Escaping Dante’s SOC Inferno: A Question of Lust

So far in this series we’ve escaped seven of the nine circles of SOC hell. In this penultimate post, today we’re looking at the second circle: Lust. Lust and SecOps are not two words you’d immediately put together in a sentence, certainly not in polite conversation. But this blog series has brought themes together in a multitude of interesting ways, so let’s start with a TV show reference that is safe enough for work…

“What do you desire? What do you truly desire?”

Fans of the cult favorite television series “Lucifer” will immediately recognize the title character’s signature catchphrase as he enchants his target subjects with his alluring eyes, raspy English accent, and devilish abilities to charm others into divulging their darkest desires.

As he actively listens to his suspects go on about what lusts they conceal within, he is already devising his strategy of how to lure them into his netherworld by graciously granting their requests for a favor.

These so-called “favors” fulfill the lustful desires of Lucifer Morningstar’s human counterparts in exchange for an IOU to be cashed in later — often at the most inopportune times. But these silly humans don’t care about the costs. They just want their lust fulfilled for something more, something better, or just something different. Sound familiar? How many times have we seen a management lust for time-driven metrics perfection resulting in no time for deeper investigations? And the price we paid for such behavior was missed events which quickly became a significant security incident — and for the less fortunate of us, a major breach!

In our search for the Holy Grail, we often lose sight of what is right in front of us, those opportunities that we have been afforded. We catch sight of a bright shiny object and become entranced by its wonder. And we will follow it to all four corners of the earth — even into battle if need be.

The plight of our misplaced lust

What is it that we think we desire in the SOC? And what do we give up in exchange for the fulfillment of such desires? We’re caught in an almost endless loop of lusting for more; more threat intel feeds, more IOCs, more data feeds, more data volume, more detection tools, more deception tools. Surely if we can do the same we’ve always done, but faster, that’s better right? We feel that with all these new things to add to our existing mountain of stuff, that we’ll somehow be better, smarter, stronger and even more agile than the adversary — whether they’re an insider threat or an external one.

We have an insatiable desire to try and outperform the rest in the great crusade of technology, that we’ve almost forgotten our mission, in the seemingly ad infinitum battle against the demons of the dark web, who are hell bent on stealing our IP and disrupting our business operations. Whilst the intense desire for the “latest and greatest” prevails, the forces that drive us to adopt the next “thing” (product, process or otherwise), must also drive us to question, what is it that we truly desire?

To take the aforementioned bright shiny object as an example, consider the last time a new piece of technology was brought into the fold. Whose desires were being met by the decision to do this? Leadership? Finance? The vendor’s sales team? Or the security analysts who would eventually be hands on keyboard? Often it tends to be the first three, and the latter gets left out in the cold until a technology is deployed. 

Marketing teams tend to focus on the “buyer journey” but not the user needs. Buzzwords and phrases in security vendorland are rife (“now with 20% more AI!”) and are used to entice the reader (read: buyer) into lusting after a better world – but in whose reality? When was the last time you were involved in putting a new technology through its paces before the purchase order was delivered? Or for that matter even consulted about what your challenges were, in order to see if XYZ shiny tech was actually going to deliver? But all too often, because SOC analysts aren’t part of the purchasing process, shiny new toys can become old shelfware, their promises of “faster, better, stronger, cheaper, more AI-er”, left to rot. 

A place where lust turns to dust.     

Lust is a virtue if we wield its power wisely!

Might we turn our innermost desires to a path that delivers on the security operational values we’ve been seeking for so long? It is indeed a hedonistic notion, but certainly not a hopeless one! There is a better way and all who shall follow the path of SecOp’s transformation will forevermore find redemption as the “reformed analyst.” 

Our doctrine shall be built upon the holy trinity of “find bad stuff, fix bad stuff and take credit for it”. Through the application of functional automation and data science, we can be empowered to ask infinitely better questions of the data-sets we’ve already acquired, with the tools we already have and delivered by the teams already in operation. The intense desire to follow our own instincts and not be lured by the cyber and data security vendor sirens of false promises will deliver us to a new dawn of SecOp’s transformation.

Spellbound in the pale moonlight

When we dance with the devil, err legacy security vendors, we can find ourselves completely spellbound by their display of power and influence.  Consider what it would take for your organization to break free from the devil you’ve always known, despite their (empty) promises! It is not an easy task, to say the least. To embark on a mission to break such a spell could be at least a multiyear commitment and involve a significant team effort to make the transition. Yet, all the planning and preparation in the world cannot fully cover all the possible scenarios for the cut-over date. Do we let such barriers become the “great wall of SecOps stagnation” within our respective organizations? Unfortunately many feel that there is no other way and as such remain under the enchantment of legacy chains. There is a way and it’s OK to lust after those things you know will deliver on your SecOps panacea, without destroying the mount upon which your security operations hopes and prayers were built.

The aforementioned TV character Lucifer offers to make people’s deepest desires come true, through a bevy of highly influential contacts and seductive offers that can help grease-the-wheels to make things happen. Do we (or our management team) become seduced by the personas at the round-table of executive decision-making? Do pristine demo environments and the lure of the perfectly presented antidote to our woes, pave the way towards a predestined and often ill-fated future?

Oddly enough, in the TV series, Lucifer never lies. He is brutally honest with others, regardless of the impact or outcome. Not wanting to replicate the Dark One’s character traits, but, perhaps if we were a bit more honest with ourselves, we’d come to realize that the proverbial grass isn’t always greener on the other side. Yet, our lustful desires keep telling us that surely it must be.

A different dance, to the beat of the SOC analyst’s drum

Sure, if we could all design our security stacks from the ground up there is a ton that we would likely do differently, if given the opportunity. But the rip-n-replace approach should really be reserved for the worst-case scenarios. Wouldn’t you agree?

Instead, what if we were able to take inventory of our shortcomings, maximize the use of our existing investments and fill the gaps with right-sized technologies that empower you to be much more proactive. 

What if rather than just harvesting and querying log data, while pivoting from one IOC to the next, we were able to map out and replay entire sequences of events and have them automatically correlate into a timeline pertaining to individual user accounts or entities? What if the entire chain of events were just converged and chronologically mapped out before your very eyes, providing answers to the questions you wanted to ask (and many you hadn’t considered!)?

Wouldn’t that be just heavenly?

Well, it just so happens that heaven is indeed a place on earth; you just need to know where to look.

We can help you

Here at Exabeam, helping SOC teams achieve their mission is in our genes. And no one knows more about jeans than the team at Levi Strauss & Co. (#notsorry for the genes/jeans terrible linkage). Hear them tell their story in this video.  

And maybe you’d like to take a peek into a world that isn’t fraught with manual processes, query/pivot investigations that take forever (assuming metrics aren’t pulling you in a different direction), or that sinking feeling inside when the auditors show up and start asking questions about how you determine malicious activity? We’d love to show you how we can help you with all of these things and more. 

More good news, security teams don’t even need to make a deal with Lucifer to experience the benefits of Exabeam – we can add analytics and automation to the SIEM or log management tool you already have in place.  

If you’ve missed out on the previous posts in our Dante’s SOC inferno series, here’s where you can binge read the rest: 

• The Treachery of SIEM Lies 
• Fraud and the Truth About Normal 
• The Violence of Destructive Metrics 
• The Heresy of Orthodox SecOps
• The Anger of Shattered Dreams 
• Greed and the Gimme Mindset
• Gluttony and the SOC Skills Shortage