Where is incident response headed over the next few years? We clearly live in a world in which the number of incidents will keep growing: IoT is multiplying the number of connected devices, the business is demanding ever more data for analytics, and technology has become the way companies compete in a global economy.
But how do we handle this explosion when security and IT talent is in such short supply? The shortage is only made worse by the need to build expertise quickly enough to keep up with increasingly sophisticated threat actors. How will organizations close this very real gap between incident volume and incident response capacity?
At WireX Systems, we believe the only answer is by combining in-depth visibility with automation and human insights.
This means providing visibility into all user and server interactions (including those not marked as malicious by a detection tool) and stepping up automation in the incident response process so that humans are focused only on what they do best – decision-making.
The biggest bottleneck in the SOC today is investigating the alerts produced by the variety of security tools. How do we tell which threats are real? How long does it take to perform root cause analysis and understand the impact of each one?
After talking with dozens of SOC teams this year, it is clear that most investigation time is spent collecting evidence: pulling deeper information from email servers, DNS servers, proxies, database monitoring tools, business applications and more. All of that data then has to be compiled into a single coherent list, attributed to the right user or host, and ordered so that the sequence of events becomes understandable.
Needless to say, only very experienced personnel can do this, and even for them it is a tedious and time-consuming task that can take days.
SIEM technologies are a great first step for alert validation and triage, and the logs and NetFlow metadata they collect help determine when to trigger a deeper investigation. However, a SIEM is inherently not an investigation tool: because it is built on log collection and metadata, it offers very limited visibility into what the interactions actually contained.
They say the "truth is in the packets", but we all know the limitations of storing such huge volumes of packets, not to mention the skill set needed to interpret packet-level data and the time it takes to complete a single investigation from it.
But what if we could combine benefits from both worlds? Have months of visibility (as if we were collecting logs) coupled with the actual network conversations (including file downloads, emails, browsing, DB etc.)?
Understanding the context of the alerts and having visibility into all the activities taking place before and after a specific alert was triggered are at the heart of the investigation process.
There are automation tools that provide cookbooks for response, mainly focused on matching IPs and file names against blocklists and sandbox verdicts. But that is only the beginning of the story: if the match is positive, you now need to launch a much deeper investigation to understand scope and impact, such as which other hosts touched the same indicator and what happened on them before and after.
Automation is indeed a very important part of response, but without deep visibility and context the automated steps will not offer much value.
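The evidence-collection and scoping steps described above (merging records from DNS, proxy and mail servers into one timeline, cutting the window around an alert, matching indicators against a blocklist, then pivoting to every host that touched the match) are shown below as an added example. This is illustrative code written for this page, not WireX Systems code; the log formats, hostnames, the `bad-domain.test` indicator and the blocklist entry are all constructed assumptions.

```python
"""Added example (not WireX Systems code): build a host-attributed timeline
from constructed DNS, proxy and mail logs, cut the window around an alert,
match indicators against a blocklist, then pivot to every host that touched
the match. Log formats and hostnames are assumptions, not any product's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # which tool the record came from
    host: str       # the workstation the record is attributed to
    indicator: str  # domain queried, URL host contacted, or sender domain
    detail: str


# Constructed sample logs, not real data; the field layout is assumed.
DNS_LOG = """\
2024-03-04T09:58:10Z ws-17 query A updates.example-cdn.net
2024-03-04T10:01:42Z ws-17 query A files.bad-domain.test
2024-03-04T10:03:05Z ws-22 query A files.bad-domain.test
2024-03-04T10:40:00Z ws-09 query A intranet.corp.example
"""
PROXY_LOG = """\
2024-03-04T10:01:43Z ws-17 GET http://files.bad-domain.test/inv.zip 200 204800
2024-03-04T10:03:06Z ws-22 GET http://files.bad-domain.test/inv.zip 200 204800
2024-03-04T10:20:11Z ws-17 GET http://updates.example-cdn.net/ok.js 200 1200
"""
MAIL_LOG = """\
2024-03-04T09:59:30Z ws-17 from=billing@bad-domain.test subject="Invoice 4471" attachment=inv.zip
"""
BLOCKLIST = {"bad-domain.test"}  # assumed threat-intel entry for this example


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_dns(text):
    for line in text.splitlines():
        ts, host, _kind, rtype, name = line.split()
        yield Event(parse_ts(ts), "dns", host, name, f"{rtype}? {name}")


def parse_proxy(text):
    for line in text.splitlines():
        ts, host, method, url, status, size = line.split()
        url_host = re.match(r"https?://([^/]+)", url).group(1)
        yield Event(parse_ts(ts), "proxy", host, url_host, f"{method} {url} {status} {size}B")


def parse_mail(text):
    for line in text.splitlines():
        ts, host, rest = line.split(maxsplit=2)
        sender = re.search(r"from=(\S+)", rest).group(1)
        yield Event(parse_ts(ts), "mail", host, sender.split("@", 1)[1], rest)


def build_timeline(*streams):
    """One chronologically ordered list across all sources."""
    return sorted((e for stream in streams for e in stream), key=lambda e: e.ts)


def window(events, alert_ts, host=None, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """What happened shortly before and after the alert, optionally for one host."""
    return [e for e in events
            if alert_ts - before <= e.ts <= alert_ts + after
            and (host is None or e.host == host)]


def matches_blocklist(indicator, blocklist):
    # Exact or parent-domain match only; a plain substring test would also
    # hit unrelated names such as notbad-domain.test.
    return any(indicator == b or indicator.endswith("." + b) for b in blocklist)


def scope(events, blocklist):
    """The step a blocklist hit alone does not give you: every host that
    touched a listed indicator, with the time it was first seen doing so."""
    first_seen = {}
    for e in events:
        if matches_blocklist(e.indicator, blocklist):
            first_seen.setdefault(e.host, e.ts)
    return first_seen


def investigate(alert_host, alert_ts):
    timeline = build_timeline(parse_dns(DNS_LOG), parse_proxy(PROXY_LOG), parse_mail(MAIL_LOG))
    return {"timeline": timeline,
            "context": window(timeline, alert_ts, host=alert_host),
            "scope": scope(timeline, BLOCKLIST)}


if __name__ == "__main__":
    # Assumed alert: a download flagged on ws-17 at 10:02 UTC.
    result = investigate("ws-17", parse_ts("2024-03-04T10:02:00Z"))
    for e in result["context"]:
        print(e.ts.isoformat(), e.source, e.host, e.detail)
    for host, ts in sorted(result["scope"].items()):
        print("touched blocklisted indicator:", host, "first seen", ts.isoformat())
```

Run as a script, the context window shows the phishing mail arriving on ws-17 a couple of minutes before the DNS lookup and the download, and the scope step reveals a second host, ws-22, fetching the same file two minutes later, which a blocklist match on the original alert alone would not have surfaced. The parent-domain match is deliberate: matching `bad-domain.test` as a bare substring would also flag names that merely end in those characters.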
Combining in-depth visibility into every user interaction with automated workflows will also lower the level of expertise SOC analysts need in order to be effective and respond in minutes.
These workflows can also serve as a knowledge-sharing platform, turning every member of the SOC team into a capable data analyst.
Whether you have a very small team or multiple large teams spread across the globe, sharing information and raising everyone's game is a very smart use of your resources.
Furthermore, it allows organizations to push some of the forensic steps of the investigation downstream, empowering entry-level personnel to take on much of the workload currently carried by experienced (and much rarer) data scientists.
Humans will continue, however, to be vital for effective incident response for years to come. Until machine learning and artificial intelligence are far more advanced, humans are still best suited to understand the context and make a decision on the impact and scope of these threats.