better question there to dig into is how this is all coordinated, right? Because there are multiple teams involved, and those teams don’t necessarily communicate well with each other. Having a platform that allows those teams to just perform their work but capture all that information so that all of them are singing off the same sheet of music.

If the SOC is going through SIEM matches and adding color, adding information, then the incident response team has that information at their fingertips through using a platform and having integrations. Because ultimately, it’s all about the context. Team A might have this piece of information that doesn’t mean anything to them, so they don’t think to share it with the team down the hall that’s working the same incident. But if the team down the hall had that little piece of information, it would change their view of the incident altogether.

It’s about really coordinating across the teams because, you talked about the human element, people don’t communicate with each other well. So if we can do it machine to machine, it works out a lot better. And then to get into investigations TQI, that is a chance for all those teams to come back together, after each one has worked their incidents separately. Let’s get together and build out the evidence map of how we’re going through the incident and uncover those little pieces that we may not see if we work in our own silos.

Ryan: And Chris is absolutely right, where you get multiple teams working together, and this is where IR tabletop exercises really are critical for a team success, because a lot of times the IR coordinating it, but they don’t have access to the financial databases. So, they need to go to the financial team, or they don’t have certain access to the apps, or certain things that require you to reach out to a completely different department that isn’t security focused and ask for help. And usually they’re completely open, especially when it’s wrapped around an incident. It’s essential.

Michel: And there’s a pacing element to that as well. All these teams work at different paces, right? If you think of the difference between emergency responder from a fire perspective, there’s the people that come in and put the fire out, and then there are the people that do the investigation to see what caused it. And those are two drastically different paces to address two drastically different problems that ultimately come together.

When you’re talking about who handles things, having a place where people can work at their own pace, but still benefit from each other’s work at the pace that’s necessary for their specific job function is critical. Because if you allow that investigation to go on too long from the threat intelligence perspective, you lose sight of the urgency where you can get the cooperation from the other business units. So, you need those people who can go out and tactically respond, and then those that come in overarching and do the in-depth investigation.

What I’m hearing you all talk about is really how security operations help internally orchestrate all of the technology, all of the people, and ultimately help an organization make better business decisions. So, changing gears a bit, let’s talk about another important piece of that, which is most security teams have to do some sort of reporting. How has this evolved over the years? Where is the process of reporting metrics to executive leadership today? And how important is the ability to generate metrics from threat intelligence tools that organizations are using?

Ryan: From my experience, reporting is a huge benefit to an organization or a tool when it’s done correctly. I think a decade ago, reporting was purely quantitative. How many alerts, how many incidents, how many investigations, how many vulnerabilities, so on and so forth, and that was it. And it only got to the director level, it never went up.

However, with more security in the focus and more “okay, why and what next?”, a lot of reporting has matured to the sense of you get the traditional quantitative stuff. But now it’s “okay, let’s break down those numbers of alerts” based on the attack vector or based on the adversary attribution. So, it’s a lot more of trending versus a point in time. And that’s making it up to the C-levels, if not board of director levels. And that’s huge.

And a lot of security teams, historically, again, it wasn’t a primary focus for them. I was running a government SOC, and literally we had two FTEs dedicated to reporting to the point where the reports were beautiful brochures. But that’s what the government wanted. They wanted that sexy eye candy and eye charts that were in the reports, the infographics and stuff like that. That’s what spoke to them.

I think a lot more teams need that little bolster and something that escalates in visibility, and really shows the larger organization “this is what I’ve done for you lately, this is how I’m helping, this is when I’m predicting”. And hopefully hit a couple of those milestones.

Chris: I think reports, in my mind, fall into two different buckets. You have on one side, the more human consumable where you’re writing about a trend, maybe you are tracking a specific adversary or TTPs. And those are more human consumable type reports. But the other side that I think could be very interesting is reporting on the efficacy of the tools.

It’s interesting to do a before and after report based on implementing a threat intelligence platform. “What effect am I having on the efficacy of my security tools? I had X amount of alerts before I started to apply this threat intelligence. Now do I have Y? Did it get better? Did it get worse?” That’s an interesting side of reporting that I don’t think people spend a lot of time thinking about.

