For the vast majority of organizations today, incident response is reactive, and larger ones with an established Security Operations team are increasingly strained by the volume of alert “noise” created by too many security and perimeter devices.
Knowing when something is not working, or that there is something different you want to do, is relatively easy. The hard part is making the change, especially when new funding and skills are not easy to come by. The change certainly does not come in the form of a tool; a tool is the next stage, once you already have both the shift in sight and a plan for how to get there.
So how do you start? How do you “break out” of your current reactive state and become more proactive, so you can find the real threats faster and contain them?
The core tenets of this change are philosophical and tactical changes in how you manage your Security Operations and IR function today, while adding a new “Intelligence and Hunting” capability.
Examples of initial steps organizations have taken to make the shift without new budget or extensive changes to teams include:
- Reducing the number of Tier 2-3 analysts working on security events, and having 1-2 analysts (either re-trained, recruited from an existing in-house pen-testing/vulnerability management team, or newly hired) focus solely on hunting for threats in areas of their network/business.
- Outsourcing the SOC altogether, and retaining a set of Tier 3 analysts with both core “responding” and hunting skills to investigate critical issues/events escalated from the SOC and also to hunt.
- Setting up an Intelligence team, either separate from or integrated into the IR or Security Operations function. This team may start by manually aggregating all the alerts from myriad sources (law enforcement, vendors, Intelligence/IR firms), and setting up new processes and workflow to pass them to the hunting-focused analysts. This turns the organizational focus from looking at potential indicators of compromise to indicators of attack, and to pulling together the campaign of activity that identifies an attacker lurking in the network.
- