Organizations plan to use AI and ML to tackle unknown attacks faster

Wipro published a report which provides fresh insights on how AI will be leveraged as part of defender stratagems as more organizations lock horns with sophisticated cyberattacks and become more resilient.

tackle unknown attacks

Organizations need to tackle unknown attacks

There has been an increase in R&D with 49% of the worldwide cybersecurity related patents filed in the last four years being focussed on AI and ML application. Nearly half the organizations are expanding cognitive detection capabilities to tackle unknown attacks in their Security Operations Center (SOC).

The report also illustrates a paradigm shift towards cyber resilience amid the rise in global remote work. It considers the impact of COVID-19 pandemic on cybersecurity landscape around the globe and provides a path for organizations to adapt with this new normal.

The report saw a global participation of 194 organizations and 21 partner academic, institutional and technology organizations over four months of research.

Global macro trends in cybersecurity

  • Nation state attacks target private sector: 86% of all nation-state attacks fall under espionage category, and 46% of them are targeted towards private companies.
  • Evolving threat patterns have emerged in the consumer and retail sectors: 47% of suspicious social media profiles and domains were detected active in 2019 in these sectors.

Cyber trends sparked by the global pandemic

  • Cyber hygiene proven difficult during remote work enablement: 70% of the organizations faced challenges in maintaining endpoint cyber hygiene and 57% in mitigating VPN and VDI risks.
  • Emerging post-COVID cybersecurity priorities: 87% of the surveyed organizations are keen on implementing zero trust architecture and 87% are planning to scale up secure cloud migration.

Micro trends: An inside-out enterprise view

  • Low confidence in cyber resilience: 59% of the organizations understand their cyber risks but only 23% of them are highly confident about preventing cyberattacks.
  • Strong cybersecurity spend due to board oversight & regulations: 14% of organizations have a security budget of more than 12% of their overall IT budgets.

Micro trends: Best cyber practices to emulate

  • Laying the foundation for a cognitive SOC: 49% of organizations are adding cognitive detection capabilities to their SOC to tackle unknown attacks.
  • Concerns about OT infrastructure attacks increasing: 65% of organizations are performing log monitoring of Operation Technology (OT) and IoT devices as a control to mitigate increased OT Risks.

Meso trends: An overview on collaboration

  • Fighting cyber-attacks demands stronger collaboration: 57% of organizations are willing to share only IoCs and 64% consider reputational risks to be a barrier to information sharing.
  • Cyber-attack simulation exercises serve as a strong wakeup call: 60% participate in cyber simulation exercises coordinated by industry regulators, CERTs and third-party service providers and 79% organizations have dedicated cyber insurance policy in place.

Future of cybersecurity

  • 5G security is the emerging area for patent filing: 7% of the worldwide patents filed in the cyber domain in the last four years have been related to 5G security.

Vertical insights by industry

  • Banking, financial services & insurance: 70% of financial services enterprises said that new regulations are fuelling increase in security budgets, with 54% attributing higher budgets to board intervention.
  • Communications: 71% of organizations consider cloud-hosting risk as a top risk.
  • Consumer: 86% of consumer businesses said email phishing is a top risk and 75% enterprises said a bad cyber event will lead to damaged band reputation in the marketplace.
  • Healthcare & life sciences: 83% of healthcare organizations have highlighted maintaining endpoint cyber hygiene as a challenge, 71% have highlighted that breaches reported by peers has led to increased security budget allocation.
  • Energy, natural resources and utilities: 71% organizations reported that OT/IT Integration would bring new risks.
  • Manufacturing: 58% said that they are not confident about preventing risks from supply chain providers.

Bhanumurthy B.M, President and Chief Operating Officer, Wipro said, “There is a significant shift in global trends like rapid innovation to mitigate evolving threats, strict data privacy regulations and rising concern about breaches.

“Security is ever changing and the report brings more focus, enablement, and accountability on executive management to stay updated. Our research not only focuses on what happened during the pandemic but also provides foresight toward future cyber strategies in a post-COVID world.”

SecOps teams turn to next-gen automation tools to address security gaps

SOCs across the globe are most concerned with advanced threat detection and are increasingly looking to next-gen automation tools like AI and ML technologies to proactively safeguard the enterprise, Micro Focus reveals.

next-gen automation tools

Growing deployment of next-gen tools and capabilities

The report’s findings show that over 93 percent of respondents employ AI and ML technologies with the leading goal of improving advanced threat detection capabilities, and that over 92 percent of respondents expect to use or acquire some form of automation tool within the next 12 months.

These findings indicate that as SOCs continue to mature, they will deploy next-gen tools and capabilities at an unprecedented rate to address gaps in security.

“The odds are stacked against today’s SOCs: more data, more sophisticated attacks, and larger surface areas to monitor. However, when properly implemented, AI technologies such as unsupervised machine learning, are helping to fuel next-generation security operations, as evidenced by this year’s report,” said Stephan Jou, CTO Interset at Micro Focus.

“We’re observing more and more enterprises discovering that AI and ML can be remarkably effective and augment advanced threat detection and response capabilities, thereby accelerating the ability of SecOps teams to better protect the enterprise.”

Organizations relying on the MITRE ATT&K framework

As the volume of threats rise, the report finds that 90 percent of organizations are relying on the MITRE ATT&K framework as a tool for understanding attack techniques, and that the most common reason for relying on the knowledge base of adversary tactics is for detecting advanced threats.

Further, the scale of technology needed to secure today’s digital assets means SOC teams are relying more heavily on tools to effectively do their jobs.

With so many responsibilities, the report found that SecOps teams are using numerous tools to help secure critical information, with organizations widely using 11 common types of security operations tools and with each tool expected to exceed 80% adoption in 2021.

Key observations

  • COVID-19: During the pandemic, security operations teams have faced many challenges. The biggest has been the increased volume of cyberthreats and security incidents (45 percent globally), followed by higher risks due to workforce usage of unmanaged devices (40 percent globally).
  • Most severe SOC challenges: Approximately 1 in 3 respondents cite the two most severe challenges for the SOC team as prioritizing security incidents and monitoring security across a growing attack surface.
  • Cloud journeys: Over 96 percent of organizations use the cloud for IT security operations, and on average nearly two-thirds of their IT security operations software and services are already deployed in the cloud.

Most cybersecurity pros believe automation will make their jobs easier

Despite 88% of cybersecurity professionals believing automation will make their jobs easier, younger staffers are more concerned that the technology will replace their roles than their veteran counterparts, according to a research by Exabeam.

cybersecurity automation jobs

Overall, satisfaction levels continued a 3-year positive trend, with 96% of respondents indicating they are happy with role and responsibilities and 87% reportedly pleased with salary and earnings. Additionally, there was improvement in gender diversity with female respondents increasing from 9% in 2019 to 21% this year.

“The concern for automation among younger professionals in cybersecurity was surprising to us. In trying to understand this sentiment, we could partially attribute it to lack of on-the-job training using automation technology,” said Samantha Humphries, security strategist at Exabeam.

“As we noted earlier this year in our State of the SOC research, ambiguity around career path or lack of understanding about automation can have an impact on job security. It’s also possible that this is a symptom of the current economic climate or a general lack of experience navigating the workforce during a global recession.”

AI and ML: A threat to job security?

Of respondents under the age of 45, 53% agreed or strongly agreed that AI and ML are a threat to their job security. This is contrasted with just 25% of respondents 45 and over who feel the same, possibly indicating that subsets of security professionals in particular prefer to write rules and manually investigate.

