Why having the right toys matters
By Diana Ion.
It is common knowledge in the security community that the question is not “IF a system fails” but “WHEN a system fails”. Having 100% coverage against attacks is impossible, since your controls would have to never fail while an attacker needs only one lucky strike to succeed.
Always aiming for better security features and taking better mitigation steps is something each company needs to do. A crucial part of staying ahead is having a system for monitoring your network. The goal of security monitoring is to give you actionable, comprehensive insight and alerts that indicate the actions required to mitigate the potential impact on your company.
A Security Operations Center (SOC) is not only a room full of screens, but it is also a team of people with very specific tools, skills, and processes.
To better imagine how a SOC would fit into a company’s security landscape, we will discuss the case of a fictional financial company X with 50,000 employees. In order to stay in business and continue to earn billions, the company must update its traditional security perimeter and create a security awareness culture at the workplace. Because X is a financial institution and it is 2020, the biggest threats are the cyber ones. The company understands the danger and is willing to invest as much as necessary to be one step ahead of the adversary. In addition, there are certain requirements and standards that a financial company needs to meet in terms of security. Until now, there were no serious security breaches or attempts to steal sensitive data.
The company aims for a permanent internal SOC with full-time employees. The SOC team should have around 80-100 members, in accordance with the company size of 50,000 employees. Ideally, the company will have a huge room with walls full of large screens where only SOC employees have permission to enter. State-of-the-art physical and cyber security has to be deployed for this room.
Initially, the company starts with a dedicated SOC and will shortly transition to a multifunctional SOC/NOC, hiring more specialists to perform both functions. The main features of the new SOC will be concentrated around the following areas:
- control and digital forensics
- monitoring and risk management
- network and system administration
To perform these functions efficiently, the best solution is a next-generation Security Information and Event Management (SIEM) system, which gathers data from different sources across the company and uses Machine Learning combined with behavioral analytics to identify security incidents with 99.99% accuracy. It will then try to isolate and contain these threats using built-in capabilities.
Because the SIEM system will be so advanced and accurate in identifying threat events, the traditional SOC staff hierarchy will change. The role of Tier 1 Analyst, whose responsibilities were to monitor and prioritize the alerts, will slowly disappear. The new Tier 1 will be represented by the Incident Responder, who will assist the system in containment, remediation, and recovery.
The most fun job will of course be that of the threat hunter, whose duties are to conduct penetration tests and hunt for yet undiscovered threats. This is an individual who reads every day about newly emerging cyber threats and makes sure the company is not a victim of one of them.
The first step is data gathering. This data consists of system logs and events from other security tools. The next-generation SIEM has pre-built connectors so that it can access logs and event data directly from the cloud. Data collection is enabled via an agent installed on devices across the company. The data is stored in an ElasticSearch data lake and normalized into a format that enables analysis. A huge advantage of harnessing the power of data lake technology is that it gives analysts fast and easy access to unlimited volumes of historic data. This is extraordinarily useful for threat hunting.
Complex Machine Learning algorithms and behavioural analytics are used to make correlations and discover suspicious activities like lateral movement, insider threats, and data exfiltration. An event is marked as suspicious when tested against established baselines. The “normal” behaviour for groups of users or devices is determined by the system using Data Science capabilities after monitoring the operations for a certain time. This increases the accuracy of threat detection.
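To make the baseline idea concrete, here is an added example (not part of the original article and not any SIEM product's code) that tests an event against a peer-group baseline. A simple median/MAD statistic stands in for the Machine Learning described above; the departments, users, volumes and threshold are all constructed assumptions.

```python
from statistics import median

# Constructed history (assumption): daily outbound megabytes per user,
# grouped by department, collected during the monitoring period.
HISTORY = {
    "finance": {"alice": [40, 55, 48, 60, 52], "bob": [45, 50, 58, 47, 53]},
    "it-admin": {"carol": [900, 1100, 950, 1200, 1000]},
}
PEER_GROUP = {user: group for group, users in HISTORY.items() for user in users}


def build_baselines(history):
    """Return {group: (median, MAD)} describing 'normal' outbound volume."""
    baselines = {}
    for group, users in history.items():
        values = [v for series in users.values() for v in series]
        med = median(values)
        # Median absolute deviation is robust to a few outliers in the history.
        mad = median(abs(v - med) for v in values) or 1.0
        baselines[group] = (med, mad)
    return baselines


def score(event, baselines, threshold=6.0):
    """Mark an event suspicious when it deviates from its peer group's baseline."""
    group = PEER_GROUP.get(event["user"])
    if group is None:
        # No baseline exists for this identity, so nothing proves it is normal.
        return {"user": event["user"], "suspicious": True, "reason": "no baseline"}
    med, mad = baselines[group]
    # 1.4826 * MAD approximates one standard deviation for normal data.
    deviation = (event["mb_out"] - med) / (1.4826 * mad)
    return {
        "user": event["user"],
        "suspicious": deviation > threshold,
        "reason": f"{deviation:.1f} deviations above the {group} baseline",
    }


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user in ("alice", "carol", "mallory"):
        print(score({"user": user, "mb_out": 900}, baselines))
```

The same 900 MB transfer is flagged for a finance user and accepted for an IT administrator, which is why the baseline is kept per group rather than company-wide.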
Real-time alerts are sent immediately and the screens in the room light up red. The analysts will now try to dig deeper and understand how the threat is affecting the company systems. The SIEM system can provide context around the incident and help analysts. For remediation and mitigation, the analysts need to have a view of the status and activity of critical security and IT systems. Once again, the SIEM system can give analysts visibility and can even use Security Orchestration and Automation to automatically perform containment actions.
Because the management and other regulatory bodies need to check the performance of the company’s security, the SIEM will produce reports and audits describing each incident or breach, as well as a comprehensive overview showing the exact activity levels and how well the staff deals with the current workload. The most relevant metrics are the following:
· Mean time to detection (MTTD), which represents the average time until the SOC detects an incident. It shows the effectiveness in processing the alerts and identifying real incidents.
· Mean time to resolution (MTTR), which represents the average time until the threat is totally neutralized. It shows the effectiveness in response coordination and in taking appropriate measures to isolate and neutralize the threat.
· Total cases per month, which represents the number of detected and processed incidents. It shows the workload level and the scale of action the SOC is managing. It could be an important metric in hiring decisions.
· Types of cases, which classifies the incidents by type. It helps to focus security measures on the most dominant threats.
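The four metrics above, computed from incident records, as an added example that is not part of the original article. The records and their field names are constructed; measuring MTTD from the start of the activity and MTTR from the moment of detection is an assumption, since the article does not fix the starting points.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). Assumed fields:
# occurred = start of the malicious activity, detected = SOC confirms the
# incident, resolved = threat neutralized (None = case still open).
INCIDENTS = [
    {"type": "phishing", "occurred": "2020-03-02T08:00", "detected": "2020-03-02T09:30", "resolved": "2020-03-02T15:30"},
    {"type": "malware", "occurred": "2020-03-10T22:00", "detected": "2020-03-11T01:00", "resolved": "2020-03-11T17:00"},
    {"type": "phishing", "occurred": "2020-04-01T10:00", "detected": "2020-04-01T10:30", "resolved": "2020-04-01T12:30"},
    {"type": "data exfiltration", "occurred": "2020-04-20T03:00", "detected": "2020-04-20T10:00", "resolved": None},
]


def _hours(start, end):
    """Elapsed hours between two ISO timestamps; rejects inverted intervals."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end} is earlier than {start}")
    return delta.total_seconds() / 3600


def soc_metrics(incidents):
    """Compute MTTD, MTTR, cases per month and cases by type."""
    if not incidents:
        raise ValueError("no incidents in the reporting period")
    # Open cases have no resolution time yet, so they are left out of MTTR
    # and reported separately instead of silently shortening the average.
    closed = [i for i in incidents if i["resolved"]]
    return {
        "mttd_hours": mean(_hours(i["occurred"], i["detected"]) for i in incidents),
        "mttr_hours": mean(_hours(i["detected"], i["resolved"]) for i in closed) if closed else None,
        "open_cases": len(incidents) - len(closed),
        # Cases are attributed to the month in which they were detected.
        "cases_per_month": dict(Counter(i["detected"][:7] for i in incidents)),
        "cases_by_type": Counter(i["type"] for i in incidents).most_common(),
    }


if __name__ == "__main__":
    for name, value in soc_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```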
The ultimate goal of the company regarding cybersecurity is to be mature. This will require continuous innovation and improvements. Of course, the proposed solution has some limitations: skilled employees are hard to find, high costs, and hard integrations with legacy systems.
The lack of skilled staff in cybersecurity is a real problem and the company can choose to create its own training programs for selected candidates.