Saving the SOC. How to Increase Investigation Speed, Efficiency and Accuracy

By Nir Greenberg, senior director of field engineering and customer success, Illusive Networks

The status quo for most SOCs is untenable. Analysts are burning out. There aren’t enough of them, and they are struggling to find the legitimate threats among thousands upon thousands of alerts. Humans alone cannot keep up. Many organizations are applying automation to help, but it’s not enough. A new approach is needed, one incorporating deception technology and forensics.

The sad state of the SOC

SOC teams were already struggling with the demands on their attention; the pandemic has only made the situation worse. Modern networks push massive amounts of data through their ecosystems each day, generating thousands of alerts, and there is not enough staff to address them.

Valuable time is lost hunting for the context needed to decide which alerts represent real threats and what priority each should get, and much of that time goes to an overwhelming number of false positives. While SOC analysts work as hard as they can, a significant number of real threats sail by, unaddressed and unmitigated.

Remote work brought on by the pandemic has made this scenario worse still. Suddenly, an estimated 70 million people in the U.S. were working from home at the same time. That means increased traffic on VPN devices and across organizations’ networks. In most cases, visibility into these users decreased as a result: traffic from a home network that is not routed through the corporate perimeter is not seen by your firewalls, content filtering and other controls, which leaves a gaping hole for attackers to walk through.

Additionally, SOCs have reported an increase of as much as 39% in insider security threats during the period of remote work. Remote work has also led to an uptick in alerts, the bulk of which are false positives triggered by normal work now coming from new locations or at different times of day.

For an organization with a mature, three-tier SOC, the average triage time per incident for a Tier 1 analyst is about 19-24 minutes, and these organizations see about 20-25 such incidents per day. Tier 2 analysts spend 60-80 minutes on a typical incident and handle as many as six to seven per day. Either way the arithmetic comes to roughly six to ten hours a day, which leaves essentially no time for any other activity, with a significant portion of those workdays devoted to incidents that turn out to be false positives.

Automation, response and coordination

With this bottleneck of too many alerts coming in, there’s a need for more automation, response and coordination. A recent Ponemon Institute report, Improving the Effectiveness of the SOC, recommended automating workflows as much as possible to help prevent security analyst burnout.

In terms of response and coordination, forensics and deception can help. Deception technology uses automation to create decoys that are mixed in with existing IT resources. These decoys mimic the kinds of assets that intruders are looking for, with the goal of detecting and stopping attackers who have accessed the network.

Deception technology tells you in real time when a malicious actor is actually at work, in the midst of the human decision-making process of probing the environment and attempting lateral movement. These are high-fidelity alerts, generated near “Patient Zero” through fake credentials and data planted on endpoints: no legitimate user or process has a reason to touch a decoy, so any interaction with one is a strong signal rather than an anomaly that needs a baseline. (The one routine source of decoy touches is your own tooling, such as authorized vulnerability or credential-hygiene scanners, which should be excluded from the alert logic.) Security teams also gain the decision-making context needed to prioritize alerts. Forensic data collected directly from where the attacker is operating tells you the attacker’s location and how far they are from privileged credentials and your organization’s most important digital assets: your crown jewels.

Integrating deception technology with Security Information and Event Management (SIEM) and/or Security Orchestration, Automation and Response (SOAR) systems provides rich, detailed forensics to the SOC about any machine whenever they are needed. Incident response teams thus have the flexibility to save time and money by reducing the number of agents needed to investigate attacks. This increases the number of events they’re able to investigate effectively and minimizes the burnout that comes with tracking down a huge volume of false positives.
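The detection logic described above, reduced to its core, as an added example that is not code from the original article or from Illusive’s product: decoy accounts are planted on specific endpoints, authentication logs are matched against the decoy inventory, and each hit is emitted as an enriched alert carrying the host the credential was planted on (where the attacker harvested it) and the host now using it. The log format, account names, hostnames and timestamps are all constructed for the example, and the scanner exclusion implements the caveat about authorized tooling.

```python
"""Honeytoken-credential detection over authentication logs (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Inventory of planted decoys: decoy username -> where it was planted and what it
# pretends to be. Hypothetical names; a real deployment keeps this in the
# deception platform's inventory.
DECOYS: Dict[str, Dict[str, str]] = {
    "svc_backup_admin": {"planted_on": "WS-FIN-017", "mimics": "domain admin credential"},
    "sql_ro_reports":   {"planted_on": "WS-HR-042",  "mimics": "database service account"},
}

# Hosts whose decoy touches are expected (authorized scanners) and must not alert.
SUPPRESSED_SOURCES = {"SCAN-01"}

# Constructed log format:
#   <ts> auth src=<host> user=<name> target=<host> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    source_host: str     # host the attempt came from: where the attacker is now
    decoy_user: str
    target_host: str     # what they were trying to reach
    planted_on: str      # host the decoy lived on: where it was harvested
    mimics: str
    result: str          # failed attempts count too; the credential is fake

    @property
    def lateral(self) -> bool:
        """True when the decoy is used from a host other than the one it was planted on."""
        return self.source_host != self.planted_on


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Alert]:
    """Return one Alert per authentication attempt that names a decoy account."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed or unrelated line
        decoy = DECOYS.get(ev["user"])
        if decoy is None:
            continue  # real account: ordinary traffic, out of scope here
        if ev["src"] in SUPPRESSED_SOURCES:
            continue  # authorized scanner touching a decoy: suppress, not alert
        alerts.append(Alert(ev["ts"], ev["src"], ev["user"], ev["target"],
                            decoy["planted_on"], decoy["mimics"], ev["result"]))
    return alerts


# Constructed sample log: one normal login, a decoy used from the host it was
# planted on, a scanner touching a decoy (suppressed), a malformed line, and a
# decoy used from a different host than it was planted on (lateral movement).
SAMPLE_LOG = [
    "2024-03-02T08:14:03Z auth src=WS-FIN-017 user=j.doe target=FS-01 result=ok",
    "2024-03-02T08:15:41Z auth src=WS-FIN-017 user=svc_backup_admin target=DC-01 result=fail",
    "2024-03-02T08:16:09Z auth src=WS-FIN-017 user=svc_backup_admin target=FS-02 result=fail",
    "2024-03-02T09:00:00Z auth src=SCAN-01 user=sql_ro_reports target=DB-01 result=fail",
    "this line is not an auth event",
    "2024-03-02T09:22:30Z auth src=WS-ENG-003 user=sql_ro_reports target=DB-01 result=fail",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        where = "lateral movement" if a.lateral else "on planted host"
        print(f"{a.ts} DECOY {a.decoy_user} ({a.mimics}) used from {a.source_host} "
              f"against {a.target_host}; planted on {a.planted_on}; {where}")
```

Run stand-alone, this prints three alerts and drops the scanner hit and the malformed line. The last alert is the interesting one for a SOC: the decoy planted on WS-HR-042 is being used from WS-ENG-003, so the attacker has already harvested credentials on one host and moved to another, and the two hostnames plus the `mimics` field are exactly the context a Tier 1 analyst needs to prioritize it without a manual enrichment step.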

What hampers adoption

Using deception technology and the forensics it enables, SOC teams can reclaim a vast chunk of the expensive time and effort lost to manual activities typical in the processes of triage, ticket enrichment, investigation and validation—all while becoming more proactive and efficient in incident response. Why, then, hasn’t this technology caught on faster? Part of the problem is that there are still a lot of misconceptions about what deception technology is – it’s not just honeypots anymore.

Honeypots are the forebear of modern deception. They could gather intelligence on and assess the behavior of malicious actors, but as standalone, hand-built systems they were not created to serve as a scalable threat-detection control. Today’s deception technology lets organizations create highly realistic, interactive decoys that draw attackers into engagement almost immediately after they establish a beachhead. Deception not only detects the lateral movement of an advanced intruder but also helps root them out. Modern deception technology is automated and scalable, saving human effort and providing true early detection that can stop attacks quickly.

Deception brings clarity

The current SOC scenario has reached its breaking point, with a little help from the pandemic. There aren’t enough SOC analysts in existence to scale to meet the need of assessing the deluge of security alerts that crash in every day. To wade through the many false alerts, organizations can implement deception technology to find and stop attackers in their tracks. This technology increases investigation speed, efficiency and accuracy, creating a more secure organization and higher job satisfaction among SOC analysts.

About the Author

Nir Greenberg, senior director of field engineering and customer success, Illusive Networks

As director of customer success, Nir Greenberg ensures that Illusive customers derive full value from their investment with Illusive, and helps Illusive channel partners provide service to their clients. Previously, he spent seven years with Check Point, where he led the International Endpoint Support Group. He also served as Communication Training Center Deputy Commander and Trainers’ Leader in the Hoshen unit of the Israel Defense Forces, which manages inter-unit communications for the IDF. He graduated from Rehovot’s ORT College as an electronic and computer practical engineer, and studied social science and management at the Open University.

Nir can be reached online at his company website.

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.