Interestingly, when asked directly about automation software, 89% of respondents under 45 years old believed it would improve their jobs, yet 47% are still threatened by its use. This is again in contrast with the 45 and over demographic, where 80% believed automation would simplify their work, and only 22% felt threatened by its use.

Examining the sentiments around automation by region, 47% of US respondents were concerned about job security when automation software is in use, as well as SG (54%), DE (42%), AUS (40%) and UK (33%).

In the survey, which drew insights from professionals throughout the US, the UK, AUS, Canada, India and the Netherlands, only 10% overall believed that AI and automation were a threat to their jobs.

On the flip side, there were noticeable increases in job approval across the board, with an upward trend in satisfaction around role and responsibilities (96%), salary (87%) and work/life balance (77%).

Diversity showing positive signs of improvement

When asked what else they enjoyed about their jobs, respondents listed working in an environment with professional growth (15%) as well as opportunities to challenge oneself (21%) as top motivators.

53% reported jobs that are either stressful or very stressful, which is down from last year (62%). Interestingly, despite being among those that are generally threatened by automation software, 100% of respondents aged 18-24 reported feeling secure in their roles and were happiest with their salaries (93%).

Though the number of female respondents increased this year, it remains to be seen whether this will emerge as a trend. This year’s male respondents (78%) are down 13% from last year (91%).

In 2019, nearly 41% were in the profession for at least 10 years or more. This year, a larger percentage (83%) have 10 years or less, and 34% have been in the cybersecurity industry for five years or less. Additionally, one-third do not have formal cybersecurity degrees.

“There is evidence that automation and AI/ML are being embraced, but this year’s survey exposed fascinating generational differences when it comes to professional openness and using all available tools to do their jobs,” said Phil Routley, senior product marketing manager, APJ, Exabeam.

“And while gender diversity is showing positive signs of improvement, it’s clear we still have a very long way to go in breaking down barriers for female professionals in the security industry.”

Security teams stretched to breaking point trying to secure new remote working regimes

The cybersecurity skills shortage means that many organizations are in urgent need of talented and experienced security professionals. This has been intensified by the pandemic, with security teams stretched to breaking point trying to secure new remote working regimes against the influx of opportunistic cyberattacks. There is a human cost to this high-pressure environment and new research from SIRP shows that the additional burdens placed on security operations center (SOC) teams due to COVID-19 has … More

The post Security teams stretched to breaking point trying to secure new remote working regimes appeared first on Help Net Security.

Security teams increasingly stressed due to lack of proper tools, executive support

93% of security professionals lack the tools to detect known security threats, and 92% state they are still in need of the appropriate preventative solutions to close current security gaps, according to LogRhythm.

security teams stress

Based on a global survey of more than 300 security professionals and executives, LogRhythm sought to understand the root causes of the stress under which security teams operate, obtain feedback on the ways in which it could be alleviated, and identify the best paths to remediation. It found 75% of security professionals now experience more work stress than just two years ago.

“Now, more than ever, security teams are being expected to do more with less leading to increasing stress levels. With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern,” said James Carder, CSO and VP of LogRhythm Labs. “This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance.”

Lack of executive leadership contributes to stress in the security team

When asked what causes the most work-related stress, the two most selected answers were not having enough time (41%) and working with executives (18%). In fact, 57% of respondents indicated their security program lacks proper executive support — defined as providing strategic vision, buy-in and budget.

Furthermore, security professionals cited inadequate executive accountability for strategic security decisions as the top reason (42%) they want to leave their job. An alarming statistic, given 47% of companies are trying to fill three or more security positions.

Deployment of redundant security tools

Sixty-eight percent of respondents admitted their organization has deployed redundant security tools, and 56% confess this overlap is accidental — once again emphasizing the need for improved strategic oversight from executives. Despite duplicative tools, 58% of respondents said they still need increased funding for tools when asked what additional support their security programs require.

Consequently, the report highlights the growing value of IT consolidation. Security professionals rate the value of solution consolidation highly, citing top benefits as less maintenance (63%), faster issue detection (54%), identification (53%), and resolution (49%), as well as lower costs (46%) and improved security posture (45%). Yet, only one in three companies (32%) have a real-time security dashboard which provides a clear, consolidated view of all their security solutions.

security teams stress

Top five ways to reduce stress among security teams

When asked what would help alleviate their stress, the top five responses included:

  • 44%: Increased security budget
  • 42%: Experienced security team members
  • 42%: Better cooperation from other IT teams
  • 41%: Supportive executive team
  • 39%: Fully staffed security team

“All employees, from the CEO to the frontline IT worker, need to feel that they play a significant role in maintaining the security of the company for which they work,” concluded Carder.

Closing the skills gap can minimize the business impact of cyberattacks

CISOs who are successful at reducing or closing the critical skills gap have the highest probability of minimizing the business impact of cyberattacks – even when budgets and staffing are constrained, according to the results of a new SANS Institute survey.

closing skills gap

The pandemic brings uncertainty

The survey happened to kick off within days of the World Health Organization declaring COVID-19 a pandemic. As such, the results reflect a high degree of uncertainty around future hiring plans as well as an increase in plans to use outsourced services until staffing plans stabilize.

Even with the future uncertainty brought on by the pandemic, the survey covered staff changes in 2019, qualitative responses on what skills security managers see a need for, which needs they plan on staffing internally, and where they plan on using external service providers.

Closing the skills gap

Other than at very small businesses and in the government vertical, the survey found that turnover and attrition rates for cybersecurity staff is at or below industry averages. Even so, security managers indicated they tend to fall back on attrition as the reason for requesting staff increases, which reflects a lack of meaningful cybersecurity metrics being employed at many organizations.

Security operational skills were cited as most needed by survey respondents, and cloud security skills were more sought after than network or endpoint security skills.

While the most successful source for new cybersecurity employees was the company’s existing internal IT staff, hiring managers indicated they would most like to see new hires with hands-on experience using common cybersecurity products – open-source tools, in particular.

“This skills gap survey once again pointed out that despite all the headlines about a cybersecurity headcount shortage, it is really a skills gap – security people with hands-on experience with the top security tools and how to use them across hybrid cloud/on-premises systems are being hired for the skills, not just to add bodies,” says John Pescatore, SANS Director of Emerging Security Trends. “By investing in training and tools skills as well as the maintenance of those skills, the increased productivity and reduced security staff attrition provides a huge return on investment.”

Infosec is a mindset as well as a job, but burnout can happen to anyone

Time and again (and again), survey results tell us that many cybersecurity professionals are close to burnout and are considering quitting their jobs or even leaving the cybersecurity industry entirely.


The reasons for this dire situation vary depending on their role and position within the organization. For example, a recent Ponemon report has revealed that security operations center (SOC) team members are stressed by many things: from increasing workloads, lack of visibility in to the network and IT infrastructure and being on call 24/7/365, to information and alert overload, inability to recruit and retain expert personnel, and lack of resources.

When asked what steps can be taken to alleviate their SOC team’s pain, the pollees’ responses were also wide-ranging (multiple responses were permitted):


In a lively discussion that followed the publication of the report, Joshua Marpet, Chief Operating Officer of Red Lion and long-time tech and security professional, noted that there’s also other things that are getting SOC members down.

“SOC has little career path, very little respect inside or outside the industry, massive responsibilities, not the best pay, and almost no authority to do anything about what they find,” he pointed out.

