How to Tackle the Data Challenge to Improve and Accelerate Detection and Response
I’ve discussed before how Security Operations Centers (SOCs) are now becoming detection and response organizations. But like most transitions, that shift doesn’t happen overnight. Three different areas need to be addressed – data, systems and people.
Many organizations today deal with data that is noisy and unstructured, decentralized without prioritization, and managed with spreadsheets. Their systems are disconnected and disparate, workflows are neither orchestrated nor automated, and each system uses its own specific language, which makes it difficult, if not impossible, to get them to interoperate. Finally, there’s a significant lack of skilled resources to get things done. And the security professionals they do have can’t keep pace because they’re bogged down by repetitive, manual tasks and operate in silos. Each of these areas needs to be addressed to improve detection, gain a better understanding of threats, enable teams to collaborate and, ultimately, take the right actions faster.
Here, I’m going to address how to tackle the data challenge to improve and accelerate detection and response.
To gain a comprehensive understanding of the threats you are facing and what you must defend, you need to start by aggregating internal data from across the entire ecosystem – the telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. In addition to the SIEM, this includes data from modern security tools and technologies, like Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Cloud Detection and Response (CDR). Not only is this data high fidelity, it’s also free!
With the right internal threat and event data aggregated in a platform that serves as a central repository, the next step is to augment and enrich it with external threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Analysts are bombarded by millions of threat datapoints every day, which makes it impossible to fully appreciate or realize the full value of third-party data. Compounding the problem, new research presented at the 29th USENIX Security Symposium found that there is little overlap between these sources. Bringing this data into a central repository that normalizes it automatically into a uniform format for analysis and prioritization helps stem that flood.
Additional complexity springs from the need to keep pace with an ever-changing threat landscape. As we saw with COVID-19 and the SolarWinds Orion security breach, crises and outbreaks generate a strong uptick in new, disparate sources of threat information. Many of these sources have no ready-made connectors that let them plug into existing security infrastructure. So, another requirement is custom connectors, which can be written and deployed within hours, for any type of threat intelligence feed. This allows the SOC to quickly ingest threat data from new sources into the same repository.
You now have a central repository combining the right internal data with external data – in effect, a single source of truth. However, due to the volume of data, you also have a great deal of noise. To reduce the noise, data can be prioritized according to what is relevant for your organization, instead of relying on the global risk scores some vendors provide. Changing risk scores based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, allows you to filter out what’s noise for you. Instead of wasting time and resources chasing ghosts, you can focus on what really matters to your organization. This central repository also serves as organizational memory for learning and improvement. As new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized.
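The three data steps above (normalizing feeds with different schemas into one format, writing a small custom connector per feed, and replacing vendor global scores with organization-specific scoring that is re-evaluated as internal observations arrive) fit in a few dozen lines. The following is an added illustration written for this article, not code from any platform or vendor mentioned here. The two feed schemas, the feed names (`feed-a`, `feed-b`, `internal-edr`), the policy weights and the indicator values (documentation IP ranges and an `example.com` host) are all constructed for the example.

```python
import csv
import io
from dataclasses import dataclass, field

# Map each feed's own type vocabulary onto one uniform set of indicator types.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "fqdn": "domain", "domain": "domain",
                "sha256": "sha256"}


@dataclass
class Indicator:
    value: str
    ioc_type: str
    sources: set = field(default_factory=set)
    vendor_scores: dict = field(default_factory=dict)  # feed name -> that feed's global score
    tags: set = field(default_factory=set)
    org_score: int = 0                                  # score after applying our own policy


def connector_json_feed(records, source):
    """Custom connector for a JSON-style feed (constructed schema: indicator/kind/confidence/labels)."""
    for r in records:
        yield Indicator(value=r["indicator"].lower(), ioc_type=TYPE_ALIASES[r["kind"]],
                        sources={source}, vendor_scores={source: int(r["confidence"])},
                        tags=set(r.get("labels", [])))


def connector_csv_feed(text, source):
    """Custom connector for a CSV feed (constructed schema: value,type,score,context)."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(value=row["value"].lower(), ioc_type=TYPE_ALIASES[row["type"]],
                        sources={source}, vendor_scores={source: int(row["score"])},
                        tags={t for t in row["context"].split(";") if t})


def merge_into(repo, indicators):
    """Deduplicate on (type, value); union sources, vendor scores and tags across feeds."""
    for ind in indicators:
        key = (ind.ioc_type, ind.value)
        if key in repo:
            kept = repo[key]
            kept.sources |= ind.sources
            kept.vendor_scores.update(ind.vendor_scores)
            kept.tags |= ind.tags
        else:
            repo[key] = ind
    return repo


# Organization-specific policy; every number here is a constructed example, not a vendor value.
POLICY = {
    "source_weight": {"feed-a": 1.0, "feed-b": 0.6},   # how much we trust each external feed
    "type_weight": {"ipv4": 0.8, "domain": 1.0, "sha256": 1.2},
    "tag_bonus": {"phishing": 20, "targets-finance": 30, "scanner": -30},
    "internal_sighting_bonus": 40,                      # boost when our own EDR/NDR saw it
}


def score(ind, policy=POLICY):
    """Replace the feed's global score with one reflecting our source, type, tag and context rules."""
    weighted = [s * policy["source_weight"].get(src, 0.0) for src, s in ind.vendor_scores.items()]
    base = max(weighted, default=0.0) * policy["type_weight"].get(ind.ioc_type, 1.0)
    bonus = sum(policy["tag_bonus"].get(t, 0) for t in ind.tags)
    if "internal-edr" in ind.sources:
        bonus += policy["internal_sighting_bonus"]
    return max(0, min(100, round(base + bonus)))


def reprioritize(repo, policy=POLICY):
    """Re-evaluate every indicator; called whenever new data or observations arrive."""
    for ind in repo.values():
        ind.org_score = score(ind, policy)
    return sorted(repo.values(), key=lambda i: i.org_score, reverse=True)


def add_observation(repo, value, ioc_type, source, tags=()):
    """Record an internal sighting (e.g. from EDR) and return the re-ranked repository."""
    merge_into(repo, [Indicator(value=value.lower(), ioc_type=ioc_type, sources={source}, tags=set(tags))])
    return reprioritize(repo)


# Constructed sample feeds using documentation addresses and an example domain.
FEED_A = [
    {"indicator": "192.0.2.10", "kind": "ip", "confidence": 90, "labels": ["scanner"]},
    {"indicator": "BAD.example.com", "kind": "fqdn", "confidence": 40, "labels": ["phishing"]},
]
FEED_B_CSV = """value,type,score,context
198.51.100.7,ipv4,95,scanner
bad.example.com,domain,75,phishing;targets-finance
"""


def build_repository():
    repo = {}
    merge_into(repo, connector_json_feed(FEED_A, "feed-a"))
    merge_into(repo, connector_csv_feed(FEED_B_CSV, "feed-b"))
    return repo


if __name__ == "__main__":
    repo = build_repository()
    for ind in reprioritize(repo):
        print(f"{ind.org_score:3d}  vendor={ind.vendor_scores}  {ind.ioc_type}:{ind.value}  {sorted(ind.tags)}")
    print("-- after EDR sighting of 198.51.100.7 --")
    for ind in add_observation(repo, "198.51.100.7", "ipv4", "internal-edr"):
        print(f"{ind.org_score:3d}  {ind.ioc_type}:{ind.value}")
```

Run as a script, the first ranking puts the domain seen by both feeds on top (95) and drops `198.51.100.7` to the bottom (16) even though feed-b gave it the highest global score, because the organization's policy treats a low-trust feed's "scanner" tag as noise. Once an internal EDR sighting is merged for that address, `reprioritize` runs again and it climbs to second place (56), which is the "organizational memory" behaviour the article describes: nothing is re-ingested, the same repository is simply re-scored as context accumulates.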
SOC modernization doesn’t happen overnight. But starting with the data challenge to create a single source of truth, continuously updated with new data and observations, and curated to ensure relevance, helps you fast-track the process. With the ability to focus monitoring and detection on high-risk threats, you’ll gain real and meaningful benefits quickly, and have a solid foundation for more efficient and effective response.