Remember when we used to believe we could prevent every attack? We focused on prevention, layering defenses so that if one layer failed another would be there to stop the attack. As the years passed, we realized that despite a defense-in-depth strategy, 100% prevention wasn’t possible.
In fact, attacks are happening with increasing velocity and the average cost of a data breach continues to rise – from $3.62 million last year to $3.86 million in 2018, according to a study by Ponemon Institute. A significant contributing factor to the increased cost is dwell time, which has also risen to 197 days from 191 in 2017, not to mention the additional 69 days to contain a threat, up from 66.
These days we believe that “it’s not a matter of if, but when and how” we’ll be attacked. So, we’ve shifted our focus to include detection and response, and some people talk about using Security Orchestration, Automation and Response (SOAR) tools, specifically playbooks, to accelerate response and mitigate risk. Playbooks are good for automating known processes when you have high confidence in the data being used and the decisions that need to be made. However, the reality is that the confidence level for full automation is not there most of the time. Why? Data, especially with the increasingly large data sets we use, can be extremely noisy. If you start automating noise, the result will be amplified noise. Furthermore, decisions are not always black or white; they may need human intelligence or intuition. There is only one way to raise the confidence level so you know you’re automating the right actions and your response is effective. You first need to investigate.
Like any good detective, you need to gather facts and evidence. This starts with a platform that aggregates and normalizes data from disparate sources – the multiple internal systems (for example from your security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) and their events and associated indicators, along with the many external threat feeds you subscribe to. Combining your internal and external data provides the context to understand the who, what, where, when, why and how of an attack. However, you still have a lot of data to sift through. You need the ability to prioritize data based on relevance to your environment, customizing risk scores based on parameters you set instead of relying on the global risk scores some vendors provide.
In addition to looking at facts and evidence, detectives tap into their intuition, memory, learning and experience to refine their analysis and move faster through the investigation process. Recognizing the multiplier effect of collaboration, they gather in war rooms and work in teams to take advantage of the full breadth and depth of human intelligence available to solve the crime and catch the perpetrator.
Security professionals also need a way to leverage the knowledge of others and collaborate, but this can be difficult as teams tend to act independently and inefficiently using siloed technologies. With a platform that can act as a virtual cybersecurity situation room, teams and team members can share the same pool of threat data and evidence to conduct investigations collaboratively. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. The platform must also be able to store and prioritize the data collected from all investigations so it can learn from new data and context as well as serve as organizational memory and facilitate future investigations. With access to a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs), teams can conduct investigations more efficiently and effectively and can respond more quickly and accurately to a breach that has happened.
The above is all well and good when there is a trigger to start the process. But what about scenarios that may not have a trigger, like proactive threat hunting?
When detectives reopen a cold case or look for a serial killer that seems to be moving across the state and headed to their jurisdiction, they have the benefit of additional learnings. For example, they may be able to take advantage of advances in DNA testing, other modern forensics tools and a growing database of insights as the perpetrator commits additional crimes.
When security teams proactively hunt for threats that they learn about from an external report or believe they might have missed in the past, they can do the same. New data and learnings are continuously added to the investigations platform, resulting in a reevaluation and reprioritization of intelligence to support ongoing hunts. Prioritization is key to remove the noise and remain focused on the hunt at hand.
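The aggregation and prioritization described above (normalizing indicators from an internal and an external source, then scoring them with parameters the organization sets rather than the vendor's global score, and rerunning the ranking as new sightings arrive) as an added illustration that is not from the original article; the sources, weights and records are constructed.

```python
"""Added example: merge a SIEM export with an external feed, then rank by a
locally tuned risk score instead of the feed's global score."""
from dataclasses import dataclass, field

# Constructed sample records: one internal SIEM alert, two feed entries.
INTERNAL_EVENTS = [
    {"indicator": "203.0.113.5", "type": "ip", "hits": 3, "asset_tier": "crown-jewel"},
]
EXTERNAL_FEED = [
    {"value": "203.0.113.5", "kind": "ip", "vendor_score": 40, "tags": ["c2"]},
    {"value": "198.51.100.9", "kind": "ip", "vendor_score": 95, "tags": ["scanner"]},
]

@dataclass
class Indicator:
    value: str
    itype: str
    vendor_score: int = 0
    tags: set = field(default_factory=set)
    internal_hits: int = 0
    asset_tier: str = "none"

def normalize(internal, external):
    """Aggregation step: fold both sources into one record per indicator."""
    merged = {}
    for e in external:
        ind = merged.setdefault(e["value"], Indicator(e["value"], e["kind"]))
        ind.vendor_score = max(ind.vendor_score, e["vendor_score"])
        ind.tags.update(e["tags"])
    for e in internal:
        ind = merged.setdefault(e["indicator"], Indicator(e["indicator"], e["type"]))
        ind.internal_hits += e["hits"]
        ind.asset_tier = e["asset_tier"]
    return merged

# Hypothetical organization-set parameters; the vendor score is only a minor term.
WEIGHTS = {"tag": {"c2": 40, "scanner": 5}, "tier": {"crown-jewel": 20, "none": 0},
           "hit": 3, "vendor": 0.2}

def risk_score(ind, w=WEIGHTS):
    score = w["vendor"] * ind.vendor_score
    score += sum(w["tag"].get(t, 0) for t in ind.tags)
    score += w["tier"].get(ind.asset_tier, 0)
    score += w["hit"] * min(ind.internal_hits, 10)  # cap so noisy repeats cannot dominate
    return min(round(score), 100)

def prioritize(internal, external, w=WEIGHTS):
    """Rank by local relevance; rerun whenever new internal or external data lands."""
    merged = normalize(internal, external)
    return sorted(merged.values(), key=lambda i: risk_score(i, w), reverse=True)
```

The feed's top-scored indicator (95) ranks below the one seen on a crown-jewel asset, which is the point of scoring on your own parameters.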
SOAR has been the catalyst for a lot of great discussions and advances in the security industry. It has breathed new life into the topic of automation and put response in the spotlight. But what is also clear is that SOAR is much more than running playbooks. At its core, SOAR is about more efficient and effective investigations. We now see it giving rise to the age of the investigations platform, where data aggregation and prioritization are combined with human intelligence, collaboration and learnings. This allows us to raise the confidence level for automation and take the right actions faster to mitigate risk from the inevitable attack.