The problem(s) with the SOC analyst role

“In olden days, being a SOC analyst was a respected gig. Entry-level SOC analyst was how you broke into the industry, learned about alarms, alerts, and notifications, and earned your chops in incident response, root cause analysis, report writing/documentation, and potentially, if you were awesome, in presenting it to the boss(es). Then you were either put on the incident response team, or moved over to digital forensics, or you could maybe switch a bit to DevOps/SecDevOps if that caught your interest. Even pentesting, if you got really good at blue teaming, which is a pretty good pathway into breaking and red teaming,” Marpet explained what he meant to Help Net Security.

“Now, in many companies, SOC analyst is a dead-end job. With the extreme specialization and commoditization of SOC analyst jobs, anything interesting is taken away almost immediately: ‘Oh! This looks bad, send it to Incident Response!’ or ‘I’m not sure what this is, send it to Security!’ SOC analysts became security dispatchers a while ago.”

K.C. Yerrid, an IT security professional who’s no stranger to burnout, also says that it’s difficult to grow from a SOC analyst role in an organization.

“There are six documented causes of burnout: workload, perceived lack of control, insufficient reward, strength of community, fairness, and a values mismatch. Any or all of these can exist and do exist at the SOC Analysts level,” he noted.

“Alert fatigue (workload) is a real phenomenon, and the rate at which alerts can come in could lead to a perceived lack of control in the outcome of one’s responses. We all know that SOC analyst jobs lack sufficient reward, and company culture dictates the strength of community. Finally, as mentioned, it’s an uphill climb to be promoted out of a SOC analyst role. The value mismatch can come from the manager or organizational level.”

A SOC is still a great place to learn all of the above things, but it is generally not a career path starter, Marpet notes.

“If it’s a job you can get, take it – for a year,” he counseled. “Unless you find a great place. I’ve heard that Dave Kennedy’s Binary Defense is a fantastic place. Lots of good places still exist. You just have to find them.”

To SOC analysts who are overworked and close to burning out, he advises thinking hard about the next step.

“If you’re understaffed and overworked due to COVID-19, and it should let up in a month or two, that’s ok. But if your manager is not taking care of you, informing you of what’s happening, if your company has shown no sign of fixing the issue, or set timelines to fix it, why are you there? Go network and find another job. If you have problems doing that, go to, and check out their listings. If you’re scared of change, hit me up – I do career guidance all the time.”

For those who decide to stay where they are, there’s always the option to try and minimize or remove the stressors that can lead to burnout.

Advice for entering and staying in infosec

To those just entering the information security industry, Marpet advises figuring out who’s the go-to person(s) for the field they want to specialize in – say, digital forensics or pentesting – then finding out when and where they’re speaking.

“Go there, say hello. Don’t gush, don’t beg, don’t cry – just say ‘Hi! Nice to meet you!’ About the fourth time you do this, you’ll see them answering a question you have an opinion on. Mention it. If it’s a good point, you’ll make them think.Then they recognize you from the times you said hi. They know you have a brain. And they know they want to know you.”

Those who still don’t know what they want to concentrate on should go to a conference (when and where possible), meet people, find a village with interesting stuff going on, ask questions, watch and learn.

“Networking is your friend. Meet people. Set up your LinkedIn. People will change their email address, but not their LinkedIn, or MeWe, or whatever is your social network of choice. Say hello and interact with them.”

For staying and thriving in the infosec industry, his best recommendation is to always keep learning: set up a home lab, a development environment, or anything else that will keep you learning everyday.

“Do you know how awesome it is as an interviewer to hear the interviewee get excited about their home lab or new open source tool they just put a commit into or a firewall vuln they figured out? That gets you hired anywhere and everywhere,” he stressed.

Looming infosec industry challenges

Coincidentally, continuous knowledge acquisition is also a way to counteract one of the key challenges the information security industry will have to deal with over the next fixe years: the rising tide of ineptitude.

Colleges are churning out qualified graduates, he says, but many of them are actually not. Infosec has become an overhyped profession, a “sexy” option for those who want to be “cool”. But infosec is a mindset as well as a job, he points out. Most importantly, at the end of the day, you have to be able to do the job.

Other imminent infosec industry challenges? Data security and artificial intelligence that isn’t intelligent.

“Becoming a data-centric business is vital, but most companies have no idea where their data is, what data they own matters, who has rights to that data, and frankly, what security is wrapped around that data,” he noted.

AI/ML is awesome, fun, and amazing, but if you ask the wrong questions, or don’t ask questions that are broad enough, or targeted enough, you get garbage output. AI does not think for itself (yet), so it can’t tell you how bad an idea your question is – so you have to be careful.”

Security alerts more than doubled in the last 5 years, SecOps teams admit they can’t get to them all

Sumo Logic announced the findings of a global survey that highlight the barriers security professionals are facing on the path to modernizing the security operations center (SOC).

volume of security alerts

High volume of security alerts

The struggle to effectively manage high volumes of security alerts and the complexities associated with traditional SIEMs are driving the demand for a new approach to effectively address challenges in the SOC through cloud-native SIEMs combined with security automation capabilities.

“Today’s security operations teams are faced with constant threats of security breaches that can lead to severe fallout including losing customers, diminished brand reputation and reduced revenue. To effectively minimize risk and bridge the gap, many companies rely on automated solutions that provide real-time analysis of security alerts,” said Diane Hagglund, principal for Dimensional Research.

“These findings highlight the challenges SOC teams are facing in a cloud-centric world, but more importantly why enterprises are aggressively looking to cloud-native alternatives for security analytics and operations.”

The study reveals that managing the sheer volume of these alerts poses a significant problem for IT security professionals. Although automated security alert processing can help to mitigate this issue, it is still a work in progress for most security teams.

Security alert volumes create problems for security operations

  • 70% have more than doubled the volume of security alerts in the past five years
  • 99% report high volumes of alerts cause problems for IT security teams
  • 83% say their security staff experiences “alert fatigue”

Automation helps, but it is still a work in progress

  • 65% of teams with high levels of automation resolve most security alerts the same day compared to only 34% of those with low levels of automation
  • 92% agree automation is the best solution for dealing with large volumes of alerts
  • 75% report they would need three or more additional security analysts to address all alerts the same day

Better technology is needed to manage security alert volumes

  • 88% face challenges with their current SIEM
  • 84% see many advantages in a cloud-native SIEM for cloud or hybrid environments
  • 99% would benefit from additional SIEM automation capabilities

volume of security alerts

“Enterprises are arguably dealing with more data today than ever before, and the pain security operations teams are feeling is significant. There’s never been a more important time to ensure IT security operations are up to par,” said Greg Martin, general manager for the security business unit at Sumo Logic.

“Companies need to adopt solutions that let them quickly identify, prioritize and respond to only the most critical warning signals, so that they’re not left drowning in alert overload with no direction.”

SOC team members battle with burnout, overload and chaos

While some organizations have increased security operations center (SOC) funding, the overall gains have been meager, and the most significant issues have not only persisted, but worsened, according to Devo Technology.

SOC team burnout

SOC team overload and burnout

The report, based on a survey conducted by Ponemon Institute, examines many of the same issues as last year, and found 60% of SOC team members are still considering changing careers or leaving their jobs due to burnout. The survey, conducted in March and April 2020, queried IT and IT security practitioners in organizations that have a SOC.

On the positive side, the importance of investing in a SOC remains high, with 72% of respondents categorizing the SOC as “essential” or “very important” to their organization’s overall cybersecurity strategy, up 5% year-over-year.

Additionally, the average annual cybersecurity budget for organizations rose $6 million to $31 million, with the SOC representing more than one-third of that total.

For respondents whose organizations have invested in people, process, and technology, the performance differences are stark. Strong business alignment (73%) and extensive training (67%) help high-performing SOCs more than double the effectiveness of their lower-performing brethren.