Michel: Going back to what Ryan was saying a little bit, the curse of well-done security just like with well-done intelligence is that you don’t hear anything about it. If everything is effective, there’s nothing to say. It’s just all quiet, everything’s good. It’s expensive to implement a really well-done security operations team including threat intelligence.

For a lot of time there were C-suite that were questioning this huge investment without any sort of feedback and what was happening. And I think that view of security as a cost center has changed a lot with people actually being able to say: “Look at the loss that we prevented, had this incident occurred within our network. It didn’t, because we have these platforms, we have this intelligence in play, but look what it would have done. Look what we saved you.”

I think changing it from a cost center to a loss prevention perspective has really helped. And that’s all built around qualitative metrics of how effective is your threat intelligence program, how effective are your tools, and how well is everything operationalized and working together.

Thank you all so much for the discussion today. Before we wrap up, is there anything else that you would like to add or share with the listeners?

Chris: If you’re interested in learning more, we’ve actually broken down different use cases for different teams, and have that all written up on our website. Whether you’re live in the SOC, whether you’re an incident response person, check out the different use cases, different write-ups, and the different videos that we have for each of those personas.

Take your SOC to the next level of effectiveness

Enterprise security infrastructures average 80 security products, creating security sprawl and a big management challenge for SOC teams. With high volumes of data generated from security controls across the infrastructure, SOC teams often rely on Security Information and Event Management (SIEM) solutions to aggregate data and deliver insight into events and alerts. Similarly, Security Orchestration, Automation and Response (SOAR) platforms can take the results and automate them into action.

However, the business needs to know that it’s safe—now. That’s why organizations are turning to Breach and Attack Simulation (BAS) integration with the SOC. BAS integration with SIEM and SOAR solutions enables SOC teams to continually evaluate the effectiveness of their security controls and improve the company’s security posture with real-time, accurate metrics.

SIEM integration

BAS validates that your SIEM is effectively picking up events and alerts. You can:

  • Validate SIEM integrations with other security controls across the infrastructure.
  • Refine SIEM rules using forensic artifacts—such as hash values, domain names, host artifacts, etc.—provided in attack simulation analyses.
  • Evaluate effectiveness of preventative controls, such as EPP, web gateways, email gateways, firewalls, and IPS.
  • Assess effectiveness of behavior-based detection controls, such as EDR, EUBA, deceptions, and honeypots.

The best BAS solutions deliver specific details about myriad controls’ ability to detect suspicious activity. A SOC team can launch an Immediate Threats Intelligence assessment to simulate the latest threats seen in the wild. Data from lateral movement, data exfiltration, and other attack vector simulations can be pulled into the SIEM for parsing, creating alerts, and remediation purposes.

SOAR Integration

BAS can run daily, hourly, or continuously with results pulled into the SOAR. Team members can prioritize remediation and take corrective steps right from the SOAR dashboard. Use BAS-generated data to:

  • Refine SOAR incident-response playbooks.
  • Assess effectiveness of post-breach controls.
  • Determine effectiveness of monitoring and response workflows.
  • Prioritize mitigation efforts according to heuristic cyber exposure scores.

Integration with GRC systems

Besides compliance risk, companies need to manage and report on risk associated with digital transformation efforts and supply-chain relationships. When BAS is integrated with Governance, Risk, and Compliance (GRC) tools, such as RSA Archer, organizations gain granular data to:

  • Proactively identify and preempt potential adverse impacts of IT configuration changes, software updates, and new technology deployments.
  • Measure control effectiveness at specific points in time and over time.
  • Reduce supply chain risk by continuously challenging security controls that defend portals, email and web gateways, and endpoints.

Power up vulnerability management tools

BAS data powers up vulnerability scanning, giving SOC teams visibility into common vulnerability and exposure (CVE) data combined with attack simulation results. Teams can prioritize and accelerate remediation according to various parameters, such as asset type, user privileges, and proximity to critical digital assets.

Integration with EDR tools

BAS enables teams to verify that EDR solutions are effectively detecting IoCs and attack techniques of the latest simulated threats. Teams can simulate specific threat behaviors on their endpoints and verify that response tools work as expected.

