Responding to a data breach is hard. But understanding how you got there is key to turning an effective defense into reality. In security operations centers (SOCs), it's often said you have to crawl before you walk. Most enterprise firms are just now capable of walking. To us, walking means having a repeatable event analysis process and something close to "complete visibility": internal data aggregated into a SIEM or a log management/big data analytics tool for search and correlation.
Running means walking, plus effectively having all 3 of the following (let's call it the new SOC Holy Grail):
- Risk-classified asset information with vulnerability data
- External security intelligence *integrated* or operationalized as a correlated data stream
- Kill chain enforcement (stopping an attack before having to call Mandiant)
The standard set of logs that gives complete visibility covers OSI layers 3-7. The enterprise average usually amounts to:
- Firewall accepts/denies, NetFlow or equivalent network state
- Web gateway / proxy logs or equivalent HTTP transaction records
- DPI - IDS/IPS/DLP etc.
- Malware defense - endpoint (EPO/SEP11), sandbox (FEYE), something newer
Getting these logs into one place with cross-device reporting and correlation is walking the walk. The issue with walking is that the result is hundreds, if not thousands, of security events you now have visibility into. From Zeus bot infections to SQL injection attacks, it is an overwhelming flood of events with little to no prioritization. This keeps most SOC analysts completely brain-fuddled in copy-and-paste help desk ticket cycles. What's worse are the hours wasted "Riding the Google Train", our cheeky phrase for manual IOC investigation: is this IP really bad?
When you have an effective stream of aggregated threat intelligence, filtered down to only the actionable, business-relevant data and layered into (read: operationalized in) the SIEM, you gain a powerful ability to cut thousands of security events down to the ones that really matter.
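To make that concrete, here is an added example (not code from the original post or from ThreatStream) of one correlation pass that layers a threat-intel feed and risk-classified asset data onto raw proxy/firewall events so they come out ranked rather than as a flat flood. The feed, asset inventory, log format and scoring weights are all constructed for illustration.

```python
# Added example (not from the original post): rank raw proxy/firewall events by
# threat-intel confidence and asset risk instead of working them top to bottom.
import re

# Constructed threat-intel feed: indicator -> (confidence 0-100, threat type).
INTEL = {
    "198.51.100.23": (90, "c2"),
    "203.0.113.77": (40, "scanner"),
    "bad-updates.example": (85, "malware_download"),
}

# Constructed asset inventory: host -> (business criticality 1-5, open vuln count).
ASSETS = {
    "10.0.1.15": (5, 3),  # finance database server, three unpatched findings
    "10.0.2.40": (2, 0),  # lobby kiosk
    "10.0.3.9": (4, 1),   # developer jump box
}

# Constructed key=value log lines, the shape many proxy/firewall exports take.
LOG_LINES = [
    "ts=1 src=10.0.1.15 dst=198.51.100.23 dport=443 action=accept",
    "ts=2 src=10.0.2.40 host=bad-updates.example action=allow",
    "ts=3 src=10.0.3.9 dst=203.0.113.77 dport=22 action=deny",
    "ts=4 src=10.0.2.40 dst=192.0.2.1 dport=80 action=accept",
]

KV = re.compile(r"(\w+)=(\S+)")

def score_event(fields):
    """Return (score, indicator) if the event touches a known indicator, else None."""
    for key in ("dst", "host"):
        indicator = fields.get(key)
        if indicator in INTEL:
            confidence, _threat_type = INTEL[indicator]
            criticality, vulns = ASSETS.get(fields.get("src"), (1, 0))
            # Weight intel confidence by who was talking, bump per open vuln, halve if blocked.
            score = confidence * criticality + 20 * vulns
            if fields.get("action") not in ("accept", "allow"):
                score //= 2
            return score, indicator
    return None

def triage(lines):
    """Parse each line, keep only the intel matches, highest score first."""
    hits = [(hit[0], hit[1], line) for line in lines
            for hit in [score_event(dict(KV.findall(line)))] if hit]
    return sorted(hits, reverse=True)

for score, indicator, line in triage(LOG_LINES):
    print(f"{score:4d}  {indicator:22s}  {line}")
```

The unpatched finance server beaconing to a high-confidence C2 indicator lands at the top, while the already-denied scan against the jump box drops to the bottom and the event with no intel match never reaches an analyst at all.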
Of course, most SOC teams don't ignore signs leading to a breach. They are increasingly just overwhelmed with unprioritized, seemingly similar security events. They were simply too far behind in their process (i.e. still walking).
So here's to all the new technologies and start-ups devoted to helping an organization achieve a full sprint. At @threatstream we think #SOCHolyGrail is not hard to get to with the right approach.