SOC team members continue to face barriers

However, the pain and barriers facing SOC teams are universal and worsening, with higher performers citing 10% more pain at an extreme level (9-10 on a 10-point scale), and virtually no difference in the level below that (7-8).

The major areas of pain and resistance include:

  • 70% suffer a lack of visibility into the IT infrastructure (up from 65%)
  • 64% combat turf or silo issues between IT and the SOC (up from 57%)
  • 71% need greater automation (up from 67%), especially as they continue to spend substantial manual cycles on tasks such as alert management (47%), evidence gathering (50%), and malware protection and defense (50%)
  • Environmental factors are driving substantially higher pain, including information overload (67%, up from 62%), burnout from increased workloads (75%, up from 73%) and “complexity and chaos” in the SOC (53%, up from 49%)

The perennial issue of a skills shortage

Not surprisingly, the perennial issue of a skills shortage (seen by more than 50% of respondents) is close to the heart of the issue. But digging deeper, it’s quickly apparent that across the board people, process, and technology are misaligned and inefficient:

  • Organizations have too many tools (nearly 40%), and more than half don’t have all the data necessary, nor the ability to capture actionable intelligence
  • While 76% say training/retention is highly important, more than 50% have no formal programs in place, and more than 50% cite the lack of skilled personnel as a major factor in SOC inefficiency
  • Mean time to response (MTTR) remains unacceptably high, with 39% saying their average time to resolve an incident is “months or even years”

“At first blush, the data from the survey made it appear that SOCs are advancing, but it turns out the budget growth and successes hide substantial pain—and to achieve even these modest successes consumes considerable resources,” said Julian Waits, general manager, cybersecurity at Devo.

“While the focus and efforts of high-performing SOCs are driving them to be successful in spite of increasing barriers, that success comes at an unacceptable human cost. Seventy-eight percent of respondents say working in the SOC is very painful.

“Even more troubling, 69% say that experienced analysts would quit the SOC because of stress. It’s clear that significant reforms must be made to achieve greater SOC efficiency and engagement—with less analyst stress—especially in the face of a new economic normal that will likely constrain investments for some time to come.”

SOC team burnout

Alleviating SOC team pain

For all the friction and pain, high-performing teams are continuing to advance the benefits SOCs provide organizations and should be commended for their efforts. Most importantly, high-performing teams have driven strong business consensus, with 73% of SOC objectives aligned with business objectives, versus low performers for whom 63% have no alignment at all.

Among the lessons that can be learned from the findings, the top three actions cited to demonstrably alleviate SOC analyst pain are greater workflow automation (71%), implementing advanced analytics/machine learning (63%), and access to more out-of-the-box content (55%).

How to establish a threat intelligence program

Instituting an in-house cyber threat intelligence (CTI) program as part of the larger cybersecurity efforts can bring about many positive outcomes:

  • The organization may naturally switch from a reactive cybersecurity posture to a predictive, proactive one.
  • The security team may become more efficient and better prepared for detecting threats, preventing security incidents and data breaches, and reacting to active cyber intrusions.
  • The exchange of pertinent threat intelligence with other organizations may improve collaboration and preparedness.

But these positive results are dependent of several things.

threat intelligence program

Some may think that, for example, cybersecurity is directly proportionate to the amount of threat intelligence they collect.

In reality, though, threat intelligence information can only serve their organization to the extent that they are able to digest the information and rapidly operationalize and deploy countermeasures.

“You may collect information on an ongoing or future threat to your organization to include who the threat actor is, what are they going after, what is the tactic they will utilize to get in your network, how are they going to move laterally, how are they going to exfil information and when will the activity take place. You can collect all the relevant threat information but without the infrastructure in place to analyze the large amount of data coming in, the organization will not succeed in successfully orienting themselves and acting upon the threat information,” Santiago Holley, Global Threat Intelligence Lead at Thermo Fisher Scientific, told Help Net Security.

Working towards a threat intelligence program

Holley has worked in multiple threat intelligence and cyber positions over the past ten years, including a stint as a Threat Intelligence Lead with the FBI, and this allows him to offer some advice to security leaders that have been tasked with setting up a robust threat intelligence program for their organization.

One of the first steps towards establishing a threat intelligence program is to know your risk tolerance and set your priorities early, he says. While doing that, it’s important to keep in mind that it’s not possible to prevent every potential threat.

“Understand what data is most important to you and prioritize your limited resources and staff to make workloads manageable and keep your company safe,” he advised.

“Once you know your risk tolerance you need to understand your environment and perform a comprehensive inventory of internal and external assets to include threat feeds that you have access to. Generally, nobody knows your organization better than your own operators, so do not go on a shopping spree for tools/services without an inventory of what you do/don’t have.

After all that’s out of the way, it’s time to automate security processes so that you can free your limited talented cybersecurity personnel and have them focus their efforts where they will be most effective.

“Always be on the lookout for passionate, qualified and knowledge-thirsty internal personnel that WANT to pivot to threat intelligence and develop them. Having someone that knows your organization, its culture, people and wants to grow goes a long way compared to the unknowns of bringing external talent,” he opined.

The importance of explaining risk

To those who are still fighting to get buy-in for a TI program from the organization’s executives and board members, he advises providing contextualized threat intelligence.

“You must put potential threats in terms that are meaningful to your audience such as how much risk a threat poses in terms of potential damage alongside which assets and data are at risk,” he explained.

“Many times business managers are focused on generating revenue and may see threat intelligence as an unnecessary expense. It is important for security leaders to communicate risk to their business managers and how those contribute to unnecessary cost and time delays if not addressed.”

He also advises getting to know the people they are working with and start building a professional working relationship. “The success of the program correlates to the strength of your team and how successful they are in collaborating and communicating with business managers.”

Avoiding burnout

Cyber threat intelligence is one of the key tools information security operation centers (SOCs) use to carry out their mission. While helpful, it’s also one of the many little things that add to the mounting pile of stress SOC teams often feel.

SOC analysts are tasked with keeping up with the organization’s security needs and getting end users to understand cybersecurity risks and change their behavior, but are often dealing with an overwhelming workload and constant emergencies and disruptions that take analysts away from their primary tasks.

Burnout is often lurking and ready to “grab” SOC team members, so Holley advises them to implement a number of techniques to manage stress:

  • Identify the problem. Understand what is specifically causing your stress in the first place, a good way of doing this is via root cause analysis. Peel the layers of the problem and understand the root
  • Control your time. Take control of your time by blocking your calendar and give yourself time to focus on your own tasks and avoid being oversaturated with meetings
  • Pick your battles. If you are going to go to war, make sure it is worth it. Avoid being dragged into confrontations that ultimately do not matter
  • Stay healthy. Working out has many benefits when it comes to stress reduction, it gives you the opportunity to focus on something for YOU.

“Today’s cyber security environment is challenging and requires analysts to react to changes quickly and effectively. It seems that there is a never-ending demand on flexible intellectual skills and the ability to analyze information and integrate different sources of knowledge to address challenges,” Holley noted.

His own preferred thinking process for making the most appropriate decisions as quickly as possible is the OODA loop (Observe, Orient, Decide, Act).

“Risk management and being able to sort through large amounts of information and prioritize what needs to be actioned right away helps with problem solving. Keeping a cool head during difficult situations aids critical thinking but also allows for professional interactions with coworkers and stakeholders,” he concluded.

Companies still struggle with SOC staff shortages, security skills gap

Exabeam’s 2020 State of the SOC Report reveals that 82% of SOCs are confident in the ability to detect cyberthreats, despite just 22% of frontline workers tracking mean time to detection (MTTD), which helps determine hacker dwell time.