API Integration

BAS integration via API enables SOC teams to retrieve all assessment results from simulated attacks—including IoCs, TTPs, payload names, mitigations, other data—and move into their own environments. This gives them:

  • Immediate insights: BAS data is always available for incorporation with other SOC tools.
  • Latest threat intelligence: Detailed attacker TTP and daily threat data gives SOC teams the latest insight without needing a team of experts.
  • Unified visibility: Combining BAS results with SOC tools maximizes team productivity for decision-making and prioritization.
  • Mitigation guidelines: Teams receive specific guidance mapped to the MITRE ATT&CK™ framework for accelerating remediation.
  • Comprehensive coverage: BAS challenges controls across all vectors and the entire kill chain.
  • Continuous automated testing: SOC teams can continuously challenge controls and immediately identify infrastructure changes or security gaps before they are exploited.
  • Control optimization: Gain consistent assessment across the kill chain, ensuring that mitigation efforts deliver the expected benefit.

With just a few clicks, SOC teams can initiate thousands of attack simulations and see exactly where they’re exposed and how to fix it. Now, it’s possible to surface new threats daily, defend against advanced stealth techniques, preempt adverse effects of continuous IT change, and ensure that security controls maximize protection against state-sponsored threat actors and complex supply-chain attacks.

For more information visit Cymulate and sign up for a free trial.

What is the actual role of a threat hunter?

The role and tasks of a threat hunter are confusing, according to a ThreatQuotient and SANS study based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.

threat hunter role

Threat hunter role: How threat hunting teams are tasked in an environment

Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.

“However, the reality within corporate IT is often different,” says Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”

The study confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter.

“Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” Auer emphasises.

Targeted threat discovery is important

The fact that threat hunting is still in its infancy is evident based on suboptimal prioritization of resources. “Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study.

“When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.” In fact, 71% of participating companies consider technology to be first or second in terms of resource allocation for threat hunting. Only 47% of respondents focus on hiring new personnel and 41% on training employees.

threat hunter role

Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting.

These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organizations.

It’s the most vulnerable time of the year

With the holiday season upon us, it can be all too easy to get swept up in the festivities. As soon as the Halloween hangover starts to finally wear off, you’re already preparing for Thanksgiving, and then it’s Black Friday and Cyber Monday and then there’s Christmas lights and menorahs everywhere and you’re buying presents and plane tickets and… deep breath… calm down… put some Frankie Goes to Hollywood on and just relax. We need to remember that the holidays can actually be a pretty dangerous period for cybersecurity. To riff off Andy Williams, it’s the most vulnerable time of the year.

holiday cybersecurity risks

The Cybersecurity and Infrastructure Security Agency (CISA) recently warned the public of malicious cyber campaigns where bad actors attempt to send emails and e-cards with malware infected links or attachments. A main driver for risk during the holiday season is the spike in online shopping. These days, more and more people are opting to skip the chaos of Black Friday for the safety and comfort of Cyber Monday. While many are worrying about trusting online companies to deliver their gifts on time, a growing number of customers are also worrying about trusting companies to safeguard their personal information.

With over 1,244 million recorded data breaches in 2018 in the United States alone, and more than 446.5 million records becoming exposed, consumers have a right to be concerned. Deloitte recently found that 56% of shoppers feel little to no control over their consumer data and 79% of shoppers are concerned about shopping at retailers with either multiple data breaches or data breaches within the last year.

For those of us managing security operations, this season of heightened risk requires heightened alertness. Not only do more people shop online, but they’re using even more devices than ever to do so. The proliferation of connected devices has led to more vulnerabilities, making our jobs that much more difficult. Fortunately, there are new solutions as well. One trending response has been the adoption of Security Orchestration, Automation and Response (SOAR) platforms as a new category of security tools.

Threat intelligence management

Batman and the Joker, Neo and Agent Smith, stormtroopers and trees – rule number one of dealing with any threat is to know your enemy. Threat intelligence is the knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. It allows you to identify and contextualize bad actors, and it’s the first requirement for a safe and effective cyber security defense.

SOAR platforms build upon traditional threat intelligence platforms (TIPs) by taking vulnerability and threat data from multiple sources and then enriching that data with threat intelligence. In other words, they aggregate and validate data from a wider range of sources, and then more efficiently integrate it into an intelligence management system. Businesses are striving to keep up with the current threat landscape with a lack of resources, skills and budgets, and an abundance of tedious manual processes. SOAR solutions are improving the efficiency and quality of work for security operations.

