Escaping Dante’s SOC Inferno: Greed and the Gimme Mindset 

Published
November 20, 2020

Let’s face it, we live in a mobile-first, always-on, data-centric world today. We walk around now with terabytes of data in our pockets, petabytes of data on our servers, and almost unfathomable amounts of infrastructure available to us in the cloud, assuming our pockets are deep enough.

Yet we want more and more and MOAR.

Each new phone we purchase must be kitted out with at least twice the storage of our last device, even if we never came close to filling it all up. Servers, physical or virtual, are doubling up in storage and memory configurations every year. 

The same gimme mindset has created a hell scenario in the SOC. Analysts continue to be overwhelmed with alert fatigue. Every alert that comes into the SIEM must be triaged — whether with orchestration that requires complex rules based on known IOCs or manual efforts based on tribal knowledge. 

The more threat intelligence data feeds we consume the more this cat-and-mouse game continues. Our adversaries continue to find new holes to exploit, change their tactics and pump out new malware and in turn we write our YARA rules, Python scripts and runbooks to respond. By the time we’ve finished these tasks for one threat, ten more come in. And so, the game continues. 

Still, we have this belief, this need, that the more information we have the more secure we will be as a result. “Send MOAR logs!” we scream to the heavens, “let our SIEMs overfloweth with glorious data!” but we’ve ended up with so much data to comb through with our queries and rules that we can’t see the wood for the, er, logs. And arguably, more logs does not mean more secure — we’re merely doing what we can to not drown in the big data ocean.

“Quantity” versus “quality”

Consider for a moment the volume of data you must gather in a SIEM, from a multitude of sources, just to attempt to eliminate false positives from trying to detect impossible “Superman” travel scenarios — a known problem with geo IP blocking. Not to mention it’s also time consuming, fiddly, and ostensibly not allowing you to focus on the issue you’re actually trying to solve: Have any of our user accounts been pwned, meaning we’ve got a compromised credentials issue on our hands, or has geo IP blocking falsed again?  

And then apply that same thought process to other investigations you perform. Whether it’s trying to ascertain which user was on a machine when something happened, or which asset had a specific IP address at a specific time, or <pick your investigation pain point of choice>. 
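To make the “Superman” travel problem concrete, here is an added example (not code from the original post, and not Exabeam’s product logic) of the minimal check a SOC would write: per user, take consecutive logins, geolocate the source IPs, and compute the ground speed needed to get from one location to the next. The constructed events, the 900 km/h plausibility threshold and the list of corporate VPN egress addresses are all assumptions for this example. The VPN allowlist is the part that matters for the false-positive problem the post describes: a login through a corporate egress node geolocates to the node, not to the user, so comparing it against the user’s previous location produces exactly the kind of junk alert an analyst then has to chase.

```python
"""Impossible-travel check over constructed authentication events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import FrozenSet, Iterable, List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: roughly the cruising speed of a commercial airliner.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    """One successful authentication, already enriched with a geo-IP lookup."""
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(a: LoginEvent, b: LoginEvent) -> float:
    """Speed the user would have needed to travel between the two logins."""
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_impossible_travel(
    events: Iterable[LoginEvent],
    known_egress_ips: FrozenSet[str] = frozenset(),
    max_kmh: float = MAX_PLAUSIBLE_KMH,
) -> List[Tuple[str, LoginEvent, LoginEvent, float]]:
    """Return (user, earlier_login, later_login, speed) for each consecutive pair
    of logins by the same user that would require travelling faster than max_kmh.

    Logins from known corporate VPN/proxy egress IPs are dropped before pairing:
    their geolocation describes the egress node, not the user, so they only
    generate false positives.
    """
    by_user: dict = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.src_ip in known_egress_ips:
            continue
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_kmh:
                findings.append((user, prev, cur, speed))
    return findings


# Constructed sample data: three users, one morning of logins.
# alice: London -> New York in one hour (genuinely impossible).
# bob:   London -> corporate VPN egress that geolocates to Sydney (false positive).
# carol: London -> Paris over three hours (ordinary travel).
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2020, 11, 20, 9, 0), "203.0.113.10", 51.5074, -0.1278),
    LoginEvent("alice", datetime(2020, 11, 20, 10, 0), "198.51.100.7", 40.7128, -74.0060),
    LoginEvent("bob", datetime(2020, 11, 20, 9, 0), "203.0.113.11", 51.5074, -0.1278),
    LoginEvent("bob", datetime(2020, 11, 20, 9, 30), "192.0.2.50", -33.8688, 151.2093),
    LoginEvent("carol", datetime(2020, 11, 20, 9, 0), "203.0.113.12", 51.5074, -0.1278),
    LoginEvent("carol", datetime(2020, 11, 20, 12, 0), "203.0.113.99", 48.8566, 2.3522),
]

# Assumed corporate VPN egress address (constructed, documentation range).
KNOWN_VPN_EGRESS = frozenset({"192.0.2.50"})


def flagged_users(with_allowlist: bool = True) -> set:
    """Users flagged by the check, with or without the VPN egress allowlist."""
    allow = KNOWN_VPN_EGRESS if with_allowlist else frozenset()
    return {f[0] for f in find_impossible_travel(SAMPLE_EVENTS, allow)}


if __name__ == "__main__":
    for user, a, b, speed in find_impossible_travel(SAMPLE_EVENTS, KNOWN_VPN_EGRESS):
        print(f"{user}: {a.src_ip} -> {b.src_ip} would need {speed:,.0f} km/h")
```

Run without the allowlist and bob is flagged alongside alice; run with it and only alice remains. That difference is the whole argument of the post in miniature: the extra signal did not come from more log sources, it came from one small piece of context about which IPs are not the user’s own.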

The end is nigh

With traditional, legacy SIEMs you can find yourself ingesting vast amounts of log data and still be unable to correlate these types of events quickly and efficiently. All too often, we’ve seen SIEMs set up for disaster, without thought for use cases or outcomes, and it’s causing a nightmare for the smart, knowledgeable analysts who are tasked with distilling fine wine from a salty ocean of disparate data.

Change is the only constant in life. And for a SOC analyst, this means our daily routines are constantly changing and always evolving as well. The ways of our past are no longer working for us. The very end of traditional “gimme all the logs, alerts, and threat intelligence” is now. We need to look at a different approach and escape this SOC hell. And lo! there is light at the end of the proverbial tunnel. 

Use your data wisely, you must.

If we look at the Superman scenario we talked about earlier — is it a pwn? Is it a false? Is it a pain in the ass to find out? — answering this is easily achieved using Exabeam Advanced Analytics and just a smattering of the right logs. And then we broaden that out to the real use case which is detecting compromised credentials, which can also be achieved with a handful of quality logs. You don’t need to manually trawl the data ocean — the information you need is presented to you automatically, so you can take action instead of wasting hours of your time trying to fathom out if an alert is real or just junk. 

We’re not saying throw all the logs into a pit and burn them — that would be a fun conversation to have with the auditors. We recommend you store them somewhere accessible for as long as you need to (BTW, we’ve got a Cloud Archive for that), or keep them in your traditional SIEM if you have one. Meanwhile, back at the SOC what we really need is the right data over quantities of data, to focus on use cases that drive improved security outcomes. Which in turn creates a better experience for the folks who are hands-on-keyboard. 

At Exabeam, we’ve helped hundreds of organizations determine where the value lies in their data, and how to wield it in a manner that helps analysts investigate accurately and quickly. Want to see it in action? We’ll happily walk you through a demo.

Data doesn’t need to be hell.

