How a modern SOC can make your threat hunting smarter
Tech Beacon – Kate Scarcella
Security operations centers are being overwhelmed by data. Information from numerous sources (data from usage directories, asset inventory tools, geolocation tools, third-party threat intelligence databases, to name a few) pours into the SOC, where it is expected to be crunched for possible threats that security analysts can then remedy.
The funnel-and-crunch approach also produces a boatload of alerts for analysts to investigate. According to one Fortinet estimate (PDF), an analyst can expect to clear 20 to 25 alerts in a day, yet the average SOC receives 10,000 alerts a day. For larger organizations it is even worse: upwards of 150,000 alerts a day.
When you consider how many of those alerts are false positives (around 50%) and how many lack severity, it is easy to understand why there can be a lot of analyst churn in SOCs (anywhere from 10% to 50%, according to vendor Help Net Security) and why there is little time left for threat hunting.
According to a 2019 survey by the SANS Institute, 14% of organizations pegged the time between compromise and detection at from one to six months. Adding to a SOC’s data woes is the Internet of Things. There can be thousands of those devices feeding data into the SOC, turning a data pool into a data swamp. If any of those devices are compromised, it is nearly impossible for a security team to discover it in time to make a difference by using the common approaches of data collection and analysis.
A system with intelligent agents on the IoT devices can also nip threats in the bud through application whitelisting, preventing unauthorized data modification on the device, and controlling data flow integrity, making sure executables run correctly.
What’s more, machine learning and analytics can profile devices; they essentially create a unique fingerprint for each one. Data from the devices can be enriched in real time and given context, which can make a SOC and threat hunters more effective. Threat intelligence context can be used to enhance detection analytics, improving a SIEM’s ability to identify threats. It can also be used to boost a threat’s risk score, prioritizing higher-risk threats for investigation.
By using endpoint detection and response (EDR) as a primary source of data, threat hunters can receive a handful of quality leads about potential malicious activity in their environment.
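The two preceding paragraphs describe enriching alert data with asset and threat-intelligence context and using that context to raise a risk score so that higher-risk leads are investigated first. The following is an added example written for this page, not code from the article or from any vendor it mentions: it takes a few constructed EDR-style alerts, attaches asset-inventory context, a per-device port baseline (a stand-in for the learned device fingerprint the article describes) and threat-intel matches, then scores and ranks them. Every host name, IP address, hash, feed entry and scoring weight is a constructed assumption.

```python
# Added example (not from the TechBeacon article): enrich EDR-style alerts with
# asset-inventory context, a simple per-device behaviour baseline and threat-intel
# matches, then compute a risk score so the highest-risk leads are triaged first.
# All assets, indicators, alerts and scoring weights below are constructed sample data.

from dataclasses import dataclass, field
from typing import Optional

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewels) and the
# destination ports the device is normally seen talking to (a stand-in for the
# learned "fingerprint" an ML profiler would produce).
ASSETS = {
    "iot-cam-17": {"type": "ip-camera", "criticality": 2, "baseline_ports": {443, 123}},
    "db-01": {"type": "database", "criticality": 5, "baseline_ports": {5432, 443}},
    "ws-042": {"type": "workstation", "criticality": 3, "baseline_ports": {80, 443, 53}},
}

# Constructed threat-intel indicators (TEST-NET addresses, placeholder hashes).
TI_IPS = {"203.0.113.9": {"confidence": 90, "tag": "c2"}}
TI_HASHES = {"deadbeef" * 8: {"confidence": 70, "tag": "loader"}}

# Constructed EDR alerts. severity: 1 (info) .. 5 (critical), as rated by the EDR alone.
ALERTS = [
    {"id": "a1", "host": "iot-cam-17", "dst_ip": "203.0.113.9", "dst_port": 8443,
     "sha256": "0" * 64, "severity": 2},
    {"id": "a2", "host": "ws-042", "dst_ip": "198.51.100.4", "dst_port": 443,
     "sha256": "1" * 64, "severity": 4},
    {"id": "a3", "host": "db-01", "dst_ip": "198.51.100.22", "dst_port": 5432,
     "sha256": "deadbeef" * 8, "severity": 1},
    {"id": "a4", "host": "unknown-host", "dst_ip": "198.51.100.7", "dst_port": 443,
     "sha256": "2" * 64, "severity": 1},
]


@dataclass
class EnrichedAlert:
    alert: dict
    asset: Optional[dict]
    ti_matches: list = field(default_factory=list)
    off_baseline: bool = False


def enrich(alert: dict) -> EnrichedAlert:
    """Attach asset context, TI hits and a baseline-deviation flag to one alert."""
    asset = ASSETS.get(alert["host"])
    e = EnrichedAlert(alert=alert, asset=asset)
    if alert["dst_ip"] in TI_IPS:
        e.ti_matches.append(("ip", TI_IPS[alert["dst_ip"]]))
    if alert["sha256"] in TI_HASHES:
        e.ti_matches.append(("hash", TI_HASHES[alert["sha256"]]))
    # Only devices with a known profile can deviate from it.
    if asset is not None and alert["dst_port"] not in asset["baseline_ports"]:
        e.off_baseline = True
    return e


def risk_score(e: EnrichedAlert) -> int:
    """0..100 score built from EDR severity, asset criticality, TI confidence and baseline deviation."""
    score = e.alert["severity"] * 10                        # 10..50 from the EDR rating alone
    criticality = e.asset["criticality"] if e.asset else 3  # unknown asset: assume medium
    score += criticality * 4                                # 4..20
    for _, indicator in e.ti_matches:
        score += indicator["confidence"] // 3               # up to 33 per matching indicator
    if e.off_baseline:
        score += 10
    return min(score, 100)


def triage(alerts, threshold: int = 50):
    """Return ([(alert_id, score), ...] highest first, [ids at or above threshold])."""
    scored = sorted(((a["id"], risk_score(enrich(a))) for a in alerts),
                    key=lambda item: item[1], reverse=True)
    leads = [aid for aid, score in scored if score >= threshold]
    return scored, leads


if __name__ == "__main__":
    ranked, hunt_first = triage(ALERTS)
    for aid, score in ranked:
        print(f"{aid}: {score}")
    print("hunt first:", hunt_first)
```

The point to notice is alert a3: the EDR rated it severity 1, but a threat-intel hash match on a criticality-5 database host lifts it above a2, which the EDR rated severity 4 on an ordinary workstation with no corroborating context. That reordering is what context-driven risk scoring buys a hunter; the weights themselves are arbitrary and would be tuned against an organization's own false-positive history.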
Link: https://techbeacon.com/security/how-modern-soc-can-make-your-threat-hunting-smarter