Skip to main content

SIEMs are dead; long live SIEMs

November 24, 2020
clock 5 MIN READ

Having discussed the command center level value that a centralized cybersecurity platform (CCP) creates for security success, the following is an example of an incident response path enabled by the CCP. A CCP can take the form of something that is being marketed as a next-gen SIEM. If looking for one, here’s what it should look like in action:

Let's pretend an alert fires for a new malware: A page is then sent in to CCP chats ops functionality, and a SOC analyst immediately responds by viewing the alert.

Upon opening the alert by clicking the link in chat ops, the analyst is taken to the details of the alert in a concise format with which they are familiar. The workings of the CCP have already enriched the alert by gathering information from internal and external sources. The analyst sees from the enriched information that an endpoint has tried to execute improper actions. Threat attribution of the signature identifies this observed threat as new malware while controls looking for this particular behavior, (not a particular signature) prevented the threat from executing. This strategic approach of identifying behavior over signature reflects the SOC team operating at the top of the Pyramid of Pain. In this case, the new malware threat was stopped, and there is no damage on this particular endpoint.

Due to the aforementioned intelligence enrichment of the alert through systemic automation, the analyst has the pertinent context and details needed to begin analyzing the alert. Lacking CCP, the analyst would first spend significant time researching this context to further understand the surrounding actions that led to the alert. The research may even take an analyst to external sources to gather external data to assist in learning about the threat that caused the alert. In limiting or stopping potential further damage, every minute counts. Spending time researching takes analysts away from what they do best: analyzing information and taking action.

Within the enriched alert, the analyst promptly concludes the new malware payload was delivered by badurl.com.

Thanks to the enterprise having full visibility of its infrastructure and CCP, the analyst can extract from the alert the puzzle pieces they need to determine the next step. In this case, they are presented with details that badurl.com was served via a phishing email.

Staying in the alert on CCP, the SOC analyst is able to click-start an automated process to hunt through the entire enterprise events for badurl.com.

The search returns 11 employee inboxes that have the identified malicious email content; thankfully, each of the emails are currently unread. The SOC analyst initiates an automated process from the CCP alert to instantly delete the 11 emails from the each of the inboxes, preventing those 11 employees from having an opportunity to click badurl.com. The process confirms all 11 are deleted before being read by employees and tracks these actions in CCP. 

Additionally, via CCP, the analyst can see that this particular new malware has not produced any other alerts within the infrastructure. The analyst now has confidence that the damage of this malware is presently contained. But, with the capability of a good SOC with a centralized platform, it doesn't stop here — it's time to look beyond, especially since this malware appears to be new.

Turning to the security community, the analyst shares the findings up to this point as a means of alerting others as well as building a knowledge coalition (assuming the malware is indeed new). Others within the community respond with like feedback on the malware. With this additional external information now being fed into CCP, the analyst continues their investigation. Using this latest external data, which provides other indicators of compromise (e.g., other bad URLs), the analyst searches past history via CCP for those indicators, but finds no records. The analyst now has high confidence that containment has been achieved and there is no damage from this new malware within the infrastructure.  

Concurrently, another analyst who specializes in control writing is working on improving the security posture from this incident. As the alert is being updated with all internal and external data, the control writing analyst is converting the data into actionable intelligence by crafting new controls for email protection tools and network protection tools that previously missed this new malware. For tuning specific to this enterprise's environment, the analyst will use CCP to:

  • Test these new controls against historical data in the enterprise 
  • Test controls against new external data received 
  • Test against malware analysis platform tools to greater expand the sample size

When successful, these controls will now fire with efficiency against the historical missed internal events in the email and network tools, as well as firing against the newly ingested external/community shared activity and malware analysis tool. The team is confident that the previous failures at the network and email pillars will now prevent and detect this new malware earlier in the cyber kill chain. The updated controls are deployed, and coverage for this threat is now known, tracked, and prioritized.

The control analyst chooses to click a button in CCP to share the new controls written, along with test results to the external security community.

All cybersecurity team members are now aware of this new malware, how defense in depth prevented damage, how operating at top of the Pyramid of Pain aided in stopping the new malware, how the SOC will prioritize their efforts against this new malware moving forward, and continuing the discussion on this new threat in the greater community.

Via this incident, analysts in one tool were notified of an incident, contained the incident with high confidence, implicitly collaborated against a threat, prevented the incident from spreading, deployed new controls to enhance protections against the threat, and shared success with the cyber community — all within minutes or hours, not days or weeks or never. This is a Centralized Cybersecurity Platform in action.

More from The Sphere Blog

Helping to identify the intersection of people, process, tools and budget for optimal risk control.

Let's connect

Learn more about how we can help enhance your cybersecurity posture.