By Diana Ion.

It is common knowledge in the security community that it is not a question of “IF a system fails” but of “WHEN a system fails”. Having 100% coverage against attacks is impossible: your controls must never fail, while an attacker needs only one lucky strike to succeed.

Always aiming for better security features and taking better mitigation steps is something each company needs to do. A crucial part of staying ahead is having a system for monitoring your network. The goal of security monitoring is to give you actionable and comprehensive insight, and alerts that indicate the actions required to mitigate the potential impact on your company.

A Security Operations Center (SOC) is not only a room full of screens, but it is also a team of people with very specific tools, skills, and processes.

To better imagine how a SOC would fit into a company’s security landscape, we will discuss the case of a fictional financial company X with 50,000 employees. In order to stay in business and continue to earn billions, the company must update its traditional security perimeter and create a security awareness culture at the workplace. Because X is a financial institution and it is 2020, the biggest threats are the cyber ones. The company understands the danger and is willing to invest as much as is necessary to be one step ahead of the adversary. In addition, there are certain requirements and standards that a financial company needs to meet in terms of security. So far, there have been no serious security breaches or attempts to steal sensitive data.

The company aims for a permanent internal SOC with full-time employees. The SOC team should have around 80-100 members, in line with the company size of 50,000 employees. Ideally, the company will have a huge room with walls full of large screens that only SOC employees have permission to enter. State-of-the-art physical and cyber security has to be deployed for this room.

Initially, the company starts with a dedicated SOC and will shortly transition to a multifunctional SOC/NOC, hiring more specialists to perform both functions. The main features of the new SOC will be concentrated around the following areas:

- control and digital forensics

- monitoring and risk management

- network and system administration

In terms of what tools are needed in order to perform the aforementioned functions in an efficient manner, the best solution is to use a next-generation Security Information and Event Management (SIEM) system which gathers data from different sources across the company and uses Machine Learning combined with behavioral analytics to identify security incidents with 99.99% accuracy. It will then try to isolate and contain these threats using built-in capabilities.

Because the SIEM system will be so advanced and accurate in identifying threat events, the traditional SOC staff hierarchy will change. The role of Tier 1 Analyst whose responsibilities were to monitor and prioritize the alerts will slowly disappear. The new Tier 1 will be represented by the Incident Responder who will assist the system in containment, remediation, and recovery.

The most fun job will of course be the threat hunter, whose duties are to conduct penetration tests and hunt for yet undiscovered threats. This is an individual who reads every day about emerging cyber threats and makes sure the company does not become a victim of one of them.

The first step is data gathering; this data consists of system logs and events from other security tools. The next-generation SIEM has pre-built connectors so that it can access logs and event data directly from the cloud. Data collection is enabled via an agent installed on devices across the company. This data is stored in an Elasticsearch data lake and is normalized into a format that enables analysis. A huge advantage of harnessing the power of data lake technology is that it gives analysts fast and easy access to unlimited volumes of historic data. This is extraordinarily useful for threat hunting.

Complex Machine Learning algorithms and behavioural analytics are used to make correlations and discover suspicious activities like lateral movement, insider threats, and data exfiltration. An event is marked as suspicious when tested against established baselines. The “normal” behaviour for groups of users or devices is determined by the system using Data Science capabilities after monitoring the operations for a certain time. This increases the accuracy of threat detection.

Real-time alerts are sent immediately and the screens in the room light up red. The analysts will now try to dig deeper and understand how the threat is affecting the company systems. The SIEM system can provide context around the incident and help analysts. For remediation and mitigations, the analysts need to have a view of the status and activity of critical security and IT systems. Once again, the SIEM system can give analysts visibility and can even use Security Orchestration and Automation to automatically perform containment actions.

Because management and regulatory bodies need to check the performance of the company’s security, the SIEM will produce reports and audits describing each incident or breach, as well as a comprehensive overview showing the exact activity levels and how well the staff deals with the current workload. The most relevant metrics are the following:

- Mean time to detection (MTTD), which represents the average time until the SOC detects an incident. It shows the effectiveness in processing the alerts and identifying real incidents.

- Mean time to resolution (MTTR), which represents the average time until the threat is totally neutralized. It shows the effectiveness in response coordination and in taking appropriate measures to isolate and neutralize the threat.

- Total cases per month, which represents the number of detected and processed incidents. It shows the workload level and the scale of action the SOC is managing. It could be an important metric in hiring decisions.

- Types of cases, which classifies the incidents by type. It helps to focus security measures on the most dominant threats.
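The metrics listed above, computed over a handful of constructed incident records, as an added example (not the SIEM product’s own reporting code). It assumes each record carries the time attacker activity started, the detection time and the containment time; MTTD is measured from start to detection and MTTR from detection to containment, which is an assumption since the text does not fix the starting point.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed incident records, not taken from a real SIEM.
INCIDENTS = [
    {"id": "INC-1", "type": "phishing",
     "start": "2020-03-02T08:00", "detected": "2020-03-02T09:30", "resolved": "2020-03-02T13:30"},
    {"id": "INC-2", "type": "malware",
     "start": "2020-03-10T22:00", "detected": "2020-03-11T01:00", "resolved": "2020-03-11T09:00"},
    {"id": "INC-3", "type": "phishing",
     "start": "2020-04-01T10:00", "detected": "2020-04-01T10:30", "resolved": "2020-04-01T12:00"},
]

def _hours(a, b):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(b, fmt) - datetime.strptime(a, fmt)).total_seconds() / 3600

def mttd_hours(incidents):
    """Mean time to detection: average hours from first attacker activity to detection."""
    return mean(_hours(i["start"], i["detected"]) for i in incidents)

def mttr_hours(incidents):
    """Mean time to resolution: average hours from detection to full containment (assumed baseline)."""
    return mean(_hours(i["detected"], i["resolved"]) for i in incidents)

def cases_by_type(incidents):
    """Types of cases: incident count per category."""
    return dict(Counter(i["type"] for i in incidents))

def monthly_report(incidents):
    """Per-month overview: total cases, MTTD, MTTR and the type breakdown, keyed by detection month."""
    by_month = {}
    for inc in incidents:
        by_month.setdefault(inc["detected"][:7], []).append(inc)
    return {
        month: {
            "cases": len(group),
            "mttd_hours": round(mttd_hours(group), 2),
            "mttr_hours": round(mttr_hours(group), 2),
            "types": cases_by_type(group),
        }
        for month, group in sorted(by_month.items())
    }

if __name__ == "__main__":
    for month, row in monthly_report(INCIDENTS).items():
        print(month, row)
```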

The ultimate goal of the company regarding cybersecurity is to be mature. This will require continuous innovation and improvement. Of course, the proposed solution has some limitations: skilled employees are hard to find, costs are high, and integration with legacy systems is difficult.

The lack of skilled staff in cybersecurity is a real problem and the company can choose to create its own training programs for selected candidates.



What you don’t know can’t hurt right? Wrong!

The issue with most organisations is that they are waiting for that ‘Edgar (Hoover)’ moment.

“We’ve never had anything happen for the last 5 years, so why should we be worried…”

What you spend on your security is based upon that balance of risk and reward and all of that ‘return on investment’ stuff.  But there comes a time when that fundamental human trait of common sense needs to be applied.

Situational awareness

Has the threat changed, what is happening in the rest of the world, or even your industry? Situational awareness anyone? Is there such a thing as being 100 percent secure?  No… the trick is to introduce sufficient challenge to would-be attackers in order to put them off or deter them.  If the principles we apply to our security investment relate to risk and reward, our attacking friends have a slightly different if not too dissimilar agenda with an additional attribute of effort (required to pwn).

Many organisations invest in monitoring controls, paying through the nose for Security Operations Centres (SOCs) which are supposed to monitor the network and alert on suspicious activity and assist in containing suspected attacks.  Sadly, organisations don’t spend enough time to understand and work out what constitutes suspicious or abnormal behaviour.  What is actually put in place is a ‘vanilla’ service that does not take account of unique business activity.

Nothing to report here.

A vicious circle ensues, of reporting a clean bill of health up the chain that all is well.   All the while becoming oblivious to the pwnage ensuing in the background. This presents a false sense of security and allows organisations to become complacent until…. Boom! the headlines point to a serious breach.

Know your business!

This might sound simplistic, but sometimes the most fundamental aspects of security are the most neglected.  Having a SOC is great, if well briefed and with the right level of integration into organisational incident management regimes.  But part of this integration involves an analysis, with the right people, business users, of what constitutes established, understood and good behaviour.  Any deviations from this (good behaviour) form the basis of what needs to be monitored and more importantly alerted.
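The deviation-from-baseline idea, used here for what to monitor and alert on and earlier in the SIEM description (baselines of “normal” behaviour per user, with lateral movement and data exfiltration as the deviations of interest), as an added example that is not code from the page or from any SIEM product. It is a deliberately simple stand-in for the behavioural analytics described: the per-user baseline is a set of usual hosts plus a mean and standard deviation of outbound volume, built from constructed normalized events.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed normalized events: (user, host, bytes_out). The first list is the
# learning window that defines "normal"; the second is the activity under test.
BASELINE_EVENTS = [
    ("alice", "fin-app-01", 1200), ("alice", "fin-app-02", 900),
    ("alice", "fin-app-01", 1100), ("alice", "fin-app-02", 1000),
    ("alice", "fin-app-01", 1300),
    ("bob", "hr-db-01", 500), ("bob", "hr-db-01", 450), ("bob", "hr-db-01", 550),
]
TEST_EVENTS = [
    ("alice", "fin-app-01", 1250),   # within alice's normal pattern
    ("alice", "dc-01", 800),         # host alice has never touched: lateral movement?
    ("bob", "hr-db-01", 50000),      # volume far above bob's baseline: exfiltration?
]

def build_baseline(events):
    """Per-user profile: usual hosts and mean/stdev of bytes out, learned from the window."""
    hosts, volumes = defaultdict(set), defaultdict(list)
    for user, host, nbytes in events:
        hosts[user].add(host)
        volumes[user].append(nbytes)
    return {u: {"hosts": hosts[u], "mean": mean(volumes[u]), "sd": pstdev(volumes[u])}
            for u in hosts}

def find_deviations(baseline, events, z_threshold=3.0):
    """Return (user, host, reason) for each event that deviates from the user's baseline."""
    findings = []
    for user, host, nbytes in events:
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, host, "no baseline for user"))
            continue
        if host not in profile["hosts"]:
            findings.append((user, host, "new host for user (lateral movement?)"))
        sd = profile["sd"] or 1.0  # constant-volume users would otherwise divide by zero
        if (nbytes - profile["mean"]) / sd > z_threshold:
            findings.append((user, host, "volume anomaly (exfiltration?)"))
    return findings

if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_EVENTS), TEST_EVENTS):
        print(finding)
```

A real deployment would learn these profiles over a longer window and per group as well as per user, but the alerting rule stays the same: only deviations from agreed-good behaviour are raised.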

The nub of the matter is that if you have an online presence, and your business matters, you need to have some form of logging, monitoring and alerting in place.  This may or may not involve a SOC, but organisations (not SOC providers) need to take the initiative and decide what is important enough to be included.

If an attempt has never been made to gain unauthorised access to your environment, you are one of three things…

Lucky, ignorant or insignificant.
