
Excerpts from Building a High Speed SOC: Achieving Speed (Part 1)

December 5, 2017 / Rick McElroy Sean Blanton

Carbon Black recently published an in-depth guide on what it takes to develop a “high speed” security operations center, or SOC; this is an excerpt from that guide, which you can find here. For more information on building high speed SOCs, including how to eliminate the “response gap,” check out the Transform Into a High Speed SOC hosted by IBM and Carbon Black.


What are the Basics We Need to Master First?

Speed is only built on a strong security foundation. A process can only be automated once your team has perfected it. Automating a process that your team does not fully understand will create blind spots and will likely decrease your visibility as you attempt to scale. Before tasking machines with processes that are key to your security, make sure you understand all the weaknesses of your current posture.

  • Have you minimized your attack surface?
  • Have you inventoried every asset?
  • Are your systems being properly patched?
  • How would you know if they were not?

These questions may have more in common with basic IT hygiene than security, but they are essential to the success of your SOC. Using Cb Response, our customers enjoy complete visibility across their environment to continuously monitor every detail of every event.

We asked Ismael, a senior security analyst at a firm operating a global network of telecommunication satellites, how he uses Cb Response to master the basics of security and achieve speed. “Carbon Black has decreased the time required to identify and respond to a security incident. Before Cb Response, we required hours or days before we could identify an endpoint compromised by a zero-day in Microsoft Word, for example, often because the affected user notified us about a suspicious document or PDF. Nowadays, we are able to detect and respond even before the user contacts us. To date, we have reduced the IR time from days to hours.”


How Can I Efficiently Organize and Lead the People on My Team?

Organizing your team to protect your environment with agility is difficult, given the varied skills involved and the challenges of traditional SOC structures. We asked our partners at Red Canary, who every day provide security solutions that harness the visibility of Carbon Black’s products, to share how they keep up with the constantly evolving functions of today’s intelligence-driven security teams.

Nowadays, we are able to detect and respond even before the user contacts us. To date, we have reduced the IR time from days to hours.

Ismael Briones-Vilar, Senior Security Analyst, Inmarsat

“At Red Canary, efficiency starts with breaking down the structures seen in traditional SOCs. We have found the most success by moving beyond an operation that focuses solely on event analysis. To do this, we include our Intel team in engineering efforts, engineers in analysis efforts, and so on. Rather than assigning each team member a label to exclusively focus on, each person has a core ‘practice.’ They still develop and improve within their practice, but they are also challenged to engage with other functions in the SOC.

“This approach completely bucks traditional views of security operations, and has led to amazing innovation within our security team and around the investigation process. Our engineers are actively examining the analysis process, seeing the results, and continuously working to develop efficiencies for our analysis team. This approach has led to data analysis and automation efforts that have removed the need for in-depth investigation in nearly 10% of all threats. It has led to effective suppression that provides each individual analyst with the ability to ‘tune’ detection criteria during an investigation. That tuning is then used to automatically suppress potential threats in the future. Doing so has enabled our analysts to be 4-5X more efficient over the last three years, and much of this can be attributed to how we evolved our security team by removing more traditional, time-intensive job functions.”

 

How Can Technology Help Streamline Our Detection and Response Processes?

Complete control starts with complete visibility over your endpoints. Being able to quickly detect an attack depends on how centralized all your data is. Cb Response works with your current SIEM and many other elements of your security stack to ensure that every system event is recorded continuously and readily available for you to visualize when an investigation is necessary. At a glance, analysts also have instant access to a readout of endpoint health and your SOC’s key performance indicators.

Proactively hunt threats across your enterprise. With Cb Response you can explore your environment, discover threats missed by outdated detection methods, and reduce attack dwell time. Security professionals use Cb Response to validate their hunting hypotheses and create automated watchlists that generate custom alerts for the suspicious patterns they identify. We asked Dan, a cyber defense analyst at Motorola Solutions, how he uses Cb Response to rapidly uncover threats from a single console and enable his organization to continue providing mission-critical communication products and services all over the world. “The time saved is immense, because Cb Response makes it easy to determine if a hit is a false positive or not. Usually, just looking at the command line, parent/child processes, and netconns will let you make an assessment.”

Rapidly drill down to root cause. In the case of malicious attacks, it can take over 9 months on average to properly identify the root cause of an incident and contain it. Cb Response allows analysts to visualize the complete attack kill chain and then respond and remediate the attack within minutes, without having to manually aggregate and sift through relevant raw data post-incident. Cb Response allows you to safely isolate an infected host and then obtain secure direct access to that endpoint to continue your investigation. Our Live Response functionality enables IR professionals to pull or push files, run commands, and perform memory dumps, all from within a single console.
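The two ideas in the paragraphs above, watchlist rules that alert on suspicious patterns and triage by walking the parent/child chain back to root cause, can be shown with a small amount of code. The following is an added example written for this post; it is not Cb Response code and does not use its API. The event record layout, the rule names, and the sample telemetry (a Word document spawning an encoded PowerShell that makes an outbound connection, alongside benign browser and scheduled-script activity) are all constructed for illustration.

```python
"""Watchlist-style alerting and process-chain triage over constructed
endpoint telemetry. Hypothetical example; not the Cb Response data model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str
    netconns: List[str] = field(default_factory=list)  # "ip:port" strings


# Constructed sample telemetry (not real data): explorer launches Word,
# Word spawns an encoded PowerShell that connects out; Chrome and a
# scheduled backup script are benign noise.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", "winword.exe /n invoice.docx"),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe -enc QQBBAA==",
                 ["203.0.113.5:443"]),
    ProcessEvent(400, 100, "chrome.exe", "chrome.exe --profile-directory=Default",
                 ["198.51.100.7:443"]),
    ProcessEvent(500, 100, "powershell.exe", "powershell.exe -File backup.ps1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def index_by_pid(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {e.pid: e for e in events}


def ancestry(pid: int, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Walk parent links from pid up to the root. This is the chain an analyst
    reconstructs when drilling down to root cause; the seen-set guards
    against cycles in malformed telemetry."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


# Watchlist rules: each returns a reason string when the event matches.
def rule_office_spawns_shell(event: ProcessEvent, by_pid) -> Optional[str]:
    parent = by_pid.get(event.ppid)
    if parent and parent.name in OFFICE_APPS and event.name in SHELLS:
        return f"{parent.name} spawned {event.name}"
    return None


def rule_encoded_powershell(event: ProcessEvent, by_pid) -> Optional[str]:
    if event.name == "powershell.exe" and " -enc" in event.cmdline.lower():
        return "encoded PowerShell command line"
    return None


def rule_shell_with_netconn(event: ProcessEvent, by_pid) -> Optional[str]:
    if event.name in SHELLS and event.netconns:
        return f"{event.name} connected to {event.netconns[0]}"
    return None


WATCHLIST = [rule_office_spawns_shell, rule_encoded_powershell, rule_shell_with_netconn]


def run_watchlist(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Evaluate every rule against every event; returns pid -> reasons."""
    by_pid = index_by_pid(events)
    hits: Dict[int, List[str]] = {}
    for e in events:
        reasons = []
        for rule in WATCHLIST:
            reason = rule(e, by_pid)
            if reason:
                reasons.append(reason)
        if reasons:
            hits[e.pid] = reasons
    return hits


def triage(pid: int, events: List[ProcessEvent]) -> dict:
    """Combine the process chain with watchlist hits along it. A single
    isolated hit (e.g. a scheduled script) is treated as a likely false
    positive; two or more corroborating reasons warrant investigation."""
    by_pid = index_by_pid(events)
    hits = run_watchlist(events)
    chain = ancestry(pid, by_pid)
    reasons = [r for p in chain for r in hits.get(p.pid, [])]
    return {
        "chain": [p.name for p in chain],
        "reasons": reasons,
        "verdict": "investigate" if len(reasons) >= 2 else "likely benign",
    }


if __name__ == "__main__":
    for pid in (300, 400, 500):
        print(pid, triage(pid, SAMPLE_EVENTS))
```

The verdict threshold is deliberately simple: it demonstrates why Dan's three signals (command line, parent/child relationship, network connections) are checked together rather than individually. The scheduled `backup.ps1` run is PowerShell too, but with no suspicious parent, no encoding, and no connection it never reaches the alert queue.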

The time saved is immense because Cb Response makes it easy to determine if a hit is a false positive or not.

Dan Banker, Cyber Defense Analyst, Motorola Solutions


Join us next week as we continue to explore “Building a High Speed SOC,” our in-depth guide on what it takes to develop a “high speed” security operations center. If you can’t wait until next week, however, you can click here to get a copy of the full report.

TAGS: Cb Response / Excerpts / High Speed SOC / security operations
