Would you ever step into a Mixed Martial Arts (MMA) Octagon cage to compete against warriors who train for one thing: to knock down their opponent? Not a decision to take lightly. Now, think about it from the cybersecurity front. Security analysts are expected to step into the SOC cage and fight tirelessly against a whole new level of attacks, evolving daily, while skilled attackers sharpen their BJJ and Muay Thai TTPs. Often these attackers hide well behind cheap off-the-shelf exploit kits and the noise of script kiddies, making the work of the security analysts, our SOC warriors, a lot harder. Especially when they are not equipped with the right tools.
Looking back, the security industry's biggest challenge was to detect and investigate threats in a timely fashion, always trying to reduce mean time to detect and mean time to respond (MTTD and MTTR). Don't get me wrong, that battle remains and will continue for years to come. However, look closely at recent mega data breaches: that teeny-tiny alert did fire, but the number of unattended alerts (as called out by recent Gartner SOAR research) and the lack of cyber risk prioritization let many of those attacks become data breaches. Coming back to the detection challenge, the industry has made major strides, turning machine learning and behavioral analytics into common practice in our day-to-day job.
Still, attackers remain attackers as long as incentives exist: bitcoin gain (ransomware is faster, cheaper, and more scalable than mining, don't you think?!), fame, or intellectual property. Therefore, threats will continue to evolve and the number of unattended, conventional alerts will continue to grow.
Let's walk through the common "known" and "unknown" approach to describe a simplified security operations strategy. Have you thought about how security analyst warriors can become fearless fighting those unrelenting attacks, even in the cyber-octagon? How can they be enabled to face the hard challenges while not being blindsided by false alerts and smokescreens? How does an unattended, conventional (standalone) alert turn into a context-rich, cross-product and cross-organization incident? The industry calls it Automation. How can one leverage automatic playbooks, community shared and enriched, to automagically apply a response action with the tools you *already* have in the organization's security stack? The industry calls that Orchestration. Every good fighter knows to look ten steps ahead (while getting beat up) and wait for that perfect combo instead of throwing a single jab.
So, while the known is streamlined and properly managed, the SOC warriors now have time to focus on the real danger lurking in the unknown. Sounds good, but how do you actually make that happen? Looking at the attack lifecycle across all cyber kill chain steps, Security Operations Centers have four stages to follow religiously:
- Detect FIRST. Identify your attackers' tells (a.k.a. TTPs) by leveraging machine learning. Carefully investigate a consistent metadata taxonomy of machine, user, and network anomalies and the interconnections that are not visible at first sight. Threat intel IOCs are a nice addition, but NOT the end goal. See that uppercut heading your way and…
- Play. FIRST. (yes, I know…) Create a rigorous, detail-driven process around automating the response to "commodity" malware and known exploits, so you can apply the utmost attention to unknown threats targeting the organization's crown jewels.
- Investigate. Automate to the extent possible, BUT make sure the SOC is empowered with a platform that provides the visibility to perform full event analysis regardless of where the attack lands, including virtual, cloud, on-premises, or mobile environments.
- BUILD. Codify the manual steps the analyst performed. Tag the ATT&CK technique. Turn it into an automatic, context-enriched playbook. Security analysts are then better informed, with a better set of data sources and analytics.
Now rinse and repeat. Detect. Play. Investigate. Build. Remember: "It ain't about how hard you hit. It's about how hard you can get hit and keep moving forward"! #Rocky
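To make the Detect, Play, Investigate, Build loop concrete, here is an added example of a toy triage playbook. It is not RSA NetWitness code or any product's API; it is illustrative code written for this post. It takes standalone alerts from three assumed sources (email gateway, EDR, network), enriches each with a constructed threat-intel table and a constructed asset inventory, tags the ATT&CK technique, correlates the alerts by host into one incident, and then splits incidents into "known" (commodity, fully covered by intel, on a non-critical asset, so the playbook can respond automatically) and "unknown" (anything unrecognized or touching a crown jewel, which is escalated to an analyst with the context attached). The alert types, hostnames, hashes and IP addresses (RFC 5737 documentation ranges) are all made up; only the ATT&CK technique IDs are real MITRE identifiers.

```python
"""Toy SOC triage playbook: enrich -> tag ATT&CK -> correlate -> known/unknown.

Illustrative code added for this post, not RSA NetWitness code. Every data
table and alert below is constructed for the example.
"""
from collections import defaultdict
from pprint import pprint

# Constructed threat-intel feed (fake hashes, RFC 5737 documentation IPs).
KNOWN_IOCS = {
    "ip:203.0.113.45": {"family": "commodity-downloader", "severity": 2},
    "sha256:0a1b2c3d4e5f6a7b": {"family": "commodity-downloader", "severity": 2},
    "sha256:ffeeddccbbaa9988": {"family": "commodity-ransomware", "severity": 3},
}

# Constructed asset inventory: criticality 1 (workstation) to 3 (crown jewel).
ASSET_CRITICALITY = {"wks-114": 1, "wks-207": 1, "fin-db-01": 3}

# Assumed mapping from our invented alert types to real ATT&CK technique IDs.
ATTACK_MAP = {
    "phishing_attachment": "T1566.001",  # Spearphishing Attachment
    "powershell_encoded": "T1059.001",   # PowerShell
    "rdp_bruteforce": "T1110",           # Brute Force
    "ransomware_encrypt": "T1486",       # Data Encrypted for Impact
}


def enrich(alert):
    """Attach intel hits, asset criticality and ATT&CK tag to one raw alert."""
    indicators = alert.get("indicators", [])
    hits = [KNOWN_IOCS[i] for i in indicators if i in KNOWN_IOCS]
    unknown = [i for i in indicators if i not in KNOWN_IOCS]
    return {
        **alert,
        "technique": ATTACK_MAP.get(alert["type"], "unmapped"),
        "asset_criticality": ASSET_CRITICALITY.get(alert["host"], 2),
        "intel_hits": hits,
        "unknown_indicators": unknown,
        "severity": max([h["severity"] for h in hits] + [alert.get("severity", 1)]),
    }


def disposition(enriched):
    """'known': commodity activity fully covered by intel on a non-critical
    asset, safe to auto-respond. Everything else is 'unknown' -> analyst."""
    if enriched["unknown_indicators"] or enriched["technique"] == "unmapped":
        return "unknown"
    if enriched["asset_criticality"] >= 3:  # crown jewel: a human decides
        return "unknown"
    return "known"


def playbook_actions(enriched):
    """Response steps for a 'known' alert, derived from its enrichment."""
    actions = []
    for ind in enriched.get("indicators", []):
        kind, value = ind.split(":", 1)
        actions.append(("block_ip" if kind == "ip" else "quarantine_hash", value))
    if enriched["technique"] == "T1486":  # encryption underway: isolate host
        actions.append(("isolate_host", enriched["host"]))
    return actions


def build_incidents(alerts):
    """Correlate per-product alerts by host into context-rich incidents."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(enrich(alert))
    incidents = {}
    for host, items in by_host.items():
        dispositions = {disposition(e) for e in items}
        inc = {
            "host": host,
            "sources": sorted({e["source"] for e in items}),
            "techniques": sorted({e["technique"] for e in items}),
            "severity": max(e["severity"] for e in items),
            # crude risk prioritization: severity weighted by asset value
            "priority": max(e["severity"] * e["asset_criticality"] for e in items),
            "disposition": "unknown" if "unknown" in dispositions else "known",
            "actions": [],
        }
        if inc["disposition"] == "known":
            for e in items:
                inc["actions"].extend(playbook_actions(e))
        incidents[host] = inc
    return incidents


# Constructed alert stream: the same host seen by two products, plus an
# unrecognized source IP hammering the finance database.
SAMPLE_ALERTS = [
    {"source": "email", "host": "wks-114", "type": "phishing_attachment",
     "indicators": ["sha256:0a1b2c3d4e5f6a7b"]},
    {"source": "edr", "host": "wks-114", "type": "powershell_encoded",
     "indicators": ["ip:203.0.113.45"]},
    {"source": "network", "host": "fin-db-01", "type": "rdp_bruteforce",
     "indicators": ["ip:198.51.100.7"]},
    {"source": "edr", "host": "wks-207", "type": "ransomware_encrypt",
     "indicators": ["sha256:ffeeddccbbaa9988"]},
]

if __name__ == "__main__":
    pprint(build_incidents(SAMPLE_ALERTS))
```

Two standalone alerts on wks-114 collapse into one incident tagged with both techniques and get auto-contained, while the brute-force attempt against fin-db-01, whose source IP no feed recognizes, is ranked highest by priority and handed to an analyst rather than closed by automation. When the analyst finishes, the Build step is to add the new indicator and technique mapping to the tables so the next occurrence lands in the known bucket.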
Let RSA NetWitness® Platform assist you with better management of the known, and a faster, consistent transition of unknown threats into the known bucket. But above all, keep your guard up at all times. AROO!
# # #
SIEM, Network-Analysis, Forensics, EDR, UEBA, Threat Intel, Orchestration and Automation. Validate that YOUR SIEM CAN DO THIS!
Author: Maor Franco
Category: RSA Fundamentals, Blog Post
Keywords: Automation, O & A, Orchestration, SOAR, SOC