
Why operation-centric security returns the high ground to the defenders

Today’s columnist, Lior Div of Cybereason, theorizes that the attackers in the SolarWinds hack took advantage of the industry’s alert-centric approach. The attackers lurked for months, but disparate systems flooded organizations with logs they could not analyze. Div says we need an operation-centric approach that frees up resources via automation a...

In today’s threat landscape, targeted attacks are increasingly taking aim at multiple users and devices simultaneously as well as leveraging a wider range of tactics, techniques, and procedures. As defenders, we’re often forced to work in silos because of our dependence on an ever-growing array of tools that focus only on the assets they are designed to protect.

That means there’s often one solution for preventing attacks on the endpoint, another for ensuring cloud workloads are locked down, yet another for protecting mobile devices in the field, and yet another for identity and access control. This forces security teams to look at attacker operations as individual, isolated events, because no single tool tracks activity across multiple devices, platforms and users at the same time.

Case in point: the recent SolarWinds supply chain attacks. The threat actors appear to have been active for several months on multiple systems at numerous organizations, generating detectable activity the whole time, but that activity was likely indiscernible amid the noise of an endless stream of uncorrelated alerts. The indicators required to detect the attacks were there; the context needed to connect the dots into a picture of the full malicious operation was not.

The inefficiency of alert-centric security

To make the defender’s work even more difficult, the traditional security products we use are hopelessly alert-centric, generating huge volumes of seemingly unconnected event notifications that lack context and require a great deal of investigation to understand how they are related, even when they are all part of the same attack.

This inefficiency-by-design requires intense manual analyst intervention for nearly every individual event, which significantly increases the likelihood of human error and severely limits an organization’s ability to secure itself at scale. Analyzing events one at a time makes it hard to see the forest for the trees. Without complete remediation, responding to part of an attack only slows the adversary down; it does not actually end the attack.

An alert-centric, siloed approach to securing complicated network infrastructures leaves attackers more than enough opportunity to remain hidden in a network’s seams, and it makes detecting, tracking and eliminating complex attacks all but impossible. That’s why companies keep spending more on security every year, yet rarely end up feeling more secure.

The shift to an operation-centric approach

From a defender’s point of view, we can never win our daily battles by spending our time chasing uncorrelated alerts. To stay effective, we must quickly identify and respond to malicious operations with surgical precision, and build a security program that will still work against tomorrow’s attacks.

We need to detect earlier and remediate faster; think, adapt, and act more swiftly than attackers can adjust their tactics; and have the confidence as defenders that we can always identify, intercept and eliminate emerging threats in a matter of minutes rather than days or weeks.

An operation-centric approach to security lets defenders visualize a malicious operation as a whole, from root cause to every affected endpoint, in real time, through multi-stage views that present the details of an attack across all devices and all users together rather than one alert at a time. This gives analysts the power to identify and understand attacks as they occur, in turn reducing dwell time and the risk that an attack will become a breach.

Additionally, an operation-centric approach gives security teams the option to automate a good portion of the necessary response options to reduce the mean time to remediation. When security teams do this, organizations are not just more secure, they can also shift critical resources from alert response towards strategic, time-saving security initiatives.

The quality of a company’s security also depends not just on the quality of its intelligence, but on whether the team can act on that intelligence. If the security tools filter out key indicators of an attack, the attackers will undoubtedly figure out how to exploit those gaps. Traditional products limit or discard valuable data because they simply can’t handle processing it, storing it, and then making it accessible on-the-fly during an investigation. An operation-centric approach requires that the team collect and process all of the relevant attack data and keep it accessible in real time.
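The "connect the dots" step described above, as an added example that is not part of the original column and not Cybereason's product logic: alerts raised independently by an endpoint agent, an identity provider, a cloud workload monitor and a mobile agent are joined into one operation whenever they share a pivot value (user, file hash, remote IP, or a parent/child process lineage on one host) within a time window, and each resulting cluster is reported from its root cause outward. The alert schema, the field names and all seven sample alerts are constructed for this illustration.

```python
"""Correlate isolated alerts from siloed tools into operations.

Added example, not Cybereason's code. Alerts are joined on shared pivot
values within a time window; each cluster is reported root cause first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parents too common to be useful pivots: joining on them over-merges
# unrelated activity on the same host (assumed denylist for this example).
COMMON_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}


def alert(alert_id, tool, ts, host, user, process=None, parent=None,
          sha256=None, remote_ip=None):
    """Build a normalized alert record (constructed schema, not a real product's)."""
    return dict(id=alert_id, tool=tool, ts=ts, host=host, user=user,
                process=process, parent=parent, sha256=sha256, remote_ip=remote_ip)


# Constructed sample alerts. A1-A5 are one intrusion seen by three tools;
# A6 is unrelated; A7 is the same user again, weeks later.
ALERTS = [
    alert("A1", "endpoint", "2021-01-04T09:02:00", "ws-17", "jsmith",
          process="winword.exe", parent="explorer.exe", sha256="aaa1"),
    alert("A2", "endpoint", "2021-01-04T09:03:10", "ws-17", "jsmith",
          process="powershell.exe", parent="winword.exe", sha256="bbb2",
          remote_ip="203.0.113.5"),
    alert("A3", "identity", "2021-01-04T09:40:00", "dc-01", "jsmith"),  # anomalous logon
    alert("A4", "endpoint", "2021-01-04T10:15:00", "srv-db-2", "svc_backup",
          process="rundll32.exe", parent="services.exe", sha256="bbb2",
          remote_ip="203.0.113.5"),
    alert("A5", "cloud", "2021-01-04T11:00:00", "vm-prod-9", "svc_backup",
          remote_ip="203.0.113.5"),
    alert("A6", "mobile", "2021-01-06T08:00:00", "phone-44", "kwong", sha256="ccc3"),
    alert("A7", "identity", "2021-01-20T07:30:00", "dc-01", "jsmith"),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _pivot_keys(a):
    """Values on which alerts from different tools can be joined."""
    keys = []
    if a["user"]:
        keys.append(("user", a["user"]))
    if a["sha256"]:
        keys.append(("sha256", a["sha256"]))
    if a["remote_ip"]:
        keys.append(("ip", a["remote_ip"]))
    # Lineage on one host: an alert on process P and an alert whose parent
    # is P get the same key, so parent -> child chains join up.
    for field in ("process", "parent"):
        name = a[field]
        if name and name not in COMMON_PARENTS:
            keys.append(("lineage", a["host"], name))
    return keys


def correlate(alerts, window_hours=72):
    """Group alerts into operations; returns them ordered by root-cause time."""
    parse = datetime.fromisoformat
    window = timedelta(hours=window_hours)
    parent = {a["id"]: a["id"] for a in alerts}
    by_key = defaultdict(list)
    for a in alerts:
        for k in _pivot_keys(a):
            by_key[k].append(a)
    # Link alerts sharing a pivot only when they are close in time, so a
    # stale pivot (the same user weeks later) does not glue operations together.
    for members in by_key.values():
        members.sort(key=lambda a: parse(a["ts"]))
        for prev, cur in zip(members, members[1:]):
            if parse(cur["ts"]) - parse(prev["ts"]) <= window:
                parent[_find(parent, cur["id"])] = _find(parent, prev["id"])
    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a["id"])].append(a)
    ops = []
    for members in groups.values():
        members.sort(key=lambda a: parse(a["ts"]))
        root = members[0]  # earliest alert in the cluster is the root cause
        ops.append({
            "root_cause": root["id"],
            "start": root["ts"],
            "alerts": [a["id"] for a in members],
            "hosts": sorted({a["host"] for a in members}),
            "users": sorted({a["user"] for a in members}),
            "tools": sorted({a["tool"] for a in members}),
        })
    ops.sort(key=lambda o: parse(o["start"]))
    return ops


if __name__ == "__main__":
    for op in correlate(ALERTS):
        print(op)
```

Run stand-alone, the sample yields three operations: one spanning four hosts and three tools with the Word-spawned PowerShell on ws-17 as root cause, plus two singletons. Two practical caveats the code makes visible: the same tool with a 30-day window merges the stale jsmith logon into the first operation, so the window is a tuning decision, not a constant; and pivoting on ubiquitous values (explorer.exe, shared service accounts) over-merges, which is why a denylist is applied. Both depend on the raw pivot fields being retained by the collecting tools, which is the point made above about not filtering out indicators.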

The path towards future-ready security

Organizations that take an operation-centric approach have much to gain. They can reduce detection and remediation times, free up valuable resources they can apply to other security initiatives, and significantly improve the overall efficiency of the security program.

Operation-centric security also breaks down the threat intelligence silos, reverses the attacker advantage, and returns the high ground to the defenders by extending detection and response capabilities from the endpoint across the enterprise to the entire network. This makes the task of understanding the full attack story behind any incident significantly easier, and it’s ultimately the path forward for organizations that want to ensure their security programs are future-ready.

Lior Div, chief executive officer, Cybereason
