How a modern SOC can make your threat hunting smarter

Kate Scarcella Chief Cybersecurity Architect, CyberRes

Security operations centers are being overwhelmed by data. Information from numerous sources—data from usage directories, asset inventory tools, geolocation tools, third-party threat intelligence databases, just to name a few—pours into the SOC, where it is expected to be crunched for possible threats that security analysts can then remedy.

There are some problems with that approach. For one, when using the data to perform threat detection, threat hunting, and incident response—data that usually ends up in a security information and event management (SIEM) system—rules and thresholds need to be set up by people. Not only can that be a labor-intensive task, but those rules and thresholds can also lack the flexibility to deal with an ever-changing operations and threat landscape.

For example, an unusual number of remote logins might set off alarms from the SIEM, and in ordinary circumstances that could be a very good rule. But if a pandemic comes along and suddenly everyone is working from home, the rule can become an obstructive fossil.

The funnel-and-crunch approach can also produce a boatload of alerts for analysts to investigate. According to one Fortinet estimate, an analyst can expect to clear 20 to 25 alerts in a day. Yet the average SOC receives 10,000 alerts a day. For larger organizations, it's even worse—upwards of 150,000 alerts a day.

When you consider how many of those alerts are false positives—around 50%—and how many are low severity, it's easy to understand why there can be a lot of analyst churn in SOCs—anywhere from 10% to 50%, according to Help Net Security—and why there's little time for threat hunting.

That's another rub with the funnel-and-crunch method: it's reactive. By the time the method uncovers a threat, an attack can be well underway. According to a 2019 survey by the SANS Institute, 14% of organizations pegged the time between compromise and detection at one to six months.

Here's why you should consider another approach to resolving these problems: upgrading your SOC and using data to your advantage. Threat hunters need high-quality information that allows them to act on critical threats in real or near real time.

Look at IoT as an ally instead of another enemy

Adding to a SOC's data woes is the Internet of Things. There can be thousands of those devices feeding data into the SOC, turning a data pool into a data swamp. If any of those devices are compromised, it is nearly impossible for a security team to discover it in time to make a difference by using the common approaches of data collection and analysis.

However, an army of IoT devices need not be another source of noise in the data hose aimed at a SOC. They can be a valuable ally to security teams and threat hunters with the use of an endpoint detection and response system.

A system with intelligent agents on the IoT devices can also nip threats in the bud through application whitelisting, preventing unauthorized data modification on the device, and controlling data flow integrity, making sure executables run correctly.

What's more, machine learning and analytics can profile devices; they essentially create a unique fingerprint for each one. That allows billions of events to be analyzed and whittled down to the most significantly risky events. The profile can be used to understand what the device is doing, as well as its behavior relative to its peers. That allows anomalous behavior to be identified quickly, which the collect-and-crunch approach does not do today.

Data from the devices can be enriched in real time and given context, which can make a SOC and threat hunters more effective. Threat intelligence context can be used to enhance detection analytics, improving a SIEM's ability to identify threats. It can also be used to boost a threat's risk score, prioritizing higher-risk threats for investigation.

By using endpoint detection and response (EDR) as a primary source of data, threat hunters can receive a handful of quality leads about potential malicious activity in their environment. Getting better information to a SOC not only makes threat hunting more efficient, but it can be a morale booster, too, because it can reduce the drudgery of resolving false positives and insignificant alerts.

Thwarting threats at the edge

EDR can improve reaction time to threats because it provides uninterrupted protection of an organization's digital assets. These systems continuously adapt their machine-learning models automatically, without human intervention. This allows the EDR system to keep relevant the unique profiles it develops for the IoT devices it's bird-dogging, making it easier for threat hunters to find compromised devices and to get better-quality leads by aggregating risk.

That can have a significant impact on the problem of how long it takes to detect hacks. According to one study by Kaspersky, more than a quarter of companies using EDR have been able to detect cyberattacks in hours or even almost immediately.

Not only can EDR protect an organization's endpoints and blunt attacks on a device's memory, but it can also flag common threats in real or near real time.

The system can provide runtime protection of endpoints, guarding against new or modified executables, shared objects, or scripts. EDR may also include automatic policy generation and robust policy configuration, with the ability to add policies that support over-the-air updates and controls to restrict or enable tools on demand. Other protections might include key-signing support and page-based whitelisting.

File protections at the endpoint can also be extensive. Simplified access control policies can protect file names, block modification or deletion of files, and restrict which applications can modify files. In addition, permissions can be controlled through signed policies so they can't be modified locally, including by a root user.
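The runtime and file protections described in the last two paragraphs start from a manifest of approved executables, shared objects and scripts, and flag anything new, modified or removed relative to it. The following is an added example (not code from the article or any EDR product) of that allowlist check in Python: it hashes the watched files under a directory, records them in a manifest, and then classifies the tree against that manifest. The files, directory layout and suffix list are constructed for the demonstration.

```python
"""Hash-based executable allowlist: detect new, modified or missing binaries and
scripts relative to a previously recorded manifest (added example; constructed files)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed: file types treated as executable content on this device.
WATCHED_SUFFIXES = {".bin", ".so", ".sh", ".py"}


def sha256_of(path):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Snapshot every watched file under root: relative path -> SHA-256 hex digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in WATCHED_SUFFIXES}


def check_against_manifest(root, manifest):
    """Classify the current tree against the approved manifest.
    Returns {"unknown": [...], "modified": [...], "missing": [...]}."""
    current = build_manifest(root)
    shared = current.keys() & manifest.keys()
    return {
        "unknown": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in shared if current[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(current)),
    }


def demo():
    """Constructed scenario: record a manifest, then patch a binary, drop a new
    script and delete an approved one, and see what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "sensor.bin").write_bytes(b"\x7fELF constructed firmware image")
        (root / "bin" / "agent.sh").write_text("#!/bin/sh\necho hello\n")
        (root / "README.txt").write_text("not executable, so not watched\n")
        manifest = build_manifest(root)

        # Tampering after the manifest was recorded (constructed).
        (root / "bin" / "sensor.bin").write_bytes(b"\x7fELF constructed firmware image + patch")
        (root / "bin" / "dropper.py").write_text("print('new unapproved script')\n")
        (root / "bin" / "agent.sh").unlink()
        return check_against_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is the policy; as the article notes, it only holds up if it is delivered signed and cannot be rewritten locally, which this example leaves to the policy delivery mechanism rather than implementing.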

A device's memory can also be protected by an EDR system, ensuring software integrity in real time. It can prevent buffer overflow exploits and maintain original program flow over the life of the device, and it can perform forward- and backward-edge validation.

An array of threats posed by a device can be flagged by an EDR system. These include rare command executions and abnormally high CPU and memory use. EDR can also flag unusual event spikes, peculiar authentication activity, activity at a different time of day than normal, connection to an unusual destination, and a device making an unwarranted number of network connections.
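The flags listed above, together with the per-device profiling and peer comparison and the threat-intelligence risk boosting described in the IoT section, come down to comparing a device's current activity with its own baseline and with its peer group, then adding context. The following is an added example (not the article's or any vendor's code) that does this in Python over a constructed week of camera events: it builds a fingerprint per device (commands, active hours, destinations, events per day), checks today's events for spikes, rare commands, off-hours activity, unknown destinations and fan-out, boosts the score for destinations that match a threat-intelligence feed, and ranks the devices as leads. Device names, the indicator, the thresholds and the weights are all constructed for the demonstration.

```python
"""Behavioral profiling of endpoint events with peer comparison and
threat-intelligence enrichment (added example; all data constructed)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline week: (device, day, hour, command, destination).
# Three cameras in one peer group, each streaming to the same collector.
BASELINE = (
    [("cam-01", d, h, "ffmpeg", "10.0.0.5") for d in range(1, 8) for h in (9, 10, 11, 14, 15)]
    + [("cam-02", d, h, "ffmpeg", "10.0.0.5") for d in range(1, 8) for h in (9, 10, 12, 14, 16)]
    + [("cam-03", d, h, "ffmpeg", "10.0.0.5") for d in range(1, 8) for h in (8, 10, 11, 13, 15)]
)

# Constructed "today": cam-01 behaves normally; cam-02 is active at 03:00, runs a
# downloader it never ran before and fans out to 30 hosts nobody in the group talks to.
TODAY = (
    [("cam-01", 8, h, "ffmpeg", "10.0.0.5") for h in (9, 10, 14)]
    + [("cam-02", 8, 3, "busybox wget", "203.0.113.77"),
       ("cam-02", 8, 3, "busybox wget", "203.0.113.78")]
    + [("cam-02", 8, 3, "ffmpeg", f"198.51.100.{i}") for i in range(1, 31)]
)

# Constructed threat-intelligence feed (hypothetical indicator, documentation range).
TI_FEED = {"203.0.113.77": "constructed C2 indicator"}

# Constructed weights; a real deployment tunes these to its environment.
WEIGHTS = {"rare_command": 3, "event_spike": 2, "off_hours": 1,
           "unusual_destination": 2, "excess_connections": 2, "threat_intel": 5}


def build_profiles(events):
    """Per-device fingerprint: commands, active hours, destinations, events per day."""
    profiles = defaultdict(lambda: {"commands": set(), "hours": set(),
                                    "dests": set(), "daily": Counter()})
    for dev, day, hour, cmd, dst in events:
        p = profiles[dev]
        p["commands"].add(cmd)
        p["hours"].add(hour)
        p["dests"].add(dst)
        p["daily"][day] += 1
    return profiles


def score_device(dev, today, profiles, ti_feed=TI_FEED):
    """Compare one device's current events with its own baseline and its peers.
    Returns (risk_score, [(finding_type, detail), ...])."""
    p = profiles[dev]
    peers = [q for name, q in profiles.items() if name != dev]
    peer_cmds = Counter(c for q in peers for c in q["commands"])
    peer_dests = set().union(*(q["dests"] for q in peers)) if peers else set()
    findings = []

    # Event spike: well above the device's own daily baseline.
    daily = list(p["daily"].values())
    mu, sigma = mean(daily), pstdev(daily)
    if len(today) > max(mu + 3 * sigma, 2 * mu):
        findings.append(("event_spike", f"{len(today)} events, baseline mean {mu:.1f}/day"))

    # Rare command: never run by this device and run by fewer than half its peers.
    for cmd in sorted({e[3] for e in today} - p["commands"]):
        if peer_cmds[cmd] < len(peers) / 2:
            findings.append(("rare_command", cmd))

    # Activity at hours the device has never been active.
    for hour in sorted({e[2] for e in today} - p["hours"]):
        findings.append(("off_hours", f"{hour:02d}:00"))

    # Destinations unknown to both the device and its whole peer group.
    today_dests = {e[4] for e in today}
    unknown = today_dests - p["dests"] - peer_dests
    if unknown:
        findings.append(("unusual_destination", f"{len(unknown)} hosts unknown to device and peers"))

    # Fan-out: far more distinct destinations than the baseline ever showed.
    if len(today_dests) > max(3, 2 * len(p["dests"])):
        findings.append(("excess_connections", f"{len(today_dests)} distinct destinations"))

    # Threat-intelligence context boosts the risk score rather than replacing it.
    for dst in sorted(today_dests & set(ti_feed)):
        findings.append(("threat_intel", f"{dst}: {ti_feed[dst]}"))

    return sum(WEIGHTS[kind] for kind, _ in findings), findings


def rank_devices(baseline=BASELINE, today=TODAY):
    """Risk-ranked leads for the hunter, highest score first."""
    profiles = build_profiles(baseline)
    by_dev = defaultdict(list)
    for e in today:
        by_dev[e[0]].append(e)
    ranked = [(dev, *score_device(dev, by_dev.get(dev, []), profiles)) for dev in profiles]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for dev, score, findings in rank_devices():
        print(f"{dev}: risk {score}")
        for kind, detail in findings:
            print(f"    {kind}: {detail}")
```

Two design points matter here. The peer check keeps a command or destination that is normal for the whole group from being flagged just because one device has not used it before, which is what makes the baseline adapt when, say, everyone starts working differently at once; and the threat-intelligence match is a score boost on top of the behavioral findings, so a single feed hit raises a lead's priority without becoming the only thing the hunter looks at.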

Make your SOC better with more data

As organizations face more aggressive and sophisticated attacks on their digital assets, they need to make their SOC operations more responsive to their threat environment. Through the use of endpoint devices and the data enriched by those devices, security teams and threat hunters can achieve both those goals.
