In the ever-evolving landscape of cyber security, security operations centres (SOCs) are integral for proactively detecting and responding to threat actors. Using a combination of people, technology, and processes to monitor, detect and prevent cyber attacks, we’ve found SOC-as-a-service to be one of the most popular cyber security operations to outsource, and used by almost a third of CISOs and cyber security decision makers (29%).
However, we’ve also uncovered that a third (36%) of UK businesses feel their provider is underperforming. It’s a recurring theme I have encountered more frequently when in conversation with my fellow cyber professionals. Many SOC-as-a-service and Managed Security Service Providers appear to be relying on re-selling pre-configured product offerings that will inevitably lack sufficient tuning and therefore pull a frustratingly high percentage of false positives.
Indeed, we found that providers not fulfilling their tuning obligations and escalating too many false positives was a frustration felt by almost a third (29%) of the 500 CISOs and cyber security decision makers surveyed.
What is most concerning is when we delve deeper into the impact of services operating in this way, it becomes evident that these monitoring methods are no longer sufficient to accurately protect UK businesses. Modern threat actors are moving much quicker from initial access to data encryption, resulting in an increased need for improved detection and response techniques.
Most SOCs have a simplified IT infrastructure setup which depicts a user’s endpoint device, providing access to data that is valuable to a threat actor. The user endpoint device has a detection and response agent installed, but crucially, this is only deployed in what we call audit mode.
Events and alerts may be generated and sent to a central Security Incident and Event Management (SIEM) platform for logging. But if the alert is not tuned to the correct priority or is using an outdated ruleset, this won't be enough to raise a critical incident in many cases.
As a result, escalations of malicious activity may be too slow and lead to an even slower approval time from the appropriate authoritative individual to take containment action.
False alerts cause burnout
The traditional SOC models reliance on ‘out of the box’ set ups, that are not efficiently tuned to the environment they’re monitoring, can lead to overwhelmed and burnt out analyst teams.
The constant influx of false positives wastes precious analyst time, which could be spent proactively mitigating risk through proactive threat hunting activities and quickly investigating true malicious alerts.
With over 70% of CISOs telling us that they would pass responsibility over to an outsourced provider to gain quicker decisions, the question is how can this be best achieved if current technology methods are failing?
Solving the problem with attack disruption
The most important implementation any cyber security team should be deploying right now is what we refer to at e2e-assure as Attack Disruption.
This involves applying automation into the security operation to isolate first and investigate immediately.
By this I mean, where appropriate, rulesets and automation are implemented to detect anomalous account activity, rogue processes, or malware. Rather than wait for an analyst to manually act further down the chain, the account is temporarily disabled, or the endpoint is temporarily isolated from the network.
SOC analysts are then immediately alerted to a high priority incident which is triaged as being a true or false positive. If it does happen to be a false positive, the account is re-enabled, or the device is released from isolation. If it's a true positive, the next steps in the response process are then activated.
We have recently seen Microsoft reveal their own automatic attack disruption implemented within Microsoft Defender for Endpoint, with their focus on ‘human operated attacks’.
The implementation of an Attack Disruption technique makes your environment increasingly more difficult to bypass as threat actors must invest in a whole new operating model to have any hope of going undetected. This consequently makes you a much less desirable target.