The cyber warrior community is filled with many innovative tools to combat the bad guys. I’m sure they would admit that they have some problems. What’s your problem? I hear a lot from customers that the biggest concern is cross-comparing threats across different tools.
In most Security Operations Centers (SOCs), if one risk management tool identifies a potential breach, a cyber warrior must cross-reference that possibility against at least two or three other tools’ data to determine whether it is real. For instance, if a virtual sandbox test of a download identifies suspicious activity, the analyst must then bring up three other security systems and compare the data against them — the Intrusion Protection System (IPS) logs, the Security Information and Event Management (SIEM) logs, and the endpoint console. Only after cross-referencing to find out which breaches have actually occurred can the cyber warrior determine the best way to clean up the mess.
This is time-intensive and fraught with potential for human error. The problem isn’t poor training, negligence, or lack of desire — it’s sheer volume.
When you have to work through so many alarms and false alarms, it’s hard to be right every time. The bad guy only needs to be right one time in a thousand; the cyber warrior has to be right a thousand times out of a thousand.
APT Hide and Seek
Many times, a single tool will not raise a flag at all, yet taken together, all four tools would throw up a huge red flag. When does a cyber warrior, already overworked cross-comparing the many daily alerts that aren’t truly threats, have time to do that? So, what’s the remedy? You can:
- Get more cyber warriors. Easier said than done. Two more problems emerge: cost and reality of available talent. It’s just not feasible.
- Integrate, so your tools can share data with more automation. The two possible ways to achieve this are either a homogeneous set of tools or a tool designed to integrate and manage multiple vendors’ activities (this should be a huge priority for CISOs).
- Use automated forensics and analytics – it’s new, and exciting for sure. Some simply pre-compare alarms from multiple vendors to find similar threats and save time on the first steps of that labor-intensive SOC duty. Others are more advanced, offering behavioral forensics and analytics: rather than looking for alarms, they go beyond them and identify threats that might never have set off an alarm at all. This not only advances the war against outside threats, but can also identify insider activity that would have been impossible to catch so quickly before.
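As an added example (not from the original post), here is a minimal correlation rule in Python that implements the argument above: it joins constructed sample events from the four tools named (sandbox, IPS, SIEM, endpoint) by host within a time window and flags the host when enough distinct tools agree, even though no single event crosses a per-tool alarm threshold. The event fields, scores, host names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from the four sources named in the text.
# Each one, on its own, stays below the level that would page an analyst.
EVENTS = [
    {"src": "sandbox",  "host": "ws-17", "ts": "2024-01-10T09:01:00", "score": 0.4, "detail": "download spawns a shell"},
    {"src": "ips",      "host": "ws-17", "ts": "2024-01-10T09:03:00", "score": 0.3, "detail": "low-severity outbound signature"},
    {"src": "siem",     "host": "ws-17", "ts": "2024-01-10T09:05:00", "score": 0.3, "detail": "new scheduled task created"},
    {"src": "endpoint", "host": "ws-17", "ts": "2024-01-10T09:06:00", "score": 0.4, "detail": "unsigned binary in temp dir"},
    {"src": "ips",      "host": "ws-42", "ts": "2024-01-10T09:02:00", "score": 0.3, "detail": "low-severity outbound signature"},
    {"src": "siem",     "host": "ws-42", "ts": "2024-01-10T12:30:00", "score": 0.3, "detail": "new scheduled task created"},
]

SINGLE_TOOL_THRESHOLD = 0.8   # assumed score a single console needs before it alarms
WINDOW = timedelta(minutes=30)  # assumed correlation window
MIN_SOURCES = 3                 # distinct tools that must agree inside the window


def single_tool_alarms(events, threshold=SINGLE_TOOL_THRESHOLD):
    """What the analyst sees today: only events loud enough to alarm by themselves."""
    return [e for e in events if e["score"] >= threshold]


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Group events per host, slide a time window over them, and flag a host when
    at least `min_sources` distinct tools reported something inside one window.
    Returns {host: sorted list of agreeing sources}; hosts with too few
    independent signals, or signals spread too far apart in time, are not flagged."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))
    flagged = {}
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):
            in_window = [e for ts, e in items[i:] if ts - start <= window]
            sources = {e["src"] for e in in_window}
            if len(sources) >= min_sources:
                flagged[host] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    print("per-tool alarms:", single_tool_alarms(EVENTS))  # nothing fires on its own
    print("correlated:", correlate(EVENTS))                 # ws-17 is flagged by four tools
```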
Front Line Relief
If both an integration tool and a behavioral forensics tool are brought into a SOC, the effectiveness of the team should increase exponentially more than it would by bringing in two unrelated cutting-edge tools. That would certainly relieve the pressure and the time crunch on the cyber warriors in the trenches.