SOC staff shortages

Compounding this unfounded confidence, 39% of organizations still struggle with SOC staff shortages and finding qualified people to fill the cybersecurity skills gap.

The survey, conducted among 295 respondents across the U.S., the U.K., Canada, Germany and Australia, was also fielded to determine how analysts and SOC management view key aspects of their operations, hiring and staffing, retention, technologies, training and funding.

“From 2018-2019, we learned that dwell time – or, the time between when a compromise first occurs and when it is first detected – has grown. Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyberthreats,” said Steve Moore, chief security strategist at Exabeam. “We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not.”

Highlighting the imbalance is that SOC leaders and frontline analysts do not agree on the most common threats facing the organization. SOC leaders believe that phishing and supply chain vulnerabilities are more important issues, while analysts see DDoS attacks and ransomware as greater threats.

Technology trends

Small- and medium-sized teams especially are more concerned with downtime or business outage (50%) over threat hunting as an operational metric, yet threat hunting stands out as a must-have hard skill (61%). Other prominent findings include:

  • SOC outsourcing in the U.S. has declined YoY (36% to 28%).
  • U.K. outsourcing had a YoY increase (36% to 47%).
  • Germany reported 47% outsourcing, primarily of threat intelligence services.
  • Australian SOCs struggle in most categories and need improvement in technology updates, monitoring events and responding to/analyzing incidents.

In general, monitoring and analytics, access management and logging are higher priorities this year for all SOC roles.

  • More than half of SOCs were found to log at least 40% of events in a SIEM.
  • The U.K. utilizes logging the most, compared with geographic counterparts.
  • SOCs are least able (35%) to create content, the skill around the creation of detection logic, validation, tuning and reporting.

To support this, most SOCs expect to see security orchestration, automation and response (SOAR) tools take precedence over other technologies in upcoming years.

SOC staff shortages

SOC staff shortages

The U.S. and the U.K. SOCs have shown YoY improvements in recruiting costs and identifying candidates with the right expertise. Workplace benefits, high wages and a positive culture were this year’s top drivers for retention in nearly 60% of SOCs. Notably, there remain challenges:

  • 23% of SOC personnel across the U.S. and 35% across Canada report being understaffed by more than 10 employees.
  • 64% of frontline employees in the SOC reported a lack of career path as a reason for leaving jobs.
  • Less effective SOCs reported feeling they lacked the necessary investment in technology, training and staffing to do their jobs well.

When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More

The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.

Creating an emergency ready cybersecurity program

A large part of the world’s workforce has transitioned to working remotely, but as plans are being drawn up to reopen economies, the security industry is being challenged to develop stronger screening practices, emergency operations planning, and to deploy tools to detect and minimize the impact that future pandemics, natural disasters and cyberattacks can have on a company.

emergency ready cybersecurity program

Things like global security operation centers (SOCs), managed security services, thermal imaging and temperature screening for on-site visitors and employees and enhanced employee tracking capabilities are new areas of increased focus.

As security professionals are forced to reassess how the systems they monitor are working in this new environment, companies and organizations must still deal with day-to-day operations that are now more likely to occur on unsecured wireless networks. From data loss prevention and email spam protection to denial of service and data breach or leakage, there’s a large number of challenges to address as more and more workers work from home. So, what should businesses focus on to ensure security and safety?

The greatest vulnerabilities

One major cybersecurity shortcoming of companies is just how much of their network is accessible, both within an office and externally. As technology has advanced, the need for a secure network infrastructure is of the utmost importance to protect all company assets. That need is even more acute now, with many workers currently working from home on personal devices and unsecure wireless networks.

With the likely shift towards a more remote workforce in the coming years, across industries, wireless networks will need to be designed and revamped with security in mind.

Beyond the COVID-19 impact, IT teams still face non-standard deployments of technology in regard to security devices, as well as “bring your own device” options that are currently being used in every aspect of the IT world. IT groups also currently deal with a great deal of infrastructure that is aging without a replacement and/or a life-cycle management plan.

Additionally, “flat networks”, which were originally designed just to make sure everything could communicate, are still common. These networks were designed with very little regard for the security of edge devices and all other endpoints. Many enterprise customers are now retrofitting these networks to meet current cybersecurity requirements and recommendations. It is clear that security issues extend beyond our current, unforeseen circumstances and must still be dealt with promptly.

A strong incident response program

The success of security policies and systems depends on their proper implementation and a continuous improvement process to sustain the security program on a day-to-day basis. The program must meet business needs and appropriately mitigate security risks. By implementing an effective incident response program, a company will be able to use information generated from things like access control and video systems and ensure that a company’s security events are “real” and not falsely positives due to technological problems. Any strong IR program should be quick and accurate and with workers spread out around the globe.

Technology plays a growing role in almost all security programs but cannot be the ultimate factor when it comes to deciding which incidents require a response. As information becomes more integrated and easier to reach, successful IR programs ensure that the information delivered is accurate, relevant and actionable to security personnel. Technology may be providing the information avalanche, but it can also be used to effectively cull through the information and make sure the human operators only see what they are supposed to see.

The automation of security

How much of the world’s security can really be automated? Many simple tasks with access control and video systems are becoming more and more automated by the day. For example, video analytics are becoming more common on even the most basic security cameras and are less dependent on high-end servers than in the past.

Today, identification of people and vehicles can be accomplished through automation, rather than through human interaction. With remote workers, this is crucial. Many companies are now facing unexpected financial pressures and security budgets are being tightened. As such, automated processes for sending alerts and warnings have also taken on a larger role.

It is now expected, at the enterprise level, that every system should be able to auto-generate reports. Future deployment of all security-related technologies will further shrink the possibility of human error and the risk associated with those events, while providing a greater view for all stakeholders.

It goes without saying that we are in uncharted territory. As security experts work to shift security systems to accommodate the new reality we are living in, companies must find new ways to ensure the safety of their employees and their work – not just from COVID-19, but from additional challenges that come along with it.

As businesses across the world start to reopen, executives should be thinking about their cybersecurity protocols, and the best ways to utilize technology to their advantage. The most successful businesses will have strong, uniform IT standards and will be able to conduct their security work from any location, with a quick response.

Maintaining the SOC in the age of limited resources

With COVID-19, a variety of new cyber risks have made their way into organizations as a result of remote working and increasingly sophisticated, opportunistic threats. As such, efficiency in the security operations center (SOC) is more critical than ever, as organizations have to deal with limited SOC resources.

limited SOC resources

Limited SOC resources

The SOC is a centralized team of analysts, engineers, and incident managers who are responsible for detecting, analyzing, and responding to incidents and keeping security operations tight and resilient – even when security strategy fails. During the first 100 days of COVID-19, there was a 33.5 percent rise in malicious activity, putting increased pressure on these teams. Rapidly changing attack methods make keeping up an immense challenge.

With all of this in mind, it’s easy for the SOC to become overwhelmed and overworked. To avoid this and protect the business, it’s important to keep morale high, production efficient and automation reliance balanced on need. Read on to explore the do’s and don’ts of maintaining SOC operations throughout the pandemic.

Do: Prevent burnout before it’s too late

The SOC requires a high level of technical expertise and, because of that, the number of suitable and competent analysts holding positions in the field are scarce.

Beyond the skills shortage, the job of a SOC is made even more difficult and overwhelming by the lack of employee awareness and cybersecurity training. Untrained employees – those who don’t know how to appropriately identify a live threat – can lead to a high noise-to-signal ratio by reporting things that may not be malicious or have high click-through rates. This means organizations are not putting enough emphasis on building what could be the strongest defense for their business – the human firewall. Ninety-five percent of cyberattacks begin with human error, causing more issues than the SOC can handle.

