
Escaping Dante’s SOC Inferno: Greed and the Gimme Mindset 

  • Nov 20, 2020
  • Sam Humphries
  • 4 minutes to read


    Let’s face it, we live in a mobile-first, always-on, data-centric world today. We walk around now with terabytes of data in our pockets, petabytes of data on our servers, and almost unfathomable amounts of infrastructure available to us in the cloud, assuming our pockets are deep enough. 

    Yet we want more and more and MOAR

    Each new phone we purchase must be kitted out with at least twice the storage of our last device, even if we never came close to filling it all up. Servers, physical or virtual, are doubling up in storage and memory configurations every year. 

    The same gimme mindset has created a hell scenario in the SOC. Analysts continue to be overwhelmed with alert fatigue. Every alert that comes into the SIEM must be triaged — whether with orchestration that requires complex rules based on known IOCs or manual efforts based on tribal knowledge. 

    The more threat intelligence data feeds we consume the more this cat-and-mouse game continues. Our adversaries continue to find new holes to exploit, change their tactics and pump out new malware and in turn we write our YARA rules, Python scripts and runbooks to respond. By the time we’ve finished these tasks for one threat, ten more come in. And so, the game continues. 

    Still, we have this belief, this need, that the more information we have the more secure we will be as a result. “Send MOAR logs!” we scream to the heavens, “let our SIEMs overfloweth with glorious data!” but we’ve ended up with so much data to comb through with our queries and rules that we can’t see the wood for the, er, logs. And arguably, more logs does not mean more secure — we’re merely doing what we can to not drown in the big data ocean.

    “Quantity” versus “quality”

    Consider for a moment the volume of data you must gather in a SIEM, from a multitude of sources, just to attempt to eliminate false positives from trying to detect impossible “Superman” travel scenarios — a known problem with geo IP blocking. Not to mention it’s also time consuming, fiddly, and ostensibly not allowing you to focus on the issue you’re actually trying to solve: Have any of our user accounts been pwned, meaning we’ve got a compromised credentials issue on our hands, or has geo IP blocking falsed again?  

    And then apply that same thought process to other investigations you perform. Whether it’s trying to ascertain which user was on a machine when something happened, or which asset had a specific IP address at a specific time, or <pick your investigation pain point of choice>. 
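As an added illustration (not code from the original post or from Exabeam), here is the check behind the Superman scenario above: consecutive logins by the same user are compared by great-circle distance and elapsed time, and source IPs on an allowlist of known VPN or cloud egress addresses are skipped, since their geo-IP location is exactly the kind of “false” the post describes. The sample events, IP addresses, coordinates and the 1000 km/h threshold are all constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample login events (not from the original post). "geo" is the
# (lat, lon) a geo-IP lookup is assumed to have returned for the source IP.
EVENTS = [
    {"user": "alice", "ts": "2020-11-20T08:00:00Z", "ip": "198.51.100.10", "geo": (51.51, -0.13)},   # London
    {"user": "alice", "ts": "2020-11-20T09:00:00Z", "ip": "203.0.113.7", "geo": (40.71, -74.01)},    # New York
    {"user": "bob", "ts": "2020-11-20T08:00:00Z", "ip": "198.51.100.10", "geo": (51.51, -0.13)},     # London
    {"user": "bob", "ts": "2020-11-20T08:30:00Z", "ip": "192.0.2.5", "geo": (37.77, -122.42)},       # San Francisco
]

# Assumed allowlist of corporate VPN / cloud egress IPs: their geo-IP location
# says nothing about where the user is, so comparing against them only "falses".
KNOWN_EGRESS = {"192.0.2.5"}

MAX_SPEED_KMH = 1000.0  # roughly airliner speed; faster than this is "Superman"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, known_egress=KNOWN_EGRESS):
    """Return (user, from_ip, to_ip, implied_speed_kmh) for each pair of consecutive
    logins by one user whose locations would need implausibly fast travel."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["ip"] in known_egress:
            continue  # drop known egress instead of raising a false positive
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            dist_km = haversine_km(prev["geo"], ev["geo"])
            speed = dist_km / hours if hours > 0 else (math.inf if dist_km > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append((ev["user"], prev["ip"], ev["ip"], speed))
        last_seen[ev["user"]] = ev
    return findings
```

With the allowlist in place only alice is flagged; clear it and bob’s VPN login becomes the second, spurious, “Superman” hit.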

    The end is nigh

    With traditional, legacy SIEMs you can find yourself ingesting vast amounts of log data and still be unable to correlate these types of events quickly and efficiently. All too often, we’ve seen SIEMs set up for disaster, without thought for use cases or outcomes, and it’s causing a nightmare for the smart, knowledgeable analysts who are tasked with distilling fine wine from a salty ocean of disparate data.

    Change is the only constant in life. And for a SOC analyst, this means our daily routines are constantly changing and always evolving as well. The ways of our past are no longer working for us. The very end of traditional “gimme all the logs, alerts, and threat intelligence” is now. We need to look at a different approach and escape this SOC hell. And lo! there is light at the end of the proverbial tunnel. 

    Use your data wisely, you must

    If we look at the Superman scenario we talked about earlier — is it a pwn? Is it a false? Is it a pain in the ass to find out? — answering this is easily achieved using Exabeam Advanced Analytics and just a smattering of the right logs. And then we broaden that out to the real use case which is detecting compromised credentials, which can also be achieved with a handful of quality logs. You don’t need to manually trawl the data ocean — the information you need is presented to you automatically, so you can take action instead of wasting hours of your time trying to fathom out if an alert is real or just junk. 

    We’re not saying throw all the logs into a pit and burn them — that would be a fun conversation to have with the auditors. We recommend you store them somewhere accessible for as long as you need to (BTW, we’ve got a Cloud Archive for that), or keep them in your traditional SIEM if you have one. Meanwhile, back at the SOC what we really need is the right data over quantities of data, to focus on use cases that drive improved security outcomes. Which in turn creates a better experience for the folks who are hands-on-keyboard. 

    At Exabeam, we’ve helped hundreds of organizations determine where the value lies in their data, and how to wield it in a manner that helps analysts investigate accurately and quickly. Want to see it in action? We’ll happily walk you through a demo.

    Data doesn’t need to be hell.


    Sam Humphries

    Marketing Director, EMEA | Exabeam | Samantha Humphries is the Marketing Director, EMEA at Exabeam. She has been happily entrenched in the cybersecurity industry for over 20 years. During this time she has helped hundreds of organizations of all shapes, sizes, and geographies recover and learn from cyberattacks, defined strategy for pioneering security products and technologies, and is a regular speaker at security conferences around the world. In her current regeneration, Sam is part of the Security Strategy team at Exabeam, and she heads up marketing for EMEA. She authors articles and blogs for various security publications, has a strong passion for mentoring, and often volunteers at community events, including BSides, The Diana Initiative, and Blue Team Village (DEFCON).
