Zero to SIEM in Seconds Part 4: Respond in Seconds

It all winds up here, at the final part of the SOC lifecycle: responding to the attack in seconds. Each of the earlier parts in the series, "Operationalize, Detect and Investigate in Seconds", improves this downstream stage by raising both the speed at which the team can respond and the precision of that response. At each stage the goal is to unify context and visibility and reduce the manual workload on security analysts while improving accuracy, something most SIEMs do poorly.

We will focus on what is required to build a risk-ranked and precise set of response actions without the need for customization. The ultimate goal is a clear and concise game plan for preventing a successful breach before it is too late.

At Gurucul we believe that the right platform can compress the time required by security teams across every part of the SOC lifecycle so they can get ahead of the attack. This starts with gathering the right data, achieving full visibility without gaps, going beyond detecting a threat and constructing and validating the whole attack chain.

Limitations in current SIEM and XDR architectures make it hard for security operations teams to use their SIEM to execute targeted responses. These include:

  1. Manual and potentially incomplete investigations lead to a lack of necessary context.
  2. Most playbooks and recommended actions provide unspecific guidance.
  3. Generic playbooks don’t effectively prioritize remediation actions.

All three of these challenges slow down security operations teams and make it more difficult to work with other security and IT teams for executing remediation actions to prevent potential damage from an attack campaign.

Poor Context Provided Due to Manual and Incomplete Investigations

When investigations are manual and require an analyst to piece together contextual information across security solutions and other systems to validate an attack, the sheer amount of effort involved often leaves the context incomplete. With that gap in context, and the added difficulty of eliminating unrelated alerts, security operations teams struggle to include clear and precise context when building a case, and lack the confidence to customize playbooks without spending a lot of time and effort to make sure they are accurate.

Providing a rich set of the right context is only possible with the right visibility into a wide variety of data sources and accuracy in the models provided. In addition, with the right analytical capabilities, unrelated or unnecessary context can be eliminated. This paints a better picture for the other security and IT groups that are most likely responsible for the actions that need to be taken. Workflows for response actions must always be tailored to the organization and based on available threat intelligence. The result is not just a blueprint or guidance on how to fix a security problem, but targeted response actions that accelerate prevention of the damage the attacker is attempting.

The ugly truth about most Security Orchestration, Automation and Response (SOAR) solutions is that they mainly provide guidance for security operations teams in building a potential response. If you rely on a legacy SIEM, there is a good chance the playbook is not even relevant. Most playbooks need to be customized, reviewed, and potentially tested before being used or shared. For them to be effective, the gathered context must be accurate and used to customize the workflows within the playbook to the specific needs of the organization. This requires an immense amount of manual effort by the analyst, and it also depends on properly operationalizing your SIEM, ensuring accurate detection, and truly understanding the full scope of the attack campaign, not just an individual event or threat.

Context and precision are lacking in most response playbooks, and this leads to them offering nothing more than guidance that requires a lot more discussion across IT teams to come up with the right corrective action that fits the organization. This slows down efforts and limits response time.

Gathering context and providing accurate details about the attack leads to a more precise set of actions for stopping a breach.

Generic Playbooks Lack Precision to Effectively Prioritize Actions

Taking a generic playbook and customizing its workflows, based on the gathered context and the needs of the current organization, is already challenging. Figuring out which actions to take first, and which steps do the most up front to prevent a breach, can be extraordinarily difficult. Prioritizing the attack is one thing; prioritizing the individual steps is critical to lessen the potential damage if the attack is detonated in the middle of the investigation and response stage. How quickly a team can respond once an attack is confirmed is a common problem for security teams, and it becomes worse if the threat actor has determined they have been caught and moves to accelerate the attack.

The ability to prioritize actions can minimize business disruption and give teams outside the SOC targeted responses that limit the impact of thwarting a threat actor. Prioritizing actions lets security teams take the necessary steps to stem or limit the attack while other steps are applied. Rather than waiting to take all the necessary actions at once, providing a ranked list of actions based on risk score is critical to building the response plan.
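As an added example, not code from this post or from Gurucul's product, here is one way to turn that idea into a concrete ranking: each candidate action is scored by the risk of the entity it touches, how many not-yet-reached attack-chain stages it cuts off, and the business disruption it causes, with the disruption discount halved when the threat actor is accelerating. The stage list, the scoring formula and the sample case are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed attack-chain stage order for this illustration.
STAGES = ["initial_access", "execution", "persistence",
          "privilege_escalation", "lateral_movement", "exfiltration"]

@dataclass(frozen=True)
class ResponseAction:
    name: str
    entity_risk: int    # risk score (0-100) of the user or host it touches
    blocks: frozenset   # attack-chain stages this action cuts off
    disruption: float   # business disruption it causes (0.0-1.0)

def remaining_stages(observed):
    """Stages the attacker has not reached yet, given the validated chain."""
    furthest = max((STAGES.index(s) for s in observed), default=-1)
    return set(STAGES[furthest + 1:])

def score_action(action, observed, attacker_accelerating=False):
    """Higher is better: prevention of stages still ahead, weighted by entity
    risk, then discounted for disruption. If the adversary is accelerating,
    containment outweighs business impact, so the discount is halved."""
    prevented = action.blocks & remaining_stages(observed)
    if not prevented:
        return 0.0  # action only addresses stages already behind us
    discount = 0.5 if attacker_accelerating else 1.0
    return action.entity_risk * len(prevented) * (1 - discount * action.disruption)

def rank_actions(actions, observed, attacker_accelerating=False):
    """Return (score, action) pairs, highest risk reduction first."""
    scored = [(score_action(a, observed, attacker_accelerating), a) for a in actions]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)

# Constructed case: a validated chain that has reached execution on a host.
CASE_OBSERVED = {"initial_access", "execution"}
CANDIDATE_ACTIONS = [
    ResponseAction("disable_user_account", 85,
                   frozenset({"privilege_escalation", "lateral_movement", "exfiltration"}), 0.6),
    ResponseAction("isolate_host", 90,
                   frozenset({"persistence", "lateral_movement", "exfiltration"}), 0.8),
    ResponseAction("block_c2_domain", 70, frozenset({"exfiltration"}), 0.1),
    ResponseAction("reset_password", 85, frozenset({"initial_access"}), 0.2),
]

if __name__ == "__main__":
    for accel in (False, True):
        print(f"attacker_accelerating={accel}")
        for score, action in rank_actions(CANDIDATE_ACTIONS, CASE_OBSERVED, accel):
            print(f"  {score:6.1f}  {action.name}")
```

With the constructed case, host isolation moves ahead of the low-disruption domain block only once the attacker is judged to be accelerating, which is the ordering change the text argues for.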

Putting It All Together to Reduce Mean-time-to-Respond (MTTR)

Having talked through the four stages of achieving a faster and more accurate threat detection program, it is important to understand that every stage matters, and that each stage improves the next one downstream, starting with operationalizing your SIEM as you migrate to the cloud and require better observability. As described throughout this series, from that starting point each stage is critical in improving Mean-Time-To-Detect (MTTD), the overlooked Mean-Time-To-Investigate (MTTI) and Mean-Time-To-Respond (MTTR), with the latter being what stops a successful breach.

In order to accelerate every stage of the SOC lifecycle, eliminate manual efforts through advanced ML and analytics, and respond to threats and targeted attacks more effectively, we ask you to evaluate the Gurucul Next Generation SIEM. Gurucul offers an award-winning Next Generation SIEM that is recognized by industry analysts as being the most innovative in its ability to address the needs of the market today beyond what other solutions can do.

To learn more about Gurucul Next Generation SIEM, visit our product page or request a demo.

About The Author

Sanjay Raja, VP Product Marketing and Solutions, Gurucul

Sanjay brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small businesses, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also held several successful leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP as well as Pragmatic Marketing certified.