Security Operations Center (SOC) pain points leading to SOC team burnout is a big security challenge every organization faces. Ponemon Institute performed a survey of more than 500 IT and security practitioners, looking into the frustrations security analysts have in maintaining SOCs as well as the frustrations organizations have with their SOC’s lack of effectiveness.
The aforementioned Ponemon Institute survey, “Improving the Effectiveness of the Security Operations Center”, found that 70 percent of respondents rated working in a SOC a 10 (“very painful”) on the given 1–10 pain scale — the highest possible rating. This article will look at the top ten SOC pain points, why they occur, why they’re detrimental to SOC effectiveness, and, most importantly, how to alleviate each one, pain point by pain point.
SOC teams are bombarded with difficult challenges, including an ever-growing workload, alert fatigue, budget constraints, leadership issues, being on call 24/7/365, lacking full visibility into their network and IT infrastructure, a thin talent pipeline for future security analysts, and much, much more. In addition to being bombarded with this multitude of difficult challenges, SOCs also deal with resource and management constraints. (With only using a pen and paper, recite all 154 of Shakespeare’s sonnets in hexadecimal while standing in a phone booth surrounded by blood-thirsty wolves — not impossible, but extremely time-consuming and stressful.) This notion of high expectations with considerable and varied constraints can lead to a highly stressful (or painful) environment.
“High expectations” is putting it mildly. With the General Data Protection Regulation (GDPR) of the EU and the California Consumer Privacy Act (CCPA) in effect, organizations could be fined hundreds of millions of dollars for misuse of user data.
In July 2019, British Airways was fined €204.6 million (240.1 million USD) for violation of Article 31 of the GDPR. Back in September 2018, the British Airways website diverted users’ traffic to a domain controlled by the attackers. This resulted in the theft of the personal data of more than 500,000 customers. British Airways had inadequate security to prevent such a cyberattack from happening.
SOC analysts are hired to prevent harm and minimize risk but are judged on their ability to successfully navigate through the worst of cybersecurity disasters — a data breach. Be their performance exemplary, lacking, or negligent, if the company messaging doesn’t land right in the eyes of the public (something beyond the SOC’s control), the entire SOC team could be out of a job. The effect of doing their job well is “nothing”, while the effect of messing up could be disastrous.
In the modern cyber landscape, SOC leadership the world over are debating the question behind closed doors: If we take the fall for security breaches, shouldn’t we be able to make all the security decisions? But the reality of the job is, they don’t. Each and every department, including security, deals with budget and resource constraints. And regardless of the budget or resources allotted, all SOCs, be they large or small, rich or poor, are expected to combat enemies of the same caliber.
“On the high seas, a company can put a boat out there, but it’s not expected to be able to defend itself against the military. But on the internet, you can put up a website, and you’re held accountable for defending yourself against the military.”
Joe Sullivan, former CSO at Uber and Facebook, now at Cloudflare, a16z podcast, episode 548
SOC teams often feel they are constantly juggling complex security tools with both hands tied behind their back. “High expectations” can mean maintaining resilience and security lest a severe data breach against a state-sponsored threat group occurs, costing the organization hundreds of millions of dollars, but doing so successfully while understaffed and under budget — in a word, painful.
It’s not hard to see why 70 percent rated working in a SOC as a 10 out of 10 — “very painful.”
SOC teams operate in a highly painful and stressful environment. Pain points can slow down and harm the effectiveness of the SOC team, potentially putting the entire organization at risk. Alleviating pain points is paramount for any organization. However, even removing budget and resource constraints isn’t enough to get a SOC where it needs to be.
“The first time I took the CISO role was at Facebook. I got great support from the executive leadership, almost unlimited budget, the ability to grow and hire great engineers, and buy technology. But the most surprising thing is that you realize you can’t buy your way to good security. You literally can’t write a blank check and have great security tomorrow. Security requires long term investment. It requires you to run alongside the development teams and the business teams, understand them, and help them reduce their risks.”
Joe Sullivan, former CSO at Uber and Facebook, now at Cloudflare, a16z podcast, episode 548
Good security is a cross-departmental process. More than anything else, it takes time to properly cultivate and educate a team to not only work well together but also work effectively given its constraints and work effectively with other departments. That isn’t to say that alleviating pain points is impossible — far from it. Below are the causes of and solutions to the top ten pain points from the Ponemon Institute’s Improving the Effectiveness of the Security Operations Center survey.
What is a SOC’s Workload?
A traditional SOC typically covers six main functions: monitoring the entire environment, setting the security baseline, threat triage, investigation, response, and continually improving across the security cycle.
Problems arise when one function’s progress becomes blocked or hindered, thus deteriorating the effectiveness of all subsequent functions. If there is a lack of visibility into an environment (monitoring), inaccurate policies (setting the security baseline) could create vulnerabilities that allow attackers to gain access to and persist in the environment. If there are too many alerts to validate (threat triage), then investigation and response are both delayed, which increases your SOC’s mean time to respond (MTTR). If your MTTR is quite high, you may no longer have enough time to improve and harden your security across the security cycle, leaving you prone to more recent attack trends and techniques.
When problems arise in any of the six main SOC functions that cause progress to be blocked or hindered, pain erupts. There is just too much work for too few SOC analysts on your team, and there’s only so much one human analyst can do in a single workday. Given enough workdays of sluggish progress, you get burnout.
Recent breakthroughs in machine learning, GANs, DeepRL, and explainability have made automated detection and response solutions viable, valuable, and trending. 50 percent of the respondents surveyed by Ponemon Institute stated that adding solutions that (one) automate the management of vulnerability scanning of networks, servers, databases, or applications, (two) detect malicious processes and activity, and (three) aid in threat hunting are all on the roadmap to be added within the next 12 months. This goes in line with the two strategic planning assumptions Gartner made in its 2019 Market Guide for Managed Detection and Response:
1. By 2024, 25% of organizations will be using MDR services, up from less than 5% today.
2. By 2024, 40% of midsize enterprises will use MDR as their only managed security service.
Gartner, 2019 Market Guide for Managed Detection and Response
Not all MDR solutions leverage intelligent automation; however, the market has been trending in that direction and more and more vendors are offering solutions powered through both open-source and proprietary machine learning algorithms.
CyCraft AIR performs the heavy lifting and automates monitoring, detection, threat triage, investigations, and response, providing SOC teams with a data-driven and more efficient workflow without guesswork. SOC teams will also have more time to allocate to the other two main SOC functions: setting the security baseline and continually improving across the entire security cycle.
Each detection-triggered alert is automatically triaged via a severity score, bypassing the threat triage responsibilities of a typical Tier 1 SOC analyst and allowing the Tier 2 SOC analysts to immediately respond to the more severe alerts. Within minutes of the first triaged alert sent, our customers receive a thorough step-by-step analysis of the attack, an in-depth analysis of the root cause of the entire attack (not just one particular endpoint), a pre-triaged checklist of actionable intelligence for both response and eradication, and a step-by-step remediation plan.
CyCraft AIR is also one of the few security solutions to have been validated by the MITRE ATT&CK® Evaluations. CyCraft AIR went up against ATT&CK’s APT29 emulation and scored more real-world GTT detections (General, Tactic, and Technique) than any other vendor solution. When comparing detection and response solutions, it’s important for organizations to look for vendors that offer real-world (out-of-the-box) detections, as they require no configuration of the solution. While cyber threat intelligence prepares you for trending and relevant threats targeting your industry, SOCs never know whom they’re up against during an attack, let alone have time to configure their solutions to be able to detect them mid-attack.
Pain Point 2 (72%) Lack of Visibility into the Network and IT Infrastructure
The critical value of the monitoring function of SOCs cannot be overstated. Without accurate and thorough visibility into what is currently happening from the security perspective of your organization, it would be exceedingly difficult to make valid, meaningful security decisions and to ultimately know whether or not you are currently secure.
Of the respondents surveyed by Ponemon Institute, 69 percent cited the lack of visibility into network traffic as the number one cause of ineffective SOCs. With governments now sponsoring hacker groups and purchasing or developing zero-days, intrusions are an inevitability. Visibility and detection are paramount, but like every other part of the process, difficulties emerge.
Visibility into one’s environment is typically achieved via asset enumeration and by retrieving select data from assets with a higher security value. Often, SOCs approach visibility via tools such as Security Information and Event Management (SIEM) and cyber threat intelligence (CTI).
Some solutions do not have the capability to detect malicious behavior, only malicious processes and files. While detection of files and processes is critical, it is severely limiting and still leaves an environment vulnerable to bigger threats, such as state-sponsored or zero-day attacks. While some CTI comes from vulnerability scanning and testing, CTI typically comes from research of cyberattacks that have already occurred weeks or even months ago. In that attack window, threat groups could have already leveraged these new attack methods to infiltrate several thousand environments. Malicious behavior/activity detection is paramount in the 2020s and moving forward into the future.
However, solutions capable of detecting malicious behavior (such as SIEM) have shortcomings as well. Thorough and extensive logging and data collection are necessary for investigation and compliance purposes, but the volume of logs and raw data that must be collected rapidly (and inevitably) becomes overwhelming for manual investigation. In complex situations where time is a crucial resource, such as a cyberattack, SOC analysts can just as rapidly experience, or rather drown in, pain. Lacking sufficient time to investigate, verify, and respond (reflected in a high MTTR) can be as detrimental as, or even worse than, having no visibility.
What SIEMs to be the trouble?
Both SIEM and preventive (e.g., firewall, antivirus) solutions only provide static information about one event. Think of each ticket as a “still image” of one tiny step in the cyberattack, as opposed to a “video” that correlates all these “images” into one coherent narrative showing the relationship between each ticket. As cyberattacks increase not only in frequency and speed but in severity, SOCs need a “video” linking each alert into a narrative that clearly displays the attack from its beginning (root cause analysis) to its end (the objective of the attack).
This is why SIEM and other related cybersecurity solutions have been moving towards providing interactive, query-based or graph-based dashboards (not necessarily both) and/or workbenches that allow SOC analysts to view scoped, aggregated, and correlated data that is often quantified and graded in some manner. SOC teams now have access to a quick-glance view of their cyber situation, leaving them more aware of threats and how to deal with them. That being said, most current tools fail to provide users with the necessary visibility, situational awareness, and correlated data necessary to maintain cyber resilience.
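The “video” the paragraphs above ask for, linking isolated tickets into one narrative that runs from root cause to objective, worked through as an added example. This is illustration code written for this article, not code from CyCraft or from any SIEM vendor. The Alert schema, the two linking rules (shared process lineage on one host; the two matched ends of a lateral-movement connection across hosts) and the sample alerts are all constructed.

```python
"""Turn isolated alerts into one attack storyline.

Added example for this article, not CyCraft code: the article describes the
goal (a "video" linking alerts from root cause to objective) but not an
implementation. The Alert schema, the linking rules and the sample alerts are
constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LATERAL_WINDOW = 300  # seconds within which a paired outbound/inbound alert is linked


@dataclass(frozen=True)
class Alert:
    ts: int                            # seconds since epoch (constructed values)
    host: str
    pid: int
    ppid: int
    technique: str                     # ATT&CK technique id attached by the detector
    summary: str
    remote_host: Optional[str] = None  # peer host for network-related alerts


# Constructed sample: a document-borne intrusion on ws-17 that moves to fs-01,
# plus an unrelated scheduled-task alert on ws-22.
SAMPLE_ALERTS = [
    Alert(1000, "ws-17", 4012, 1200, "T1566.001", "OUTLOOK.EXE spawned WINWORD.EXE from attachment"),
    Alert(1030, "ws-17", 4100, 4012, "T1059.001", "WINWORD.EXE spawned powershell.exe"),
    Alert(1100, "ws-17", 4188, 4100, "T1003.001", "powershell.exe child opened LSASS memory"),
    Alert(1150, "ws-17", 4188, 4100, "T1021.002", "SMB admin-share session to fs-01", remote_host="fs-01"),
    Alert(1160, "fs-01", 880, 4, "T1021.002", "Admin-share logon accepted from ws-17", remote_host="ws-17"),
    Alert(1400, "fs-01", 2200, 880, "T1048", "Large outbound transfer to an external host"),
    Alert(1020, "ws-22", 3300, 900, "T1059.001", "Scheduled task launched powershell.exe"),
]


def linked(a: Alert, b: Alert) -> bool:
    """Two alerts belong together if they share process lineage on one host
    or describe the two ends of one lateral-movement connection."""
    if a.host == b.host:
        return a.pid == b.pid or a.pid == b.ppid or b.pid == a.ppid
    return (a.remote_host == b.host and b.remote_host == a.host
            and abs(a.ts - b.ts) <= LATERAL_WINDOW)


def correlate(alerts: list[Alert]) -> list[list[Alert]]:
    """Union-find over pairwise links; returns chains sorted by time, earliest chain first."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            if linked(a, alerts[j]):
                parent[find(j)] = find(i)

    groups: dict[int, list[Alert]] = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    chains = [sorted(g, key=lambda x: x.ts) for g in groups.values()]
    return sorted(chains, key=lambda c: c[0].ts)


def narrative(chain: list[Alert]) -> dict:
    """Summarise one chain: where it started, where it ended, and what it touched."""
    return {
        "root_cause": chain[0],
        "objective": chain[-1],
        "hosts": sorted({a.host for a in chain}),
        "techniques": [a.technique for a in chain],
        "alert_count": len(chain),
    }


if __name__ == "__main__":
    for chain in correlate(SAMPLE_ALERTS):
        story = narrative(chain)
        print(f"{story['alert_count']} alert(s) on {', '.join(story['hosts'])}")
        print(f"  root cause : {story['root_cause'].summary}")
        print(f"  objective  : {story['objective'].summary}")
```

Running the file prints one storyline per chain. The six ws-17/fs-01 tickets collapse into a single narrative whose root cause is the phishing attachment and whose objective is the outbound transfer, while the unrelated ws-22 alert stays a one-alert chain, which is exactly the kind of ticket an analyst can deprioritize once it is clear nothing else hangs off it.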
CyCraft AIR continuously monitors processes for malicious or suspicious behavior against continually updated global threat intelligence provided by CyberTotal, CyCraft’s proprietary global threat intelligence platform. CyCraft AIR not only actively hunts for malicious or suspicious behavior but also provides daily asset management reports giving SOC teams a thorough, complete view into their environment. The cyber situation graph view, complete with timeline, correlates each malicious event of an attack, allowing SOC analysts both to quickly view and analyze the entirety of an attack from afar (not just from a single endpoint perspective) and, at the same time, to drill down into specific events for further investigation of IoCs.
“…the near-constant rate of hacker attacks of computers with Internet access [is] every 39 seconds on average…”
2007 Clark School Study, University of Maryland
But that was 13 years ago. Before the first iPhone was even released. Before mobile security solutions were a serious concern. Before Bitcoin. Before the explosion of ransomware as a result of Bitcoin. Attacks are only getting more sophisticated, faster, and far more frequent. The modern SOC needs analysts ready to go at a moment’s notice, yet most organizations don’t even have the proper resources to keep their SOC properly armed and trained against known threats. And don’t forget, no matter the size of the organization or their SOC, they’re still held accountable for defending against government-sponsored hacker groups. This all leads to one undeniable truth: cybersecurity never sleeps, but people do.
Despite 53% of survey respondents classifying their SOC as having full-time (24/7/365) coverage, 71% of survey respondents identified being on call 24/7/365 as a major pain point, which suggests that there are a lot of SOC analysts working overtime (possibly unpaid) and rapidly burning out. In fact, in the same survey, the top two methods respondents suggest taking to alleviate SOC pain were both related to working hours: automate workflow (67%) and normalize work schedules (53%). While large organizations can afford large SOC teams consisting of hundreds of trained and experienced experts, SMEs and MSEs often lack the resources needed to maintain cyber resilience. Enter MDR.
What is MDR?
Managed Detection and Response (MDR) is a managed cybersecurity service that provides SOC teams with 24/7 intrusion detection of malware and malicious activity in their environment. MDR providers typically offer assistance with incident response to contain and eradicate threats; some offer remediation services, but most MDR solutions offer human security analysts that extend your technologies and team.
MDR is not the same as a traditional managed security service. Managed Security Service Providers (MSSPs) monitor environments and may send alerts when anomalies are identified but typically do not offer incident response or eliminate false positives, leaving that to your SOC team.
“CyCraft strives for human-AI collaboration in cybersecurity. In two years, we developed and put into operation an innovative AI-powered SecOps platform, CyCraft AIR — effectively orchestrating endpoint telemetry, MITRE ATT&CK context, global threat intelligence for optimized situation awareness, and efficiently managing millions of endpoints from government and enterprise customers in the Asia-Pacific region.”
-Benson Wu, Founder & CEO
CyCraft AIR continually scans all endpoints, monitors all traffic entering, moving within, and leaving your environment 24/7/365, and auto-generates daily reports on your current cyber situation. CyCraft provides an MDR solution that goes beyond most MDR solutions by automating the investigation process. When an incident does occur, CyCraft AIR provides SOC teams with a data-driven and more efficient workflow without guesswork, reducing both MTTD and MTTR by automating not only real-time monitoring, detection, threat triage, and response but also the investigation process. Within minutes of the first auto-triaged alert sent, our customers receive a thorough step-by-step analysis of the attack, an in-depth analysis of the root cause of the entire attack (not just one particular endpoint), a pre-triaged checklist of actionable intelligence for both response and eradication, and a step-by-step remediation plan. With 24/7 coverage, threat triage automation, automated IR investigations, and actionable reports, CyCraft AIR carries the burden of manual SOC tasks and creates a stable working environment that can lead to a normalized work schedule. SOC teams are more effective and efficient with CyCraft AIR. Your SOC team needs sleep; CyCraft AIR doesn’t.
CyCraft AIR’s auto-investigation functionality also provides customers aid with due diligence investigations.
In 2018, CyCraft AIR reduced a customer’s pre-acquisition due diligence investigation time from several months to just a few days — a reduction of over 99%. The efficiencies gained included cost and workforce reductions of over 95%, especially since the previously planned team of technical experts was no longer required, and neither was the otherwise arduous and error-prone investigation process. CyCraft AIR further helped smooth the integration of the acquired infrastructure into the customer’s pre-existing environment, allowing the process to complete successfully within a fraction of the originally estimated time. As a testament to CyCraft AIR’s proven benefits, the customer has continued using CyCraft AIR as their primary cybersecurity solution even after the successful completion of their acquisition.
SIEM solutions provide SOC Tier 1 analysts with tickets that are typically static images of things wrong in your environment — often lacking context, leaving the Tier 1 analyst to manually add context by investigating each and every ticket before passing off the severe cases to your Tier 2 analyst. As SIEM and other security solutions typically do not provide any information about false positive mitigation, the solutions often miss malicious activity or classify it incorrectly, leaving a tsunami of false alerts for your Tier 1 analysts to swim through; before long, alert fatigue sets in.
Making matters worse, a survey conducted by Cloud Security Alliance found that 50 percent of enterprises don’t just have one solution but multiple solutions generating alerts. Among the security professionals surveyed, 31.9 percent ignore alerts due to the high frequency of false positives; 40.4 percent stated the alerts generated lacked actionable intelligence. Maintaining and monitoring the entirety of an attack surface has many challenges — alert fatigue has always been near the top of the list.
In the Ponemon Institute report, “Improving the Effectiveness of the Security Operations Center,” 49% of respondents complained that solutions yielding too many false positives made their SOCs ineffective.
For today and the coming decade, there is an undeniable need for security solutions that not only provide detailed context for each alert generated but also do so automatically. This would alleviate pain for both Tier 1 and Tier 2 analysts by reducing false positives, saving both groups of analysts time, and would have the added benefit of a more efficient SOC with a reduced MTTR.
CyCraft AIR uniquely mitigates false positives by integrating 6 contexts per event (isolated artifact, artifact context, full endpoint forensic context, cross endpoint full forensic context, network forensic context, and global threat intel context) combined with our breakthroughs in machine learning.
CyCraft AIR also performs automated triage on all alerts generated and ranks them in terms of severity, allowing SOC teams to immediately recognize the severity of each alert generated and to prioritize threats on their system accordingly.
In the case of the above image, attackers targeting Taiwan government agencies discovered and leveraged a weak point in trusted and commonly used data loss prevention (DLP) software in order to trigger malware and maintain persistence. We were brought in to perform a post-breach investigation. Once our agents were installed across their environment, CyCraft AIR completed an auto-investigation of the entire environment within minutes and was able to auto-generate both eradication and remediation reports.
Unfortunately, the government agencies targeted in April 2020 had already been compromised prior to the April attacks; CyCraft AIR discovered that not all the malware from the previous attack had been eradicated during the previous attack investigation, allowing the attackers to use the previously compromised endpoints yet again many months later. The majority of the malware used in the attack was Waterbear malware, which in the past has been associated with BlackTech, a China-linked cyber espionage threat group known for focusing on targets in Southeast Asia, primarily in Taiwan, but also observed going after targets in Hong Kong and Japan.
Waterbear malware presented a major threat to the environment and was given a 10/10 severity score. Thankfully, due to the auto-generated eradication plan, our customer was able to respond, contain, eradicate, and immediately begin remediation.
SOC analysts (and those few applying to be SOC analysts) are keenly aware of the reputation and expectation of pain brought about by their work environment. So far, we’ve explored the big four pain points: burnout induced by heavy workloads, lack of visibility into the network and IT infrastructure, being on call 24/7/365, and being bombarded with too many alerts to chase.
As a result of this painful environment, 66% of survey respondents say the top ten pain factors would cause them to consider quitting their job or changing careers entirely; many of the survey respondents also added that their organizations are already losing experienced security analysts to other organizations or careers.
By 2021, 3.5 million cybersecurity jobs will go unfilled globally, reported CSOonline. The only thing worse than being overloaded with work is knowing there is no relief on its way. For almost a decade, the demand for cybersecurity professionals has continued to rise. The General Data Protection Regulation (GDPR) of the EU and the California Consumer Privacy Act (CCPA), now in full effect and coupled with the threat of fines for any misuse of user data, have left organizations scrambling to employ security experts and, at times, battling with each other. Matt Comyns, who specializes in recruiting and placing senior-level information security executives, had this to say to the L.A. Times.
“It’s a full-on war for cybertalent…CEOs know that, so they play hardball. Everyone’s throwing money at this.”
Matt Comyns, Managing Partner at Caldwell Partners
It took an offer of a 650,000 USD salary from Matt Comyns to finally entice a seasoned cybersecurity specialist to take a CISO position at one large American enterprise.
“We’re seeing boards and CEOs held accountable, and so there is a personal sense of anxiety that those board members and senior executives have, and they want to have a senior leader who can help them navigate the security issues that they face.”
Joe Sullivan, former CSO at Uber and Facebook, now at Cloudflare, a16z podcast, episode 548
MSEs, and especially SMEs, suffer both from the overall lack of qualified people in the market and from the inability to recruit and retain expert personnel. With large enterprises snatching up experienced security experts and offering large salaries for leadership positions, SMEs and MSEs have had difficulty keeping up, or even simply maintaining the teams they have.
Hear it straight from the horse’s mouth: respondents from the Ponemon Institute survey went further in their responses to this particular topic and stated that, to reduce pain, both intelligent automation and a normalized work schedule would be extremely helpful.
Managed detection and response solutions with friendly integrations can be of great benefit to enterprises with limited SOC capabilities, as they typically require few full-time equivalents (FTEs) to run. While MDR solutions typically carry the heavy load for monitoring, detection, response, and investigations, another strong benefit for SMEs and MSEs is the access to seasoned cybersecurity experts typically provided through the MDR service, as recruiting cybersecurity experts can prove difficult and costly due to both the lack of experts in the industry and competition with large-scale organizations over salary.
“Organizations that have already made investments in people, process and technologies for threat detection and response, or plan to make those investments, say, as part of building their own internal SOC, and are looking to MDR providers for support. These buyers, depending on their starting point, want to use MDR services to jump-start their SOC journey or fill in gaps in their capabilities and offer them bandwidth to focus on other security activities (or, at a minimum, just incident response). These buyers may leverage a managed EDR offering as they establish their internal expertise around EDR or as a “second set of eyes” for their SOC analysts. Some organizations may want to outsource their threat-hunting capability to an MDR provider. Additionally, an organization of this profile also benefits from 24/7 coverage, which, even for bigger organizations, is an expensive investment many are unwilling to invest in.”
Gartner, 2019 Market Guide for Managed Detection and Response
CyCraft AIR is a light-weight MDR solution that provides free professional support. CyCraft Support consists of experienced security analysts ready to answer any questions you have about our platform, products, or any of your security needs. CyCraft AIR combines AI-driven detection and response technology with the expertise of seasoned cybersecurity analysts.
CyCraft AIR combines automated investigations with the expertise of seasoned cybersecurity professionals. Within minutes of the first triaged alert sent to our customer’s SOC, our customers receive a thorough step-by-step analysis of the attack, an in-depth analysis of the root cause of the entire attack (not just one particular endpoint), a pre-triaged checklist of actionable intelligence for both response and eradication, and a step-by-step remediation plan. These reports and plans are created by both our proprietary AI-driven technology and our team of seasoned cybersecurity experts.
CyCraft Taiwan offers continuing cybersecurity education to its customers, ensuring our customers stay resilient and ready for the threat actors targeting them as well as the latest observed attacker TTPs.
CyCraft Taiwan also offers an Intern Program with attendees ranging from professionals in adjacent industries to graduate, undergraduate, and high school students. One of our high school interns is now collaborating with PyCon Taiwan on the development of a PyCon Taiwan speaker track specifically designed for high school students.
Remember that when asked what factors make a SOC ineffective, 49% of survey respondents blamed solutions yielding too many false positives; yet, in order to be completely secure, SOC analysts have to comb through each ticket and alert, or do they?
With so many alerts generated from so many solutions, an average SME or MSE SOC team can only handle a fraction of alerts per day, leaving many alerts ignored. According to a Dark Reading article, security analysts, in some cases, triage less than 10 percent of incoming alerts. Not every SOC is capable of hiring more analysts. In an attempt to alleviate information overload, 38 percent of security analysts even turn off high-volume alerting features.
Neither of these approaches is ideal. While some intrusions are indeed impossible to prevent, most are containable given the SOC has deep visibility into their entire system and effective response solutions.
Information overload doesn’t just stem from false positives. Having too many IOCs to track, too much internal traffic to compare against those IOCs, a lack of internal resources and expertise, and a lack of visibility and proper security tools are all contributing factors.
The above graph clearly demonstrates how information overload can lead to ineffective threat hunting as well as factors we have unfortunately become familiar with, such as lack of visibility and false positives.
SOC teams on the market for detection and response solutions should look for security tools that mitigate information overload. Typically this is done through a combination of proprietary and open-source machine learning algorithms driving the technology and integrating a combination of proprietary and open-source cyber threat intelligence (CTI) as well. When comparing cybersecurity solution vendors, SOC teams should focus on where the CTI comes from, how it is integrated into the solution, how it is updated, how often it is updated, and how the solution mitigates information overload.
CyCraft AIR uniquely mitigates false positives by integrating 6 contexts per event: isolated artifact, artifact context, full endpoint forensic context, cross endpoint full forensic context, network forensic context, and global threat intelligence context. CyCraft AIR’s global threat intelligence is powered by CyberTotal.
CyberTotal is a cloud-based threat intelligence service that is uniquely suited to aid SIEM SOC analysts by seamlessly integrating multiple diverse CTI sources, open-source intel, CyCraft’s proprietary threat intelligence, international threat actor information and behavior profiles, and one-click threat investigations.
CyberTotal is continually updated with the latest IOCs and threats and provides users with an intuitive UI that allows them to easily drill down and investigate IOCs through multiple contexts and includes automated severity, confidence, and threat rankings.
“CyCraft AIR and CyberTotal actively use machine learning to automate all stages of intrusion detection, response, and analysis. We were impressed with their innovative technology, such as their intuitive dashboard that made it easy for analysts to analyze and re-analyze intrusion attack data. CyCraft Technology should be commended for its deep understanding of international cyber threats but, most importantly, cyber threat intel actively threatening the current cyber landscape in Asia. As much of the international information security dialog focuses on Europe and the United States, we hope to see more cybersecurity products and services focused on the Asian market’s needs.”
-Judges for Interop Tokyo 2020 Best of Show Awards
CyCraft AIR leverages global CTI through one-click automated IR investigations, supplying SOC teams with a more efficient means of triaging and investigating alerts. Once activated, CyCraft’s IR forensic scanner immediately collects vital forensic endpoint and network data across the user’s organization. The data is then thoroughly analyzed by CyCraft’s team of highly experienced security analysts and CyCraft AI. The generated IR reports break down the chaos of information overload by providing a thorough analysis of the entire cyberattack as well as a clear and concise actionable checklist of triaged threats, each ranked for severity, enabling SOC teams to keep up with the deluge of security data and maintain resilience.
Organizations struggle to staff their SOC teams. This is only exacerbated by the lack of experienced cyber talent in the industry. Some 80 percent of organizations don’t have enough skilled security analysts or FTEs to effectively run their SOC. Although some organizations have shifted toward security orchestration, automation, and response (SOAR) tools, many still rely on manual alert triage and remediation, even while using SIEM tools.
Security Information and Event Management (SIEM) tools typically emit massive volumes of alerts, since they are tuned to flag every malicious or suspicious event that deviates from normal network or endpoint behavior. Manually responding to, or even keeping pace with, those alerts rapidly becomes impractical for SOC analysts, who would have to genuinely investigate each and every alert to verify whether immediate remedial action is necessary; as we discussed earlier, some analysts simply don’t.
Alert triage automation is part of the trend in security technologies to increase SOC efficiency and effectiveness through the automation of manual tasks and the centralizing of information into a single platform.
When comparing vendors, SOC teams need to research how each vendor mitigates false positives, quantifies and contextualizes their alerts, correlates these alerts into one attack narrative, and how the vendor aids in the investigation process.
CyCraft AIR mitigates false positives by evaluating each event through 6 specific contexts: isolated artifact, artifact context, full endpoint forensic context, cross endpoint full forensic context, network forensic context, and global threat intelligence context.
Not only is each generated alert ranked for severity and enriched with actionable threat intelligence through CyberTotal, but CyCraft AIR also automates the investigation process. After performing an automated IR investigation, CyCraft AIR generates a system-wide threat analysis report complete with a detailed attack storyline and an attack root cause analysis (not just one particular endpoint).
On average, organizations take about 197 days to detect an intrusion and 69 additional days to contain it, reported Forbes. After spending 6 months on detection and 2 months on containment, two-thirds of the year has passed. This workload is on top of regular SOC maintenance and is one cyberattack of the average 2,200 that occur daily. SOCs need fast, accurate, and actionable intelligence to contain intrusions efficiently and effectively. It’s not enough that SIEM solutions provide tickets to malicious activity; alerts need to be correlated into an attack narrative for a broader security perspective on your current cyber situation.
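The triage pipeline the preceding paragraphs describe (deduplicate SIEM alerts, correlate them per host into a time-ordered attack narrative, tag the techniques involved, enrich with threat intelligence, and rank the result by severity) is shown below as an added illustrative example. It is not CyCraft AIR’s product logic; the alerts, the rule-to-technique mapping, the scoring weights, and the threat-intelligence feed are all constructed for the example.

```python
"""Added example: correlate raw SIEM-style alerts into per-host attack
narratives, enrich them with a constructed threat-intel blocklist, and rank
the resulting incidents by severity.  Illustrative code, not a vendor's
product logic; every alert, IOC and technique mapping below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of raw alerts as a SIEM might emit them (ISO timestamp,
# host, rule name, key artifact).  One entry is a deliberate duplicate.
RAW_ALERTS = [
    {"ts": "2020-09-01T08:00:05", "host": "ws-017", "rule": "office_spawns_shell", "artifact": "powershell.exe"},
    {"ts": "2020-09-01T08:00:07", "host": "ws-017", "rule": "encoded_powershell", "artifact": "powershell.exe -enc"},
    {"ts": "2020-09-01T08:00:07", "host": "ws-017", "rule": "encoded_powershell", "artifact": "powershell.exe -enc"},
    {"ts": "2020-09-01T08:01:30", "host": "ws-017", "rule": "outbound_c2_beacon", "artifact": "203.0.113.45"},
    {"ts": "2020-09-01T08:03:10", "host": "ws-017", "rule": "lsass_access", "artifact": "procdump.exe"},
    {"ts": "2020-09-01T08:10:00", "host": "srv-db-02", "rule": "failed_logon_burst", "artifact": "svc_backup"},
    {"ts": "2020-09-01T09:15:00", "host": "ws-044", "rule": "office_spawns_shell", "artifact": "cmd.exe"},
]

# Constructed mapping: detection rule -> (ATT&CK technique id, base severity 1-10)
RULE_META = {
    "office_spawns_shell": ("T1204.002", 4),
    "encoded_powershell": ("T1059.001", 5),
    "outbound_c2_beacon": ("T1071.001", 7),
    "lsass_access": ("T1003.001", 9),
    "failed_logon_burst": ("T1110", 3),
}

# Constructed threat-intel feed: artifact -> (actor name, confidence 0-1)
TI_FEED = {"203.0.113.45": ("APT-Example", 0.9)}


@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)      # time-ordered alerts on this host
    techniques: list = field(default_factory=list)  # distinct ATT&CK ids, first-seen order
    actors: set = field(default_factory=set)        # actors matched via the TI feed
    severity: int = 0


def dedupe(alerts):
    """Drop exact repeats (same time, host, rule, artifact) before triage."""
    seen, out = set(), []
    for a in alerts:
        key = (a["ts"], a["host"], a["rule"], a["artifact"])
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out


def score(inc, rule_meta):
    """Severity = strongest single rule, plus a bonus for a multi-stage chain
    on one host, plus a bonus when an artifact matches known threat intel."""
    base = max(rule_meta.get(a["rule"], ("unknown", 1))[1] for a in inc.alerts)
    chain_bonus = min(len(inc.techniques) - 1, 3)
    ti_bonus = 2 if inc.actors else 0
    return min(base + chain_bonus + ti_bonus, 10)


def correlate(alerts, ti_feed=TI_FEED, rule_meta=RULE_META):
    """Group alerts by host in time order, tag techniques, enrich, and rank."""
    by_host = defaultdict(list)
    for a in sorted(dedupe(alerts), key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        inc = Incident(host=host, alerts=host_alerts)
        for a in host_alerts:
            tech = rule_meta.get(a["rule"], ("unknown", 1))[0]
            if tech not in inc.techniques:
                inc.techniques.append(tech)
            hit = ti_feed.get(a["artifact"])
            if hit:
                inc.actors.add(hit[0])
        inc.severity = score(inc, rule_meta)
        incidents.append(inc)
    return sorted(incidents, key=lambda i: i.severity, reverse=True)


def narrative(inc):
    """One-line attack storyline an analyst can read top to bottom."""
    steps = " -> ".join(f"{a['rule']}({a['artifact']})" for a in inc.alerts)
    actor = ", ".join(sorted(inc.actors)) or "no known actor"
    return f"[{inc.severity}/10] {inc.host}: {steps} | techniques {inc.techniques} | {actor}"


if __name__ == "__main__":
    for inc in correlate(RAW_ALERTS):
        print(narrative(inc))
```

Run as a script it prints the ranked storylines; ws-017 rises to the top because four distinct techniques chain on one host and the beacon destination matches the feed, while the two single-alert hosts stay low. The scoring weights are arbitrary; the point is that correlation and enrichment happen before an analyst sees anything, so the queue is ordered by what matters rather than by arrival time.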
Actionability can be an easily overlooked step in the data collection for SOC functionality. All the security-vital logging and raw data aggregated by the tool can easily be wasted if it isn’t presented in an orderly and actionable manner. What use is the data if you can’t act on it?
The Road to Actionability
The ideal intelligent automated detection and response solution automates numerous manual tasks. It should be able to detect malicious activity, identify it, classify it, quantify its threat, rank it, and then provide all of this data quickly and intuitively to the SOC analysts so they might immediately determine the next course of action. None of this is possible without accurate, up-to-date threat intelligence — not just on static blacklists of malware and tools but also on known adversaries and their observed tactics, techniques, and procedures (TTP).
Cyber threat intelligence (CTI) is a business-critical investment for SOC teams, especially for SMEs and MSEs who need to efficiently use their resources and should prioritize their defense on known threats targeting their industry. In addition to providing the intelligence needed to make well-informed security decisions, CTI also provides the following benefits: lower costs by allowing SOCs to use resources more efficiently; lower risk by focusing on immediate and active threats in your industry; enhance threat hunting capabilities by hunting for the latest threats; maximize staff efficiency; fill in gaps in defense; enrich visibility; receive up-to-date global threat intelligence; and ultimately, reduce the risk of data exfiltration.
CyCraft ThreatWall Threat Intelligence Gateway (TIG) unifies automated network detection and response with the latest in global threat intelligence (from CyberTotal) in one multi-functional box. With its flexible and fast deployment, ThreatWall, within only minutes, can begin not only blocking potential inbound threats from entering and compromising your environment but also block outbound traffic when sensitive internal data would be transferred to an unauthorized or malicious C2 server. Additionally, ThreatWall also provides both flexible architectures for inline-block and mirror mode — greatly reducing the processing burden on back-end security solutions — and API interface and CSV export functionality to facilitate integration with other information security platforms.
ThreatWall and CyCraft AIR both receive routinely updated global threat intelligence from CyberTotal, the cloud-based threat intelligence service described above. CyberTotal also integrates with both ArcSight and Cortex XSOAR.
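To make the threat intelligence gateway behaviour above concrete (match flows in both directions against an IOC feed, block inline or only alert in mirror mode, export verdicts as CSV), here is an added example. It is not ThreatWall’s code; the IOC feed, internal ranges, flows, and confidence threshold are constructed and the decision logic is a deliberately minimal stand-in.

```python
"""Added example (not a vendor's code): a minimal threat-intelligence gateway
decision function.  Each flow is classified as inbound or outbound, its
external endpoint is matched against a constructed IOC list mixing single
hosts and CIDR ranges (longest prefix wins), and the verdict is "block" in
inline mode or "alert" in mirror mode.  Verdicts can be exported as CSV."""
import csv
import io
import ipaddress

# Constructed IOC feed: network -> (label, confidence 0-1)
IOC_FEED = {
    "198.51.100.0/24": ("scanner-net", 0.6),
    "203.0.113.45/32": ("apt-example-c2", 0.95),
}

# Constructed internal address space used to decide flow direction
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: source, destination, destination port
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.1.2.3", "dport": 22},     # inbound from scanner range
    {"src": "10.1.2.3", "dst": "203.0.113.45", "dport": 443},    # outbound to known C2
    {"src": "10.1.2.3", "dst": "192.168.5.5", "dport": 445},     # internal-only, not inspected
    {"src": "10.1.2.3", "dst": "93.184.216.34", "dport": 443},   # benign outbound
]


def load_feed(feed=IOC_FEED):
    """Parse the feed once into network objects for membership tests."""
    return [(ipaddress.ip_network(n), label, conf) for n, (label, conf) in feed.items()]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def match_ioc(ip, feed):
    """Return the most specific (longest-prefix) IOC entry covering ip, or None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, label, conf in feed:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label, conf)
    return best


def decide(flow, feed, mode="inline", min_conf=0.5):
    """Return (verdict, direction, ioc_label) for one flow.

    Only the external side of a flow is checked: the source for inbound
    traffic, the destination for outbound (data leaving toward a C2 server).
    Low-confidence hits below min_conf are passed rather than blocked."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if is_internal(src) and not is_internal(dst):
        direction, external = "outbound", flow["dst"]
    elif not is_internal(src) and is_internal(dst):
        direction, external = "inbound", flow["src"]
    else:
        return ("pass", "internal", None)
    hit = match_ioc(external, feed)
    if hit is None or hit[2] < min_conf:
        return ("pass", direction, None)
    verdict = "block" if mode == "inline" else "alert"
    return (verdict, direction, hit[1])


def export_csv(flows, feed, mode="inline"):
    """CSV of verdicts, one row per flow, for hand-off to a SIEM or SOAR."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["src", "dst", "dport", "direction", "verdict", "ioc"])
    for f in flows:
        verdict, direction, label = decide(f, feed, mode)
        w.writerow([f["src"], f["dst"], f["dport"], direction, verdict, label or ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(FLOWS, load_feed(), mode="mirror"))
```

Mirror mode is what you run first, off a SPAN port, to measure the false-positive rate of a new feed before moving the same rules inline; the only difference in the code is the verdict string, which mirrors how the two deployment architectures differ in practice. Raising min_conf turns a noisy range like the scanner net into an alert-only or pass decision without touching the feed itself.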
Not being aligned, or only partially aligned, with business demands or goals makes it difficult for SOCs to gain support from senior leadership to provide adequate funding for necessary resources, such as technologies or staff, which could ultimately lead to either an immature and painful SOC or the outsourcing of the SOC to an MSSP or MDR service.
The lack of internal resources coupled with the inability to recruit and retain personnel with the skills necessary to build and maintain a SOC drive many organizations to opt for outsourcing SOC functions over managing an immature SOC. When asked why their organization does not deploy an in-house SOC, 59% of the Ponemon Institute survey respondents stated it was due to a lack of internal funds; 56% stated it was due to being unable to recruit and retain the proper staff.
CyCraft AIR powers organizations with full, limited, and outsourced SOCs with managed detection and response protection. CyberTotal and CyCraft Support both enhance SOC operations with threat actor playbooks, behavior profiles, international blacklists of malicious IPs, and experienced professional security analysts to walk you through your incident response reports, root cause analyses, or site-wide health checks.
A traditional SOC typically covers six main functions: monitoring the entire environment, setting the security baseline, threat triage, investigation, response, and continually improving across the security cycle. Intelligent automation not only reduces the amount of resources allocated to these functions without sacrificing cyber resilience but also enhances the efficiency and effectiveness of a SOC team performing those functions.
Automated detection and response tools free up SOC teams to allow for rotational work schedules, red teaming exercises, setting the security baseline through policies, educating internal staff on modern cyber hygiene, internal threat hunting, and more.
No solution can prevent 100% of system intrusions — not when state-sponsored threat groups with hundreds of millions of dollars in resources are capable of infiltrating international financial institutions and government agencies and discovering and/or purchasing zero-day exploits.
However, automated detection and response solutions capable of detecting, identifying, containing, and eradicating every step of an attack can improve system-wide visibility enough to prevent the massive data exfiltrations that cripple organizations.
CyCraft AIR is one of the handful of security solutions to have been validated by the MITRE ATT&CKⓇ Evaluations. CyCraft AIR went up against ATT&CK’s APT29 emulation and scored more real-world GTT detections (General, Tactic, and Technique) than any other vendor solution. When comparing detection and response solutions, it’s important for organizations to look for vendors that offer real-world (out-of-the-box) detections, as these require no configuration of the solution. While cyber threat intelligence prepares you for trending and relevant threats targeting your industry, SOCs never know whom they’re up against during an attack, let alone have time to configure their solutions to detect them mid-attack.
Writer: CyCraft
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.