By Jon Murchison, Founder, and CEO, Blackpoint Cyber
Assessing the Current Threat Landscape
The only constant in the cyberthreat landscape is that it is ever evolving. Amid a global pandemic, cybercriminals have moved quickly to exploit vulnerabilities as organizations make the change to remote and flexible work environments. Cybersecurity is now a key concern for small and medium-sized businesses (SMBs) during this shift to a virtual world. More than ever, there is a high demand for efficient and affordable cybersecurity solutions to help ensure business continuity as much of the workforce adjusts.
While cyber defense solutions such as anti-virus and anti-malware are affordable and a common choice, they are no longer able to fight back increasingly sophisticated cybercriminals and attack methods. Rather than bulking up your security stack with various solutions, many businesses are now combining the expertise of a Security Operations Center (SOC) paired with the robust abilities of Managed Detection & Response (MDR) technology to build a pragmatic, streamlined approach to cybersecurity.
Combating Advanced Cyberattacks
For many organizations, the current pandemic has shown how security programs and tools such as fire walls, anti-virus, and anti-malware are not enough to fight back cyber adversaries. No doubt they are useful in providing protection against known viruses and malware, but they cannot thwart dedicated criminals leveraging newer attack methods such as ransomware and zero-day exploits.
The threat landscape continues to change, and it is evolving much faster than such tools can keep up with. Consider the following challenges:
- Traditional signature-based anti-virus technology is rooted in blacklisting known viruses, files, and malware. However, Advance Persistent Threats (APTs) can easily bypass this model by remaining undetected for lengthy periods of time within a victim’s networks. Further, anti-virus solutions are only as strong as their last update. The time in between updates is more than plenty for well-funded and experienced cybercriminals to launch an attack.
- Even next-generation anti-virus and anti-malware software are not able to fully eradicate cyberthreats. While they do address some weaknesses found in their traditional counterparts, their technology is centered around machine learning and analysis to catch specific suspicious behaviors. Next-gen anti-virus and anti-malware solutions are still unable to respond quickly enough to catch new trending patterns and methods.
- Cybercriminals are customizing their malware attacks. Unfortunately, cybercriminals can tailor their attacks to best infiltrate their victim’s networks and bypass the anti-virus’s methods of detection.
- Over 85% of major cyber incidents occur in organizations that have anti-virus software installed. In many of these cases, the software either missed detecting the attack completely, or managed to identify the malicious file but not a critical component of the attack such as a second payload or a process injection.
- Attack types are varied and advanced. While e-mails and bad links are still a top access vector into a victim’s networks, organizations also need to be prepared to defend their businesses against zero-day exploits, ransomware, fileless attacks, credential theft, infected devices,
vulnerable VPN services, and open remote desktop protocol (RDP). These are all ways that threat actors can infiltrate networks, spread laterally, and launch their attack.
In the current pandemic, many organizations are overwhelmed trying to keep their IT environments secure and it can seem that cyber adversaries are always a few moves ahead. To combat this, investing in a Security Operations Center (SOC) can significantly streamline how organizations meet evolving cyberthreats. Within optimized security operations, organizations develop both their offensive strategy, as well as their defense. Engaging with a SOC is an increasingly positive option for many businesses, especially those who want to build a robust security framework backed by security experts with experience in dealing with unrelenting waves of advanced threats.
SOC Key Functions
A Security Operations Center (SOC) is a centralized hub that combines dedicated security analysts, processes, and technology to continuously monitor an organization’s security posture. SOCs are focused on using telemetry measured from across an organization’s IT infrastructure and assets to prevent, detect, assess, and respond to cybersecurity incidents.
All SOCs are built differently, and many providers allow organizations to select the specific services that best serve their line of business. These are some of the common key functions that a majority of SOCs will offer:
- Asset Discovery and Management – SOCs are responsible for two general categories of assets: the devices, processes, and applications of the organization they are defending, and the specific tools and software in place to protect the former. Complete visibility and control are key in SOC operation. They take stock of all the available assets on their client’s networks to eliminate the chance of missing a blind spot. With a complete view of all the endpoints, software, servers, services, SOCs can stay on top of the nature of traffic flowing between these assets and monitor for anomalies.
- 24/7/365 Proactive Monitoring – Proactive behavior monitoring, and analysis requires the SOC to scan on a 24/7/365 basis. The SOC is notified anytime their technology flags an anomaly or there is evidence of suspicious activities within a network. Consistent monitoring allows SOCs to stay ahead of adversaries and be able to properly prevent or mitigate malicious actions. Further, it is a common strategy for cybercriminals to schedule their attacks intentionally during off hours and weekends to maximize the potential rate of success of their operation. Without a SOC monitoring all hours and days of the week, an in-house IT team may not be able to catch and apply any defensive efforts until the following business day.
