This is a contributed article by George Michael, research analyst at Countercept by MWR InfoSecurity.
A Google image search for “Security Operations Centre (SOC)” returns the classic picture of intrusion detection: a mission-control style room with clusters of big screens showing fancy imagery. But against contemporary cyber threats, has this “old era” approach to intrusion detection had its day?
All show and no substance
Projects such as Threat Butt exist to satirise the threat maps that SOCs display on screen, the ones showing “live attack data” shooting across the globe in all directions. Impressive to the untrained eye, but what does any of it actually mean? The truth is: not a lot.
From a marketing perspective, the mission-control style SOC has a lot going for it. It looks extremely impressive and delivers the ‘wow factor’ that potential clients and senior management expect. The issue is that this approach has long been criticised by security professionals, who argue that the “show piece” effect is nothing more than smoke and mirrors: a visual pretence that conceals an inability to actually detect attacks and deliver actionable intelligence in real time.
Intrusion detection has built up a bad reputation for itself over the decade or more that it has existed as an industry. Why? Because attacks have been on the rise, and the intrusion detection industry simply hasn’t developed quickly enough to keep up with modern attackers.
Compare this with our own experience of conducting countless targeted attack simulations against organisations across the globe: despite those organisations having various security measures and defences in place, these simulated attacks achieve a 100% success rate. The truth is that very few (if any) of them are even detected.
Whilst it is true that centralised log collection can be a beneficial component of an effective attack detection system, the situation SOCs end up in is a mountain of data that is very difficult to process and a huge number of daily alerts, the overwhelming majority of which are false positives. Even when a legitimate attack or compromise is identified, it can be very difficult to investigate or respond to it without additional capabilities.
This is also usually a threat-intelligence or signature-focused approach (which in practice amount to the same thing: matching indicators of attacks that someone has already observed), so at best it is a system that can only detect compromises that have been seen before. It will not pick up an advanced, new, targeted attack.
Detection is moving away from a room full of analysts on standby, waiting for automated tools to do most of the work by pushing alerts to them before they jump into action, while other threats continue to loom beneath the surface.
The dawn of the ‘threat hunter’
The new era of detection is driven by diverse teams of security professionals actively combing through networks looking for signs of compromise. The model is more akin to a team of penetration testers scanning networks in search of vulnerabilities; here, though, it is a team of analysts hunting for breached systems, with not a ‘threat map’ in sight.
To thoroughly investigate modern attacks, these teams need a wide range of skills and expertise across their members: knowledge of the suspected threat actor, understanding of the compromised technology, and the ability to identify the capabilities and potentially the origin of the malware. Such diverse knowledge rarely exists in a handful of minds. Across a wider team, each member with specialist skills, it can be brought together and applied in partnership with the owner of the network under investigation, who will naturally be looking for answers to a number of critical questions.
With demand for security professionals significantly outweighing supply, assembling a truly skilled and diverse team increasingly means drawing on people spread across several locations. Spreading that skillset across a distributed team in turn requires an efficient remote collaboration environment to be effective. The ideal is a secure room, virtual rather than physical, in which all the minds required to investigate and handle an incident can be assembled quickly.
The increasing emphasis on detection capability, as opposed to prevention capability, is driving the industry forward. It is vital that modern organisations adopt this approach: assume that a breach has occurred or will occur, that it will bypass preventative controls, and that it needs detecting quickly.
With security professionals looking to distance themselves from the older, ineffective and already tainted era of “intrusion detection”, it’s time for the ‘missioncontrolasaurus’ to take its place in history and step aside for the new kid, the ‘threat hunter’, to take up the chase.
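The contrast drawn above, between matching threat-intelligence indicators that have already been seen and a hunter querying fleet-wide telemetry for anything unusual, can be shown concretely. The following is an added example and not code from the original article or from Countercept/MWR; the process-creation events, the indicator feed, the hostnames and the hashes are all constructed for illustration, and the “rare parent/child” threshold is an arbitrary assumption. Real input would be EDR or Sysmon process-creation telemetry collected centrally.

```python
"""Signature (IOC) matching versus a hunt query, run over constructed events.

Added illustration, not the article's or Countercept/MWR's code. Every event,
hash and hostname below is made up; the hunt threshold (max_hosts) is an
assumption that an analyst would tune to the size of the estate.
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "host parent child sha256 cmdline")

# Constructed hashes (64 hex chars each, not real samples).
H_OUTLOOK = "a1" * 32
H_SVCHOST = "b2" * 32
H_KNOWN_BAD = "c3" * 32   # commodity malware that a vendor has already published
H_NOVEL = "d4" * 32       # a fresh, never-reported payload used in a targeted attack

# Constructed process-creation events from four workstations.
EVENTS = [
    Event("ws01", "explorer.exe", "outlook.exe", H_OUTLOOK, "outlook.exe"),
    Event("ws01", "services.exe", "svchost.exe", H_SVCHOST, "svchost.exe -k netsvcs"),
    Event("ws02", "explorer.exe", "outlook.exe", H_OUTLOOK, "outlook.exe"),
    Event("ws02", "services.exe", "svchost.exe", H_SVCHOST, "svchost.exe -k netsvcs"),
    Event("ws02", "explorer.exe", "update.exe", H_KNOWN_BAD, "update.exe /silent"),
    Event("ws03", "explorer.exe", "outlook.exe", H_OUTLOOK, "outlook.exe"),
    Event("ws03", "services.exe", "svchost.exe", H_SVCHOST, "svchost.exe -k netsvcs"),
    Event("ws03", "explorer.exe", "update.exe", H_KNOWN_BAD, "update.exe /silent"),
    Event("ws04", "explorer.exe", "outlook.exe", H_OUTLOOK, "outlook.exe"),
    Event("ws04", "services.exe", "svchost.exe", H_SVCHOST, "svchost.exe -k netsvcs"),
    # Targeted attack: a Word document spawning PowerShell with a hidden, encoded command.
    Event("ws04", "winword.exe", "powershell.exe", H_NOVEL,
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
]

# Constructed threat-intelligence feed: only what someone else has already reported.
KNOWN_BAD_SHA256 = {H_KNOWN_BAD}


def ioc_match(events, known_bad):
    """Signature-style detection: flag events whose hash is in the feed.

    Catches the commodity sample on ws02/ws03 and nothing else; the novel
    payload on ws04 has no indicator yet, so it is invisible to this check.
    """
    return [e for e in events if e.sha256 in known_bad]


def hunt_rare_parent_child(events, max_hosts=1):
    """Hunt query ("stack counting"): group parent->child image pairs by the
    hosts they occur on and return the pairs seen on at most max_hosts hosts.

    No prior knowledge of the attacker is needed; the output is a short list
    of oddities for an analyst to triage rather than a verdict.
    """
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e.parent, e.child)].add(e.host)
    return {pair: sorted(hosts)
            for pair, hosts in hosts_by_pair.items() if len(hosts) <= max_hosts}


def events_for_pairs(events, pairs):
    """Pull back the raw events behind the rare pairs so the analyst can see
    the command lines (here, the encoded PowerShell) rather than just a count."""
    return [e for e in events if (e.parent, e.child) in pairs]


if __name__ == "__main__":
    print("IOC matches:")
    for e in ioc_match(EVENTS, KNOWN_BAD_SHA256):
        print(f"  {e.host}: {e.parent} -> {e.child}")
    rare = hunt_rare_parent_child(EVENTS)
    print("Rare parent/child pairs from the hunt:")
    for e in events_for_pairs(EVENTS, rare):
        print(f"  {e.host}: {e.parent} -> {e.child}  {e.cmdline}")
```

Running the script shows the two approaches surfacing different things: the IOC match returns only the already-published sample on ws02 and ws03, while the stack-counting hunt returns only the winword.exe to powershell.exe pair on ws04, the one the feed knows nothing about. Raising `max_hosts` to 2 makes the hunt also surface the update.exe pair, which is the usual trade-off: a looser threshold means more candidates for the analyst to work through by hand.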