Improving SOC Operations in the Covid World
At the onset of the Covid-driven pandemic, no one could foresee either how long recovery would take or how it would change the work environment for the foreseeable future. The workforce, including SOC (Security Operations Center) analysts, is now mostly working remotely, and analysts working on rigs assembled at home do not necessarily have the hardened, standardized builds they would be using in the SOC. That alone is a major risk, and with almost all workers remote, spam and phishing attacks are on the rise, as are their success rates (see https://www.pcmag.com/news/phishing-attacks-increase-350-percent-amid-covid-19-quarantine).
Why? Look no further than the technical environment every worker is now in: a home office on a residential internet connection, a network shared with many potentially unprotected endpoints, and all the distractions of home. The occasional work-from-home day was manageable; continuous work-from-home has pushed security analysts past the edge of what they can manage. Even when the average worker was on an organization-provided connection, controlling their access and making sure they did not fall for the internet's many lures was a challenge. So how do we address this new situation?
Enter the Active Cyber Defense Resiliency Center (CDRC)
CDRC automates 80% of the Tier-1 analyst's routine work and hands it to a software bot that can trawl through a million log entries in under 3 seconds. So what happens to the analyst's job? It is not being sacrificed to another computer; this is where the true value of the analyst kicks in. The bot can trawl through the logs, but it takes a human analyst to review the bot's findings, make logical sense of them, and take appropriate action.
The bots do make life easier, but how do we know they are doing the right thing? This is where the strength of the Active CDRC shows:
- Continuous, automated red teaming emulates attackers, identifies the paths an attacker would most likely take, checks them for vulnerabilities and highlights those to the analyst for action.
- Continuously running simulations examine the possible consequences of each incident remediation and flag any new weaknesses a fix would create before they become real.
- Integrated threat intelligence from live feeds lets the bots assess how relevant each piece of intelligence is to the specific infrastructure and inform the analysts accordingly.
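To make the "bot does the grunt work, analyst decides" division concrete, here is an added example of what a Tier-1 triage bot and the threat-intelligence relevance check from the last bullet look like in code. This is illustrative code written for this article, not CDRC's software; the threat-intel feed, the asset inventory and the syslog-style lines are all constructed, and the scoring rule (feed confidence, boosted for internet-exposed or unknown hosts) is an assumption chosen to show the idea.

```python
"""Tier-1 triage bot: correlate log lines with a threat-intel feed and an
asset inventory, then hand the analyst a ranked list of findings.

Illustrative code added to this article; it is not CDRC's software.
The feed, inventory and log lines below are all constructed for the example.
"""
import re
from collections import defaultdict

# Constructed threat-intel feed: indicator -> (type, threat name, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.45": ("ipv4", "phish-kit-c2", 90),
    "198.51.100.7": ("ipv4", "mass-scanner", 40),
    "login-office365-verify.example": ("domain", "covid-themed-phish", 85),
    "evil.example": ("domain", "malware-download", 70),
}

# Constructed asset inventory: hostname -> attributes the relevance check uses.
ASSETS = {
    "vpn-gw-01": {"exposed": True, "owner": "infra"},
    "laptop-jdoe": {"exposed": False, "owner": "jdoe"},
    "fileserver-02": {"exposed": False, "owner": "infra"},
}

# Constructed syslog-style lines: "<timestamp> <host> <app>: <message>".
SAMPLE_LOGS = [
    "2020-05-04T09:12:01Z laptop-jdoe dns: query login-office365-verify.example A",
    "2020-05-04T09:12:03Z laptop-jdoe proxy: CONNECT 203.0.113.45:443 user=jdoe",
    "2020-05-04T09:12:04Z laptop-jdoe proxy: CONNECT 203.0.113.45:443 user=jdoe",
    "2020-05-04T09:15:00Z vpn-gw-01 sshd: Failed password from 198.51.100.7 port 51122",
    "2020-05-04T09:16:20Z fileserver-02 smb: session from 10.0.0.23 user=svc_backup",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def extract_indicators(msg):
    """Pull IPv4 addresses and domain names out of a free-text message."""
    found = set(IPV4_RE.findall(msg))
    for candidate in DOMAIN_RE.findall(msg):
        if not IPV4_RE.fullmatch(candidate):   # dotted quads already counted
            found.add(candidate.lower())
    return found


def triage(log_lines, intel=THREAT_INTEL, assets=ASSETS):
    """Return (findings, unparsed_count).

    Findings are one per (host, indicator) pair with a hit count, so a burst
    of repeated connections becomes one item rather than a flood of alerts.
    Score starts at feed confidence and is boosted when the host is
    internet-exposed or missing from inventory (an inventory gap is itself
    worth a look).  Lines that do not match the expected format are counted,
    not silently dropped, so the analyst can see parser blind spots.
    """
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "sample": ""})
    unparsed = 0
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        host = m.group("host")
        for indicator in extract_indicators(m.group("msg")):
            if indicator not in intel:
                continue
            hit = hits[(host, indicator)]
            hit["count"] += 1
            hit["first_seen"] = hit["first_seen"] or m.group("ts")
            hit["sample"] = hit["sample"] or line.strip()

    findings = []
    for (host, indicator), hit in hits.items():
        itype, threat, confidence = intel[indicator]
        asset = assets.get(host)
        score = confidence
        if asset is None:
            score += 5            # unknown host: inventory gap
        elif asset["exposed"]:
            score += 10           # reachable from the internet
        findings.append({
            "host": host, "indicator": indicator, "type": itype,
            "threat": threat, "score": min(score, 100),
            "count": hit["count"], "first_seen": hit["first_seen"],
            "sample": hit["sample"],
        })
    findings.sort(key=lambda f: (-f["score"], f["host"], f["indicator"]))
    return findings, unparsed


if __name__ == "__main__":
    results, skipped = triage(SAMPLE_LOGS)
    for f in results:
        print(f"[{f['score']:3d}] {f['host']:14} {f['threat']:20} "
              f"{f['indicator']} x{f['count']} first {f['first_seen']}")
    print(f"{skipped} line(s) did not parse")
```

Run as a script it prints three findings, highest score first: the phish-kit C2 connection from the home laptop (two hits collapsed into one finding), the phishing domain lookup from the same laptop, and the low-confidence scanner against the exposed VPN gateway, plus a note that one line did not parse. The SMB session from the internal 10.0.0.23 address never reaches the analyst because no feed entry matches it, which is the relevance filtering the bullet describes.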
While the Active CDRC has many other features, these, in my humble opinion, are the ones that matter most today, with remote workers everywhere. The automation improves detection, and a less-stressed analyst (with bots doing the grunt work) improves response. With the security posture markedly improved, the attention analysts can now spare shrinks the attack surface further, and they can also work on improving security in all the areas that had been put on the back burner while they were busy fighting fires. A win all around, and the CISO is less worried despite the challenges of the new normal.
Red Teaming – In the cybersecurity space, red teaming refers to a security team engaged in attacking the organization's entire infrastructure with the intent of finding gaps in its defenses, so that they can be fixed, or alternate protections erected, before a real attacker exploits them.
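The first two bullets above (automated attack-path discovery and simulating the effect of a remediation) reduce to graph problems, and the following added example shows the core of both on a small, constructed network. It is illustrative code written for this article, not CDRC's software; the hosts, the weaknesses on each edge and the "effort" scores are all assumptions made up to show the technique, and a real implementation would populate the graph from scan results and configuration data.

```python
"""Attack-path enumeration and remediation what-if over a constructed asset
graph.  Illustrative code added to this article, not CDRC's software; the
hosts, weaknesses and effort scores are made up for the example.
"""

# Constructed graph.  Each edge (src, dst, weakness, effort) says an attacker
# who controls src can reach dst by abusing weakness; effort is a rough cost,
# lower meaning the attacker is more likely to prefer that step.
EDGES = [
    ("home-laptop", "vpn-gw", "phished VPN credentials, no MFA", 2),
    ("home-laptop", "fileserver", "split tunnel with cached credentials", 6),
    ("vpn-gw", "jump-host", "flat network, RDP open from VPN pool", 3),
    ("vpn-gw", "fileserver", "SMB reachable from VPN pool", 1),
    ("jump-host", "domain-controller", "local admin password reused", 4),
    ("fileserver", "domain-controller", "unpatched print spooler", 2),
]


def attack_paths(edges, source, target):
    """All simple paths from source to target, cheapest first.

    Each path is (total_effort, [(src, dst, weakness), ...]).  Depth-first
    search with a visited set keeps the walk finite on cyclic graphs.
    """
    graph = {}
    for src, dst, weakness, effort in edges:
        graph.setdefault(src, []).append((dst, weakness, effort))

    paths = []

    def walk(node, visited, steps, total):
        if node == target:
            paths.append((total, list(steps)))
            return
        for dst, weakness, effort in graph.get(node, []):
            if dst in visited:
                continue
            visited.add(dst)
            steps.append((node, dst, weakness))
            walk(dst, visited, steps, total + effort)
            steps.pop()
            visited.discard(dst)

    walk(source, {source}, [], 0)
    paths.sort(key=lambda p: (p[0], len(p[1])))
    return paths


def simulate_fixes(edges, fixes, source, target):
    """Attack paths that remain after the named weaknesses are removed."""
    remaining = [e for e in edges if e[2] not in set(fixes)]
    return attack_paths(remaining, source, target)


def rank_remediations(edges, source, target):
    """Score each single fix by how many attack paths it removes and whether
    the target stays reachable, so the analyst sees that, for example, MFA
    on the VPN alone does not close the split-tunnel route."""
    baseline = attack_paths(edges, source, target)
    ranking = []
    for src, dst, weakness, _ in edges:
        left = simulate_fixes(edges, [weakness], source, target)
        ranking.append({
            "fix": weakness,
            "edge": (src, dst),
            "paths_cut": len(baseline) - len(left),
            "target_still_reachable": bool(left),
        })
    ranking.sort(key=lambda r: (-r["paths_cut"], r["fix"]))
    return ranking


if __name__ == "__main__":
    src, dst = "home-laptop", "domain-controller"
    for effort, steps in attack_paths(EDGES, src, dst):
        print(f"effort {effort}: " + " -> ".join(s[1] for s in steps))
    for r in rank_remediations(EDGES, src, dst):
        print(f"cuts {r['paths_cut']} path(s), still reachable="
              f"{r['target_still_reachable']}: {r['fix']}")
    print("paths left after MFA + no split tunnel:",
          len(simulate_fixes(EDGES, ["phished VPN credentials, no MFA",
                                     "split tunnel with cached credentials"],
                             src, dst)))
```

On this graph the cheapest route from a remote worker's laptop to the domain controller is laptop, VPN gateway, file server, domain controller (effort 5). No single fix cuts every path: enforcing MFA on the VPN removes two of the three but leaves the split-tunnel route, which is exactly the kind of "remediation still leaves a hole" result the simulation bullet is about. Only a combination, here MFA plus closing the split tunnel, leaves the target unreachable.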