- Alert Severity Ranking – Alert fatigue is a common challenge faced by in-house IT teams, especially if they are relying on a complex platform such as a Security Information and Event Management (SIEM) tool to log events across their organization’s networks. A team may quickly become overwhelmed if their technology is triggering alerts constantly. While some may be valid early warnings of a cyberattack, there are also false positives and alerts triggered due to lack of configuration settings. Alert fatigue is the main reason why some legitimate notifications are missed or not placed at a higher priority. MDR teams are able to better sift through the complexities of incoming alerts and efficiently determine if they are plausible warnings of a breach needing immediate action.
- Threat Response – A SOC is a first responder. With 24/7/365 coverage, the SOC team closes the gap between the identification of an event and the actual response and remediation. By immediately shutting down or isolating endpoints, they can terminate malicious processes, delete bad files, and stop the threat from moving deeper into other systems.
Take Your Cybersecurity Strategy to the Next Level
Ultimately, a SOC allows its organizations to operate knowing that cyberthreats can be identified and prevented in real-time. Regardless of how many endpoints, networks, assets, or locations an organization spans, SOCs provide a centralized view to ensure that they are monitored and performing as needed.
From a security strategy standpoint, having a SOC means responding faster, minimizing damages and costs, and safeguarding data and business continuity. However, is there a way to further maximize cybersecurity to the next level?
Pairing SOC & Managed Detection Response (MDR) Services
An optimized security strategy is one that streamlines the right methods of threat management into an effective security solution. All functions should work in tandem so that the solution is easy to integrate and operate day-to-day. Having the right stack of services in place is a significant measure of how mature an organization’s security posture is. What a managed SOC cannot do alone is combine network visualization, insider threat monitoring, anti-malware, traffic analysis, and endpoint security into a 24/7/365 managed service focused solely on detecting and detaining threats in real-time. This is where MDR comes into play.
To develop the most comprehensive solution, SOCs may augment their services by operating a Managed Detection Response (MDR) platform. As the SOC collects and monitors various data sources within the organization, it is the MDR that adds context and makes the information more valuable and actionable within the overall threat management process.
Take the Offense by Threat Hunting
Threat hunting is the practice of being proactive in the search for cyberthreats within an organization’s network. It is performed deep within the network to deliberately search for hidden actors and malware that may have found a way to exist undetected otherwise. Many organizations invest in various managed services and tools to develop their defensive strategy, but MDR threat hunting is a crucial element to ensuring the offensive strategy is just as robust. The art of threat hunting relies on three important elements:
- Investigation through threat intelligence and hypothesis
- Analysis of Indicators of Compromise (IoC) / Indicators of Attack (IoA)
- Machine learning and advanced telemetry
Experienced MDR analysts are highly specialized and trained specifically in hacking tradecraft. They always take an ‘assume breach’ stance and investigate thoroughly to find evidence of suspicious behavior or changes that may indicate the existence of threat. They rely on experience and the analysis of current threat tactics, techniques, and procedures (TTP) to instigate hypothesis-driven hunts. The human-powered element is a critical element and the link that synchronizes collected threat
intelligence, data logs, and advanced security technology towards an offensive method for safeguarding businesses.
The hard reality is that cybercriminals and the market for their work have become more advanced than ever before. Despite the constant challenge to fend them off, cybercriminals continue to evolve swiftly in their tactics. Within the past year alone, some of the largest players in the cybersecurity arena have
fallen victim to breaches. Though the adversary moves fast, there are ways to get ahead of them. By combining the centralized functionality of a SOC with an MDR’s capability for advanced threat hunting and network analysis, organizations can build a robust and pragmatic security strategy to protect themselves against cyberthreats today.
About the Author
Jon Murchison, founder and CEO of Blackpoint Cyber, started his career in network engineering and IT operations but quickly made the switch over to the covert world of the intelligence community. He has since spent more than 12 years planning, conducting, and executing high-priority national security missions. As a former NSA computer operations expert and IT professional, he brings a unique perspective to the mission of developing cyber defense software that effectively detects and detains purposeful cyber intrusions and insider threats. Jon has also helmed multiple cybersecurity assessments, including Fortune 500 enterprises and critical port infrastructures. Currently, Jon holds multiple patents in methods of network analysis, network defense, pattern analytics, and mobile platforms.