Task and Purpose
Security operations’ (SecOps) overriding mission can be distilled down to three core functional areas: protect, detect, and respond. Note that those functions are listed in order of importance.
Preventative security technologies allow an organization to shrink its attack surface, for example by enforcing access control to sensitive resources or by signaturing known and, to some extent, unknown threats. There is no shortage of preventative products and utilities capable of assisting. A defensible network architecture is another major help in this regard. Unfortunately, preventative controls are seldom perfect, or even appropriate, security instruments for many attack surfaces.
That leaves defenders with the challenge of threat detection and response, or disruption. Certainly, there are products available that can assist, but at this stage the work increasingly becomes more of an ‘art’ than a ‘science.’ Whole books have been written on that art.
But what makes SecOps successful at this stage are two critical and interrelated ingredients: speed and visibility. In other words, how much of the network you can see and how quickly you can respond to security events. One without the other offers marginal value. Knowing there’s been a security event without the ability to act on it is meaningless. And naturally, you can’t react to what you can’t see.
Superior visibility comes from a combination of different sources in an organization’s environment, such as strong asset management, Windows security event logs, firewall logs, antivirus alert logs, Sysmon events, or network packet captures – to name just a few. The more sources available to the SecOps team, the more likely events can be traced from alert back to their point of origin or root cause during an investigation.
Taking remedial action on, for instance, an endpoint with a quarantined piece of malware is useful, but it’s ideal to understand the root cause of the infection first. Superior visibility allows the investigator to understand the attack sequence that led to the system infection and, just as importantly, what corrective steps are needed to prevent it in the future, where possible.
Other times it aids a defender by allowing her to correlate and confirm an as-yet-unqualified security event. Think about it: would you prefer one witness or several witnesses that all confirm a single critical happening? Lastly, strong visibility translates to more log sources available for threat hunting, which essentially means proactively monitoring for indications of a network compromise.
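The “alert to root cause” walk and the “several witnesses” idea above can be made concrete with a small correlator. The following is an added example written for this article, not Blumira code or any vendor’s product logic. It joins three constructed log sources for one endpoint: an antivirus quarantine alert, Sysmon Event ID 1 (process creation) records, and firewall allow entries, using an asset-inventory map (IP to hostname) to tie the firewall’s view to the host. Every hostname, user, path, hash and address in the sample lines is invented; the `key=value` line format is an assumption chosen for readability, not any product’s native format.

```python
"""Trace an antivirus quarantine alert back to its origin by correlating
constructed AV, Sysmon and firewall log lines (added example, not vendor code)."""
import re
from datetime import datetime, timedelta

# --- Constructed sample data (all values invented) --------------------------
ASSET_INVENTORY = {"10.20.30.142": "WS-0142", "10.20.30.198": "WS-0198"}

AV_ALERTS = [
    r"2024-03-04T09:15:42Z host=WS-0142 action=quarantine "
    r"file=C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe sha256=PLACEHOLDER_HASH_1",
    r"2024-03-04T09:20:00Z host=WS-0198 action=quarantine "
    r"file=C:\Users\asmith\Downloads\setup.exe sha256=PLACEHOLDER_HASH_2",
]
SYSMON_EVENTS = [  # Sysmon EID 1 (ProcessCreate), flattened to one line each
    r'2024-03-04T09:14:55Z host=WS-0142 eid=1 pid=4120 ppid=2264 user=jdoe '
    r'image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
    r'2024-03-04T09:15:10Z host=WS-0142 eid=1 pid=5532 ppid=4120 user=jdoe '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'2024-03-04T09:15:31Z host=WS-0142 eid=1 pid=6004 ppid=5532 user=jdoe '
    r'image="C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe"',
    r'2024-03-04T09:15:33Z host=WS-0198 eid=1 pid=3001 ppid=900 user=SYSTEM '
    r'image="C:\Windows\System32\svchost.exe"',
]
FIREWALL_LOGS = [  # no hostname here: the asset inventory supplies it
    "2024-03-04T09:15:12Z src=10.20.30.142 dst=203.0.113.77 dport=443 action=allow bytes_out=1842",
    "2024-03-04T09:16:02Z src=10.20.30.142 dst=203.0.113.77 dport=443 action=allow bytes_out=91022",
]

TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Split '<ts> key=value key="value with spaces" ...' into a dict with a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in TOKEN_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1]


def process_chain(host, image, events, t0, t1):
    """From the Sysmon record that launched `image` on `host`, walk parent PIDs
    upward; returns the images root-first, so the likely origin comes first."""
    by_pid = {e["pid"]: e for e in events
              if e["host"] == host and e["eid"] == "1" and t0 <= e["ts"] <= t1}
    cur = next((e for e in by_pid.values() if e["image"].lower() == image.lower()), None)
    chain, seen = [], set()
    while cur is not None and cur["pid"] not in seen:   # `seen` guards PID reuse loops
        seen.add(cur["pid"])
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    chain.reverse()
    return chain


def investigate(alert_line, sysmon_lines, firewall_lines, inventory, window=timedelta(minutes=5)):
    """Enrich one AV alert with the process ancestry and outbound traffic seen on
    the same host within +/- `window`, and list which sources corroborated it."""
    alert = parse_kv(alert_line)
    t0, t1 = alert["ts"] - window, alert["ts"] + window
    chain = process_chain(alert["host"], alert["file"], [parse_kv(l) for l in sysmon_lines], t0, t1)
    destinations = {}
    for fw in (parse_kv(l) for l in firewall_lines):
        if inventory.get(fw["src"]) == alert["host"] and t0 <= fw["ts"] <= t1:
            destinations[fw["dst"]] = destinations.get(fw["dst"], 0) + int(fw["bytes_out"])
    sources = ["antivirus"] + (["sysmon"] if chain else []) + (["firewall"] if destinations else [])
    return {
        "host": alert["host"],
        "quarantined": basename(alert["file"]),
        "origin_chain": [basename(p) for p in chain],          # e.g. mail client -> shell -> payload
        "external_destinations": destinations,                  # dst -> total bytes out
        "corroborating_sources": sources,                       # the "witnesses"
    }


if __name__ == "__main__":
    for line in AV_ALERTS:
        print(investigate(line, SYSMON_EVENTS, FIREWALL_LOGS, ASSET_INVENTORY))
```

For WS-0142 the alert is corroborated by all three sources and the ancestry reads mail client, then PowerShell, then the quarantined binary, which points the investigator at the delivery path rather than just the file. For WS-0198 the same alert format yields a single witness and an empty chain: a signal that visibility on that host is thin, not that nothing happened.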
Faster Than a Speeding Bullet
Speed impacts actionability. It’s my contention that modern incident response has devolved away from the rarefied air of retainer-based digital forensics firms down to savvy SecOps teams acting in an organized and timely way to swiftly respond to a potential compromise. Digital forensics is still extremely relevant. But SecOps has co-opted certain elements, such as forensic triage, so much so that incident response (IR) is now accessible to enterprises as well as SMBs (small-to-medium-sized businesses).
It’s never enough to know something bad has happened. Defenders must be able to take timely and decisive action in response to qualified security events. Organizations that rely on one or two superheroes to fix every security incident are taking an enormous risk. The expert knowledge must diffuse throughout the security team. That’s why it’s critical to codify their expertise into incident playbooks. Strong planning during “peace time,” when defenders can think clearly, helps everyday organizations minimize the need for intense problem solving during a crisis. Incident playbooks improve the speed of SecOps by making complex remediation closer to mechanical.
Actionability takes different forms in practice. Modern SecOps aims to contain threats as fast as possible. Many advanced endpoint protection tools offer a host isolation feature that’s extremely handy for actionable incident response. Similarly, many next-generation firewalls support dynamic blocklists that allow you to block malicious sources. Good, thorough scoping ahead of time is still highly recommended, but both capabilities are quite effective, so they’ve become essential technology for speed-minded SecOps teams who want to stop the bleeding. IR firms are more than ready to provide expert forensic assistance, should things take a turn for the worse.
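What “codify expertise into a playbook” and “scope before you contain” look like in code, as an added example written for this article (not Blumira’s playbooks or any EDR or firewall vendor’s API): a containment routine for a malware-quarantine incident that encodes peace-time decisions as data, so the crisis-time step is mechanical. It takes the kind of enriched incident summary an investigation produces, isolates the host unless the host is on a list that requires human approval, and adds only genuinely external destinations to a blocklist, skipping internal ranges and any range the team has decided must never be blocked. The actions are recorded as tuples rather than sent anywhere; hostnames, ranges and the incident contents are constructed. The example treats only RFC 1918, loopback and link-local space as internal, so the documentation addresses used in the sample stand in for Internet addresses.

```python
"""Containment playbook with scoping guardrails (added example, not vendor code).
Actions are returned as tuples; a real deployment would hand them to the EDR
isolation and firewall blocklist APIs in the same order."""
import ipaddress

# --- Peace-time scoping decisions (constructed values) -----------------------
ISOLATION_NEEDS_APPROVAL = {"DC-01", "FS-01"}      # isolating these causes an outage
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]  # constructed: own mail gateway range
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def blockable(ip_text):
    """Decide whether a destination may go on the dynamic blocklist.
    Returns (True, "") or (False, reason)."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in INTERNAL):
        return False, "internal address"
    for net in NEVER_BLOCK:
        if ip in net:
            return False, f"in never-block range {net}"
    return True, ""


def contain(incident, needs_approval=ISOLATION_NEEDS_APPROVAL):
    """Turn a qualified incident summary into ordered containment actions.
    `incident` carries host, quarantined file, origin_chain and
    external_destinations (dst -> bytes), as an investigation would produce."""
    actions, skipped = [], []
    host = incident["host"]
    if not incident.get("origin_chain"):
        # Root cause unknown: capture triage before isolation changes the evidence.
        actions.append(("collect_triage", host))
    if host in needs_approval:
        actions.append(("request_approval", f"isolate {host}"))
    else:
        actions.append(("isolate_host", host))
    for dst in sorted(incident.get("external_destinations", {})):
        ok, reason = blockable(dst)
        if ok:
            actions.append(("add_to_blocklist", dst))
        else:
            skipped.append((dst, reason))
    actions.append(("open_ticket", f"{host}: {incident.get('quarantined', 'unknown file')}"))
    return actions, skipped


# Constructed incident: a workstation whose quarantined binary was spawned from
# the mail client and talked to one external host plus two internal ones.
SAMPLE_INCIDENT = {
    "host": "WS-0142",
    "quarantined": "inv0ice.exe",
    "origin_chain": ["OUTLOOK.EXE", "powershell.exe", "inv0ice.exe"],
    "external_destinations": {"203.0.113.77": 92864, "10.20.30.5": 4096, "198.51.100.10": 512},
}

if __name__ == "__main__":
    acts, skip = contain(SAMPLE_INCIDENT)
    for a in acts:
        print("DO  ", *a)
    for s in skip:
        print("SKIP", *s)
```

The guardrails are the point: a blocklist entry for the file server or the mail gateway would turn an infection into an outage, and that judgment belongs in the playbook, made once, rather than in the head of whoever is on shift. A domain controller still gets contained, but through an approval step rather than an automatic isolation.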
Good Living With Blumira
Speed and visibility are foundational to the Blumira platform. Blumira seamlessly integrates with several dozen of the top security technologies in order to optimize security visibility for client organizations. Every client receives built-in threat detections tailored to their unique security stack and automatically enriched with threat intelligence, so they can realize time to value in minutes rather than the months other prominent security information and event management (SIEM) solutions require. Each detection is packaged with a playbook so client organizations can act with speed and precision when security events do happen, regardless of their security maturity. Schedule a demo today!