jro-grafik - Fotolia
Over the years, infosec leaders have become increasingly reliant on automated solutions to detect and prevent threats and to handle repetitive operational tasks, like alert monitoring and triage. As malicious actors grow in sophistication and alert volumes increase, automated detection, prevention and response have become must-haves. In fact, according to Imperva, 27% of IT professionals receive more than 1 million security alerts daily. A security operations center, or SOC, of 10 people cannot possibly manage this volume of alerts without the assistance of automated tools.
Too much reliance on AI in security?
Security vendors have developed advanced, AI-based tools, including next-generation antivirus, next-gen firewalls and security orchestration, automation and response platforms, to address the growing volume and sophistication of threats. However, we must ask ourselves: Have we become too reliant on these tools? Unfortunately, even the best AI cannot detect and prevent 100% of the threats to our organizations. Some attacks will eventually get through. Once this happens, we depend entirely on the skills of our incident response teams, which, unfortunately, many attackers are prepared for.
Cybercriminals are continuously advancing, with 2020 VMware research indicating 92% of U.S. businesses surveyed saw an uptick in attack volume and 84% reported that attacks have grown in sophistication. Not only are attackers becoming more effective, but our attack surface is also expanding with new soft spots, including supply chain vulnerabilities, application vulnerabilities and human error. Industry leaders are now acknowledging the impact of increased attack sophistication on the cybersecurity industry at large, warning that major breaches, like the recent SolarWinds attack, can no longer be thought of as outliers. Attacks that would have been considered highly advanced threats just a few months or years ago are now commonplace, and they are, in many cases, no less effective.
These high-profile attacks are a result of the combined failure of our technologies, which failed to detect, alert and prevent those attacks, and the human factor -- our incident response teams, who did not succeed in their role as the last line of defense. In this role, they are tasked with analyzing the information provided by security tools and conducting investigations that enable them to rapidly identify the source of the threat, understand the organization's current risk, contain the attack, understand its root cause, mitigate it before damage is done and remediate future occurrences of this same threat or ones with similar characteristics. But, when the people operating these tools are not skilled and trained to use them, it does not matter how much we have invested in the tools. Organizations must shift their mindset and accept that their technologies are only as effective as the people who operate them.
How SOC teams often operate
During an active cyber attack, SOC teams operate in one of three scenarios:
- Scenario 1. Automated prevention tools detect and block the attack before it enters the network; all is well. Typically, these would be less-sophisticated attacks and attackers. We analyze the attack after the fact and tighten our security policies.
- Scenario 2. Our detection tools raise an alert. We look into the alert and determine that it was not a false positive, requiring immediate investigation. Now, it's a race against time, with our response time directly impacting the overall cost to the company following the breach.
- Scenario 3. Attackers successfully infiltrate our network, under the radar, without raising any alert. This is the worst-case scenario. The attackers actively work to escalate their access privileges and move laterally to find where private data is stored or locate a mission-critical workstation, which they can encrypt and use for ransom. Successful organizations address this difficult but common scenario by employing regular threat-hunting processes in which teams continuously sift through the network to look for suspicious signs, which may indicate an ongoing attack. These processes are typically done by means of endpoint detection and response (EDR) and SIEM platforms.
The two latter scenarios are the most common in high-profile attacks and require significant expertise from SOC teams. No matter whether you've invested in state-of-the-art SIEM and EDR platforms, the teams need to be skilled and trained to understand where they should look for evidence, how to analyze the evidence to understand what it means, and how to act upon the evidence to contain and mitigate the attack. They must be extremely proficient with the tools as they will need to do this quickly.
Moreover, they must work effectively as a team, under severe time pressure. One team member may be looking for suspicious indicators in workstations using EDR, while another might be using SIEM platform to go through logs to try to correlate them with the EDR indicators. Others will collaborate to find related threat intelligence about those findings and then review the organizational knowledge base to find similar cases from the past that might help.
The human element proves to be quite important
The element of human response speed is critical. According to IBM, the average total cost of a 2020 enterprise data breach worldwide was $3.86 million, with the U.S. ranking as the most expensive, costing a business $8.64 million on average. At the same time, these breaches took around 280 days to identify and contain. Industry research showed that the cost of a breach increases with attack duration, and so a faster response time is a critical component for businesses to strive for when looking at budgeting for new tools or when supporting better skill development and training for their teams. Moving forward, well-versed SOC teams will respond much more quickly than those with less proficiency or weaker tools.
Based on hundreds of exercises I've run with SOC teams, I found that most organizations have failed not because of insufficient investment in technology. On the contrary, they had some of the latest and priciest tools in their stack, but these teams did not have the skills to operate the tools effectively in an incident or threat hunting scenario. Unfortunately, reading the manual is not enough. Compare this to a nation buying the latest combat-ready jet fighters to defend its airspace and then assigning pilots who have been only trained in basic takeoffs and landings.
As threat actors' tactics become more pervasive and prolific, it's more critical than ever for SOC teams to think on their feet. Enterprise security tools -- while great on their own -- are ultimately only as sophisticated as the cybersecurity professionals who use them. We cannot assume tools will do the job on their own, and we cannot underestimate the importance of our teams' skill level. Effective defense requires a convergence of the improved tools available on the market and enhanced skills of cybersecurity teams.
Amid a global cybersecurity shortage anticipated to leave a staggering 3.5 million jobs unfilled internationally in 2021 according to Cybersecurity Ventures, it's now more important than ever for business leaders to look to train, retain and increase the skills of their SOC teams to ensure they have the capabilities to operate the expensive tools their security budgets cover. Those tools are excellent but only when wielded by skilled hands. Following an unprecedented year of cyber attacks, we know that these expensive tools will only become more effective in 2021 as the professionals operating them advance their skill sets. To this end, enterprise leadership must prioritize strengthening their SOC team's manual skills to avoid the next big breach or, if they are impacted, to reduce the ultimate cost to their organization, data and customers.
About the author
Wayne Pruitt, technical trainer and customer success manager at Cyberbit, is a former Army logistics team member and systems and network administrator for the Department of Defense. Having served in multiple capacities in both the public and private sectors, he has extensive experience in SOC operations, training, defense techniques and incident response and holds multiple certifications from EC-Council in a number of technical skill sets. Pruitt has a wide range of experience that gives him unique insight into the world of cybersecurity.