For those that are implementing training, it’s likely they’re not seeing their desired results, meaning an uptick in employee mistakes. For one, cyber hygiene across organizations saw large deterioration by late March, with blocked URL clicks increasing by almost 56 percent. The organizations experiencing this downgrade in employee cyber resiliency should take the time to re-think their methods and find alternatives that keep their staff engaged rather than implementing irregular, intensive training with boring content just to check a box.

Coupling this with rapidly changing threat activity, the SOC is under immense pressure, which could lead to a vicious cycle where analysts leave their roles, creating open vacancies that are difficult to fill.

Don’t: Jump headfirst into automation

With limited SOC resources, one may think automated alerts and post-breach threat intelligence are the answer to ensuring proper attention is kept on an enterprise’s security.

On one hand, automation can help alleviate time spent on administrative action. For example, it can help detect threats more quickly, giving teams more time to focus on threat analysis.

However, post breach threat intelligence and automated alerts can also lead to fatigue and a lot of time spent investigating, which could be at a higher cost than the administration burden. Not to mention, machine learning can also learn bad behaviors and, in itself, be a vulnerability –threat actors can learn machine patterns to target systems at just the right time.

The SOC should therefore adopt automation and intelligence only where it makes the most sense, layering in preventive measures to reduce that fatigue. Organizations should be critical of the technologies they take on, because ultimately, a quick response can create an added burden. Instead, they should focus on improving the metrics that have a positive impact on the SOC and employees, such as a reduction in reported cases and dwell time, as well as the ratio of good-to-bad things reported. With the right training, technology, and policies, the SOC – and the business – can get the most out of its investment.

Do: Improve virtual collaboration practices

A recent (ISC)2 survey found that 90 percent of cybersecurity executives are working remotely. Like every other employee in a digitally-connected company, an organization’s SOC is also likely not in the office right now. This is a challenge, as some have become accustomed to putting their SOC, other IT teams, and the technology that they use in close proximity to one another to create a stronger, more resilient approach. This extends the SOC’s operational knowledge and creates a faster response in time of crisis.

Given the current pandemic, most teams are unable to have this physical proximity, stretching the bounds of how they operate, which could put a strain on larger business operations. This can inhibit communication and ticketing, which is seamless when seated together. For instance, folks may be working on different schedules while remote, making it hard to communicate in real-time. Remote scenarios can also deepen data silos amongst teams who aren’t in communication. These challenges increase the amount of time it takes the SOC to find and address a potential threat, widening the attack surface.

As such, organizations should be mindful and strategic about their new cross-functional operation and create new ways for teams to collaborate in this new virtual frontier. For instance, businesses should:

  • Ensure access to their enterprise: Start thinking about disaster recovery and business continuity as the tools needed to ensure security or even access to the “castle” that was once considered their enterprise.
  • Consider their tools: Adjust communication styles and interactions by adopting tools, like Microsoft Teams, Slack, or Skype, to help everyone stay in constant communication or keep the channel open during traditional working hours.
  • Focus on training: Develop training and documentation that can be used by operations teams in a consistent fashion. This could include a wiki and other tools that help with consistent analysis and response.
  • Keep operations running globally: Establish formal standups and handovers for global teams.
  • Maintain visibility through technology: Adopt SaaS technologies that enable the workforce and offer visibility to do their jobs.
  • Change the hiring approach: When hiring, realize that this is a “new” world where proximity is no longer a challenge. With the right tools and processes, business can take the chains off when hiring smart people.
  • Recognize and reward success: Morale is the most important thing when it comes to SOC success. Take breaks where needed, reward those that are helping the business succeed and drive success based on goals and metrics.

The cyber threats posed by COVID-19 and impacting the SOC are rapidly evolving. Despite current circumstances, malicious actors are not letting up and organizations continue to be challenged. Due to the limited number of SOC analysts equipped with the skills to keep organizations protected, the risk of burnout risks is high and the industry does not have the staff to fill vacant roles. With all of this in mind, SOC analysts must be supported in their roles as they work to keep businesses safe, by adopting the right technologies, processes and collaboration techniques.

The missing link in your SOC: Secure the mainframe

How confident are you that your security visibility covers every critical corner of your infrastructure? A good SIEM solution will pull data across firewalls, servers, routers, and endpoint devices. But what if there is even one gap—one piece of equipment that can’t be monitored but contains business critical data? That sounds like a glaring hole in the vision of your SOC, doesn’t it? Especially if it can be exploited by hackers, malicious insiders, or simply by accident.

secure the mainframe

I know, I know. I’m preaching to the choir here. You already know your SOC needs to have immediate access to all of your key infrastructure to ensure a fast and effective response to any incident. But I’ll bet that I’m right in saying there is a gap in many of your enterprises that comes down to a single question—is your mainframe protected by the same level of best practices and automation as your servers? I’d wager the answer is either no, or that you simply don’t know.

Consider the mainframe

Let’s discuss the mainframe for a minute. You know, that computer that accounts for 68 percent of IT production workloads and is the backbone of your entire enterprise?

For ages, the mainframe was like macOS – considered natively secure and not at risk of attack or compromise. Because of that, it was ignored by most security engineers who either subscribed to this belief or simply didn’t understand it and couldn’t challenge that notion.

The reality is that the mainframe is securable, but it is definitely not guaranteed to be secure. An attacker inside your network can access it from the same Windows or Linux platform as your administrators, gain elevated privileges, and gather sensitive data. Once they gain initial access, there are several common methods they can use to initiate privilege escalation. Using those elevated privileges, they are able to run a number of harmful scripts to take control over it and hide their tracks.


It’s time to start treating the mainframe as just another computer on your network. This means that it’s time to synchronize the mainframe’s information and event logging into your SIEM in real-time. And if you are one of the few who already have real-time mainframe visibility, you may still lack the knowledge and expertise to successfully leverage and respond to it. For example, if acronyms like RACF and ACF2 are foreign to your security team, how will they distinguish between a false positive and a devastating incident? The data must be both visible and actionable.

So, what is the answer? Most security analysts need more training to put the security knowledge they already possess into practice to better understand and secure the mainframe. But it won’t take long for the mainframe and its alerts to become part of their battle rhythm. To jumpstart this process, successful companies have generally taken a few key actions:

  • Hired individuals with a mainframe background and interest in security
  • Leveraged training programs to learn penetration testing and secure the mainframe
  • Consulted with a mainframe-managed services provider

Hiring the right person

Simply hiring the right person may seem obvious but hiring talent with either mainframe or cybersecurity skills is getting harder as job openings far outpace the number of knowledgeable and available people. And even if your company is able to compete with top dollar salaries, finding the unique individual with both of these skills may still prove to be infeasible. This is where successful organizations are investing in their current resources to defend their critical systems.

This often takes the form of on-the-job training through in-house education from senior technicians or technical courses from industry experts. A good example of this is taking a security analyst with a strong foundation in cybersecurity and teaching the fundamentals of the mainframe.

The same security principles will apply, and a talented analyst will quickly be able to understand the nuances of the new operating system which in turn will provide your SOC with the necessary skills to defend the entire enterprise, not just the Windows and Linux systems that are most prevalent. Training and investing in your staff will pay off dividends not only in the caliber of your security operations but in the loyalty of the employees who execute it.

