Security operations centers (SOCs) are encountering threats that pivot quickly from a hands-on-keyboard intrusion to a wide-scale, destructive ransomware attack, or even a complex nation-state operation. Alert-by-alert triage and remediation will likely fail in such situations.
While alerts are a good starting point for investigation, they don't help defenders efficiently assess and remediate the severity, impact, and spread of an attack. Security teams need to shift away from queues of isolated alerts and toward incidents that let them handle an entire end-to-end attack.
Moving from alert-based triage and remediation to a process built around comprehensive incident remediation has major advantages: time and resource savings, a much lighter burden on security teams, and an overall stronger security posture built on a zero-trust, defense-in-depth approach:
- An incident view lets analysts immediately see the bigger picture and understand the attack's severity and extent, which helps SOCs prioritize critical incidents and devise an informed course of action. It also greatly reduces the work items in the analyst queue.
- Correlation provides confidence that the activity is malicious, so incidents get triaged more quickly and easily. Determining that one activity in the incident is malicious incriminates the entire incident, which helps eliminate false positives. The same logic makes the quality of the correlation itself matter: an alert pulled in by a weak link, such as a shared service account, inherits that verdict too.
- Incidents enable analysts to spot "blanks" in the kill chain and fill them from context, by mapping the alerts in the incident to tactics and techniques in the MITRE ATT&CK knowledge base. For example, if an incident shows initial access and lateral movement, we can look for the persistence, command-and-control, and credential-access activity in between that was not obvious enough to trigger alerts on its own. We can roll back through the execution path to find the initial entry point and roll forward to reveal the full extent of the attack, which is critical to deciding how to contain the threat, evict the attacker, and remediate the damage to assets.
- Because we are acting on incidents rather than individual alerts, SOC playbooks can be targeted at entire incidents, too. This eliminates the need to "chase" individual alerts for instructions and enables durable higher-level guidance that doesn't change with every new alert type. With the incident's impact figured out, playbooks can now clearly identify, prioritize, and orchestrate containment steps to fully evict the attacker in one go.
- Finally, the incident model collects all impacted assets in one place, so remediation can be executed across all of them at once rather than asset by asset.
The SOC needs to adapt and scale its processes as threats and protections evolve. Take four immediate actions to start this journey.
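To make the incident model concrete, here is an added Python example (not code from the article or from any product it refers to) that correlates constructed alerts into incidents by the entities they share, then reads each incident's verdict, entry point, affected assets, and kill-chain blanks off the correlated group. The tactic order, the "host:"/"user:"/"sha256:" entity prefixes, and the sample alerts are assumptions made for illustration.

```python
"""Correlate isolated alerts into incidents and map each incident onto the
ATT&CK kill chain. Added example; the sample alerts are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Enterprise ATT&CK tactics in the order an intrusion usually progresses.
# The real matrix is not strictly linear; the order is an analyst convenience.
KILL_CHAIN = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]


@dataclass(frozen=True)
class Alert:
    id: str
    time: int              # seconds since epoch (constructed)
    tactic: str            # ATT&CK tactic the detection is mapped to
    entities: frozenset    # "host:", "user:" and "sha256:" strings
    confirmed: bool = False  # detector or analyst confirmed this as malicious


@dataclass
class Incident:
    alerts: list  # sorted by time

    def tactics(self):
        return {a.tactic for a in self.alerts}

    def is_malicious(self):
        # One confirmed alert incriminates the whole correlated incident.
        return any(a.confirmed for a in self.alerts)

    def entry_point(self):
        # Roll back: the earliest alert is the best-known initial entry.
        return self.alerts[0]

    def assets(self):
        # Hosts and users across all alerts; hashes are indicators, not assets.
        return {e for a in self.alerts for e in a.entities
                if e.startswith(("host:", "user:"))}

    def kill_chain_gaps(self):
        # Stages between the earliest and latest observed tactic with no alert:
        # the "blanks" (persistence, C2, ...) to hunt for in context.
        idx = sorted(KILL_CHAIN.index(t) for t in self.tactics() if t in KILL_CHAIN)
        if not idx:
            return []
        seen = set(idx)
        return [KILL_CHAIN[i] for i in range(idx[0], idx[-1] + 1) if i not in seen]


def correlate(alerts):
    """Group alerts that (transitively) share any entity into incidents."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for alert in alerts:
        ents = sorted(alert.entities)
        for e in ents[1:]:
            union(ents[0], e)

    groups = defaultdict(list)
    for alert in alerts:
        # An alert with no entities stays isolated under its own id.
        anchor = min(alert.entities) if alert.entities else alert.id
        groups[find(anchor)].append(alert)

    incidents = [Incident(sorted(g, key=lambda a: a.time)) for g in groups.values()]
    return sorted(incidents, key=lambda i: i.alerts[0].time)


# Constructed alerts: a phishing-led intrusion on WS01 that spreads to SRV02,
# plus unrelated reconnaissance and credential activity on WS07.
SAMPLE_ALERTS = [
    Alert("A1", 100, "initial-access", frozenset({"host:WS01", "user:alice", "sha256:9f2c"}), confirmed=True),
    Alert("A2", 160, "execution", frozenset({"host:WS01", "sha256:9f2c"})),
    Alert("A5", 300, "discovery", frozenset({"host:WS07", "user:bob"})),
    Alert("A3", 400, "lateral-movement", frozenset({"host:WS01", "host:SRV02", "user:alice"})),
    Alert("A4", 900, "impact", frozenset({"host:SRV02"})),
    Alert("A6", 950, "credential-access", frozenset({"user:bob"})),
]

if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), 1):
        print(f"incident {n}: malicious={inc.is_malicious()} entry={inc.entry_point().id}")
        print("  assets:", sorted(inc.assets()))
        print("  kill-chain blanks:", inc.kill_chain_gaps())
```

Six alerts collapse into two incidents. The WS01/SRV02 incident is incriminated by the single confirmed alert, its entry point is the phishing alert, and its blanks list every stage between initial access and impact that produced no alert, which is exactly where an analyst should go hunting for the persistence and command-and-control the article mentions. The WS07 incident has no blanks, showing the edge case where the observed stages are contiguous.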
1. Switch Triage From Alerts to Incidents
Whether your SOC uses a SIEM or an XDR product for initial triage, ensure it can present meaningful correlated incidents on top of alerts. Prioritize your incident queue based on the parameters that matter to you, such as the potential risk from the threat, the scope of techniques and kill-chain progress, and the criticality of the affected assets.
Map your SOC playbooks to incident categories like phishing, ransomware, and adware. Define, per incident category, what the SOC analyst should do to quickly understand if the incident is a true threat or a false alarm, and to immediately stop it from progressing.
Provide guidance for investigation of individual incident alerts, based on stage or technique. Ensure all attacker activities and affected assets in the incident are discovered and captured — this forms the basis for the incident remediation plan.
Finally, after considering the full incident, including all affected assets and evidence, invoke remediation actions across affected assets to return them to a clean operational state.
2. Automate Incident Handling
Mapping SOC playbooks to incidents in a structured and durable manner enables coordinated process automation. Some incident categories can be handled fully automatically and resolved end to end without SOC attention. For others, some parts can be automated (e.g., initial triage, remediation in bulk) while those requiring expertise remain manual (e.g., investigation). Automation should use the incident graph to determine where and how to assist analysts, removing repetitive manual work and letting the SOC focus on complex, high-risk incidents.
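As an added example (not from the article), the following Python ranks a constructed incident queue by kill-chain progress, worst affected asset criticality, and confidence, then selects the steps of a per-category playbook that may run without an analyst. The weights, the asset inventory, the category policies, and the crown-jewel rule are assumptions chosen for illustration; a real deployment would take the scoring inputs from its own asset and incident data.

```python
"""Rank an incident queue and decide which playbook steps may run on their
own. Added example; weights, inventory and category policies are assumptions."""
from dataclasses import dataclass

# ATT&CK tactic order as kill-chain progress; 0 = initial access, 11 = impact.
STAGE = {"initial-access": 0, "execution": 1, "persistence": 2,
         "privilege-escalation": 3, "defense-evasion": 4,
         "credential-access": 5, "discovery": 6, "lateral-movement": 7,
         "collection": 8, "command-and-control": 9, "exfiltration": 10,
         "impact": 11}

# Constructed asset inventory, criticality 1 (workstation) to 5 (crown jewel).
# Assets not listed (users, unknown hosts) default to 1.
ASSET_CRITICALITY = {"host:WS01": 1, "host:WS07": 1, "host:SRV02": 3,
                     "host:DC01": 5}
CROWN_JEWEL = 5

# Hypothetical per-category playbooks: (step, may_run_automatically).
PLAYBOOKS = {
    "adware": [("remove software", True), ("close incident", True)],
    "phishing": [("purge message", True), ("reset credentials", True),
                 ("investigate follow-on activity", False)],
    "ransomware": [("isolate hosts", True), ("disable accounts", True),
                   ("investigate entry and spread", False),
                   ("restore from backup", False)],
}


@dataclass
class Incident:
    id: str
    category: str
    tactics: set     # ATT&CK tactics seen across the incident's alerts
    assets: set      # "host:" / "user:" entities across the incident
    confirmed: bool  # at least one alert confirmed malicious


def risk_score(inc):
    """Kill-chain progress x worst asset criticality x confidence, in (0, 1]."""
    furthest = max((STAGE[t] for t in inc.tactics if t in STAGE), default=0)
    progress = (furthest + 1) / len(STAGE)
    criticality = max((ASSET_CRITICALITY.get(a, 1) for a in inc.assets), default=1) / CROWN_JEWEL
    confidence = 1.0 if inc.confirmed else 0.5
    return progress * criticality * confidence


def prioritize(queue):
    """Highest risk first; ties broken by incident id for a stable queue."""
    return sorted(((inc.id, round(risk_score(inc), 3)) for inc in queue),
                  key=lambda t: (-t[1], t[0]))


def plan(inc):
    """Playbook steps for the incident's category. An incident touching a
    crown-jewel asset is forced to manual approval for every step, whatever
    the category policy says: bulk remediation on a domain controller is not
    something to fire blindly."""
    steps = PLAYBOOKS.get(inc.category, [("triage manually", False)])
    touches_jewel = any(ASSET_CRITICALITY.get(a, 1) >= CROWN_JEWEL for a in inc.assets)
    return [(step, auto and not touches_jewel) for step, auto in steps]


def fully_automatic(inc):
    """True when the incident can be closed end to end without an analyst."""
    return all(auto for _, auto in plan(inc))


# Constructed queue.
SAMPLE_QUEUE = [
    Incident("INC-1", "ransomware", {"initial-access", "lateral-movement", "impact"},
             {"host:WS01", "host:SRV02", "user:alice"}, confirmed=True),
    Incident("INC-2", "adware", {"execution"}, {"host:WS07"}, confirmed=True),
    Incident("INC-3", "phishing", {"initial-access", "credential-access"},
             {"host:DC01", "user:carol"}, confirmed=False),
]

if __name__ == "__main__":
    for inc_id, score in prioritize(SAMPLE_QUEUE):
        inc = next(i for i in SAMPLE_QUEUE if i.id == inc_id)
        mode = "auto" if fully_automatic(inc) else "needs analyst"
        print(inc_id, score, mode, plan(inc))
```

The unconfirmed phishing incident outranks the confirmed adware one because it touches a domain controller, and for the same reason none of its normally automatic steps are allowed to run on their own. The adware incident is the only one that resolves end to end without SOC attention; the ransomware incident gets automatic containment (isolate, disable) while investigation and recovery stay manual.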
3. Bring the Team Along
Take time to explain the benefits of working with correlated incidents and how this approach changes the game for defenders. Explore the MITRE ATT&CK framework and use it to structure your SOC playbook guidance for incidents so that it scales and stays durable. When a new detection for exfiltration is added and mapped to the appropriate tactic or technique, the existing guidance applies, and there is no need for special alert onboarding or new guidance.
Record actions taken on prior cases — integrated into your security tools — and use this data to help analysts understand how to better deal with new incidents and tune processes over time. Extending these learnings into industrywide collaboration can have tremendous benefits for the organization and the entire security community.
4. Try Before You Buy
Look for a security product that enables your organization to shift to incidents and supports this SOC process evolution. It should implement automatic correlation of alerts into incidents, prioritization, incident categorization, and the ability to map your SOC playbooks at the incident and alert level to MITRE ATT&CK tactics and techniques.
Don't forget customization — each organization has preferences and special processes. Find products that integrate recommendations for action based on incident history within the organization and across the industry.