Escaping Dante’s SOC Inferno: The Heresy of Orthodox SecOps

Escaping Dante’s SOC Inferno: The Heresy of Orthodox SecOps

Published
November 05, 2020

Treachery, Fraud, and Violence; they’re not just the making of the inner circles of Dante’s Inferno, they’re also the first three posts in this series. If you’ve been unfaithful in following the series, you can find redemption by reading each of the three and registering for our upcoming webinar. Welcome back. Let’s grab a cup of tea and talk about heresy.

“Now” is the era of atonement for security operations professionals. We must be redeemed for our heretical legacy ways!

But here’s the thing — we never truly were the heretics. We have been deceived by the traditional security vendor theologists and industry prophets for far too long. We’ve been led to the notion that it is indeed “we” who are the heretics, in our beliefs against an ill-fated doctrine of “The Way Of Legacy Security Operations.” Our attempts to achieve enlightenment in the great battle against the malicious cyber security deities have been laid bare, through the self-flagellation of manual triage, alert investigation and the endless circles of “search & pivot” on almost infinite raw data sets. Simply keeping up with the sheer volume of alerts can be enough to drive one (and many) mad. Processing an inferno of endless security events and alert feeds is a “living hell” for most security operations center (SOC) analysts — through no fault of their own — there’s just too much to deal with. 

This established belief that “thou shalt triage using the same tools and techniques that have been utilized for decades” is treated as gospel, and any who speak against it must be cast down to the sixth circle of hell for eternity. 

The golden path that we’ve been led down for years is running out of runway. It’s been preached from the pejorative pulpit that indicators of compromise (IOCs) and manual detection methods, through complex correlation rules with often static signature-based detection methods, are the holy grail of the SOC. Yet, we are still facing the same problems that we have since the dawn of time (or at least since the dawn of the internet era). 

What if we told you that the old ways aren’t necessarily the best ways? What if there’s a new way to approach SOC operations that helps us to achieve better results and still meet our business objectives? 

Would you be willing to go against traditional dogma or will you simply keep listening to the snake in the tree telling you, “Take this, it is good?” Are you willing to be born again and change your ways?

So, what is this new doctrine that we speak of and why is it considered heresy? 

IOCs are not the Messiah.

Why do we say this? Think about it… Where have these IOCs, and our constant homage to the temples of static correlation rules and signature-based detection gods, really got us over the past two decades? They aren’t a patch on the Romans.

Thousands of IP addresses, domain names, malware file hashes and the like, have been the bane of the SOC’s existence since their creation in the last millennium. Almost endless barrages of manual detection rules, based on a complex search query language and often only appeasing the sect of the known knowns, has led the industry to a point of insanity.

So, while our adversaries have rapidly adapted to our defenses, we are still damned to the hell of doing things the same old way because that’s the way it’s always been done. And it’s blasphemous to think or speak otherwise. (Pray for us mere sinners.)

Back to where this thinking has got us, and how we can escape this circle of Dante’s SOC inferno. 

Traditional thinking would have us just subscribe to some threat feeds, import those IOCs and endlessly tune our rules and signature detection methods through our legacy SIEM platform. We would then run around like some crazed person trying to stay a step ahead of our threat actors — a challenge that nobody, not even a Jedi master, could live up to. 

According to AV-TEST Institute, there are over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) registered every single day. That’s over 127,750,000 per year! 

How can we possibly expect SOC analysts to keep up?

Change our thinking.

You see, our industry has long known that credentials, particularly those of administrators, are consistently among the highest-rated categories of targeted assets by malicious actors. 

New employees and departing team members account for the highest percentage of insiders committing intellectual property law violations. 

Rogue admins can wreak havoc on company networks and systems, while also accessing critical data with little or no security controls in place to monitor their activity. 

And, yet we have the unrealistic expectation that all of the threat vectors (along with the onslaught of malicious outsider activity) is going to be unearthed from the heap of IOCs originating from threat intel feeds and our own systems. It’s just not down to earth.  

Step toward the light  this is the way!

Our intent is not to demonize traditional thinking, but to guide our readership to a more enlightened path. A path that can allow you to be illuminated with the approaches of a traditional SIEM combined with the pillars of a new testament:

By stepping into the light, we can achieve improved detection using behavior, not rules. We can investigate and respond in mere minutes, not days. 

SecOps doesn’t have to be hell.

We also encourage everyone to join us on Thursday, Nov. 19 at 9 a.m. PT / 12 p.m. ET / 5 p.m. GMT for our first accompanying webinar in this blog series, where we’ll share how security teams can escape the three innermost circles of Dante’s SOC Inferno in greater detail.

Register here!

Recent SIEM Articles
Exabeam Leverages the Power of SaaS to Proactively Improve Security Content and User Experience

Exabeam recently released i54, the latest version of Exabeam...

Recent Breaches Show Why Federal Agencies Need These 3 Requirements From Modern SIEMs

The SolarWinds compromise that affected multiple key federal...

New Features in Exabeam Content Library Now Available 

Exabeam recently released an update to its Content Library, ...

Escaping Dante’s SOC Inferno: Greed and the Gimme Mindset 

Let’s face it, we live in a mobile-first, always-on, data-...

Escaping Dante’s SOC Inferno: The Anger of Shattered Dreams  

What the…Hell? (An Open Letter) Cutting straight to th...




Recent Information Security Articles
Advanced Analytics Use Case: Detecting Compromised Credentials 

Stolen credentials have been a persistent problem, and organ...

Outcomes Above All: Helping Security Teams Outsmart the Odds

Author: Sherry Lowe, Chief Marketing Officer The world’s g...

Ethical Hacking: Why It’s Important & What Makes a Good Hacker

What Is ethical hacking? Ethical hacking is a practice where...

Understanding Cloud DLP: Key Features and Best Practices

Cloud DLP enables organizations to protect data residing in ...

How Lineas, Europe’s Largest Private Rail Freight Operator Found the Right Cybersecurity Tool

Vital infrastructure has become an area of concern for cyber...

What Is an Insider Threat? Understand the Problem and Discover 4 Defensive Strategies

Learn what an insider threat is and how they can hurt an org...