Excerpts from Building a High Speed SOC: Achieving Speed (Part 1)


Carbon Black recently published an in-depth guide on what it takes to develop a “high speed” security operations center, or SOC; this is an excerpt from that guide, which you can find here. For more information on building high speed SOCs, including how to eliminate the “response gap,” check out the Transform Into a High Speed SOC hosted by IBM and Carbon Black.


What are the Basics We Need to Master First?

Speed is only built on a strong security foundation. A process can only be automated once your team has perfected it. Automating a process that your team does not fully understand creates blind spots and will likely reduce your visibility as you attempt to scale. Before tasking machines with processes that are key to your security, make sure you understand every weakness of your current posture.

  • Have you minimized your attack surface?
  • Have you inventoried every asset?
  • Are your systems being properly patched?
  • How would you know if they were not?

These questions may have more in common with basic IT hygiene than security, but they are essential to the success of your SOC. Using Cb Response, our customers enjoy complete visibility across their environment to continuously monitor every detail of every event.
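The four hygiene questions above are answerable only if inventory and telemetry are reconciled continuously. The following script is an added illustration, not code from Carbon Black or Cb Response: it takes a constructed asset inventory and constructed endpoint sensor reports (the field names `host`, `last_patch` and `last_seen` are assumptions) and flags assets the sensors have never seen, sensors that report hosts missing from the inventory, hosts whose last patch is older than a threshold, and hosts that have gone silent.

```python
"""Reconcile an asset inventory against endpoint telemetry (added example)."""
from datetime import date

# Constructed sample data: the hosts the CMDB says you own ...
INVENTORY = {"ws-001", "ws-002", "srv-db-01", "srv-web-01"}

# ... and what the endpoint sensors actually reported (hypothetical schema).
SENSOR_REPORTS = [
    {"host": "ws-001", "last_patch": date(2023, 3, 1), "last_seen": date(2023, 3, 10)},
    {"host": "ws-002", "last_patch": date(2022, 11, 20), "last_seen": date(2023, 3, 10)},
    {"host": "srv-web-01", "last_patch": date(2023, 2, 25), "last_seen": date(2023, 1, 30)},
    {"host": "lab-box-7", "last_patch": date(2023, 3, 5), "last_seen": date(2023, 3, 9)},
]


def reconcile(inventory, reports, today, max_patch_age_days=30, max_silence_days=7):
    """Return the visibility and hygiene gaps between inventory and telemetry.

    never_reported: inventoried hosts with no sensor data at all (no visibility)
    unknown_assets: hosts reporting to the sensor that the inventory does not list
    stale_patch:    hosts whose last patch is older than max_patch_age_days
    silent:         hosts that stopped reporting more than max_silence_days ago
    """
    seen = {r["host"]: r for r in reports}
    findings = {
        "never_reported": sorted(inventory - seen.keys()),
        "unknown_assets": sorted(seen.keys() - inventory),
        "stale_patch": [],
        "silent": [],
    }
    for host, report in sorted(seen.items()):
        if (today - report["last_patch"]).days > max_patch_age_days:
            findings["stale_patch"].append(host)
        if (today - report["last_seen"]).days > max_silence_days:
            findings["silent"].append(host)
    return findings


if __name__ == "__main__":
    for category, hosts in reconcile(INVENTORY, SENSOR_REPORTS, date(2023, 3, 10)).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

Each list answers one of the questions: `never_reported` is the asset you would not know about when a patch fails, `unknown_assets` is attack surface nobody inventoried, and `silent` hosts are the ones whose patch status you are only assuming. Run it on a schedule and alert when any list is non-empty.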

We asked Ismael, a senior security analyst at a firm operating a global network of telecommunication satellites, how he uses Cb Response to master the basics of security and achieve speed. “Carbon Black has decreased the time required to identify and respond to a security incident. Before Cb Response, we required hours or days before we could identify an endpoint compromised by a zero-day in Microsoft Word, for example, often because the affected user notified us about a suspicious document or PDF. Nowadays, we are able to detect and respond even before the user contacts us. To date, we have reduced the IR time from days to hours.”

______________________________________________

For more information on building high speed SOCs, including how to eliminate the “response gap,” check out the Transform Into a High Speed SOC hosted by IBM and Carbon Black.

______________________________________________

How Can I Efficiently Organize and Lead the People on My Team?

Organizing your team to protect your environment with agility is a difficult task with all the varied skills and challenges related to traditional SOC structures. We asked our partners at Red Canary, who every day provide security solutions that harness the visibility of Carbon Black’s products, to share how they keep up with the constantly evolving functions of today’s intelligence-driven security teams.

“Nowadays, we are able to detect and respond even before the user contacts us. To date, we have reduced the IR time from days to hours.”

Ismael Briones-Vilar, Senior Security Analyst, Inmarsat

“At Red Canary, efficiency starts with breaking down the structures seen in traditional SOCs. We have found the most success by moving beyond an operation that focuses solely on event analysis. To do this, we include our Intel team in engineering efforts, engineers in analysis efforts, and so on. Rather than assigning each team member a label to exclusively focus on, each person has a core ‘practice.’ They still develop and improve within their practice, but they are also challenged to engage with other functions in the SOC.

“This approach completely bucks traditional views of security operations, and has led to amazing innovation within our security team and around the investigation process. Our engineers are actively examining the analysis process, seeing the results, and continuously working to develop efficiencies for our analysis team. This approach has led to data analysis and automation efforts that have removed the need for in-depth investigation in nearly 10% of all threats. It has led to effective suppression that provides each individual analyst with the ability to ‘tune’ detection criteria during an investigation. That tuning is then used to automatically suppress potential threats in the future. Doing so has enabled our analysts to be 4-5X more efficient over the last three years, and much of this can be attributed to how we evolved our security team by removing more traditional, time-intensive job functions.”


How Can Technology Help Streamline Our Detection and Response Processes?

Complete control starts with complete visibility over your endpoints. Being able to quickly detect an attack depends on how centralized all your data is. Cb Response works with your current SIEM and many other elements of your security stack to ensure that every system event is recorded continuously and readily available for you to visualize when an investigation is necessary. At a glance, analysts also have instant access to a readout of endpoint health and your SOC’s key performance indicators.

Proactively hunt threats across your enterprise. With Cb Response you can explore your environment, discover threats missed by outdated detection methods, and reduce attack dwell time. Security professionals use Cb Response to validate their hunting hypotheses and create automated watchlists to generate custom alerts for suspicious patterns they identify. We asked Dan, a cyber defense analyst at Motorola Solutions, how he uses Cb Response to rapidly uncover threats from a single console and enable his organization to continue providing mission critical communication products and services all over the world. “The time saved is immense, because Cb Response makes it easy to determine if a hit is a false positive or not. Usually, just looking at the command line, parent/child processes, and netconns will let you make an assessment.”

Rapidly drill down to root cause. In the case of malicious attacks, it can take over 9 months on average to properly identify the root cause of an incident and contain it. Cb Response allows analysts to visualize the complete attack kill chain and then respond and remediate the attack within minutes, without having to manually aggregate and sift through relevant raw data post-incident. Cb Response allows you to safely isolate an infected host and then obtain secure direct access to that endpoint to continue your investigation. Our Live Response functionality enables IR professionals to pull or push files, run commands, and perform memory dumps, all from within a single console.
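The two mechanisms described above, a watchlist that raises custom alerts for suspicious patterns and the analyst-written suppression that tunes those alerts over time (the Red Canary section), can be shown together in one small detection loop. The script below is an added example and not Cb Response's or Red Canary's code; the event schema (`parent`, `process`, `cmdline`, `netconns`), the watchlist patterns, the suppression rule and the sample events are all constructed. Each alert carries exactly the fields Dan names for triage: command line, parent/child relationship and network connections.

```python
"""Watchlist alerting with analyst-tunable suppression (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """One process-start record as an EDR sensor might report it (hypothetical schema)."""
    host: str
    parent: str          # parent process image name
    process: str         # child process image name
    cmdline: str         # full command line of the child
    netconns: list = field(default_factory=list)  # remote endpoints the child contacted


# Constructed watchlist: (parent regex, process regex, command-line regex);
# all three must match for a pattern to fire. An empty regex matches anything.
WATCHLIST = {
    "office_spawns_shell": (r"(?i)^(winword|excel)\.exe$", r"(?i)^(cmd|powershell)\.exe$", r""),
    "encoded_powershell": (r"", r"(?i)^powershell\.exe$", r"(?i)-enc(odedcommand)?\s"),
}

# Constructed suppression recorded by an analyst during an investigation:
# "this pattern is benign when the parent is X and all connections stay inside suffix Y".
SUPPRESSIONS = [
    {
        "pattern": "encoded_powershell",
        "parent": "sccm-agent.exe",
        "netconn_suffix": ".corp.example",
        "note": "inventory script pushed by the software-deployment server",
    },
]


def is_suppressed(event, pattern, suppressions):
    """Return the analyst's note if a suppression covers this event, else None."""
    for rule in suppressions:
        if rule["pattern"] != pattern or event.parent.lower() != rule["parent"].lower():
            continue
        # Every connection must stay inside the trusted suffix; a process that
        # made no connections at all also satisfies the rule (all() of nothing).
        if all(h.lower().endswith(rule["netconn_suffix"]) for h in event.netconns):
            return rule["note"]
    return None


def run_watchlist(events, watchlist=WATCHLIST, suppressions=SUPPRESSIONS):
    """Evaluate every event against every watchlist pattern; return alert records."""
    alerts = []
    for ev in events:
        for name, (p_re, c_re, cl_re) in watchlist.items():
            if not (re.search(p_re, ev.parent) and re.search(c_re, ev.process)
                    and re.search(cl_re, ev.cmdline)):
                continue
            alerts.append({
                "pattern": name,
                "host": ev.host,
                # The three things an analyst reads first when judging a false positive.
                "parent_child": f"{ev.parent} -> {ev.process}",
                "cmdline": ev.cmdline,
                "netconns": list(ev.netconns),
                "suppressed_by": is_suppressed(ev, name, suppressions),
            })
    return alerts


def open_alerts(alerts):
    """Alerts that still need a human, i.e. not covered by any suppression."""
    return [a for a in alerts if a["suppressed_by"] is None]


# Constructed sample events (203.0.113.5 is documentation address space).
SAMPLE_EVENTS = [
    ProcEvent("ws-001", "WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBCAEMA", ["203.0.113.5"]),
    ProcEvent("ws-002", "sccm-agent.exe", "powershell.exe",
              "powershell.exe -EncodedCommand QQBCAEMA", ["sccm01.corp.example"]),
    ProcEvent("srv-web-01", "explorer.exe", "notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for alert in run_watchlist(SAMPLE_EVENTS):
        state = f"suppressed ({alert['suppressed_by']})" if alert["suppressed_by"] else "OPEN"
        print(f"[{state}] {alert['host']} {alert['pattern']}: {alert['parent_child']} | "
              f"{alert['cmdline']} | netconns={alert['netconns']}")
```

The first event fires both patterns and stays open; the second fires `encoded_powershell` but is suppressed because the analyst's tuning names the deployment agent as a benign parent and every connection is internal; the third matches nothing. Suppressed alerts are still returned rather than dropped so that a tuning rule that is too broad remains reviewable.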

“The time saved is immense because Cb Response makes it easy to determine if a hit is a false positive or not.”

Dan Banker, Cyber Defense Analyst, Motorola Solutions



Join us next week as we continue to explore “Building a High Speed SOC,” our in-depth guide on what it takes to develop a “high speed” security operations center. If you can’t wait until next week, however, you can click here to get a copy of the full report.

The post Excerpts from Building a High Speed SOC: Achieving Speed (Part 1) appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.