SOC

Fill security ops gaps with context-driven threat analysis

Today’s columnist, Chris Hoff of ReversingLabs, says the SolarWinds attack has caused us to forget that most breaches are more like the Target hack, where a little-noticed HVAC system was exploited. Hoff says organizations have to start by improving visibility.

The acceleration of digital business and work-from-home policies has unleashed a new level of alert volume on security operations center (SOC) staff. As security teams strive to keep up with the changes, they face ongoing challenges in managing the business risks while facing significant technology, process, and staffing gaps. This continued growth in complexity presents an opportunity for sophisticated threat actors to engineer malware around existing gaps within enterprise infrastructure and apply deception and evasion tactics to ensure their attacks succeed.

Given these circumstances, organizations need to investigate potential gaps across the security ecosystem to determine where the high-priority risks are before establishing a defensive strategy. Only then can they visualize the entire attack and respond effectively. Here’s how they can identify those risks:

  • Develop better risk visibility.

The sophistication of an attack does not always revolve around a new technique or exploiting an undisclosed vulnerability. In many cases, it’s using existing tools and techniques in novel ways to bypass detection solutions. Yes, companies could be targeted by a nation-state and have an undisclosed vulnerability exploited, and the security team needs to factor in the threat from compromised third-party software and patches. However, it’s still just as likely that Janice from accounting clicked on a cat video that’s part of a ransomware campaign.

With the recent attacks at SolarWinds, it’s easy to lose sight of the existing risks within the business. Many high-profile attacks started by accessing unimportant systems on the network such as HVAC or other ad-hoc internal applications. Because of the pandemic, home networks are now part of the larger corporate infrastructure, making them an attractive target for attackers. It’s only a matter of time before an Xbox or lighting controller causes a data breach. With malware able to spread laterally and adapt to changing conditions, it’s important to understand the entire scope of an attack while focusing on faster containment. This means having context-driven threat analysis that can do more than detect a limited number of file types, and that shares both global and local intelligence across the entire security stack.

  • Reduce tool sprawl.

Many organizations have heavily invested in products that have overlapping capabilities or only fit into a specific niche. Security tool sprawl usually happens when a business unit desires a particular feature or a report format, and has little to do with improving the organization’s overall security posture. Cisco’s 2020 CISO Benchmark survey found that the average company uses more than 20 security technologies. While vendor consolidation has steadily increased, with 86 percent of organizations using under 20 vendors, more than 20 percent say that managing a multi-vendor environment has become challenging. The move to the cloud, along with Software-as-a-Service (SaaS) models, has further complicated matters: the tools traditionally used inside the network don’t function effectively when applied in these new mediums. Attempting to shoehorn security devices that are not purpose-built for a cloud-based infrastructure directly impacts visibility into threats and reduces the security stack’s overall effectiveness.

Security teams find addressing this issue incredibly hard, especially for large, distributed networks, because it requires re-evaluating the entire environment. Companies can opt to create a security services layer that the whole business can access through APIs. This model is already common for services such as email, and it’s time to begin offering flexible security options the same way, removing the burden of security from the line-of-business. For example, consider malware analysis. It makes more sense to implement a capability that has visibility into all the file types and file sizes the organization uses than to run overlapping AV and sandbox solutions that are often not effective for the use case. A cloud-based malware analysis service allows consistent coverage for all data transfer points and storage areas. Moreover, a services layer offers context-driven threat analysis to the SOC team, which better equips them to prioritize and enact event response decisions. Context and transparency around indicators of compromise (IoCs) and file similarity let teams more quickly identify, verify, and classify results. Further, a consistent source of truth reduces overall risk by providing visibility across the entire organization, allowing analysts to work from a common lexicon for information and a single process for response. Security teams wind up with better context around threats while reducing tool sprawl, and at the same time gain the ability to fill gaps in their operations.

  • Integrate with purpose.

As the complexity of modern threats grows, security teams have realized automation’s value as a critical part of the security maturity journey, closing the gap in the speed of response actions and streamlining workflows across security teams. There has been a measurable improvement in reducing alert fatigue and speeding mean time to resolution, which should raise integration and automation projects to the top of any SOC’s project list. However, pushing ahead with an integration plan without a clearly defined end may impede progress rather than accelerate it.

Effective integration requires an understanding of how threats work as well as the company’s process for responding to them. Security teams should avoid any integration that cannot be mapped directly to an existing procedure. Skip any ideas that “sound” cool but are not well-founded. Like any well-run project, developing requirements and communicating the desired end goals will ensure that any automation efforts help rather than hinder. Low-risk repetitive operations such as alert verification against threat intelligence sources are significant first steps. Correlating alerts from siloed systems to gain a better understanding of how multiple alerts intersect to form an attack delivers real value when measured against metrics like time-to-respond. While this dovetails nicely into the consolidation of tools, the time savings also lets the SOC focus on higher-value and more challenging projects that benefit the organization and the staff’s overall job satisfaction.
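As an added illustration of the two first steps named above (verifying alerts against threat intelligence, then correlating alerts from siloed tools into one incident), and not code from the column or from ReversingLabs, the Python below runs over a constructed threat-intel list and constructed EDR, proxy and firewall alerts; every indicator, host name and timestamp is made up.

```python
# Added example: TI-based alert verification plus per-host correlation of
# alerts from siloed tools. All intel and alerts below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator -> verdict label (hypothetical).
THREAT_INTEL = {
    "203.0.113.45": "known C2 (constructed)",
    "e3b0c44298fc1c149afbf4c8996fb924": "ransomware dropper (constructed)",
}

# Constructed alerts from three siloed sources that never talk to each other.
ALERTS = [
    {"source": "edr", "host": "WS-017", "time": "2021-03-02T09:01:10",
     "indicator": "e3b0c44298fc1c149afbf4c8996fb924"},
    {"source": "proxy", "host": "WS-017", "time": "2021-03-02T09:03:42",
     "indicator": "203.0.113.45"},
    {"source": "firewall", "host": "WS-017", "time": "2021-03-02T09:04:05",
     "indicator": "203.0.113.45"},
    {"source": "proxy", "host": "WS-022", "time": "2021-03-02T11:30:00",
     "indicator": "198.51.100.7"},
]

def verify(alert, intel=THREAT_INTEL):
    """Step 1 (low-risk automation): tag the alert with the TI verdict or None."""
    return {**alert, "verdict": intel.get(alert["indicator"])}

def summarize(host, group):
    """Turn a burst of alerts on one host into a single prioritized incident."""
    sources = sorted({a["source"] for a in group})
    confirmed = sum(1 for a in group if a["verdict"])
    if confirmed and len(sources) > 1:
        priority = "high"      # TI-confirmed activity seen by more than one tool
    elif confirmed:
        priority = "medium"
    else:
        priority = "low"       # nothing in TI: verify by hand, don't auto-escalate
    return {"host": host, "sources": sources, "confirmed": confirmed,
            "total": len(group), "priority": priority}

def correlate(alerts, window=timedelta(minutes=15)):
    """Step 2: group verified alerts per host when each is within `window`
    of the previous one, so one intrusion does not become three tickets."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        group = [items[0]]
        for a in items[1:]:
            gap = datetime.fromisoformat(a["time"]) - datetime.fromisoformat(group[-1]["time"])
            if gap <= window:
                group.append(a)
            else:
                incidents.append(summarize(host, group))
                group = [a]
        incidents.append(summarize(host, group))
    return incidents

def triage(alerts=ALERTS):
    """Verify every alert, then correlate; returns one record per incident."""
    return correlate([verify(a) for a in alerts])
```

Running `triage()` on the constructed data yields one high-priority incident on WS-017 spanning all three tools and one low-priority, unconfirmed alert on WS-022, which is the kind of output that can be mapped straight onto an existing escalation procedure.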

Staying ahead of cybercriminals requires a sound understanding of the most likely targets and taking steps to reinforce the security posture. Every organization should have a plan to investigate potential gaps and support their security maturity journey. As part of this, context-driven threat analysis can help SOC teams gain better visibility into the risks associated with new paradigms, such as cloud applications and remote workers. With greater transparency into threats and confidence in their actions, SOC teams can improve triage and incident response processes, while threat hunters can improve advanced hunting and threat modeling. Business isn’t going to stop, so building services to get ahead of the tool sprawl will let SOC teams streamline processes and reduce distractions to ensure advanced malware threats aren’t slipping through the cracks. Finally, focusing on reducing complexity and creating meaningful automation will help SOC teams deny threat actors the ability to exploit gaps within the enterprise infrastructure and establish an effective defensive strategy.

Chris Hoff, product marketing manager, ReversingLabs
