Enterprise networks grow by the minute, with a multitude of assets spread across both cloud and on-prem environments. This rapid growth of assets and services gives attackers a large attack surface to probe for vulnerabilities and exploit systems.
Security teams, and SOC analysts in particular, play a key role in upholding the security posture of modern enterprise networks. It is the SOC analyst's job to go through every single alarm and evaluate the threat by drilling down into the underlying events, then either escalate it or close it as a false positive.
Even in modern SOC deployments built on industry-leading SIEM platforms, analysts are still bogged down by a huge volume of false-positive alarms, which makes it extremely hard for them to operate efficiently. As the saying in the info-sec community goes,
Attackers have to win only once, and Defenders have to win every single time
Story of SIEM and False Positive Alarms
Security operations is an art, and a SIEM is only as good as the analyst monitoring it. Every deployment is unique, and an analyst is expected to understand the root cause of every false-positive alarm in order to fine-tune it so that it does not trigger again. This requires a deeper understanding of the security device or application from which the log originates, gained either from years of security operations experience across many different scenarios or through rigorous training of SOC analysts.
Most SOC operations run on the out-of-the-box alarms that ship with the SIEM, and many of these use cases/alarms require fine-tuning. Excessive fine-tuning can kill the detection logic and render the alarm useless, while improper fine-tuning leads to a high number of false positives and a triage backlog. Additionally, new cutting-edge alarms have to be developed, tested, and deployed from time to time to stay protected.
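The tuning trade-off described above can be made concrete with a small brute-force-login rule run over constructed authentication events. The code below is an added example and is not part of the original post or of any SIEM product: the IP addresses, user names, timestamps, the 5-failures-in-5-minutes threshold and the suppression lists are all assumptions chosen for illustration. The same detection function is run untuned, tuned (suppressing only the scanner's own service account from the scanner host) and over-tuned (suppressing the scanner host entirely), so the reader can see which alerts each variant produces and which one it misses.

```python
# Added example (not from the original post): one brute-force-login rule
# run with three different tuning configurations over constructed events.
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 8, 0, 0)     # constructed base time
WINDOW = timedelta(minutes=5)           # assumed correlation window
THRESHOLD = 5                           # assumed failure count that fires the alarm


def _burst(src, user, start_s, count, step_s, outcome="failure"):
    """Build `count` events from `src`/`user`, `step_s` seconds apart (constructed data)."""
    return [(T0 + timedelta(seconds=start_s + i * step_s), src, user, outcome)
            for i in range(count)]


# Constructed sample events: (timestamp, source_ip, user, outcome).
# 10.0.0.5 is an assumed internal vulnerability scanner whose service
# account fails logins by design; 203.0.113.7 is an assumed external source.
EVENTS = (
    _burst("10.0.0.5", "svc-scanner", 0, 6, 20)       # scanner doing its normal job
    + _burst("192.0.2.10", "alice", 300, 2, 10)       # user mistypes a password twice ...
    + [(T0 + timedelta(seconds=320), "192.0.2.10", "alice", "success")]  # ... then logs in
    + _burst("10.0.0.5", "admin", 600, 5, 30)         # scanner host used against "admin"
    + _burst("203.0.113.7", "root", 1200, 8, 15)      # external password guessing
)

# Suppression entries are (source_ip, user); "*" as user means "any user from that source".
UNTUNED = frozenset()
TUNED = frozenset({("10.0.0.5", "svc-scanner")})      # narrow: only the scanner's own account
OVER_TUNED = frozenset({("10.0.0.5", "*")})           # broad: the whole scanner host


def _is_suppressed(src, user, suppressed):
    return (src, user) in suppressed or (src, "*") in suppressed


def failed_login_bursts(events, threshold=THRESHOLD, suppressed=UNTUNED):
    """Return sorted (source_ip, max_failures_in_window) for every source that
    reaches `threshold` login failures inside any WINDOW-long sliding window."""
    failures = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        if outcome != "failure" or _is_suppressed(src, user, suppressed):
            continue
        failures[src].append(ts)

    alerts = []
    for src, times in failures.items():
        # Two-pointer sliding window over the (already sorted) failure timestamps.
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((src, best))
    return sorted(alerts)


def untuned_rule(events=EVENTS):
    return failed_login_bursts(events, suppressed=UNTUNED)


def tuned_rule(events=EVENTS):
    return failed_login_bursts(events, suppressed=TUNED)


def over_tuned_rule(events=EVENTS):
    return failed_login_bursts(events, suppressed=OVER_TUNED)


if __name__ == "__main__":
    print("untuned   :", untuned_rule())     # scanner noise plus the two real hits
    print("tuned     :", tuned_rule())       # scanner noise gone, both real hits kept
    print("over-tuned:", over_tuned_rule())  # the "admin" attempts from the scanner host are lost
```

The untuned rule raises three alerts including the scanner's routine noise; the tuned rule still fires on the attempts against "admin" from the scanner host, because the suppression is scoped to the (source, user) pair rather than to the host; the over-tuned rule silences that case entirely, which is exactly the "kill the logic" failure the text warns about.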
Hunting Down Advanced Persistent Threats
Just like conventional defenders, cyber defense operators need to prioritize assets, set perimeters, stand guard (SOC monitoring), establish intelligence (threat feeds) and counterintelligence practices (honeypots, honey tokens), draft incident response plans, and test those plans with a drill (red team assessments) from time to time to be successful.
But unlike conventional defenses, cyber-defense perimeters are complex and remain vulnerable even with all the best practices in place. The best technology companies have been breached in recent years, and each of these breaches teaches us the importance of the cyber security hygiene and habits that enterprises should follow. This requires a combination of technology, discipline, stringent SOC operational procedures with advanced use cases, and a committed SOC team. Doing so reduces the attack surface and greatly reduces the blast radius even in the case of an unforeseen attack.
Importance of Imparting Adversarial Thinking in SOC Analysts
While knowledge of SIEM tools and other network security devices is an absolute need, what sets the best SOC analysts apart is their adversarial thinking.
“Adversarial thinking is a security mindset in which security analysts can visualize where, when and how cyber adversaries are going to stage an attack, and what tactics they could apply to avoid detection and stay stealthy on the network to achieve their mission.”
Being able to think like an attacker helps SOC analysts stay one step ahead in the game and succeed when combating advanced adversaries.
Secure Traces Managed SOC Services
Our SOC analysts are handpicked, periodically trained, and mentored to stay on top of their game. With Secure Traces MSSP services, organizations can rely on our expertise to defend against advanced cyber adversaries at unmatched efficiency and cost.