We’re far removed from the halcyon era - which wasn’t so long ago - when money flowed freely into enterprise Security Operations Centers (SOCs). Today, SOCs, which are cost centers for the enterprise, are being forced to do more with less even as their workloads get heavier all the time.
That’s why this may be the time to ask how we can make SOCs both more efficient and better able to handle the myriad of threats they’re tasked with investigating.
Symantec, a division of Broadcom (NASDAQ: AVGO), came up with ways to rethink the way enterprises should handle prevention and early detection of new threats. But first, let’s place this in historical context to understand the challenge.
Traditionally, SOCs were not staffed by security specialists. In the early days, SOCs depended on people who had previously held IT/SysAdmin roles. Over time, SOCs matured and attracted practitioners dedicated to the field. But as the SOC function became more independent, IT staffers had a hard time trusting detection and response recommendations from analysts who they felt lacked sufficient SysAdmin experience or empathy for the end users.
Why it Matters
None of that helped when it came to threat response. In a situation where speed matters, this disconnect slowed down the SOC's ability to respond to new threats.
Early detection of an incident results in easier remediation - especially if an organization can respond before attackers are able to move laterally. Historically, SOC managers have been limited by security tools that were designed to detect and not to prevent threats. This fueled the siloed organizational approach of keeping the SOC teams and operations teams separate. Siloed organizations and processes can lead to inefficiencies, as teams may not be fully aware of each other’s capabilities to detect and prevent threats.
Prevention and Early Detection
Detection and response is really the most expensive part of the endpoint security process. The question is how to front-load the prevention as much as possible while minimizing the effort, time and money spent on investigating and responding to a potential breach.
When prevention products fail, it’s typically because edge cases create disruptive false positives, so the offending behavior ends up not being blocked. Many organizations are further hampered because they don't have the necessary configurations, or the prevention products themselves, to know what can and can't be configured safely in their specific environments. That puts more burden on already stretched SOC teams.
It’s also why we’ve focused at Symantec on engineering systems that combine the best of prevention with early detection of threats when prevention fails.
The goal should be to stop certain types of behavior from happening on an endpoint in the first place. For example, you might implement security controls that block certain applications from running PowerShell scripts, creating executables or establishing network connections. Such scripts are often embedded in Office documents – some of them potentially malicious – which arrive on endpoints via phishing links or email.
Fighting SOC Fatigue
Symantec is making this task easier by mapping prevention controls back to the MITRE ATT&CK framework to block different attack techniques used by attackers. This goes beyond detection and provides a common language for analysts to use when they're comparing different attack techniques. With all these attack surface reduction controls mapped out, defenders can then connect these various techniques back into their own prevention policy.
By taking this approach, the traditional process of investigating suspicious activity and responding to attacks now becomes an opportunity to prevent them from happening in the future. This is done easily by directly linking suspicious behavior detections to policy-based prevention controls. Operationally, this is accomplished quickly by an analyst using a single console where all EDR detections and prevention policies coexist. The MITRE ATT&CK tactics and techniques glue the prevention world and the detection world together.
Providing the right security controls is only half the battle. The other half is ensuring that they can be used effectively without disrupting end users. Symantec is able to provide the necessary information that helps determine whether a particular technique was previously used within a customer’s environment. If not, it’s probably safer to block upfront. This type of guidance has not been available in security tools until now because vendors haven’t been able to link techniques back to security incidents or historical usage.
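The three ideas above (blocking Office applications from spawning script interpreters, writing executables or opening network connections; tagging each control with the MITRE ATT&CK technique it prevents; and deciding from historical usage whether a control is safe to block upfront) as one worked example. This is added illustration, not Symantec's code: the event format, hostnames, IP and the technique-to-control mapping are constructed assumptions.

```python
# Added example (not Symantec's code): tag constructed EDR-style events from
# Office applications with the ATT&CK technique they map to, then turn the
# environment's historical usage into a prevention-policy recommendation.
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def _office(name):
    return name.lower() in OFFICE_APPS

# Attack-surface-reduction controls named in the text. Each carries the
# ATT&CK technique ID it prevents; the mapping is an illustrative assumption.
CONTROLS = {
    "block_office_powershell": ("T1059.001",   # Office app spawns PowerShell
        lambda e: _office(e["parent_image"]) and e["image"].lower() == "powershell.exe"),
    "block_office_cmd": ("T1059.003",          # Office app spawns cmd.exe
        lambda e: _office(e["parent_image"]) and e["image"].lower() == "cmd.exe"),
    "block_office_exe_write": ("T1204.002",    # Office app writes an executable
        lambda e: _office(e["image"]) and e.get("file_created", "").lower().endswith(".exe")),
    "block_office_network": ("T1105",          # Office app opens a network connection
        lambda e: _office(e["image"]) and "dest_ip" in e),
}

def match_controls(event):
    """Return (control, technique) pairs this event would have tripped."""
    return [(name, tid) for name, (tid, pred) in CONTROLS.items() if pred(event)]

def recommend_policy(events):
    """Per control: 'block' if its technique was never seen in this environment
    (safe to block upfront), else 'review' with the count of affected hosts,
    so an analyst inspects the matching detections before switching to block."""
    hosts = defaultdict(set)
    for e in events:
        for name, _ in match_controls(e):
            hosts[name].add(e["host"])
    return {name: ("block", 0) if not hosts[name] else ("review", len(hosts[name]))
            for name in CONTROLS}

# Constructed sample telemetry (hostnames and the TEST-NET IP are made up).
EVENTS = [
    {"host": "ws01", "parent_image": "WINWORD.EXE", "image": "powershell.exe"},
    {"host": "ws02", "parent_image": "explorer.exe", "image": "EXCEL.EXE", "dest_ip": "203.0.113.10"},
    {"host": "ws03", "parent_image": "explorer.exe", "image": "powershell.exe"},  # not Office-spawned
    {"host": "ws01", "parent_image": "WINWORD.EXE", "image": "powershell.exe"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["host"], match_controls(e))
    print(recommend_policy(EVENTS))
```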
The payoff of using the learnings from previous investigations is to reduce the number of incidents that SOCs ultimately need to investigate in the future. One cannot overstate the benefits of reducing the alert noise over time. On the one hand, you're less likely to let the truly important attacks slip through. On the other hand, you’ll have more time to investigate and address those attacks that truly need your attention.
I’ll be speaking about these and related issues in an upcoming webinar. Click here to register. I look forward to hearing your input.
Symantec's Complete Endpoint Security Solution: A Deep Dive Into New Features
In these challenging times, companies need a seamless endpoint solution to address expanding exposures such as the new work-from-home environment.