How To Ensure The Watchers Are Being Watched

Saryu Nayyar | »

While security operations center (SOC) analysts are inherently trusted to protect the organization, their activity still needs to be monitored given their superuser privileges to access resources and data.

According to the findings in the 2020 Insider Threat Survey Report, 68% of organizations feel vulnerable to insider threats, and privileged IT users (63%), regular employees (51%), privileged business users (50%) and contractors (50%) are viewed as posing the greatest risks.

Consider the threat posed by privileged IT users, who are the “watchers” responsible for making sure the environment stays secure and protecting the organization against insider threats, intellectual property theft and data loss. Companies that have a dedicated SOC typically assign user monitoring to this team since it has resources and personnel required to perform this function. However, in many cases, the SOC also has access to potentially sensitive information. Analysts can not only see when a user has accessed something they shouldn’t but also what the user is accessing.

Given the sensitivity of this role, businesses with mature SOCs typically have policies in place that limit what analysts have access to — or at least protocols that assure they don’t abuse the access they do have. Another element that helps mitigate abuse is the fact that security analysts typically work together in the same physical space, namely the SOC. After all, it’s hard to abuse access privileges when a colleague can look over your shoulder at any given moment.

However, in response to Covid-19, many organizations have implemented a distributed SOC model due to stay-at-home orders. While this has been effective for business continuity, it has introduced new challenges for the SOC. The most obvious is the lack of face-to-face collaboration during security incidents. A distributed SOC lacks this physical proximity, which may lead to some unforeseen issues.

Given these new challenges, how can organizations address the risk of SOC analysts who go rogue and abuse their privileges?

An initial step is to review the SOC’s processes and procedures. Are they efficient and effective? If not, they should be adjusted. There is a wealth of best-practice resources available on how to improve SOC management, which represents low-hanging fruit. For example, making process improvements can reduce stress levels on the team and eliminate one of the primary causes that can lead analysts to become disgruntled and go rogue in the first place. There are other benefits, of course.

Reduced stress levels can lead to increased efficiency and effectiveness — which means intercepting more incidents and, ultimately, better security. A better work environment can lead to lower turnover and can reduce operating expenses associated with training new analysts to replace those who leave. It’s a win-win. Training and support can also have a big impact on how team members perform and their morale.

In addition to improving processes, procedures and providing professional development resources, SOC teams need the right tools to handle the volume and velocity of threats they must investigate and address. From my experience, one of the biggest complaints among SOC analysts is information overload. For example, technologies that use data science and analytics to identify anomalous behaviors can eliminate time-consuming manual threat hunting.

Behavior analytics tools can also identify risky activity by SOC analysts, whether they’re in the SOC or working remotely. This type of automation can be used to “watch the watchers” and detect when the watchers are trying to hide something. Unlike humans, software can’t collude with a colleague or be bribed, and it doesn’t sleep. It just watches, analyzes and reports what it sees.

Consider the following hypothetical scenario in which an organization has moved much of its workforce to remote access due to the pandemic. This included moving its SOC to a hybrid model where only a limited number of analysts are cycled through the physical SOC at any one time. Team members alternate spending time in the SOC to balance the load and keep everyone safe and healthy.

Next, let’s assume that one of the analysts has gone rogue and decided to use their access privileges to gather sensitive information and sell it to a third party. They know that all their access activity to the resource they want to exfiltrate is logged, which is typical for any high-value asset. However, they also know the logging is mostly used for audit purposes and are relatively certain that the logs are not being routinely monitored for security violations.

Monitoring software, on the other hand, could detect the activity and alert other analysts on their colleague’s unusual and high-risk behavior. This would initiate an investigation and lead to the analyst being stopped before they could exfiltrate the data. While there will always be ways a privileged attacker can access their target undetected, with behavior monitoring in place, none of them should be easy.

Every organization inherently trusts its SOC to keep its environment secure and to react quickly when an incident occurs. While most SOC analysts are unlikely to pose an insider threat, it can happen — which is why tools and processes should be implemented to prevent damage if an attack does occur.

SOC analysts

About Author

Saryu NayyarSaryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.


External Link: How To Ensure The Watchers Are Being Watched

Share this page:

Related Posts