Information is useless unless it can be put to action – it just becomes noise. SOAR sifts through the racket to identify attackers’ tactics, techniques and procedures (TTPs), as well as indicators of compromise (IOCs). With proper management of the information, security analysts are better equipped to contextualize incidents, make more well-informed decisions, and accelerate incident response.

The retail industry frequently suffers from vulnerabilities and gaps in coverage. Centralizing threat intelligence and correlating IOCs with your organization’s Priority Intelligence Requirements (PIRs) is crucial for analyzing and responding to the most pertinent vulnerabilities.

Reporting

There’s a reason people use GUIs instead of text-based interfaces – being able to view information in a more practical and organic way facilitates its usage. Filtering raw data into a more manageable form allows it to be more appropriately aggregated and understood. Like Cypher, you might be able to just see the code, but why would you want to? Analysts’ time is better spent letting the platform do the work for them.

A good SOAR platform presents the data in an easily visualizable manner, allowing security analysts to gain a better understanding of the threats their organizations face. If a retailer invests in curating a cohesive aesthetic for their Instagram profile and followers, shouldn’t they also make sure their security dashboards are just as easy to follow and share with stakeholders? The best platforms have flexible and dynamic dashboarding capabilities, allowing SOC departments to tailor it to their own needs.

What’s more, this aids users by allowing them to tailor it to the needs of others as well. Many in the security industry have long faced the issue of how to illustrate the value that they provide in a concrete way – it can be difficult to explain to others that are less tech savvy what exactly we do. Fortunately, with access to ROI data, tracking, and custom metrics, that value can be made a bit more tactile and apparent. The more effectively we communicate our value, the better it will ultimately be for both our security teams and the companies we work within.

Incident management

There are days where being in cybersecurity operations feels like a warzone. Bombs are going off all around you, tickets are flying in non-stop, and it’s all you can do to triage as much as you can while trying to keep up. By the end of the day, you and your team are overworked, stressed, and burnt out. Security teams are regularly tasked with fixing all things, all the time, 24/7, without the tools or resources necessary to do so.

An effective SOAR platform helps to deal with this by orchestrating and automating responses. Analysts can employ their knowledge through “playbooks” to automate redundant, tedious, stressful tasks. By working at a higher level, analysts can translate their experience and knowledge into more effective processes and smooth over their workflow. Instead of having to deal with everything on a case-by-case basis, they can leverage their understanding of the relevant threats and indicators to create a steadier day-to-day flow.

The point here is to put the analyst in the captain’s seat, think more Picard, less Data. Just write the playbook and set it on its path – you’ll be humming “Make it So” just in time for the holidays. And if you’re worried about missing critical information while your “Out of Office” message is set, a platform with capabilities to provide instant updates is critical. Team-based notification systems can allow teams to stay in touch even when half the office is taking a “work from home” day after the annual holiday party.

Holiday cybersecurity risks

Security breaches are not only costly for the company’s profits, they are costly for the brand’s reputation. With the holidays approaching, cyber analysts face their most hectic time of the year. Bad actors are seeing green, and the sheer increase in activity will be sure to lead to a concomitant increase in work for cyber analysts. We need to make the best use of our resources to not only relieve security analysts of unnecessary stress, but to arm them with the most efficient way to deal with threats.

The holidays are going to be stressful enough – venturing out of the house in the cold, finding the right presents, helping grandma with her IT problems even though you’re on vacation from your IT job. Why not take some of the edge away by destressing our professional life and let technology lend a helping hand?

Let this National Computer Security Day not only serve as a reminder of the data you need to protect, but as inspiration for your holiday wish list when searching for new software and platforms now available to help keep privacy protected.

Want to build a successful SOC? Here’s what you need to know

There is no arguing the fact that networks are continually growing in complexity and the cyberattack surface is constantly expanding. A critical step in building a stronger security posture and more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. When the inevitable attack happens, timely identification, reaction and collaboration is everything, and a business with a successful SOC will be far quicker and coordinated … More

The post Want to build a successful SOC? Here’s what you need to know appeared first on Help Net Security.