By Peter Glatz, Product Marketing Assistant, LogPoint
In the fight against cyber threats, the SOC (Security Operations Center) is the battlefield and security analysts are the soldiers. In 2020, an order issued by the state of California exempted cybersecurity staff from the coronavirus stay-at-home order.
However, even in times of relative tranquility, working in a SOC can feel like war. An average enterprise SOC encounters anywhere between ten thousand and a million alerts per day, is usually understaffed, and has little margin for error. Security analysts, like soldiers, need to stay alert and prepared for battle. As the military saying goes, "know your enemy," and here the enemy may not be the hacker but the barrage of alerts and false positives. Another useful lesson from military practice is that people cannot absorb much under stress, so there is little point in teaching complicated concepts. While "under fire," people (and security analysts are humans, not machines) fall back on the basics. With this in mind, we highlight the top five challenges every analyst encounters in cyber threat detection and response.
- Alert floods make it hard to evaluate incident alerts for urgency and relevance
The number one challenge for SOCs today is the sheer volume of alerts, which often leads to "alert fatigue." Another term borrowed from the military, alert fatigue describes the degraded performance of people who must respond to a multitude of alerts (it was first used for radar operators in WWII). In a modern SOC, the core task is to evaluate the urgency and relevance of each incident so that the right alerts are handled first.
- The "cry wolf" effect, or understanding the incident before triage and escalation
It is not only the multitude of alerts but the fact that many of them are false positives that creates stress and reduces the effectiveness of analysts' responses. One survey found that more than half of the respondents reported a false-positive rate of 50% or higher, so most of the analysts' time went into managing alert volume. Instead of chasing wild geese, analysts should acknowledge this tendency and quickly determine whether an alert is true or false, and whether it is severe enough to handle immediately (triage and escalate) or can wait for a later stage.
- Using threat intelligence (TI) to identify infected/affected systems and the scope of the attack
Once an alert has been deemed worth investigating further, analysts must use threat intelligence (TI) to enrich the associated data and assess the full scope of the breach, including all infected systems. Relevant and timely TI helps identify which other systems have been impacted and what the likely source of the breach or attack is.
- Collecting data for further investigation
Some cyber threat actors are masters at disguising their trails and may delete or erase some of their "digital footprints," which would make the investigation impossible to complete. Therefore, before moving further with the investigation, analysts must quickly collect all the relevant evidence, such as network logs and endpoint logs.
- Making the correct modifications and configuring security tools
Once the "battle" is over and the security investigation has ended, it is only natural that the weary "soldiers" (analysts) need to rest. Unlike the physical battleground, however, the cyber battlefield offers no rest. One breach attempt may be detected and remediated perfectly, only to be followed by another, and another, until the attacker succeeds. It is therefore crucial to close the investigation by determining the source, the impact, and the changes required to prevent the same breach from recurring. Firewall rules should be updated, security policies modified as needed, and the next shift of analysts briefed so they can spot the next wave of attackers quickly.
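The triage loop the five points above describe (collapse the alert flood, set aside rules known to cry wolf, rank by urgency and relevance, enrich with TI to find every affected host) as an added Python example; this is not LogPoint code, and the alerts, TI feed, asset criticality values and rule names are all constructed for illustration:

```python
from collections import Counter, defaultdict

# Constructed sample alerts in the shape a SIEM might emit (not real data).
ALERTS = [
    {"id": 1, "host": "ws-042", "rule": "outbound-c2-beacon", "severity": 4, "dst": "203.0.113.10"},
    {"id": 2, "host": "ws-042", "rule": "outbound-c2-beacon", "severity": 4, "dst": "203.0.113.10"},
    {"id": 3, "host": "db-01", "rule": "failed-login-burst", "severity": 3, "dst": None},
    {"id": 4, "host": "ws-017", "rule": "av-heuristic", "severity": 2, "dst": "198.51.100.7"},
    {"id": 5, "host": "ws-099", "rule": "dns-nxdomain-spike", "severity": 1, "dst": None},
    {"id": 6, "host": "db-01", "rule": "outbound-c2-beacon", "severity": 4, "dst": "203.0.113.10"},
]
TI_FEED = {"203.0.113.10": 90, "198.51.100.7": 40}  # constructed: indicator -> confidence 0-100
ASSET_CRITICALITY = {"db-01": 5, "ws-042": 2, "ws-017": 2, "ws-099": 1}  # constructed: host -> 1-5
KNOWN_NOISY_RULES = {"dns-nxdomain-spike"}  # rules the team has tuned out as chronic false positives

def dedupe(alerts):
    """Collapse repeats of the same (host, rule, dst) into one alert carrying a hit count."""
    counts = Counter((a["host"], a["rule"], a["dst"]) for a in alerts)
    seen, out = set(), []
    for a in alerts:
        key = (a["host"], a["rule"], a["dst"])
        if key not in seen:
            seen.add(key)
            out.append({**a, "hits": counts[key]})
    return out

def score(alert):
    """Urgency (rule severity plus TI confidence) weighted by relevance (asset criticality)."""
    urgency = alert["severity"] + TI_FEED.get(alert["dst"], 0) / 25  # a TI match adds up to +4
    relevance = ASSET_CRITICALITY.get(alert["host"], 1)  # unknown assets default to the lowest tier
    return round(urgency * relevance, 1)

def triage(alerts):
    """Return (prioritised queue, suppressed noise, hosts seen talking to each TI indicator)."""
    queue, noise, scope = [], [], defaultdict(set)
    for a in dedupe(alerts):
        if a["rule"] in KNOWN_NOISY_RULES:  # "cry wolf" rules go to a review bucket, not the queue
            noise.append(a)
            continue
        a["score"] = score(a)
        queue.append(a)
        if a["dst"] in TI_FEED:  # TI enrichment: every host touching the indicator is in scope
            scope[a["dst"]].add(a["host"])
    queue.sort(key=lambda a: a["score"], reverse=True)
    return queue, noise, dict(scope)

if __name__ == "__main__":
    queue, noise, scope = triage(ALERTS)
    for a in queue:
        print(f'{a["score"]:>5} {a["host"]:<7} {a["rule"]} (x{a["hits"]})')
    print("suppressed for review:", [a["id"] for a in noise])
    print("scope by indicator:", {k: sorted(v) for k, v in scope.items()})
```

Note how the same beacon rule lands at the top for the critical database host but mid-queue for the workstation, while the TI-matched indicator ties both hosts together into one incident scope.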
SOC analysts are not putting their lives at risk on a battlefield, but they are your organization's first line of defense. With proper training, methodology, and tools, they will secure the organization. With LogPoint SIEM, UEBA, and SOAR, SOC analysts can use SIEM correlation rules to detect known threats, machine learning in LogPoint UEBA to detect unknown threats, and automated incident response to mitigate a threat in minutes rather than hours or days, eliminating long and cumbersome manual processes.