If your current staff is unable to broaden their skills expertise due to a shortage of time and bandwidth, you may want to consider a mainframe-managed security service. Offloading the security and responsibility to experts who specialize in defending the mainframe will ensure that you are adequately protected from losing your critical mainframe server. Security is the application of business risk reduction and this will often be the fastest way to meet that goal. Fortunately, this can be done on a temporary, on-demand basis while you ramp up your own staff to integrate the security function back into your SOC.

As part of a wider autonomous digital enterprise framework, securing the mainframe isn’t exclusively a security or operations need, it’s a business need for adaptive security. A successful and adaptive cybersecurity program necessitates having well-trained domain experts that can establish the proactive security functions to automatically sense, detect, and respond to security incidents. When you consider how essential the mainframe is to the critical functions of the organization, you simply can’t afford to make security assumptions about it.

Five contingency best practices for SOCs to handle uncertainty

With a crush of new teleworkers and a significant increase in endpoints coming online, we’ve entered into a new reality. COVID-19 has disrupted our lives and the business world – possibly for longer than we’d planned. Once the pandemic ends, companies may take six months to get up and running normally, according to a CNBC Global CFO Council survey.

best practices SOCs

The “new reality” extends to security operations centers (SOCs). SOCs are familiar with natural disasters and other inclement weather that includes floods, tornadoes and even ice storms, and it’s critical to keep a SOC operational in the event that there is reduced local staff or access to physical infrastructure.

SOCs operate as busy, open-office environments with team members working closely together to monitor and mitigate threats. Even with so many employees working remotely, you want to find a way to continue to facilitate those impromptu exchanges, during which newly discovered problems are discussed and often resolved.

The loss of available personnel (due to illness or communications outages) and solutions/resources (due to disruptions) is something you want to plan for if you haven’t already. If you’re a CISO or other manager who oversees SOCs, you need to adjust to these times and others you’ll face in the future with a risk-based assessment of your people and resources.

You need to determine what would change should some percentage of them become unavailable, how this would impact operations/business obligations, and how to respond to reduce negative outcomes. In pursuing such an assessment and other proactive contingency planning, here are five best practices to consider.

Implement a follow-the-sun strategy

Establishing SOC operations and personnel in dispersed geographic regions reduces the pressures that would come with operating with a skeleton staff and lessens the chance of major impact. When one location experiences pressure due to disaster, weather or another circumstance, the other locations can step up to ensure SOC functions are not interrupted.

Prioritize your resources

It’s important to identify the top resources for the SOC: the VPN, ticketing systems, cloud infrastructure assets, etc. Then, you want to determine which capabilities you would lose if those assets went down, and how this would impact service-level agreements (SLAs) and additional business-critical functions.

Your risk-reduction strategy should ensure that “minimum acceptable” business disruption is the worst-case possibility, no matter which technologies are affected and how severely they are damaged. From there, you build up scenarios to depict what business operations will look like in going from “minimum acceptable” with a significant number of resources down, to increasingly productive cases in which you have more resources up and running.

Then, you should think about your connectivity back-up plan. What would happen if your chat functionality went down? What if your phone system was no longer available? How does your SOC team react in these situations to enable business to continue?

A sound game plan begins with multiple fallback options for every form of communications that your team relies upon. If you’re only using a single VoIP solution for phone and video conferencing, for example, then make sure your employees can quickly switch to a secondary messaging solution if phone/video conferencing services go down.

Having multiple licenses for multiple communications forms increases the likelihood that “impact” doesn’t shut everything down. Take a look at the breadth of tools available to you today, more often than not you will find additional solutions to support you in your BCP.

Don’t neglect the “people” part of the picture

It’s not all about tech – employees are a crucial resource as well. As indicated, you will face the realities of sicknesses, a distributed workforce and potential internet/communications outages during a pandemic or other natural disaster or inclement weather.

As part of your risk assessment, ask yourself: “What is the least amount of staffing I need to still deliver meaningful support for business units, and reduced incident response time?”

Again, while you may still see decreases in business functionality and response capabilities, you can determine what the minimum acceptable levels of these are. You can then map out what your team performance and priorities will look like with varying count of absent staff, and estimate whether you’ll meet (and ideally exceed) the minimum acceptable levels in either scenario.

Keep a watchful eye

Once you have mapped your tech resources and people, you should invest in monitoring tools which will track your staffers and solutions while knowing where all of your single points of failure are, and how these failures could affect business-critical functions.

Organizations should re-evaluate their managed detection and response (MDR) capabilities and assess new providers if there are obvious gaps that need to be addressed quickly. Again, as part of a risk-based assessment, you are monitoring to get a better sense of what you are obligated to do; track the personnel and tools you require to do it; and effectively respond if you no longer have certain employees and/or tools in place (either temporarily or for an extended period).

Take it to the cloud

The more you invest in cloud-based tools for your SOC, the better prepared you’ll be for COVID-19 and any other health or disaster-related event which threatens to disrupt your operations. That’s because the cloud is obviously not confined to a specific, physical location.

Fortunately, organizations are universally looking to make these investments, as 97 percent plan to either move “some or all” of their existing SOC analytics infrastructure to the cloud, replace on-premises security analytics solutions with native cloud-based alternatives, or supplement on-premise analytics tech with additional cloud-based capabilities, according to research from the Enterprise Strategy Group.

We have never been through anything like COVID-19 and, hopefully, we never will again. But there will always be hurricanes, tornadoes, ice storms, earthquakes and wildfires. Cyber attackers won’t “stand down” during these times. In fact, they’ll likely seek to exploit the opportunity.

That’s why CISOs and SOC managers must incorporate risk assessment and “what if?” planning into their entire business-supporting ecosystem – both people and “parts” – to keep everything running. With this, they’ll prepare themselves for anything that comes their way, regardless of the nature of the disaster.

Know your enemy: Mapping adversary infrastructure quickly and accurately

Group-IB is a known quantity in the information security arena: in the sixteen years since its inception, the company – now headquartered in Singapore – has detected and detailed many high-profile threats, performed over a thousand successful investigations across the globe and gained widespread recognition for helping private and public entities and law enforcement worldwide track down and prosecute cybercriminals.

To be able to do that, it has been steadily building an international infrastructure for threat detection, hunting and investigating cybercrime around the world. This infrastructure includes, among other things:

  • The largest computer forensics laboratory in Eastern Europe
  • An early warning system for proactive cyber defense based on their own threat intelligence, attribution and incident response practices
  • A certified emergency response service (CERT-GIB), which is member of the Forum of Incident Response and Security Teams (FIRST) and Trusted Introducer
  • Databases containing extensive threat and threat actor information

The company was, at the beginning, mostly a provider of digital forensics and cyber investigation services. In time, though, they realized that the solutions available to organizations were not keeping pace with the ever-morphing threat landscape, so they decided to work on and offer their own.

It all started with the creation of Group-IB Threat Intelligence (TI), an attack attribution and prediction system and service that’s based on data collected from a wide variety of sources (investigations, network sensors, honeypots, OSINT, card shops, and much more), automated information extraction and correlation technologies, and is supported by expert analysts, incident responders and investigators around the world.

It was followed by:

  • Group-IB Threat Detection System (TDS) – A threat-actor-centric (instead of malware-centric) detection and proactive threat hunting solution
  • Secure Bank – A fraud and attack prevention solution for the financial services industry, which detects threats like account takeovers, credit fraud, malicious web injections, banking trojans, remote access software, social engineering, etc. (keeps more than 100 million banking customers secure by monitoring 16 million online banking sessions every day)
  • Secure Portal – A fraud and attack prevention solution for ecommerce websites and online services (prevents account takeovers, identifies fake accounts and blocks bots, fraudulent activities, fraudulent ticket sales, and so on)
  • Brand Protection – A service designed to detect and eliminate threats to one’s brand on the Internet (brand abuse, Internet fraud, copyright infringement, counterfeiting)
  • Anti-Piracy – intelligence-driven protection of content online

Most of these solutions are powered by Group-IB TI. More recently, though, they gained another thing in common: an integrated Graph Network Analysis system for cybercrime investigations, threat attribution, and detection of phishing and fraud.

