A security team relies on people’s talent and tools to efficiently respond to threats. Ideally, the interaction between those two assets is underpinned by discrete processes for effectiveness as much as consistency. If either of these components is removed, the likelihood of combating an attack is greatly reduced. As it stands, many security teams do not have enough resources to deal with alerting effectively.
One of the challenges with cybersecurity tools is that security teams become inundated with a multitude of alerts that obscures the true threats. Tickets generated at the front line are routed to the more seasoned operators who hold the deeper expertise and know-how to look into a variety of different alerts. It is no surprise that a huge burden is placed on very few analysts, resulting in bottlenecks, burnout and high turnover.
According to Help Net Security, security teams receive up to 1,000 alerts daily and have to switch between 12 systems, on average, to address the alerts. This current model takes up no less than 20% of the analyst’s day in non-value-added activities. Another significant share of time is spent on redundant activities: redundant true positives, such as a security tool raising a separate alert for every packet (out of thousands) of a single communication with a command-and-control server, not to mention working through the false positives. This keeps the analyst from addressing the actual attacks that threaten the organization.
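The per-packet alert storm described above is one form of redundancy a team can collapse before an analyst ever sees it. The following added example (not WireX code; the alert lines, signature names and addresses are constructed for illustration) aggregates alerts that share the same signature, source and destination within a time window into a single incident with a hit count, so thousands of alerts on one command-and-control session become one item of work.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real data): an IDS firing once per packet on
# the same suspected command-and-control session, plus one unrelated alert.
# Signature names and addresses are hypothetical.
SAMPLE_ALERTS = [
    "2024-01-01T10:00:00 sig=C2_BEACON src=10.0.0.5 dst=203.0.113.9",
    "2024-01-01T10:00:01 sig=C2_BEACON src=10.0.0.5 dst=203.0.113.9",
    "2024-01-01T10:00:02 sig=C2_BEACON src=10.0.0.5 dst=203.0.113.9",
    "2024-01-01T10:00:03 sig=CLEARTEXT_PASSWORD src=10.0.0.7 dst=10.0.0.20",
    "2024-01-01T10:09:00 sig=C2_BEACON src=10.0.0.5 dst=203.0.113.9",
    "2024-01-01T10:25:00 sig=C2_BEACON src=10.0.0.5 dst=203.0.113.9",
]

def parse_alert(line):
    """Split one 'timestamp key=value ...' alert line into a dict."""
    ts, *fields = line.split()
    alert = dict(f.split("=", 1) for f in fields)
    alert["ts"] = datetime.fromisoformat(ts)
    return alert

def aggregate(lines, window=timedelta(minutes=10)):
    """Collapse alerts sharing (sig, src, dst) that fall within `window` of the
    first occurrence into one incident carrying a hit count and a time span.
    Returns the incidents in first-seen order."""
    incidents = []
    open_by_key = {}  # (sig, src, dst) -> index of the currently open incident
    for alert in sorted((parse_alert(l) for l in lines), key=lambda a: a["ts"]):
        key = (alert["sig"], alert["src"], alert["dst"])
        idx = open_by_key.get(key)
        if idx is not None and alert["ts"] - incidents[idx]["first_seen"] <= window:
            incidents[idx]["count"] += 1
            incidents[idx]["last_seen"] = alert["ts"]
            continue
        # No open incident for this key, or its window expired: start a new one.
        open_by_key[key] = len(incidents)
        incidents.append({"sig": alert["sig"], "src": alert["src"], "dst": alert["dst"],
                          "first_seen": alert["ts"], "last_seen": alert["ts"], "count": 1})
    return incidents

if __name__ == "__main__":
    for inc in aggregate(SAMPLE_ALERTS):
        print(f'{inc["sig"]} {inc["src"]}->{inc["dst"]} hits={inc["count"]} '
              f'{inc["first_seen"].time()}..{inc["last_seen"].time()}')
```

The six constructed alerts collapse to three incidents; the count and time span on each incident preserve the evidence an analyst needs while removing the repeated triage.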
Adding insult to injury, on average, three out of four newly hired security team members will be replaced or will resign within just one year. The reasons for the high turnover are heavy pressure, an increasing workload caused by chasing too many alerts, the tedious task of “gluing back” the pieces of the puzzle, and an overall frustration at not being in a position to actually protect the organization.
Clearly, security teams today need a more efficient way to deal with alerts that is conducive to identifying the attack and effectively responding to it.
The beginnings of a solution
As all industries move towards automation to cut costs and operate more efficiently, the cybersecurity world is no exception. While we are starting to see a shift into automation in more and more tools, most of them fall short in providing the holistic and actionable view that is needed for responding to alerts.
SOAR (security orchestration, automation and response) provides predefined playbooks that run when an alert is generated. The purpose of these playbooks is to gain effectiveness and consistency, and to automate activities where appropriate. So, in general, it is a good starting point, but it still requires organizations to have the actual information needed to turn alerts into identified attacks. For the alerts that the playbook confirms as problematic, the investigation that identifies the threat still has to be carried out. The value of SOAR, then, is that it helps focus attention on the more important alerts and supports the automation of repetitive activities, but it does not replace the need for a deeper investigation. This is where WireX comes into play.
Also, SOAR is still far from being broadly adopted by most security teams, which makes the problem even worse. The value of predefined playbooks is limited if the organization doesn’t have the visibility to truly identify attacks (not alerts) and respond to them.
The missing piece
WireX Systems takes this approach of orchestration and automation a few steps further and delivers simplified, actionable context for these alerts to reduce the workload placed on the responding team members. Currently, most of an analyst’s time is spent reviewing logs and alerts that can turn out to be false positives (or simply redundant true positives), which takes their focus off the actual attacks that pose a risk to the organization.
To fully monitor and understand the environment, WireX Systems leverages network detection and response (NDR) to see all communications taking place within the network. We also utilize our intelligent Contextual Capture™ technology to reconstruct the raw data into a human-readable format that the security personnel can act upon. This enables even entry-level operators to be as effective as the tier three analysts while also enabling the experienced analysts to focus only on the most pressing threats. With the ability to understand what an alert means, security teams require less expertise, fewer senior analysts and less time to effectively respond to a threat.
It is worth mentioning that NDR not only monitors all traffic across the network, but it also has the ability to decrypt the data for packet inspection and re-encrypt the data in a transparent manner. Even in cases where decryption is not enabled, it will point to the servers being used, the certificates, who signed them and their validity in order to provide the bigger picture.
According to Dark Reading, it takes new security team members about a year to become active contributors, and, on average, the security staff leaves after just two years. With WireX, a security manager can train new employees fairly quickly to be effective when responding to reliable alerts. WireX also provides an Incident Management framework to guide teams when performing incident response, whether they have a SOAR tool in place or not. Teams can then automate various steps of the detection, identification or response process for further efficiencies and output.
The old way of focusing only on stopping an attack at the gate, or of being purely reactive, is ineffective. Relying on logs from next-generation firewalls, IDS or SIEM devices simply does not provide the visibility and context needed to do the deeper dive that identifies the attack in its entirety, with the required evidence: logs are, by design, missing the details that record exactly what happened.
Security teams today need to adopt a solution that takes the guesswork out of the process. Instead of investing precious time trying to correlate high-level metadata, they need a solution that automatically visualizes all the relevant data for them and lets them move with one click from a bird’s-eye view into the exact details the analysts need.
During an attack, the security team needs to answer many questions. They need to determine how a user accessed a file server, what he uploaded or downloaded from there, who else accessed it after him and what this other user did. Did he access your database? What transactions was he trying to execute? Was he successful? How many records did he get access to?
These are critical questions that must be answered in minutes, and a platform that visualizes all these insights from multiple dimensions (users, protocols, files, servers, user-agents, etc.) makes all the difference in the world. And again, this is foundational to nailing down an effective process and looking for automation where possible.
To learn more about how WireX Systems can help your security program, contact us today.