Escaping Dante’s SOC Inferno: The Heresy of Orthodox SecOps
Treachery, Fraud, and Violence; they’re not just the making of the inner circles of Dante’s Inferno, they’re also the first three posts in this series. If you’ve been unfaithful in following the series, you can find redemption by reading each of the three and registering for our upcoming webinar. Welcome back. Let’s grab a cup of tea and talk about heresy.
“Now” is the era of atonement for security operations professionals. We must be redeemed for our heretical legacy ways!
But here’s the thing — we never truly were the heretics. We have been deceived by the traditional security vendor theologists and industry prophets for far too long. We’ve been led to the notion that it is indeed “we” who are the heretics, in our beliefs against an ill-fated doctrine of “The Way Of Legacy Security Operations.” Our attempts to achieve enlightenment in the great battle against the malicious cyber security deities have been laid bare, through the self-flagellation of manual triage, alert investigation and the endless circles of “search & pivot” on almost infinite raw data sets. Simply keeping up with the sheer volume of alerts can be enough to drive one (and many) mad. Processing an inferno of endless security events and alert feeds is a “living hell” for most security operations center (SOC) analysts — through no fault of their own — there’s just too much to deal with.
This established belief that “thou shalt triage using the same tools and techniques that have been utilized for decades” is treated as gospel, and any who speak against it must be cast down to the sixth circle of hell for eternity.
The golden path that we’ve been led down for years is running out of runway. It’s been preached from the pejorative pulpit that indicators of compromise (IOCs) and manual detection methods, through complex correlation rules with often static signature-based detection methods, are the holy grail of the SOC. Yet, we are still facing the same problems that we have since the dawn of time (or at least since the dawn of the internet era).
What if we told you that the old ways aren’t necessarily the best ways? What if there’s a new way to approach SOC operations that helps us to achieve better results and still meet our business objectives?
Would you be willing to go against traditional dogma or will you simply keep listening to the snake in the tree telling you, “Take this, it is good?” Are you willing to be born again and change your ways?
So, what is this new doctrine that we speak of and why is it considered heresy?
IOCs are not the Messiah.
Why do we say this? Think about it… Where have these IOCs, and our constant homage to the temples of static correlation rules and signature-based detection gods, really got us over the past two decades? They aren’t a patch on the Romans.
Thousands of IP addresses, domain names, malware file hashes and the like, have been the bane of the SOC’s existence since their creation in the last millennium. Almost endless barrages of manual detection rules, based on a complex search query language and often only appeasing the sect of the known knowns, has led the industry to a point of insanity.
So, while our adversaries have rapidly adapted to our defenses, we are still damned to the hell of doing things the same old way because that’s the way it’s always been done. And it’s blasphemous to think or speak otherwise. (Pray for us mere sinners.)
Back to where this thinking has got us, and how we can escape this circle of Dante’s SOC inferno.
Traditional thinking would have us just subscribe to some threat feeds, import those IOCs and endlessly tune our rules and signature detection methods through our legacy SIEM platform. We would then run around like some crazed person trying to stay a step ahead of our threat actors — a challenge that nobody, not even a Jedi master, could live up to.
According to AV-TEST Institute, there are over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) registered every single day. That’s over 127,750,000 per year!
How can we possibly expect SOC analysts to keep up?
Change our thinking.
You see, our industry has long known that credentials, particularly those of administrators, are consistently among the highest-rated categories of targeted assets by malicious actors.
New employees and departing team members account for the highest percentage of insiders committing intellectual property law violations.
Rogue admins can wreak havoc on company networks and systems, while also accessing critical data with little or no security controls in place to monitor their activity.
And, yet we have the unrealistic expectation that all of the threat vectors (along with the onslaught of malicious outsider activity) is going to be unearthed from the heap of IOCs originating from threat intel feeds and our own systems. It’s just not down to earth.
Step toward the light — this is the way!
Our intent is not to demonize traditional thinking, but to guide our readership to a more enlightened path. A path that can allow you to be illuminated with the approaches of a traditional SIEM combined with the pillars of a new testament:
- Improve threat detection and automated incident investigations
- Provide storage cost savings while retaining full search and export capabilities
- Automate error-prone manual processes with security orchestration and automation playbooks
- Prevent security blind spots by ingesting log data from popular cloud-based services (Shadow IT)
- Detect anomalies using statistical models, machine learning, rules, threat signatures and more
By stepping into the light, we can achieve improved detection using behavior, not rules. We can investigate and respond in mere minutes, not days.
SecOps doesn’t have to be hell.
We also encourage everyone to join us on Thursday, Nov. 19 at 9 a.m. PT / 12 p.m. ET / 5 p.m. GMT for our first accompanying webinar in this blog series, where we’ll share how security teams can escape the three innermost circles of Dante’s SOC Inferno in greater detail.