IT Focus Area: security
June 4, 2018
5 Keys to Optimizing Security Operations
Editor’s Note: Sirius and Forsythe are now one company. Sirius acquired Forsythe in October 2017 and we are pleased to share their exceptional content with you.
The most critical component in responding to threats is the security operations center (SOC). But many SOC teams are understaffed, underskilled, and overworked. According to ESG research, 51 percent of surveyed organizations have a “problematic shortage” of cybersecurity skills. A study conducted with the Information Systems Security Association (ISSA) found that 70 percent of cybersecurity professionals reported ramifications including an increased workload on existing staff, the need to hire and train junior personnel, an inability to fully utilize security technologies, and not enough time available for planning, training, and strategy.
The global cybersecurity workforce is predicted to be short 1.8 million by 2022 —Frost & Sullivan Global Information Security Workforce Study
As organizations expand their digital footprints the attack surface grows, and more tools are needed to address evolving threats. As a result, security teams are overwhelmed by too many technologies, too many alerts, and not enough people. Many are forced to ignore alerts that should be investigated further, because they can’t keep up with the overall volume. This makes it very difficult—even for companies that do have skilled in-house security talent—to streamline operations and decrease the time it takes to detect and remediate security incidents.
So how can you run your security operations more efficiently?
The 5 Keys to Security Operations Success
Addressing these challenges requires organizations to rethink the tactics and strategies deployed in their SOCs. However, ensuring an effective SOC is no easy task. Many companies struggle first with implementation and then with figuring out how to take their security operations to the next level.
There are five keys to optimizing security operations:
1. Evaluate SOC Models
It is important to understand the differences between SOC models in order to determine the right approach for your organization.
Considerations such as your organization’s industry, size, budget, in-house skill set, past security incidents, and the types of data you handle on a daily basis should factor into your choice of models. A clear understanding of what your needs are, what you can do in-house, and what you should outsource is critical. Many organizations choose a hybrid approach, keeping a small in-house team and leveraging a managed security services provider (MSSP) to monitor and manage specific security controls. This reduces the cost and frustration involved with staffing and increases the productivity of analysts, allowing them to be more strategic.
2. Implement advanced analytics
Many companies rely heavily on security information and event management (SIEM) to support compliance and threat detection efforts. SIEM provides real-time collection and historical analysis of security events from a wide variety of sources, making it easier to see trends and patterns.
64% of global network security decision makers at enterprises have implemented or are expanding their implementation of SIEM —Forrester Wave: Security Analytics Platforms 2017
While SIEM is a critical tool, organizations are increasingly complementing their deployments with solutions that advance their analytics capabilities:
- User and entity behavior analytics (UEBA) solutions help to establish baselines of normal user behavior, and facilitate the detection of users with high-risk identity profiles as well as high-risk activity, access, and events associated with insider threats and compromised accounts. Through these tools, organizations can quickly identify threats based on actions that stray from normal patterns. SIEM vendors are increasingly adding UEBA as a feature, or partnering with UEBA vendors to deliver behavioral modeling, machine learning, and advanced analytics.
- Threat intelligence technology and services can help companies arm themselves with the strategic, tactical, and operational insights they need to understand how they are being targeted, and respond accordingly. It is important to note that threat data is not the same as threat intelligence. Simply dumping raw information into organizations that are already drowning in data can exacerbate staffing and false positive issues. The difference between threat intelligence and threat data is that intelligence incorporates the context that makes the information relevant to an organization or industry. Threat intelligence takes many forms:
Many security executives have concerns about threat intelligence related to data quality and redundancy, shelf life, public/private data sharing, and delivery standards. However, if processed and applied properly, it is invaluable to cybersecurity. Mature organizations with threat hunting programs can fuse threat intelligence with custom tools or threat hunting products to identify threats and automate searches for indicators of compromise (IOCs) on an ongoing basis.
