4.1 CTI Role in SOC Part 1

00:00

hell, guys and gals, welcome back to another model off introduction to Cyber Threat Intelligence.

00:07

We're gonna be talking about additional units under integration with type of credit. Intelligence has started with the security operations center, so let's not waste any more time.

00:18

Well,

00:19

to start as mention it in previous videos, a security operation center are sock is a unit in charge of monitoring ah, whole bunch off information in order to know when something is off or when an action should be taken. Or, most importantly, when an anti and response team has to be invoked

00:39

nonetheless, must soak teams find themselves hostages to the huge volumes off alert generated by the network date monitor. Creating these alerts takes too long, and many are never investigated at all.

00:55

Alert fatigue leads analysts to take alerts less seriously than they should

01:00

just to clarify the term. Triage is mostly using medical terms, but this burb refers to the assignment off a degree of urgency to wonder or ill patients,

01:11

and in her case, it applies to alert emerging in the locks that are being monitored

01:18

well. Secretariat intelligence provides an antidote to many of these problems among other users

01:25

it can be employed to filter out false alarms, a speed of triage and simplify incident analysis by giving the right information to the security and saving a lot of time in the manual analysis of these alerts

01:40

additional of words we have mentioned in the past videos More specific responsibilities of the South Teams include

01:46

Monitor for potential threats. This is done by configuring all the security sensors like firewalls, Ideas I PS access looks from Web servers are from any other service that could be available to the interest.

02:00

And by reviewing its locks, we can determine if a threat is coming or a militia behavior is identified.

02:07

This is specifically let's to sock teams the Texas Species Network activity on. By doing that in a template manner, the team will be able to contain active threats and remediated using available technology before any infection has happened.

02:22

So when a suspicion event is detective, the sub team investigates, then works with other security two teams to reduce the impact and severity of the attack.

02:32

You can think of the roles and responsibilities within a sock as being similar to those off emergency service's teams. Responding to 9 11 Colts

02:42

now, given the role turn responsibilities that we already discussed. We can think of this suck unit as an emergency service's team, where the response has to be fast, effective and else in nature presented. I record the future. It shows the similarities between these teams starting with the tree triage stage.

03:01

This face will be the entrance for an emergency state, and, as the chart shows, it will be similar to calling 911 or, in this case, a sock. Analysts

03:12

The suck analyst will be in charge of reviewing what is the event that triggered the alert on a study, its behavior in order to call it a legitimate event or a false positive.

03:23

Because this is an emergency state, rapid response is needed. Generally suck. Analysts are classified by different levels off. So very commonly we can find L one L two on El Tree analysts, the ones responding to Cole's RTL one analyst,

03:38

and they're in charge of collecting the most amount of information possible in order to call it a false positive

03:45

or escalated to an L to analyst

03:46

from their further analyses, he's done, and this role specially will focus on more on analyzing and correlating the information give him from the L one than collecting more information. If the L two analysts cannot solve the problem with the specific actions, then an Indian can be determined on the Indian response team is to be invoked

04:06

after your insanity is declared dainty and response team is called and the containment of the detective threats starts

04:15

in. The next topic will be covered in the interaction between Cyber Threat intelligence and Indian Response Team. But for now we will just glide on its surface. The responsibilities of the Ire team in this face is to identify affected and vulnerable systems and try to provide provide actionable items in order to contain the effects of the detect

04:34

to threat

04:35

after the containment and hopefully, eradication of the threat. That threat hunter is on to determine why is the whole compromise if any happened and what measures should be taken in order to completely remove any threat remains and to avoid something similar happening again,

04:54

it is important to notice that this time will provide recommendation and resources that can be used, but it is not responsible to implement these measures.

05:02

This has to be done by the team custodian of the assets, most likely the I T department

05:09

with a variety of tools that an organization implements in order to increase its detection capabilities. Security analysts are simple Natal to review, prioritize and investigates all these alerts on its own

05:20

because of these, all too often, Diggle in Your Alerts chase false positives and make mistakes overall.

05:29

And most of the time, executives will believe this is Old socks team's fault. But the reality is that this amount of data is just too hard to handle for this team. And instead of getting more men force ah, more effective approach is to take the intelligence and give this information context

05:46

to make it easier to handle and maybe suck procedures more efficient.

05:50

This approach is backed up by a survey performed by an industry analyst firm, E. S G,

05:57

who s cyber security professionals about their biggest security prison challenge.

06:01

And 35% say that he was keeping up with the volume of security alerts.

06:08

This not only reflects the issue with the great level of alerts, but it also shows that it is not one company's problem. But why challenge that most suck team steak

06:19

and to being a little forger, the next graphic presented by recorded Future but with information collected by a Cisco survey regarding security alerts in suck teams, we can see how a day today if a security analyst goes,

06:32

imagine that room all security alert received on Lee, 34% are legitimate.

06:40

This means that the other 66% has to be in one way or another, ruled out by some process. And if that process was preferred manually, it had to be ruled out by one analyst. Imagine how frustrating that 66% of your time you have to chase dead ends in orderto

07:00

proved their false positive.

07:01

This is not only a very effective way of getting things done, but a very demanding job for stock analysts, since now they have to deal with frustration in their everyday job by just getting useless alerts

07:15

and that 34% goes from the alerts that are investigated. Occurred it to these data 44% off alerts are not even investigated since the time of eye level for the security analysts full short and leave them overlooked.

07:30

Okay,

07:30

but let's leave that point aside and focus on the 34% that are actually legitimate. Out of thes alerts, 51% are correctly mitigated, following all the processes in place, and 49% are just contained and fixing the moment. But they're properly limitations are not applied.

07:50

This numbers are very alarming. Remedy dating just half of the legitimate alerts. Every given time Mitzi takes double the times is the non remediated alert will surely pop up in a lot of moment, and it may or may not fall into the alerts investigated.

08:07

This not only increases threat risks for the organization, but it makes the suck job ineffective and inefficient.

08:15

And that's why context is a very important matter for the stock unit

08:20

recorded future in its Rain Threat Intelligence Handbook. Clearly specified

08:24

threat Intelligence for the stock is about reaching internal alerts with the external information and context necessary to make risk based decisions.

08:35

Context is critical for rapid triage and also very important for a scoping and containing incidents.

08:41

The best way to alleviate the challenges that suck analysts face is by in reaching the information they are receiving, so they're not overwhelmed by alerts that end up being false positives off the 66% off false positive that we discussed. A great part of them could have been detected by an out of mighty system with no human interaction whatsoever.

09:01

If there is enough information available and this information percent the right context,

09:07

the context provided both do directly allow this suck and Alice to perform rapid trash. Seems most alerts will come with the right context on From There Are Quicker Decision can be taken to either escalated or discarded.

09:22

It was also enabled him to have a veteran scope of the tread. Since the information, How far can the trip go? We already be there and these will end up in a better incident. Containment improvement the whole cycle overall.

09:37

And that's erupt for these video What? But we are only halfway in. So into this video we dove into the sock challenges and how the Sybil Credit Italians unit can help to ease some of this, including the overwhelming amount of alerts that suck. Analysts have to go through

09:54

the key processes they have to assure to guarantee an effective, more enters and alerts enrichment in order to provide the necessary context to the analyst. I provide a more efficient use of their time.

10:07

In the next video, we will continue reviewing some of sock capabilities and how they should interact with the Cyber Trades Intelligence Unit.