An alert is a warning that fires when a specific event (or series of events) has occurred. The alert is usually forwarded to the responsible people or system so that action can be taken. A typical enterprise SOC (security operations center) sees thousands or even millions of alerts a day, of which only a fraction are caused by real threats. Alerts that were not triggered by real threats are referred to as false positives.
Alert fatigue occurs when SOC analysts are exposed to a large number of frequent alerts and, over time, become desensitized to them.
Alert fatigue results in alerts being missed or ignored, or in delayed responses to malicious activity. A large share of those alerts are not real threats but false positives. Alert fatigue is nonetheless dangerous to an organization because it can lead to real threats not being adequately investigated. Those threats are left to dwell in the environment for longer, making it more likely that an attack causes lasting damage.
Anomalies are deviations from a normal pattern in one or more parameters that signal unexpected behavior. Anomalies are not, by definition, good or malicious. They are simply unexpected forms of behavior. An anomaly could be anything deviating from the normal, such as an abnormally high number of users logging into a system, a user moving an unexpectedly large amount of data to a pendrive, or a user logging into a system from an unexpected location.
In data mining, anomaly detection, also known as outlier detection, is the identification of unusual items, events, or observations that deviate from the dataset's normal behavior. These rare occurrences are of interest because their characteristics differ from the majority of the data. Detecting such anomalies lets organizations identify and respond to security threats and incidents that leave behind data suggesting suspicious behavior, bearing in mind that an anomaly is a lead to investigate, not a confirmed attack. The three main types of anomaly detection techniques are supervised (trained on labeled normal and abnormal examples), semi-supervised (trained on normal data only), and unsupervised (no labels; outliers are found from the structure of the data itself).
Automated alert triage
Automated alert triage, also called automated alert prioritization, is the automated process of working through a high volume of alerts and assessing each one to determine the severity of the threat it represents. Triage ensures that the most significant threats get the highest level of attention: high-impact alerts are flagged so that the incidents that matter most are handled first. Prioritizing the most critical alerts enables faster response and therefore faster remediation. Typical inputs to a priority score are the detection's severity, the detector's confidence in it, the criticality of the affected asset, and whether the same alert has already fired repeatedly.
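As an added example (not part of this glossary or any vendor's product), the following Python shows the two mechanics triage relies on: collapsing repeated alerts for the same rule and host into one, and ranking what remains by a score built from severity, asset criticality, and detector confidence. The severity weights, the asset inventory, and the sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass

# Assumed scoring inputs (constructed): severity weights and an asset-criticality lookup.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
ASSET_CRITICALITY = {"dc01": 3.0, "db-prod-2": 2.5, "ws-0421": 1.0, "ws-0777": 1.0}


@dataclass
class Alert:
    rule: str
    host: str
    severity: str
    confidence: float   # detector-reported confidence, 0.0 - 1.0
    count: int = 1      # how many raw alerts were merged into this one


def priority(alert):
    """Priority = severity weight x asset criticality x detector confidence."""
    return SEVERITY_WEIGHT[alert.severity] * ASSET_CRITICALITY.get(alert.host, 1.0) * alert.confidence


def dedupe(alerts):
    """Collapse repeated (rule, host) alerts into one entry, keeping the highest confidence.
    Copies are made so the input queue is left untouched."""
    merged = {}
    for a in alerts:
        key = (a.rule, a.host)
        if key in merged:
            merged[key].count += 1
            merged[key].confidence = max(merged[key].confidence, a.confidence)
        else:
            merged[key] = Alert(a.rule, a.host, a.severity, a.confidence)
    return list(merged.values())


def triage(alerts, top_n=3):
    """Return the top N deduplicated alerts as (rounded priority, merged count, alert)."""
    ranked = sorted(dedupe(alerts), key=priority, reverse=True)
    return [(round(priority(a), 2), a.count, a) for a in ranked[:top_n]]


# Constructed alert queue: three copies of a medium alert on a workstation, one critical
# alert on a domain controller, and some lower-value noise.
SAMPLE = [
    Alert("failed_login_burst", "ws-0421", "medium", 0.6),
    Alert("failed_login_burst", "ws-0421", "medium", 0.6),
    Alert("failed_login_burst", "ws-0421", "medium", 0.7),
    Alert("credential_dump_lsass", "dc01", "critical", 0.9),
    Alert("suspicious_powershell", "db-prod-2", "high", 0.5),
    Alert("av_quarantined_adware", "ws-0777", "low", 0.95),
]

if __name__ == "__main__":
    for score, count, alert in triage(SAMPLE):
        print(f"{score:6.2f}  x{count}  {alert.rule} on {alert.host}")
```

The domain-controller alert ranks first even though the workstation alert fired three times; the merged count is kept so the analyst still sees that it is recurring.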
Automated threat detection
Automated threat detection is the practice of automatically analyzing the security telemetry of an environment to detect malicious activity that could compromise the IT infrastructure. Automated threat detection solutions often combine sandboxing, behavioral analysis, continuous monitoring, machine learning, and other detection mechanisms.
Automation is critical in threat detection because algorithms work 24/7 without human assistance, ensuring that the organization's systems are monitored continuously. Attacks that match the deployed detection logic are therefore identified in significantly less time, which enables a faster response. Automation does not guarantee that every attack is caught: activity that no detector covers is still a false negative, which is why detection content must be maintained and measured.
Automated investigation is the automated process of gathering data related to an alert to establish what happened and to collect evidence. It ensures that analysts have a complete and accurate set of data when they handle a threat. By automatically collecting and analyzing contextual data (the host, user, process, and network activity around the alert), the alert can be validated, classified, and forwarded to incident response. Automated investigation significantly reduces both the dwell time of potential breaches and the alert fatigue caused by legacy tools.
Automated response refers to pre-configured, automated processes for responding systematically to security threats. As soon as the detection system flags an alert, the system categorizes it and responds with the appropriate pre-defined actions, such as isolating a host, blocking an IP address, or disabling an account. By reducing the need for human intervention, automated response drastically decreases response time. Because these actions can disrupt legitimate users if triggered by a false positive, disruptive responses are normally gated on detection confidence and corroborating evidence, while low-confidence alerts are routed to an analyst.
Autonomous investigation is a technology that provides advanced threat detection and automated incident response with the aim of comprehensive threat remediation and the prevention of long-dwelling breaches. It provides the full scope of a security incident to support detection, investigation, and remediation, building a comprehensive view of each incident by combining disparate alerts, events, and logs into one narrative. Autonomous investigation reduces the noise of false-positive alerts and automates incident investigation, which shortens the response time of security teams and results in better overall protection and cost savings. It can also improve visibility into attacks that typically bypass endpoint detection, such as breaches of vulnerable IoT devices that cannot run an agent, fileless malware, and firmware (BIOS/UEFI)-level attacks.
A botnet is a network of bots: Internet-connected programs that communicate with similar programs to perform tasks collaboratively. Botnets can be benign, but in common usage "botnet" refers to an illegal botnet of compromised devices assembled, used, and sold by cybercriminals for purposes such as DDoS attacks, spam, credential stuffing, and malware distribution.
C&C (Command and Control)
A command-and-control (C&C, also written C2) server is a computer controlled by an attacker that is used to send commands to systems compromised by malware and to receive stolen data from a target network.
Many campaigns have been found using cloud-based services, such as webmail and file-sharing services, as C&C channels to blend in with normal traffic and avoid detection. Detection therefore often looks at communication patterns (regular "beaconing" intervals, consistent payload sizes, rare destinations) rather than relying on destination reputation alone.
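As an added example (not part of this glossary), the Python below implements one of the pattern-based checks used both for C&C detection and in network traffic analysis: beaconing. An implant that polls its server on a timer produces connections whose inter-arrival times and sizes vary very little, so the coefficient of variation (standard deviation divided by mean) of those two series is small. The connection log is constructed; the thresholds are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log: "timestamp src dst bytes". A real source would be Zeek
# conn.log, firewall logs, or NetFlow. 10.0.0.5 -> 203.0.113.10 polls roughly every minute.
CONN_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10 512
2024-03-01T09:00:03 10.0.0.5 198.51.100.7 14020
2024-03-01T09:01:00 10.0.0.5 203.0.113.10 514
2024-03-01T09:02:01 10.0.0.5 203.0.113.10 510
2024-03-01T09:02:40 10.0.0.5 198.51.100.7 2200
2024-03-01T09:03:00 10.0.0.5 203.0.113.10 512
2024-03-01T09:04:00 10.0.0.5 203.0.113.10 515
2024-03-01T09:04:59 10.0.0.5 203.0.113.10 511
2024-03-01T09:09:12 10.0.0.5 198.51.100.7 803
2024-03-01T09:15:30 10.0.0.5 198.51.100.7 31000
"""


def parse(log):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def _cv(values):
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_score(events):
    """Return (interval_cv, size_cv); both near 0 for timer-driven traffic."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [n for _, n in events]
    return _cv(gaps), _cv(sizes)


def find_beacons(log, min_conns=5, max_interval_cv=0.2, max_size_cv=0.2):
    """Flag (src, dst) pairs with enough connections whose timing and size are both regular.
    Assumed thresholds; NTP, update checkers and monitoring agents beacon legitimately,
    so findings are scored against an allowlist before they become alerts."""
    found = []
    for (src, dst), events in parse(log).items():
        if len(events) < min_conns:
            continue
        icv, scv = beacon_score(events)
        if icv <= max_interval_cv and scv <= max_size_cv:
            found.append((src, dst, len(events), round(icv, 3), round(scv, 3)))
    return found


if __name__ == "__main__":
    for src, dst, n, icv, scv in find_beacons(CONN_LOG):
        print(f"beacon candidate {src} -> {dst}: {n} conns, interval cv={icv}, size cv={scv}")
```

The browsing-like traffic to 198.51.100.7 has too few connections and irregular sizes, so only the once-a-minute flow is reported. Jittered beacons (random sleep added by the implant) raise the interval coefficient of variation, which is why the threshold is tuned rather than fixed at zero.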
Cloud monitoring refers to the process of gathering and analyzing the data generated by operational workflows happening in cloud-based applications. Cloud monitoring makes it easier to identify patterns and discover potential security threats in the cloud infrastructure.
In the context of cybersecurity, cyber forensics (digital forensics) is the process of examining digital artifacts, such as storage media, memory, logs, and the devices that hold them, to gather evidence in the investigation of an exploit or criminal act, in a way that preserves the integrity of that evidence.
The steps involved in cyber forensics are acquisition, examination, analysis, and reporting. Techniques used include cross-drive analysis, live analysis (of a running system's volatile state), recovery of deleted files, stochastic forensics, and steganography detection.
A data breach is an incident in which confidential data is accessed or stolen from an IT infrastructure without authorization. Data breaches usually result in damage to the organization's reputation or in financial damage, for instance a ransom the attacker demands in exchange for not publishing the stolen data.
Under the European Union's General Data Protection Regulation (GDPR), regulators can impose substantial fines on organizations that fail to protect personal data and suffer a breach. A data breach can also cost the organization current or future customers and investors, limiting its earnings for an extended period.
Data encryption is a security method in which data is transformed with a cryptographic key so that it can only be decrypted by a party holding the correct key. Encrypted data is unreadable to anyone who obtains it without that key, so encryption is used to protect sensitive data at rest and in transit from malicious parties; its protection is only as good as the protection of the key.
Data exfiltration is a form of data theft in which malware or a malicious actor copies or transfers data from a server or an individual's computer without authorization. The main targets are larger organizations that hold large amounts of confidential, high-value data. Data exfiltration can be carried out by external attackers or by trusted insiders, and is often disguised as ordinary outbound traffic such as HTTPS uploads, DNS queries, or cloud storage synchronization.
A domain generation algorithm (DGA) is an algorithm that produces a large number of domain names. DGAs are used in a technique known as domain fluxing: many malware families use them to periodically generate large numbers of candidate domain names that serve as rendezvous points with their command-and-control servers, with the infected host and the operator deriving the same list from a shared seed (commonly the current date).
A large number of potential rendezvous points makes it difficult for law enforcement to shut down a botnet effectively, since infected computers try a portion of these domains every day to receive updates or commands, and the operator need only register a few of them. Defenders who reverse-engineer the algorithm can predict and sinkhole upcoming domains, which is why DGAs are often combined with public-key cryptography in the malware code: the malware rejects any update not signed by the operator's key, so law enforcement and other actors cannot impersonate the controllers even after taking over a domain.
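As an added example (not part of this glossary and not the algorithm of any real malware family), the Python below shows both sides of the problem: a toy date-seeded generator that gives an infected host and its operator the same daily candidate list, and a lexical detector that scores a domain's registrable label on length, character entropy, and vowel ratio. The generator's constants and the detector's thresholds are assumptions.

```python
import math
from datetime import date


def toy_dga(seed, day, count=5, length=16, tld="net"):
    """Illustrative date-seeded DGA. Both parties know `seed`; mixing in the date means the
    candidate list changes daily, so domains sinkholed today are useless tomorrow."""
    state = (seed * 1_000_003 + day.year * 10_000 + day.month * 100 + day.day) & 0x7FFFFFFF
    domains = []
    for _ in range(count):
        label = ""
        for _ in range(length):
            state = (1103515245 * state + 12345) & 0x7FFFFFFF   # plain LCG step
            label += chr(ord("a") + (state >> 16) % 26)
        domains.append(f"{label}.{tld}")
    return domains


def shannon_entropy(s):
    """Bits per character; a 16-character label of distinct letters scores 4.0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def dga_features(domain):
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # registrable label, the part a DGA randomizes
    vowels = sum(label.count(v) for v in "aeiou")
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3) if label else 0.0,
        "vowel_ratio": round(vowels / len(label), 3) if label else 0.0,
    }


def looks_like_dga(domain, min_len=12, min_entropy=3.2, max_vowel_ratio=0.3):
    """Lexical heuristic with assumed thresholds. Production detectors use n-gram or ML
    models trained on known families and still need allowlists for CDN and cloud hostnames
    that are legitimately random-looking."""
    f = dga_features(domain)
    return f["length"] >= min_len and f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio


if __name__ == "__main__":
    for d in toy_dga(seed=7, day=date(2024, 3, 1)):
        print(d, dga_features(d), "flagged" if looks_like_dga(d) else "passed")
    for d in ("mail.google.com", "qzvkwtpxbjrmdnls.net"):
        print(d, dga_features(d), "flagged" if looks_like_dga(d) else "passed")
```

Running the script prints the day's five candidates; most of them trip the heuristic because a random label has few vowels and near-maximal entropy, while a dictionary-word label such as google does not. Hosts that resolve many such names and receive NXDOMAIN for most of them are the usual network-side signal, since only the registered few will resolve.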
Dridex is a family of banking malware that leverages macros in Microsoft Office documents to infect systems. After a computer has been infected, Dridex operators can steal banking credentials and other personal information to gain access to the victim's online banking. Dridex typically arrives as a malicious spam email with a Microsoft Word (or Excel) document attached.
If the user opens the document and enables macros, the embedded macro silently downloads the Dridex banking malware, which first steals banking credentials and then attempts to generate fraudulent financial transactions. The victims are Windows users who open such an attachment and allow its macros to run. Blocking macros in documents that arrived from the Internet and filtering macro-enabled attachments at the email gateway removes the initial access step.
Endpoint security is the approach of securing endpoints or entry points of end-user devices such as laptops, desktops, and mobile devices from being attacked by malicious actors or malware. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats.
EDR (Endpoint Detection & Response)
Endpoint detection and response (EDR) is a security solution that combines the collection and continuous monitoring of endpoint data with automated response capabilities. EDR addresses the need for constant monitoring of, and response to, advanced threats on endpoints. It is a subset of endpoint security technologies and an essential piece of a sound security posture. Not all EDR solutions work the same way: some perform analysis on the agent, while others do most of the work on the backend, so different products have different capabilities and meet different needs.
An email gateway is a device or software that inspects emails sent to and from an organization. A secure email gateway is designed to block emails that carry malicious content. Messages typically classified as unsafe and blocked include spam, phishing attacks, malware, and fraudulent content. If the email gateway misses or fails to identify a threat, the organization can fall victim to a cyber attack, which is why gateway filtering is layered with endpoint controls and user reporting.
False positives are mislabeled security alerts: the system indicated a threat where there was none. False-positive alerts add noise for a security team that is already overwhelmed by the number of alerts and incidents. Most enterprise SOC teams receive thousands, if not more, false-positive alerts daily. The overwhelming number of false positives leads to alert fatigue, so a detection system that minimizes false positives (without raising false negatives) is valuable to every SOC.
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been the first line of defense in network security for many years, creating a barrier of traffic between secured and controlled internal networks that can be trusted and untrusted external networks.
Incident response is an action plan developed by an organization or individual to counteract intrusions, cyber theft, denial of service, and other security-related incidents (many plans also cover physical events such as fire and flood). The response process comprises several phases, commonly preparation; detection and analysis; containment, eradication, and recovery; and post-incident review. The main goal of incident response is to minimize attack-related costs and recovery time, in short, to limit the damage an incident can cause.
Infostealer is a detection name used by Symantec for malicious software that gathers confidential information from the compromised computer. It is a type of Trojan horse with a specific payload goal: it collects confidential information and sends it to a predetermined location. The information can be financial, related to the compromised computer, or user credentials for various websites; often the Trojan steals a combination of all three.
Insider threats are threats posed by individuals who use their authorized access, wittingly or unwittingly, to disclose, modify, or delete sensitive information in the organization's systems. Traditional preventative security measures are often ineffective against insider threats because they primarily target external attackers, whereas the insider's actions use legitimate credentials. Behavior analytics using machine learning, which compares a user's activity against their own baseline, can be an effective tool for detecting this type of threat.
Intrusion detection (ID) is the practice of monitoring computers and networks for signs of compromise. An ID platform collects and analyzes large quantities of data from a computer or network to identify potential security breaches, including misuse and intrusions.
Intrusion detection complements vulnerability assessment, the technology used to assess how well a computer system or network is secured: assessment finds weaknesses before they are exploited, while detection spots exploitation as it happens. Intrusion detection systems range in scope from monitoring a single host (host-based IDS) to an entire network (network-based IDS).
Intrusion Detection System
An intrusion detection system is an appliance or software application that monitors a network or systems for malicious or potentially dangerous activity and policy violations. Any malicious activity or violation is usually reported to an administrator or collected centrally by a security information and event management (SIEM) system. Signature-based systems match traffic against known attack patterns; anomaly-based systems flag deviations from a learned baseline.
Some intrusion detection systems are augmented with tools such as a honeypot to attract and categorize malicious traffic.
A logic bomb is a piece of code intentionally inserted into a software system to set off a malicious function when specified conditions are met. For example, a programmer may hide code that starts deleting files should their account ever be removed from the company's payroll system.
Software and other intentionally malicious threats often contain logic bombs that are triggered when a certain payload or another predefined condition is met. To be considered a logic bomb, the payload must be unwanted by, and unknown to, the user; time-limited trial software, for instance, is not a logic bomb.
Machine learning is a subset of artificial intelligence (AI) that enables software to become more accurate at predicting outcomes without being explicitly programmed for each case. Machine learning algorithms use historical data as input to predict new output values. In cybersecurity, machine learning is used to be more proactive in preventing threats and more accurate in detecting them.
Machine learning-based threat detection
Machine learning-based threat detection uses mathematical algorithms and statistical models to find patterns in an organization's security data that could indicate a threat. The two main types of machine learning are supervised and unsupervised learning. Supervised detection is trained on examples labeled (by humans or prior verdicts) as malicious or benign, whereas unsupervised detection groups related evidence without labels and then surfaces the groups for investigation to determine whether they indicate an attack. Both have pros and cons: supervised models only recognize what resembles their training data, while unsupervised models find novel activity but produce more false positives. For this reason it is beneficial to use both so that they complement each other.
Supervised machine learning is commonly used in security for phishing prevention, fraud detection, network traffic analysis, and file scanning; the model is trained on known malicious behavior to automatically detect incidents similar to ones previously seen. Unsupervised algorithms can associate and cluster communications based on similarities in the individual and collective behavior of users and destination hosts. By learning baselines and deviations, the algorithm can distinguish abnormal behavior and group similar activities, organizing alerts and reducing noise. Machine learning detection is becoming increasingly common in the security community as attackers automate and scale their own operations.
Malware is short for malicious software: any software used to interrupt or disrupt computer operations, gather sensitive information, or gain access to files or programs with hostile intent. Malware can enter a system through infected software, removable drives, web pages, or emails, and then exfiltrate data or lock access to it. Well-known types include viruses and email worms (such as ILOVEYOU), network worms (such as Conficker), trojans and loaders (such as Emotet and Zbot/Zeus), spyware (such as CoolWebSearch), and ransomware (such as CryptoLocker and WannaCry).
Malware detection refers to detecting the presence of malware on a host system or determining whether a specific program is malicious or benign.
Malware remediation is the process of removing all traces of malicious code from a network while leaving legitimate files untouched. It is the process by which the malware is identified, assessed, flagged, prioritized, and resolved, including its persistence mechanisms and any accounts or tools the attacker left behind. Failing to remove the code fully is partial remediation; it is harmful to network security because it allows the malware to continue to affect the system.
Malware response refers to how an organization deals with malware that has entered its network. It should include all procedures and policies that the security team follows in case of a breach and the process of detection, investigation, and response used to find the malware and fully remediate the breach.
The response must be quick, accurate, and complete in order to remove the malware entirely from the network with minimal damage to the organization's data and reputation. One of the most common and dangerous types of malware is ransomware, in which case the attacker blocks the organization from its data until the demanded ransom is paid.
Network Traffic Analysis (NTA)
Network traffic analysis, or NTA, a category originally named by Gartner, is the process of intercepting, recording, and analyzing network traffic communication patterns in order to detect and respond to security threats. Because it looks at patterns (who talks to whom, how often, and how much) rather than only at payloads, it remains useful even when traffic is encrypted.
Noisy detection is the term used in cybersecurity to refer to a Security Information and Event Management (SIEM) system sending many false-positive alerts to the security operations team. A typical enterprise has to attend to hundreds or thousands of false-positive alerts daily, which creates noise in the system and prevents the security team from focusing on real threats by forcing them to investigate benign alerts. Noisy detection distracts security teams from the threats that matter and allows real threats to infiltrate the organization's systems.
The number of false-positive alerts, or noise, an organization faces each day can be overwhelming and highlights the lack of resources, such as personnel, that many security operations centers face. With a detection system that reduces noise, the security team can function more efficiently and effectively.
Orchestration refers to a SOAR platform's ability to manage or control other technologies through defined connectors in order to execute playbooks. Most commercial SOAR platforms offer several methods of establishing the connection needed for orchestration; the most common is through REST APIs exposed by the other technologies.
A packet is a unit of data routed between an origin and a destination on the Internet or any other packet-switched network. When any file (such as an email message, HTML file, GIF image, or URL request) is sent from one place to another, the Transmission Control Protocol (TCP) layer of TCP/IP splits it into smaller segments that are routed independently and reassembled at the destination. Packet capture is the interception and recording of these packets as they cross a network.
Traditional NTA solutions based on full packet capture (what we will call legacy network traffic analysis) require significant investments of time and money to get up and running, because they need special sensors (network taps or mirror ports) installed at each observation point.
Packet Capture Analysis
Packet capture is a cybersecurity and networking term for intercepting a data packet that is traversing a specific computer network. Once a packet is captured, it is stored so that it can be analyzed. The packet is then examined to diagnose network-related issues and to determine whether network security policies are being obeyed. Attackers can use the same packet-capturing techniques to take data that is being transmitted across a network, which is one reason traffic should be encrypted in transit.
Network administrators and SOC managers analyze and are responsible for overall network traffic and performance. To examine and capture packets in real time over a network, a wide array of packet capture techniques is used for forensics, identifying packet loss, troubleshooting, and security. Packet capture can be used legitimately or illegitimately: legitimate sniffing captures traffic to find and fix errors and keep network communication effective, while illegitimate sniffing steals data from it.
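As an added example (not part of this glossary), the Python below builds a two-packet capture in memory and then parses it back, which is the minimum a practitioner needs to understand what a packet capture file actually contains: a 24-byte global header, a 16-byte record header per packet, and then the raw Ethernet, IPv4, and TCP headers. The parser also verifies the IPv4 header checksum. The frames, addresses, and timestamps are constructed; the function names are this example's own.

```python
import socket
import struct


def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words. Over a header that already holds a
    correct checksum the result is 0, which is how the parser verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, sport, dport, tcp_flags):
    """Ethernet + IPv4 + TCP header with no payload (TCP checksum left 0 for brevity)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"), 0x0800)
    return eth + ip + tcp


def build_pcap(frames, link_type=1):
    """Classic little-endian pcap: magic, version 2.4, zone, sigfigs, snaplen, link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1709283600 + i, 0, len(frame), len(frame)) + frame
    return out


TCP_FLAG_NAMES = "FSRPAU"   # FIN, SYN, RST, PSH, ACK, URG occupy bits 0..5


def parse_pcap(data):
    """Decode Ethernet/IPv4/TCP headers from pcap bytes; one dict per IPv4 packet."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue   # truncated, or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        _vi, _tos, _tlen, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
        pkt = {"ts": ts_sec + ts_usec / 1e6, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
               "ttl": ttl, "proto": proto, "ip_checksum_ok": ip_checksum(ip_hdr) == 0}
        if proto == 6 and len(frame) >= 14 + ihl + 20:
            sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", frame[14 + ihl:14 + ihl + 14])
            pkt.update(sport=sport, dport=dport,
                       flags="".join(n for i, n in enumerate(TCP_FLAG_NAMES) if flags >> i & 1))
        packets.append(pkt)
    return packets


# Constructed capture: a SYN from a workstation to a server on 443 and the SYN-ACK back.
SAMPLE_PCAP = build_pcap([build_frame("10.0.0.5", "203.0.113.10", 51514, 443, 0x02),
                          build_frame("203.0.113.10", "10.0.0.5", 443, 51514, 0x12)])

if __name__ == "__main__":
    for p in parse_pcap(SAMPLE_PCAP):
        print(p)
```

Writing `SAMPLE_PCAP` to a file gives something Wireshark or tcpdump will open, which is a quick way to confirm a hand-built parser against a reference decoder. A capture taken from a real sensor also carries payload bytes after the TCP header, which is where the stored data an attacker can sniff (and a defender can inspect) actually lives.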
Cyber mitigation refers to the policies and processes a company enforces to prevent security incidents and data breaches and to limit the extent of the damage when attacks occur. Partial mitigation is when this process is not fully completed after a security breach, typically due to a lack of information, which leaves the company vulnerable to the same threat in the future. The three main aspects of cyber mitigation are prevention, identification, and remedy/response; when any of these steps is not fully completed, it is referred to as partial mitigation.
In cybersecurity, remediation refers to an organization's process for identifying and resolving existing threats in its systems: the process by which risk is identified, assessed, flagged, prioritized, and resolved. Partial remediation is when a threat is only partially removed from the system, leaving some part of it (a second implant, a persistence entry, a compromised account) in the network.
This typically results from poor network visibility and a lack of available information. It means the threat can continue to infect the organization's network and pursue its malicious goal, whether stealing information, hurting operations, or damaging software and hardware. Providing the context of a threat helps prevent partial remediation, since it guides the security team while they prioritize threats and alerts. Without proper context, emphasis can easily be placed in the wrong place, leaving a threat dwelling in the network.
Phishing is an attempt to acquire sensitive information such as usernames, passwords, and credit card details by impersonating a trustworthy entity. Phishing emails may contain links to websites that host malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details on a fake website whose look is almost identical to the legitimate one.
Playbooks are series of actions that are executed when certain conditions are met, enabling the automation of procedures. For instance, a playbook can be triggered by a specific security alert and automatically respond to the threat. The main benefits of playbooks are faster response times and the ability to remediate known threats without human intervention, maximizing SOC effectiveness. A playbook normally combines enrichment steps (looking up the indicator, the asset, the user) with decision points that determine which containment actions run automatically and which are left to an analyst.
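As an added example (not part of this glossary or any SOAR product), the Python below is a minimal playbook runner of the kind the automated-response, orchestration, playbook, and SOAR entries describe: a trigger selects the playbook, each step sees the results of the steps before it, and the containment step only isolates a host when threat intelligence corroborates the alert and the detector's confidence is high. The connectors are hypothetical stand-ins that record their actions instead of calling real EDR, firewall, or ticketing APIs; the alerts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


class Connectors:
    """Hypothetical stand-in for SOAR connectors. Each method records what it did
    rather than calling a vendor REST API."""

    def __init__(self):
        self.actions = []   # audit trail, which a real platform keeps in the case record

    def enrich_ip(self, ip):
        # Constructed threat-intel verdict; a real connector would query a TI platform.
        return {"ip": ip, "known_c2": ip == "203.0.113.10"}

    def isolate_host(self, host):
        self.actions.append(("isolate_host", host))
        return True

    def block_ip(self, ip):
        self.actions.append(("block_ip", ip))
        return True

    def open_ticket(self, summary, severity):
        self.actions.append(("open_ticket", summary, severity))
        return f"TICKET-{len(self.actions)}"   # hypothetical ticket id


@dataclass
class Playbook:
    name: str
    trigger: Callable[[dict], bool]                          # alert -> run this playbook?
    steps: List[Tuple[str, Callable[[dict, Connectors, dict], object]]]


def run_playbooks(alert, playbooks, connectors):
    """Run every playbook whose trigger matches the alert. Each step's return value is
    stored under its name so later steps can make decisions on it."""
    results = {}
    for pb in playbooks:
        if not pb.trigger(alert):
            continue
        ctx = {}
        for name, fn in pb.steps:
            ctx[name] = fn(alert, connectors, ctx)
        results[pb.name] = ctx
    return results


def step_enrich(alert, c, ctx):
    return c.enrich_ip(alert["dst_ip"])


def step_contain(alert, c, ctx):
    # Disruptive actions are gated on corroboration AND confidence so that a single
    # false positive cannot take a production host offline.
    if ctx["enrich"]["known_c2"] and alert["confidence"] >= 0.8:
        return {"isolated": c.isolate_host(alert["host"]), "blocked": c.block_ip(alert["dst_ip"])}
    return {"isolated": False, "blocked": False}


def step_ticket(alert, c, ctx):
    severity = "high" if ctx["contain"]["isolated"] else "medium"   # un-contained => analyst review
    return c.open_ticket(f"{alert['rule']} on {alert['host']} -> {alert['dst_ip']}", severity)


C2_PLAYBOOK = Playbook(
    name="c2_beacon_response",
    trigger=lambda a: a["rule"] == "c2_beacon",
    steps=[("enrich", step_enrich), ("contain", step_contain), ("ticket", step_ticket)],
)


def demo():
    """Two constructed alerts: one corroborated by TI, one not. Returns the action trail."""
    c = Connectors()
    corroborated = {"rule": "c2_beacon", "host": "ws-0421", "dst_ip": "203.0.113.10", "confidence": 0.9}
    uncorroborated = {"rule": "c2_beacon", "host": "ws-0777", "dst_ip": "198.51.100.7", "confidence": 0.9}
    run_playbooks(corroborated, [C2_PLAYBOOK], c)
    run_playbooks(uncorroborated, [C2_PLAYBOOK], c)
    return c.actions


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Both alerts get a ticket, but only the workstation talking to a known C&C address is isolated; the other is left for an analyst with a medium-severity ticket. Keeping the audit trail of actions is what lets the SOC review and roll back an automated response that turns out to have been wrong.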
Ransomware is a type of malware, originating in cryptovirology, that threatens to publish the victim's data or to block access to it permanently unless a ransom is paid. Modern ransomware encrypts the victim's files with a key the attacker controls, and many operators also exfiltrate data first so that they can extort the victim twice. Ransomware is illegal and is used in a wide range of crimes to extort individuals and organizations for money and information.
The security analyst plays an essential role in keeping an organization's proprietary and sensitive information protected. Analysts often work across departments to identify and correct flaws in the company's security programs, solutions, and systems, and recommend specific measures to improve the overall security posture. They are responsible for ensuring that the company's digital assets are protected from unauthorized access, which includes securing both cloud and on-premises infrastructure, digging through metrics and data to filter out possibly malicious activity, and detecting and mitigating risks before breaches occur. SOC analysts are on the front line if a breach does occur, leading the response to the attack. Security analysts can be responsible for many tasks, including monitoring security access, performing security tests through vulnerability testing and risk analysis, conducting authorized penetration tests (ethical hacking), investigating security breaches to identify the root cause, analyzing internal and external security audits, and updating the company's incident response processes.
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM) is a solution that provides system monitoring, threat detection, and alerting on security events or incidents within an IT environment. SIEM provides a comprehensive and centralized view of the security posture by collecting log data generated throughout the entire IT infrastructure, from cloud systems and applications to network and security devices such as firewalls and anti-virus software. SIEM identifies, categorizes, and analyzes incidents and events; SIEM analytics delivers real-time alerts, dashboards, and reports to several business and management units. Some modern SIEMs also apply machine learning, including unsupervised models, to enable advanced threat detection and response. The core of a SIEM remains its correlation rules, which tie individual events together into a single alert (for example, many failed logins followed by a successful one from the same source within a short window).
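As an added example (not part of this glossary or any SIEM product), the Python below implements one such correlation rule over a constructed sshd log excerpt: at least five failed logins from one source within a ten-minute sliding window, followed by a successful login from that source. The threshold, window, and log year are assumptions; the regular expression matches the standard OpenSSH password-authentication messages.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt, as a SIEM would receive it over syslog. The 08:40 failure
# is outside the 10-minute window and must not be counted; bob's single failure is benign.
SAMPLE_LOG = """\
Mar  1 08:40:00 bastion sshd[1190]: Failed password for admin from 198.51.100.23 port 39990 ssh2
Mar  1 09:00:01 bastion sshd[1201]: Failed password for admin from 198.51.100.23 port 40001 ssh2
Mar  1 09:00:20 bastion sshd[1202]: Failed password for admin from 198.51.100.23 port 40002 ssh2
Mar  1 09:00:41 bastion sshd[1203]: Failed password for admin from 198.51.100.23 port 40003 ssh2
Mar  1 09:01:05 bastion sshd[1204]: Failed password for admin from 198.51.100.23 port 40004 ssh2
Mar  1 09:01:30 bastion sshd[1205]: Failed password for admin from 198.51.100.23 port 40005 ssh2
Mar  1 09:03:10 bastion sshd[1209]: Accepted password for admin from 198.51.100.23 port 40007 ssh2
Mar  1 09:05:00 bastion sshd[1210]: Failed password for bob from 10.0.0.9 port 50001 ssh2
Mar  1 09:05:30 bastion sshd[1211]: Accepted password for bob from 10.0.0.9 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log, year=2024):
    """Syslog timestamps carry no year, so one is assumed. Returns events sorted by time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # a real pipeline counts unparsed lines; silently dropping them hides gaps
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["src"], m["user"], m["outcome"]))
    return sorted(events)


def correlate(log, threshold=5, window=timedelta(minutes=10)):
    """Rule: >= threshold failed logins from one source within `window`, then a success
    from the same source. Emits one finding per qualifying success."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    findings = []
    for ts, src, user, outcome in parse_events(log):
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()          # slide the window forward
        if outcome == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            findings.append({"rule": "brute_force_then_success", "src": src, "user": user,
                             "failures": len(recent), "time": ts.isoformat()})
            recent.clear()            # do not re-alert on the same burst
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

Requiring the success makes this a high-confidence rule; the failures alone would be a separate, lower-priority "brute-force attempt" rule. Windowing per source address is what keeps a slow trickle of failures from accumulating into a false alert.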
Security operations center (SOC)
A security operations center is a centralized unit within an organization that monitors, analyzes, and protects the organization from cyberattacks. SOCs are an essential part of minimizing the costs of a potential cyberattack by responding to incidents and improving detection and prevention processes.
SOAR (Security orchestration automation and response)
Security orchestration, automation, and response (SOAR) is a solution that combines incident response, orchestration and automation, and threat intelligence management into a single platform. It helps security teams respond more efficiently to the increasing number of security alerts by collecting threat data and alerts from multiple sources. SOAR platforms can automatically prioritize and respond to security threats and incidents, reducing manual work for the security team.
SOC automation is when a security operations center automates parts of its cyber defense, such as detection, investigation, and response. The most common form of SOC automation is via SOAR (security orchestration, automation, and response).
SOC automation aims to augment the SOC team and to shorten the time from detection to remediation. Most SOCs face staffing shortages that make it overwhelming, if not impossible, to handle the number of alerts they receive. By automating aspects of the SOC, the team can focus on complex threats instead of spending time on benign alerts or known threats.
Threat detection is the discipline of identifying attacks that get past preventive controls. It is built into appliances or integrated with existing security infrastructure, for instance ingesting a web gateway's logs for analysis. Threat detection applies large-scale analytics to find malware or remote-access threats attempting to enter an organization's network with malicious intent, such as to lock files or exfiltrate data. Threat detection solutions often include capabilities such as clustering, behavioral analysis, and automated investigation. Threat detection is a foundation of cybersecurity because it identifies threats and malicious communications and provides the information needed to update preventive controls such as firewalls and anti-virus software.
Threat hunting is a dynamic and proactive cyber defense task: the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. It contrasts with traditional threat management, which investigates a threat only after an alert has fired. The three main categories of threat hunting are analytics-driven, situational-awareness-driven, and intelligence-driven.
Threat intelligence (TI)
Threat intelligence (TI) is the information an organization uses to understand the threats that could target it. It is used to prevent and identify possible attacks. TI provides evidence-based knowledge, such as the characteristics of a malware family or a specific technique a threat actor uses to steal valuable data. TI programs collect and analyze data on the latest threats from a wide range of trusted sources. The information includes context, mechanisms, and indicators (such as domains, IP addresses, and file hashes), which help SOCs prevent and mitigate cyberattacks on the IT infrastructure. Preparing for every threat is impossible, but the more information about potential threats, the more comprehensive the defense.
User and entity behavior analytics (UEBA)
User and entity behavior analytics (UEBA) is a security tool that monitors and analyzes the behavior of users and entities to discover abnormal and risky behavior. UEBA can detect incidents that traditional tools miss, because it does not depend on predefined correlation rules or attack patterns. Instead, UEBA uses machine learning or statistical models to build baselines for every user and entity (hosts, service accounts, applications) and flags behavior that deviates from them, referred to as anomalous behavior. Because anomalies are deviations rather than verdicts, UEBA findings are usually scored and combined with other evidence before an analyst acts on them.
Undetected threats are malicious communications and activities that the SOC fails to identify in the network; such a miss is also called a false negative. Undetected threats can lead to long-dwell breaches and damage to the organization, including data exfiltration, regulatory fines, and reputational damage.
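As an added example (not part of this glossary or any UEBA product), the Python below shows the per-entity baselining that UEBA relies on and the unsupervised anomaly detection the anomaly-detection entry describes: each user's daily upload volume is compared with that user's own history using a median/MAD robust z-score, and a categorical feature (login country) is checked against the set seen during the baseline period. The fourteen-day histories and today's observations are constructed; the z threshold is an assumption.

```python
import statistics

# Constructed 14-day history per user: daily megabytes uploaded to external sites, plus the
# countries each user logged in from during the baseline period. Bob's 900 MB day is a
# past one-off that a mean/stdev baseline would let swallow later anomalies.
HISTORY = {
    "alice": {"upload_mb": [40, 55, 38, 60, 42, 47, 52, 39, 44, 58, 41, 50, 45, 49], "countries": {"DE"}},
    "bob":   {"upload_mb": [5, 7, 4, 6, 5, 900, 6, 5, 7, 4, 6, 5, 5, 6], "countries": {"DE", "FR"}},
}

# Constructed observations for the day being scored.
TODAY = {
    "alice": {"upload_mb": 1200, "country": "DE"},
    "bob":   {"upload_mb": 6,    "country": "BR"},
}


def robust_z(value, history):
    """Median/MAD z-score. 0.6745 scales MAD to the standard deviation of a normal
    distribution so the usual z thresholds apply. A single past outlier barely moves it."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")   # constant history: any change is anomalous
    return 0.6745 * (value - med) / mad


def score_user(user, obs, baseline, z_threshold=3.5):
    """Combine a numeric deviation with a never-seen-before categorical value."""
    reasons = []
    z = robust_z(obs["upload_mb"], baseline["upload_mb"])
    if z > z_threshold:
        reasons.append(f"upload volume z={z:.1f}")
    if obs["country"] not in baseline["countries"]:
        reasons.append(f"first login from {obs['country']}")
    return {"user": user, "z": round(z, 2), "anomalous": bool(reasons), "reasons": reasons}


def detect(today=TODAY, history=HISTORY):
    return [score_user(user, obs, history[user]) for user, obs in today.items()]


if __name__ == "__main__":
    for result in detect():
        print(result)
```

Alice's 1,200 MB day is flagged purely on volume; Bob's volume is normal for him (despite the old 900 MB spike in his history) and he is flagged only for a first login from a new country. Both are leads, not verdicts: the next step in a SOC is to enrich them (is Alice's destination a sanctioned backup service? did Bob book travel?) before anyone acts.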
A secure web gateway offers protection against online security threats by enforcing company security policies and filtering malicious Internet traffic in real time. A web gateway aims to prevent unwanted, and potentially malicious, traffic from entering an organization's network. Organizations use web gateways to protect their employees from accessing malicious websites and being infected by malicious web traffic, viruses, and other malware. If the web gateway misses or fails to identify a threat, the organization can fall victim to a cyber attack.
Workflow automation is the process of automating the design and execution of processes according to workflow rules, routing tasks, data, or files between people and systems. It works from predefined business rules to make processes more consistent and efficient. In security operations, workflow automation is used to automate playbooks in SOCs or MSSPs as well as daily tasks such as ticket creation and notification.
XDR (Extended detection and response)
Extended detection and response (XDR) is a unified security incident detection and response platform. XDR offerings are a natural evolution of endpoint detection and response tools. An XDR platform automatically collects and correlates data from multiple security components (endpoint, network, email, cloud, identity), typically from the same vendor. XDR tools are similar in function to SIEM and SOAR tools, but they are differentiated by the level of integration of their products at deployment and by their focus on threat detection and incident response use cases.