- Endpoint detection and response (EDR) solutions include all of the components of traditional endpoint defenses such as anti-virus, host IPS, and heuristics to prevent exploits and malware propagation, but also enable SOCs and IR teams to leverage additional capabilities such as ransomware detection, continuous endpoint recording, live endpoint investigation, remediation, and rapid attack blocking. They are generally broken down into the following categories:
Threat detection and response
Endpoint monitoring and management
- Network security analytics tools enable the analysis of traffic flow and packets. Analysts can collect, process, correlate, and analyze metadata throughout the Open Systems Interconnection (OSI) stack, which is critical in the effort to recreate events and determine what happened, and when. Targeted attacks often follow the “cyber kill chain,” and these controls can be used to block or detect malicious activity within each of its seven phases. While network security analytics tend to focus on internal data, they can be integrated with threat intelligence to provide an outside-in perspective as well.
Organizations looking to enable sophisticated analytics first need to ensure they have the right fundamentals in place. Consider the following questions:
- What security controls do you have in your environment? When was the last time your technology was evaluated?
- Do you have the visibility you need into your business activities, and the assets that are most likely to be targeted by cyber adversaries?
- Can your security controls ingest and display threat intelligence delivered in a variety of formats (XML, CSV, and JSON) in the form of indicators, tags, labels, text, and reports?
The NIST Cybersecurity Framework and special publications on security and privacy controls, as well as the CIS Critical Security Controls (often referred to as the SANS Top 20) can assist you in establishing a strong foundation.
3. Integrate controls & automate processes
A lot of Tier 1 SOC analysts’ data collection and analysis efforts are done via error-prone manual methods, requiring them to evaluate and correlate hundreds of events every day. Sifting through alerts using a scripted process, and then forwarding potential threats to a Tier 2 analyst for further investigation isn't a sustainable model. Security orchestration, automation, and response (SOAR) platforms facilitate the integration of SIEM with advanced analytics tools, applying machine learning to enable analysts to make better decisions from better data. This accelerates the ability to disposition alerts and start remediation, raising productivity and minimizing the mean time to resolution (MTTR) of security incidents.
It is important to note that automation is a journey that needs to be taken in steps. Start with use cases that are easy to implement and low-regret, rather than devising complex playbooks and processes. One popular initial use case is around the “abuse mailbox.” Many companies have a mailbox dedicated to customers and users who think they’re getting suspicious emails with either URLs or attachments and aren’t sure if they should open them. Companies have to analyze the URLs and attachments in order to determine whether or not they’re malicious. This is easy for automation tools to take care of, as it only involves determining “yes” it’s bad, or “no” it’s not bad. It doesn’t require turning services off or remediating anything. Map out the processes that you want to automate over the first 12-24 months, focusing on use cases that require a low level of effort and have a high return on time savings.
4. Boost incident response capabilities
Having a well-established plan of action that can be immediately executed following a breach enables SOC teams to triage detected threats and avoid bottlenecks in the incident response process that carries incidents from Tier 1 to Tier 2 to Tier 3, ensuring a repeatable workflow. Additionally, data protection and privacy mandates such as the GDPR and NY Cybersecurity Requirements contain 72-hour data-breach notification rules that are driving dramatic changes to the plans of organizations not accustomed to responding to incidents within strict timelines. Comprehensive incident response will help your organization stay compliant, minimize damage, and align defenses to mitigate future intrusions.
Many organizations rely on incident response frameworks to help them develop internal processes:
In addition to the guidance provided by these frameworks, it is important to put the right team in place, identify outside experts, create a checklist of prioritized actions, leverage automation for the most repetitive and time-sensitive tasks, and consistently review and update your plan.
5. Measure your performance
Ensure your ability to measure, report, and track key elements that have an impact on security. Set clear goals, and define what success looks like as you’re building out use cases. Formal, documented SOC key performance indicators (KPIs) are important; they can help your team stay focused on its responsibilities, ensure that security operations processes remain aligned with overall business objectives, and identify SOC maturity and areas that need to be improved.
Optimize Your SOC
Every organization’s cybersecurity posture, risk tolerance, level of expertise, and budget is different, but we all want to counteract threats. A well-run SOC is at the heart of cyber defense, but what it takes to establish and operate one has changed along with the evolving threat landscape, putting a tremendous burden on security analysts and the technologies they rely on. By choosing a SOC model that aligns with business objectives, incorporating advanced analytics and automation tools, and boosting incident response capabilities, you can lighten the security operations load and arm yourself with the people, processes, and technologies needed to overcome today’s cybersecurity challenges.
View more presentations from Forsythe Technology