By Chris Calvert, co-founder, Respond Software
Security analysts are a breed apart. They work long hours, using their intelligence and attention to detail to sort false alarms from real threats. However quick their reaction time, though, and however experienced they may be, they cannot possibly monitor every security alert or even a tiny subset of them. The consequences are missed incidents and long attacker dwell times.
This obviously lowers an organization’s security posture. It takes most organizations 197 days to identify that their IT environment has been compromised, according to the findings of the Ponemon Institute in its 2018 “Cost of a Data Breach” study. The total cost of containing, investigating, and repairing the breach averages $3.86 million, or $148 per lost or stolen record.
Typically, the amount of time that a breach goes undetected determines the cost of the breach. Incidents that are fully resolved within 30 days cost an average of $1 million less to remediate than those taking more time. Unfortunately, the trend is moving in the wrong direction, as it’s taking companies longer to identify and contain the data breaches they’re being confronted with than it did last year.
Lack of Visibility
Here is an all-too-common occurrence: Security Operations Center (SOC) analysts receive multiple alerts about the activity in their environment, only to have failed to register these alerts’ true significance – resulting in a breach. Very likely, the analyst(s) never even saw the alerts, since they didn’t match any of their simple rules. Most network security monitoring programs collect plenty of sensor telemetry data, but only a fraction of that data is currently being analyzed or reviewed and even then, it’s not being considered in depth.
A SOC analyst may console themselves with the notion that all this data that has been collected will be available for forensic analysis in case of a breach. However, the sad truth is that using endpoint or network monitoring this way does little or nothing to thwart attackers. From the perspective of prevention, detection or even deterrence, it’s totally ineffective and surprisingly expensive. And as long as organizations continue in this current approach to this problem, they are not going to see better results.
Security Operations: Barriers and Best Practices
What keeps security analysts from being able to make instant decisions as data is streamed in real-time? There are three primary barriers. They include insufficient memory – of the humankind. Most people can’t recall details from two hours ago, let alone days, weeks or months earlier. There’s also the issue of volume; there’s just too much information and data to process. The third barrier concerns a lack of context or meaning. Analysts don’t always understand what the data is telling them, and the log files often don’t contain useful information.
To overcome these barriers, here are seven best practices organizations can use to
maximize their security operations:
- Ask better questions.
Irrespective of how large an organization is or how much money and resources it has invested in security technologies, some attacks will always succeed. Information security leaders often produce metrics that demonstrate how hard they’re trying to prevent breaches—which is not really relevant anymore. And chief information security officers (CISOs) often use threat metrics to justify their (traditionally underfunded) budgets. Instead, leaders need to ask more penetrating questions about the value they derive from their investments in security operations.
- Make use of autonomous analysis.
If you’re not using data to inform decision-making logic, it’s not doing you any good. With today’s security operations software, autonomous analysis is possible, and this can give you the opportunity to make a revolutionary change in how you use log and sensor data. What’s important is how well you monitor, employ, and analyze it to recognize malicious activity in your environment.
- Become a data minimalist.
Just because you can collect lots of data doesn’t mean you must or even should. Some SecOps teams collect more than a hundred data sources—monitoring everything from endpoint operating system events to router status logs. But more than 99.99% of this data is never put to any use. This dramatically increases your costs without appreciably improving your security posture. A better method is to collect only what you need and then actually use it, rather than being buried under it all.
- Enable honesty and success.
Failing to disclose known vulnerabilities, concealing operational failures or creating a dishonest organizational culture only makes a hard job harder. Instead, make your SOC a place where employees can be honest about what they find without worrying about getting fired or ignored. And incorporating automation and security analysis software into places in your SOC where human failures commonly occur can greatly improve its overall operational efficiency and effectiveness.
- Remember the real threat.
It’s time to rethink the words you use for cyberattacks. For instance, it’s not actually a “virus”—a rapidly multiplying microscopic organism—that’s on your network. And it’s not just “malware”—something inanimate—that’s in your environment. There are human criminals taking deliberate action, via malicious code, with the intent to do you harm. Recognize the seriousness, gravity, and human origin of the threat.
- Adopt an active and anticipatory approach.
By and large, the workflows and procedures you are using to safeguard your business are simply not working. Much of the thinking—and benchmarking—that your fellow business leaders do centers around the concept of having reasonable protections in place. This is seen as a tool to justify the inevitable failure that results in a breach. Instead, you must reimagine what it means to defend yourself in a digital world. A successful defense requires you to take an active and anticipatory approach to the attacks you will experience.
- Learn to anticipate the unknown.
What is your mega-breach response plan? Attackers will often exploit vulnerabilities that they know are considered low-priority risks. These are so numerous, and so often unexpected, that it’s nearly impossible to anticipate all the attacks that can be launched against them. Tabletop exercises and red teaming can be tremendously valuable in this area, so your leadership is prepared for the unexpected.
Proactive Improvement
As long as there is data, there will be cyber criminals trying to get at it. In this never-ending battle, organizations can empower their SOC analysts with modern security analysis capabilities. This will help them overcome the barriers of too much information, not enough memory, and lack of context. Implement the best practices detailed above to improve the lives of your SOC analysts so that they won’t be overwhelmed by irrelevant data and can focus their intelligence and skill on the alerts that matter.
About the Author
Chris Calvert, vice president of product strategy and co-founder of Respond Software, has over 30 years of experience in defensive information security, 14 years in the defense and intelligence community, and 17 years in the commercial industry. He has worked on the Defense Department Joint Staff and held leadership positions in both large and small companies, including IBM and HPE. He’s designed, built, and managed global security operations centers and incident response teams for six of the global Fortune 50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It’s from his firsthand experience in learning the limitations of the man vs. data SecOps model that Chris leads product decisions and strategy for Respond Software.