Three Wishes to Revitalize SIEM and Your SOC
How many times have you hoped that a magic genie would somehow appear and grant three wishes? If the wishes were for your SIEM or security operations team, what would that be (and what kind of security certifications would you require of your genie)?
The most common wish I encounter is for a security team that delivers a new level of effectiveness. The other two wishes are usually greater efficiency—the idea of being able to do more with less—and being able to hire qualified and experienced candidates for positions that have remained unfilled for long periods of time. (Enterprising and budget-savvy CISOs may substitute one of these for wishing for an additional three wishes, if that is permissible.)
Efficiency for the Security Operations Team
While most organizations pride themselves on the overall quality of the security team and the excellence of their work, most would admit that this team is not really efficient. Too many factors work against it. The odds often seem to be in favor of attackers, and security professionals are left with a difficult, if not impossible, task. Most teams describe being inundated with alerts and incidents that may or may not prove valuable. Choosing the right place(s) to focus their attention is often based on hunches and educated guesses.
Besides a wish-granting genie, what would significantly change efficiency levels of the security team for the better? More alerts? Less alerts? More data? More intelligent data? Most security operations teams believe they have plenty of data—generally, too much. Investigations after a successful data breach usually show that the data and signs of the progressing attack were there all along; the problem was finding them in time and being able to respond quickly to mitigate or curtail theft or damage.
Despite these “20/20 hindsight” accounts, there still is a lack of appropriate data for many security teams. The siloed nature of security tools often impairs this capability. Attack campaigns – both automated and human-run – are multifaceted, and involve an expanse of both attack surface and infrastructure. Quickly and accurately finding signs of an in-progress attack requires data from many sources, including security tools, logs and strategically deployed sensors. Data from multiple tools needs to be combined. Small and otherwise inconsequential data points can be combined to show activity that might otherwise be undetectable. Other data points could be better identified as anomalous, but not indicative of an attack, eliminating false-positive alerts that greatly undermine overall security team or SIEM efficiency and effectiveness.
Reducing or eliminating false positives and false negatives would be an ultimate goal, and the closer teams can come to attaining it, the more efficient and effective they will become.
Data: A Blessing and a Curse for Security Teams
So, a full 360-degree view must come from data. At the same time, data must come quickly, ideally in real-time. Batch transmission or loading may create incomplete analysis and lead to faulty conclusions. The data set should be as complete as possible. For instance, endpoint data should provide details of who, what, how and when rather than merely detail an event by itself. Lack of clarity and context is a major contributor to inefficiency and ineffectiveness.
Top security professionals are good at correlating data to find actionable results. It takes a fair amount of work and expertise, and manually-performed correlation and analysis can only be performed on a relatively small amount of data. In this way, data can be a blessing and a curse. It’s a curse when there is far too much for the security operations team to handle. It can be a blessing when good automation is in place that can produce good correlations and perform accurate analysis. This kind of capability vastly increases the efficiency and effectiveness of the security team, because it acts as a multiplier of their efforts—far more with less—and enables all relevant data to be reviewed. It also enables professionals to do what they do best. Rather than sifting through massive amounts of data, teams can pinpoint issues quickly and further investigate them. Real security threats can be met with quick and decisive action.
While a magic genie would be nice, new technologies and procedures are helping security teams reinvent their efforts and achieve far greater levels of effectiveness and efficiency. Gartner and other analyst firms review these extended detection solutions and practices and understand their game-changing potential. Organizations that are trying to evolve their security operations teams and gain an edge against attackers should consider some of these recent technological developments. This new level of effectiveness is no longer a fairy tale or something from a faraway kingdom.