Back to BlogRSA Conference: Sysmon, SOCs & Security Success
The second day of the RSA Conference was packed with sessions, keynotes and insight from cybersecurity experts.
As a first-time RSA attendee, I was excited to jump into my first full day and learn as much as I could. Here are some highlights.
Threat Hunting With Sysmon
The first thing on my agenda was cheering on my colleague Amanda Berlin, Blumira’s Lead Incident Detection Engineer, as she kicked off the morning with a fascinating session Getting The Most Out Of Sysmon. She explained that the free Sysinternals tool Sysmon is like “The Incredible Hulk version of Windows logs,” providing increased visibility into endpoint logging that Windows Event Viewer cannot. In fact, at Blumira we built Sysmon’s implementation into our customer onboarding process; that speaks to how much we believe in its value.
Amanda uncovered three threat hunting scenarios for Sysmon, and showed how Blumira’s team was able to detect a Microsoft Exchange compromise via Proxy Logon with a series of suspicious behavior, ranging from NET user recon commands to SYSTEM mounting remote systems in the C drive.
The SOC Of The Future?
After Amanda’s session, I headed down to the main hall to catch a keynote presentation, The Journey To The Self-Driving SOC. Nir Zuk, CTO and founder of Palo Alto Networks, argued that today’s security operations center (SOC) is ineffective; humans cannot triage, respond and investigate alerts quickly enough to make a real impact. Instead, Zuk said, we should model the SOC after the self-driving car, centering it on AI and ML rather than humans. This requires a massive amount of diversified data to train ML algorithms — and that data needs to be in one centralized location.
Completely automated SOCs are already a reality, said Zuk. But listening to this keynote, I wondered how many organizations can realistically afford to implement these suggestions. Training ML models, as Zuk pointed out, requires a massive amount of data storage and processing. A bare minimum approach to deploying and maintaining a ML model costs $60k over the first five years, according to PhData — and that approach likely won’t scale over time and omits key features that will lead to performance degradation. That $60k also doesn’t account for other factors such as data storage, hardware and software costs.
Zuk’s approach certainly wouldn’t be viable for any small to midsize business — who, as Patel mentioned in yesterday’s keynote, are struggling to stay above the security poverty line. At Blumira, we recently published a guide for folks without the budget to staff a full SOC — let alone train ML models — to get SOC-like capabilities. You can download that here.
What Actually Makes Security Programs Successful
RSA day two brought another interesting session, What (Actually, Specifically) Makes Security Programs EVEN MORE Successful? Wendy Nather, Head of Advisory CISOs at Cisco, and Wade Baker, Partner and Co-Founder of Cyentia Institute, surveyed 4,800 IT and security pros to understand which actions led to success in a security program.
Five practices had the greatest statistical likelihood of improving all the desired program outcomes across the board, including recruiting and retaining talent, creating strong culture, and avoiding major incidents. Those five practices were:
- Proactive tech refresh
- Well-integrated tech
- Timely incident response
- Prompt disaster recovery
- Accurate threat detection
The study also posed the question: can automation compensate for lack of talent? I thought this was particularly relevant in light of the earlier session on SOC automation. Unsurprisingly, the speakers found that a weak technical staff combined with no automation was a bad mix; less than 36% of those organizations reported a strong security operations program. But the more processes the organization automates, the better the outcomes; over 78% of organizations reported a strong SecOps program when they automated three or more processes, even if their talent was weak.
The message here, Nather and Baker emphasized, is not to replace people with automation, but to combine them. That’s an approach that we can get on board with at Blumira. We find that providing SecOps teams with automated threat response provides better outcomes by saving time and filling in gaps of expertise — especially for smaller teams with fewer resources. Tools such as automated workflows, built-in playbooks and dynamic blocklists speeds up the process of investigating and responding to an alert and takes guesswork out of the equation.
Visit Blumira at RSA
Stop by Blumira’s RSA booth #3222 in the South Expo to get a demo, snag a free t-shirt, and speak to one of our security experts.