Graph Network Analysis

Many threat intelligence solutions have graph-making capabilities and the company has considered a number of graph network analysis providers before finally deciding to develop their own tool for mapping adversary infrastructure, Group-IB CTO and Head of Threat Intelligence Dmitry Volkov told Help Net Security.

None of the considered solutions gathered and used the wide variety of data and historic data Group-IB experts deem crucial for creating a complete picture for better visibility. None of them had the automated graph creation option and were able to reliably identify and exclude irrelevant results. Finally, none allowed operators to specify the ownership timeframe of the entered suspicious domain, IP address, email or SSL certificate fingerprint.

“Domain name and IP addresses change ownership – today they are used by a threat actor, tomorrow by a legitimate company or a random individual, so the timeframe within which the threat actor owned the suspicious domain name or IP address is very important information for the creation of a relevant and accurate graph,” Volkov explained.

mapping adversary infrastructure

mapping adversary infrastructure

The interface of the graph network analysis tool

The user decides how wide they want to cast the net by specifying the number of steps the tool should take when identifying direct links between elements, but the tool’s automated mode builds the graph of the links to the searched element. And, if they switch on the “refine” option, it will automatically remove from the resulting graph all the elements it deems irrelevant.

mapping adversary infrastructure

The graph network analysis tool attributing the search element to a specific threat actor

Analysts and investigators who don’t trust the tool to create a graph that contains all the crucial elements can always turn “refine” off and specify one step to build the graph themselves and then remove irrelevant elements from it.

Though, Volkov pointed out, after performing numerous manual checks and consistently seeing that the tool did a great job when allowed to do it automatically, their own experts have come to trust and prefer that option.

Improving graph accuracy

“The initial goal was just to create a useful tool for our internal analysts, and we didn’t plan to incorporate it in our products. But some of our clients saw how we were using it to do our research in-house and wanted to be able to do the same, so we decided to share it,” Volkov shared.

The company’s developers and experts have been working on the Graph Network Analysis tool for the past few years. The first version was good, but very slow. In time, they managed to improve both the speed and the effectiveness by experimenting with different types of data and different approaches to data enrichment, processing and correlation.

There are still two versions of the tool: a standalone one that’s used by Group-IB’s experts and one that’s incorporated in the company’s products. New features are first added and tested on the former, then incorporated in the latter if they prove useful.

Group-IB is constantly working on enriching the tool with data and designing new algorithms using machine learning to improve the graph’s accuracy.

“All of Group-IB’s products are being constantly fine-tuned thanks to the permanent monitoring of the cyberspace for new threats and our incident response operations and cyber investigations,” Volkov pointed out. “And we’re always analyzing existing solutions on the market, pinpointing their weak spots and shortcomings, thinking of ways to eliminate them and striving to provide the best technologies to our customers.”

The tool’s capabilities

Mapping adversary infrastructure and (hopefully) identifying the threat actor has many advantages for the targeted organization and its customers, but also for other organizations, their customers and, in general, the wider populace.

“The main goal of network graph analysis is to track down projects that cybercriminals carried out in the past — legal and illegal projects that bear similarities, links in their infrastructure, and connections to the infrastructure involved in the incident being investigated,” Volkov explained.

If the users are very lucky and a cybercriminal’s legal project is detected, discovering their real identity becomes simple. If only illegal projects are detected, that goal becomes more difficult to achieve.

But even if the identity of the attacker remains elusive, discovering details about their previous attacks can help pinpoint their preferred tactics, techniques, procedures, tools and malware, and that information can be handy for disrupting ongoing attacks or even preventing those that are yet to be launched (e.g., by identifying attacker infrastructure at the preparation stage).

The tool can be leveraged by SOC/CERT analysts, threat hunters, threat intelligence analysts and digital forensic specialists, and it’s great for improving the speed of incident response, fast cybercrime investigations, proactive phishing and global threat hunting, and pinpointing malicious servers hidden behind proxy services.

It’s also used for IoC enrichment and event correlation (i.e., discovering when certain attacks are linked and are likely different stages of a single multiphase attack).

Group-IB Graph Network Analysis was designed based on indicators of compromise discovered and collected by the company’s cybercrime investigators, incident responders and malware analysts in the last 16 years.

To this have been added or made available through data-sharing agreements and subscriptions many other data sets containing:

  • Domain registration data
  • DNS records (domain records, files, profiles, tags)
  • Service banners (domains, redirections, error codes)
  • Service fingerprints on IP addresses (which services are running and which ports are open)
  • Hidden registration data (IDs, hosting providers)
  • Historic registration data and that related to hosting transfers
  • SSL certificate registration data.

They have also made an effort to come up with new methods of extracting data that is not available using ordinary means. “We cannot reveal details for obvious reasons, but in some cases, mistakes made by hackers during domain registration or server configuration help us discover their emails, pseudonyms, or backend addresses,” Volkov said.

An advantage for all threat hunters

The tool queries both the company’s internal databases and external sources of information (e.g., WHOIS, public sandboxes, etc.) and the whole network graph creation happens in mere seconds.

And everybody wins in the scenario where the tool is used by Group-IB’s clients.

“By giving visibility to our clients, we reduce our analysts’ load and get interesting feedback from our clients. When they do the analyses themselves, they may achieve results that are more interesting and relevant to them, and when they share those results with us, we have a better understanding about the threats that target organizations in their industry, sector or geographic region,” Volkov concluded.

“This allows us to tune our research capabilities and detection engines to improve our whole ecosystem and, on a global scale, it improves our detection, prevention and hunting processes for every client.”

What is the actual role of a threat hunter?

The role and tasks of a threat hunter are confusing, according to a ThreatQuotient and SANS study based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.

threat hunter role

Threat hunter role: How threat hunting teams are tasked in an environment

Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.

“However, the reality within corporate IT is often different,” says Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”

The study confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter.

“Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” Auer emphasises.

Targeted threat discovery is important

The fact that threat hunting is still in its infancy is evident based on suboptimal prioritization of resources. “Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study.

“When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.” In fact, 71% of participating companies consider technology to be first or second in terms of resource allocation for threat hunting. Only 47% of respondents focus on hiring new personnel and 41% on training employees.

threat hunter role

Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting.

These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organizations.

Cyber threats continue to evolve, but security teams remain confident

Coming off of a year of major data breaches making headline news, it’s easy to draw the conclusion that security teams are losing the cybersecurity battle, a DomainTools survey reveals. Security teams remain confident Security pros are reporting real progress being made as confidence in their programs continues to grow: Thirty percent of respondents gave their program an “A” grade this year, doubling over two years from 15 percent in 2017. Less than four percent … More

The post Cyber threats continue to evolve, but security teams remain confident appeared first on Help Net Security.

Want to build a successful SOC? Here’s what you need to know

There is no arguing the fact that networks are continually growing in complexity and the cyberattack surface is constantly expanding. A critical step in building a stronger security posture and more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. When the inevitable attack happens, timely identification, reaction and collaboration is everything, and a business with a successful SOC will be far quicker and coordinated … More

The post Want to build a successful SOC? Here’s what you need to know appeared first on Help Net Security.