
Partner Perspectives
7/21/2016 10:00 AM
Brett Kelsey

Five Ingredients Of An Intelligence-Driven Security Operations Center: Part 3 In A Series

As enterprises adopt new ways of thinking about security, they also must make changes in their operations centers to support the new mindset. Here's what's needed.

The second blog post of our series dealt with the shifts in mindset that are necessary for the adoption of an adaptive approach to security, as Gartner puts forth in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. In the third and final post of this series, we’ll talk about transformations that are required in your security operations center (SOC) in order to support this shift.

Continuous Detection And Response

I’m a bit of a car guy, and I enjoy driving as much as getting to the destination, particularly when it comes to the ski resorts in the Lake Tahoe area of California. When I’m behind the wheel there, I’m continually on high alert, scanning the road for potential issues — especially in the winter. It could be something as simple as merging traffic or something hidden, like black ice, or something completely unexpected like a bear lumbering across the road. Similar to a driver on a long journey, an intelligence-driven SOC needs to move away from the traditional incident response model to what Gartner calls “continuous, pervasive monitoring and visibility that are constantly analyzed for indications of compromise.” And this ongoing cycle of monitoring and analytics must be implemented across all technology layers—the network, endpoints, the application front-end and backend, information/data, and yes, even users.

How can you enable continuous detection and response? The key elements include ingesting both internal and external threat intelligence and deriving contextual information from the data that’s relevant for your business. Next, you must correlate that information so that your solution sets can share the data and act in concert in order to respond more quickly and effectively. By incorporating technologies that unify and facilitate the protection, detection, and correction processes of the threat defense life cycle across your security infrastructure, a best-of-breed approach can be made to work.

Pervasive Visibility

Getting back behind the wheel for a moment, did you ever consider that manufacturers put brakes on a car so that you can go faster? Because of the improvements in safety features in cars, speed limits have actually increased over the years on some roads. Airbags, blind spot and lane detection, and other collision mitigation technologies all work together as a single, coordinated system so that we can drive safely at higher speeds and under challenging conditions. In the same way, pervasive visibility, where all your security components are collaborating, allows a business to operate at a faster pace. Now you can catch things that are coming at you more quickly and efficiently.

In a traditional multivendor, siloed SOC, individual security technologies are controlled by unintegrated, incompatible management consoles that can’t communicate with one another and don’t easily share intelligence. At the heart of an adaptive SOC is the ability to see everything across systems, users, and networks, with those components working together. Once you have end-to-end visibility, you can start mining all that rich internal threat intelligence for indicators of attack or indicators of compromise. If you want to take it up a notch, add external threat intelligence from third-party feeds or other trusted organizations. This type of data can provide you with valuable insights about threat characteristics and behaviors that enable you to look for similar patterns in your own environment.

Churning Through Massive Amounts Of Threat Data With Analytics

A consequence of pervasive visibility and threat intelligence is copious amounts of data. It’s much like driving through a blizzard in the mountains. You take in a great deal of data as you navigate this hazardous situation — snow, ice, wind, skidding cars, and pile-ups. Ultimately, you have to ingest this information, analyze it, and determine what matters most. This is where automation comes in — things like the information from apps such as Waze that alert you to traffic conditions ahead, built-in infrared night vision that helps you see farther, and adaptive braking systems that stop the car in an emergency.

In security, a similar issue arises: how do you corral and make use of this resource? The more data you have coming at you, the more you have to rely on machine automation to help you move swiftly and accurately when security incidents come up. Strong analytics technology, for example, helps identify characteristics associated with suspicious incidents and correlate them. You’ll need to establish baselines so that you know what looks normal for a particular user at a particular time of day in a particular part of the world, and therefore what deviates from that pattern. Analytics can help determine whether anomalous activity is real or not. It weighs contextual data to reduce noise and false positives, so that you can apply your resources to the events that appear to be real and have the greatest impact.
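To make the baseline idea concrete, here is an added example (not code from the original post or from Intel Security) that builds a per-user login baseline of usual hours and countries from a handful of constructed, synthetic authentication log lines, then scores new events by how far they deviate. The log format, user names, countries, scoring weights and the two-hour tolerance are all assumptions for illustration.

```python
"""Added example: per-user login baselines and anomaly scoring.
The log lines below are constructed for illustration; the CSV layout
(timestamp,user,src_country,result) and the weights are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed history of past logins used to learn what "normal" looks like.
HISTORY = """\
2016-06-01T08:05:00,alice,US,success
2016-06-01T09:12:00,alice,US,success
2016-06-02T08:40:00,alice,US,success
2016-06-03T17:55:00,alice,US,success
2016-06-01T22:10:00,bob,DE,success
2016-06-02T23:05:00,bob,DE,success
2016-06-03T21:48:00,bob,DE,success
2016-06-03T22:30:00,bob,DE,failure
""".splitlines()

# Constructed new events to be scored against the baseline.
NEW_EVENTS = """\
2016-06-04T08:30:00,alice,US,success
2016-06-04T03:15:00,alice,RU,success
2016-06-04T22:05:00,bob,DE,success
2016-06-04T22:20:00,bob,FR,success
2016-06-04T10:00:00,carol,US,success
""".splitlines()


def parse(line):
    ts, user, country, result = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "result": result}


def build_baselines(lines):
    """Per user: the hours of day and source countries seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "countries": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue  # failed attempts should not teach the baseline
        base[ev["user"]]["hours"].add(ev["ts"].hour)
        base[ev["user"]]["countries"].add(ev["country"])
    return base


def score(ev, base, tolerance_hours=2):
    """Return (score, reasons); a higher score is a larger deviation from baseline."""
    profile = base.get(ev["user"])
    if profile is None:
        return 3, ["no baseline for user"]
    s, reasons = 0, []
    if ev["country"] not in profile["countries"]:
        s += 2
        reasons.append(f"country {ev['country']} never seen for {ev['user']}")
    # An hour within +/- tolerance of any baseline hour (wrapping at midnight) is normal.
    hour = ev["ts"].hour
    near = any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance_hours
               for h in profile["hours"])
    if not near:
        s += 1
        reasons.append(f"hour {hour:02d} outside usual window")
    return s, reasons


def triage(lines, base, threshold=2):
    """Keep only events at or above the threshold, so analysts see the deviations, not the noise."""
    out = []
    for line in lines:
        ev = parse(line)
        s, reasons = score(ev, base)
        if s >= threshold:
            out.append((ev["user"], s, reasons))
    return out


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, s, reasons in triage(NEW_EVENTS, baselines):
        print(f"{user}: score {s}: " + "; ".join(reasons))
```

Run as-is, the script flags alice's 03:15 login from a never-seen country, bob's login from a new country at his usual hour, and carol, for whom there is no baseline at all, while alice's routine 08:30 US login scores zero and is suppressed. In production the threshold and tolerance would be tuned per population, and the "no baseline" case would route to enrichment rather than straight to an analyst.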

Automation Of Routine Processes

One of the hallmarks of an intelligence-driven SOC is thoughtfully implemented automation, similar to the automation in today’s automobiles. As I’ve mentioned in a previous blog post, there’s a growing scarcity of qualified security professionals. We need to automate routine processes so that these talented individuals can be freed up to do the critical work of analysis. But we need to proceed with caution. For example, it would be counterproductive for automated response systems to completely shut down a CEO’s computer because they see a suspicious file.

So, rather than get too attached to the concept of “automation,” I prefer to think in terms of “automatability,” which both makes use of machine automation and introduces human analysis into the process before you take drastic measures, like shutting down an executive’s computer. Above all, you want to make certain that you create a process and workflow that suits your operation and that you can trust and continually improve.
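The following is an added example of that "automatability" gating, not code from the original post or from any product it mentions. It takes constructed alerts with an assumed confidence score and an assumed asset tier, performs the cheap, reversible steps automatically, and queues the drastic step (isolating the host) for analyst approval whenever the asset is critical. The field names, tiers, action names and the 0.9 threshold are assumptions for illustration.

```python
"""Added example: a response-gating playbook that automates routine
containment but keeps a human in the loop before drastic actions.
Alert fields, asset tiers, action names and thresholds are assumed."""
from dataclasses import dataclass


@dataclass
class Alert:
    id: str
    host: str
    asset_tier: str       # assumed tiers: "standard" or "critical" (e.g. an executive's laptop)
    verdict: str          # e.g. "known_malware", "suspicious_file"
    confidence: float     # 0.0 to 1.0, from analytics or a threat-intel match


@dataclass
class Decision:
    alert_id: str
    automated: list         # reversible actions taken immediately, no human needed
    pending_approval: list  # drastic actions queued for an analyst
    reason: str


AUTO_CONFIDENCE = 0.9              # assumed: act without a human only above this
AUTO_ISOLATE_TIERS = {"standard"}  # assumed: only standard endpoints may be auto-isolated


def decide(alert):
    """Map one alert to automated steps plus any steps that need sign-off."""
    if alert.confidence < AUTO_CONFIDENCE:
        # Not sure enough to touch the host: gather context and let people decide.
        return Decision(alert.id, ["enrich", "open_ticket"], [],
                        "below confidence threshold; context only")
    if alert.asset_tier in AUTO_ISOLATE_TIERS:
        return Decision(alert.id, ["quarantine_file", "isolate_host"], [],
                        "high confidence on standard endpoint; full auto-containment")
    # Critical asset: do the cheap, reversible things now and gate the drastic one.
    return Decision(alert.id, ["quarantine_file", "snapshot_memory"], ["isolate_host"],
                    "high confidence on critical asset; isolation needs analyst approval")


def run_playbook(alerts):
    """Return every decision plus the approval queue an analyst must work."""
    decisions = [decide(a) for a in alerts]
    queue = [(d.alert_id, action) for d in decisions for action in d.pending_approval]
    return decisions, queue


def approve(queue, alert_id, analyst):
    """Release the gated actions for one alert; returns what was executed, by whom."""
    executed = [(aid, action, analyst) for aid, action in queue if aid == alert_id]
    queue[:] = [item for item in queue if item[0] != alert_id]
    return executed


# Constructed alerts for illustration.
SAMPLE_ALERTS = [
    Alert("A1", "ws-042", "standard", "known_malware", 0.97),
    Alert("A2", "ceo-laptop", "critical", "suspicious_file", 0.95),
    Alert("A3", "ws-113", "standard", "suspicious_file", 0.55),
]


if __name__ == "__main__":
    decisions, queue = run_playbook(SAMPLE_ALERTS)
    for d in decisions:
        print(d.alert_id, d.automated, "pending:", d.pending_approval, "|", d.reason)
    print("executed after approval:", approve(queue, "A2", "analyst1"))
```

The point of the structure is that the gate is data-driven and auditable: the same alert against a standard workstation is fully automated, while the executive's laptop gets the reversible steps immediately and a queued isolation that an analyst must release, with the approver recorded. The thresholds and tier lists are where you would tune the workflow as trust in the automation grows.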

Analyzing Patterns And Root Causes

With automation for mundane tasks in place, your security professionals’ time is best spent on proactively hunting and mining threat data, and then digging deeper to unravel patterns and root causes. When an attack occurs, they need to look at how bad actors infiltrated the infrastructure, identify patient zero, determine which systems or networks were affected, and find out what type of data was exfiltrated. Whenever malware shows up, your analysts need to investigate the trajectory of the threat and learn as much as possible about how it got in. By gathering this type of data, your organization will get better at spotting and responding to threats with similar characteristics and behaviors that may emerge in the future.

You’re On Your Way

We hope that you have derived some benefit from our blog series and that it will help you formulate a workable and successful adaptive security strategy for your organization. To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Gartner’s Neil Macdonald and me as we talk about the Adaptive Security Architecture concept. And remember — drive safely!


Brett Kelsey is the VP and Chief Technology Officer for the Americas for Intel Security. In this role, he has leveraged his business and practice development, technical expertise, and innovative thought leadership to evangelize Intel Security's go-to-market strategy across ...