SOC Analysts on Steroids

Back in 1998, I wrote a textbook called . . . now get this: Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. The book was approved at the time for external publication by my employer’s legal department, even though it had the word ‘surveillance’ in it. Go figure. Anyway, those 218 dense pages represented my best thinking - twenty years ago - on how to make network security operations work properly.

Since then, I’ve either observed, participated in, or criticized (nicely) literally thousands of proposals for how to enhance the security operations center experience. I’ve seen teams deploy GPU-based neural processing, advanced natural language translations, massively warehoused traffic capture, and on and on. Some of these methods work nicely, but many do not. So, forgive me if I don’t always get excited when presented with a new means for SecOps.

That said, I participated in a technical review last week with Tomer Saban, the impressive co-founder of WireX. We spent our time going through the design of his platform and how it significantly reduces cyber incident response time through intelligent, contextual pre-processing of ingested data. I’d met previously with Tomer’s team, and I liked what I saw, so Tomer agreed to give me a deeper look – and I’m glad he did. Here’s what I learned:

“Security operations teams have struggled in practice with two operational challenges,” Tomer explained. “First, there are the practical limitations of storage, where volumes of captured traffic can reach into the high terabyte, and even petabyte, ranges for durations as short as a week or so. And second, there is the skill-set problem, where the expertise required to perform basic packet-level analysis is high enough to complicate recruitment and training.”

I agreed that these challenges do, in fact, turn up over and over in the modern SOC, so I was keen to understand how the WireX platform provides support. Tomer’s explanation centered on the WireX methods for intelligently conditioning captured data: “By applying intelligence to how we ingest and store data, we can significantly reduce storage size,” Tomer said, “and we can add sufficient context to support greatly improved understanding of data by analysts.”

Adding intelligence to pre-condition ingested data is an exciting development in our industry. The method can be viewed, in a sense, as smart traffic compression before transmission to storage. For example, when captured data includes repetitive garbage, or an obvious pattern of meaningless data, then WireX pre-processing makes the intelligent decision to store only what is necessary. This can reduce data storage requirements by orders of magnitude.

But the intelligence can also provide context, which changes the equation for SOC analysts. It’s been my experience – and Tomer shared his own confirmation – that the central challenge in cyber security analysis involves correlation. That is, the human tries to compare observed data with layers of contextual information to determine if something is benign and non-actionable, or malicious and requiring immediate incident or indicator response.
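To make the two ideas above concrete – conditioning captured data so that only what is necessary gets stored, and then layering context onto what remains so an analyst can separate benign from actionable – here is a small illustration I put together. It is my own constructed code, not WireX’s platform and not any method Tomer described to me; the sample capture records, the asset inventory, the expected-port table, the watchlist, and the repeating-pattern heuristic used to spot padding-style payloads are all assumptions made up for the example.

```python
"""Toy pre-conditioning and context-enrichment pass over captured records.

Added illustration only (not WireX code). Two stages:
  1. condense(): collapse repeated and low-information payloads into counted
     flow summaries so far fewer bytes reach storage;
  2. triage(): compare each summary against contextual tables (asset owner,
     expected ports, watchlist) and label it benign or actionable.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Record:
    ts: int          # capture timestamp (constructed, seconds)
    src: str
    dst: str
    dport: int
    payload: bytes


def smallest_period(data: bytes) -> int:
    """Length of the shortest unit that repeats to form data (len(data) if none)."""
    n = len(data)
    for p in range(1, n):
        if n % p == 0 and data[:p] * (n // p) == data:
            return p
    return n


def condense_payload(payload: bytes, max_period: int = 4):
    """Return (kind, bytes_to_store). Payloads that are just a short unit repeated
    (padding, keepalive filler) keep only the unit; everything else is kept raw."""
    if not payload:
        return "empty", b""
    p = smallest_period(payload)
    if p <= max_period and len(payload) >= 4 * p:
        return "repetitive", payload[:p]
    return "raw", payload


@dataclass
class FlowSummary:
    src: str
    dst: str
    dport: int
    kind: str
    digest: str      # sha256 of the stored bytes, usable as a dedup key
    stored: bytes
    count: int
    first_ts: int
    last_ts: int


def condense(records):
    """Group records by endpoint tuple and stored-payload digest; keep one copy plus counters."""
    table = {}
    for r in records:
        kind, stored = condense_payload(r.payload)
        digest = hashlib.sha256(stored).hexdigest()
        key = (r.src, r.dst, r.dport, kind, digest)
        s = table.get(key)
        if s is None:
            s = FlowSummary(r.src, r.dst, r.dport, kind, digest, stored, 0, r.ts, r.ts)
            table[key] = s
        s.count += 1
        s.first_ts = min(s.first_ts, r.ts)
        s.last_ts = max(s.last_ts, r.ts)
    return list(table.values())


def raw_bytes(records):
    return sum(len(r.payload) for r in records)


def stored_bytes(summaries):
    return sum(len(s.stored) for s in summaries)


# Constructed context tables (assumed; documentation address ranges only).
CONTEXT = {
    "assets": {"10.0.0.5": "web-frontend", "10.0.0.9": "backup-server"},
    "expected_ports": {"web-frontend": {443}, "backup-server": {22, 873}},
    "watchlist": {"203.0.113.7"},
}


def triage(summary, ctx):
    """Label a summary benign or actionable using the contextual tables."""
    owner = ctx["assets"].get(summary.dst)
    reasons = []
    if summary.src in ctx["watchlist"] or summary.dst in ctx["watchlist"]:
        reasons.append("watchlisted address")
    if owner is None:
        reasons.append("destination not in asset inventory")
    elif summary.dport not in ctx["expected_ports"].get(owner, set()):
        reasons.append(f"unexpected port {summary.dport} for {owner}")
    return ("actionable" if reasons else "benign"), reasons


def build_sample():
    """Constructed capture: 50 zero-filled filler records, 3 identical requests,
    one connection from a watchlisted address, one ordinary SSH banner."""
    recs = [Record(1000 + i, "198.51.100.2", "10.0.0.5", 443, b"\x00" * 64) for i in range(50)]
    recs += [Record(2000 + i, "198.51.100.2", "10.0.0.5", 443, b"GET /index.html") for i in range(3)]
    recs.append(Record(3000, "203.0.113.7", "10.0.0.9", 4444, b"hello"))
    recs.append(Record(3001, "198.51.100.2", "10.0.0.9", 22, b"SSH-2.0-x"))
    return recs


SAMPLE_RECORDS = build_sample()

if __name__ == "__main__":
    summaries = condense(SAMPLE_RECORDS)
    print(f"raw bytes {raw_bytes(SAMPLE_RECORDS)} -> stored bytes {stored_bytes(summaries)}")
    for s in summaries:
        verdict, why = triage(s, CONTEXT)
        print(f"{s.src}->{s.dst}:{s.dport} x{s.count} [{s.kind}] {verdict} {why}")
```

Run as a script it shows the 55 constructed records shrinking to four summaries and about thirty stored bytes, with only the watchlisted, off-port connection labelled actionable. The point of the design is the order of operations: reduce first, then enrich, so the correlation step runs over a handful of summaries rather than over every captured packet.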

“The result of our intelligent processing is that many teams can support their cyber security operations needs with much lower-cost servers,” Tomer said, “rather than having to make investments in high-performance computing. We’ve also observed that in SOC environments where a tiny percentage of the team can support data analysis, by introducing the WireX platform, more team members become capable of more aggressive analytic tasks.”

Tomer told me quite a bit about the company and how his heritage working with intelligence agencies around the world helped shape the DNA of the platform. He shared how the challenges of making sense of IP traffic – after years of dealing with conventional PSTN data – highlighted the need for intelligent processing. “The hundreds of IP-based apps and protocols are constantly changing,” he said, “and this introduces technical challenges.”

Founded in 2010, WireX is headquartered in Sunnyvale, and boasts an expert management team that, in addition to Tomer, includes cyber security industry veterans Gilboa Davara and Vadim Lipovetsky. The company also has good financial backing from several super-heavyweights in our industry, including my friend Rakesh Loonkar, the iconic Mickey Boodaei, and several prominent venture capital firms. These are all good signs for WireX.

To sum: If you are like me, and have been staring for many years at a plethora of SOC (and surveillance, ahem) solutions to secure modern networks, then despite the likelihood of some fatigue, you must keep your chin up and continue to investigate the best means to turbo-charge your SOC analysts. And I’d suggest that spending some time with Tomer and his team at WireX will be time well spent.

As always, please share with us what you learn.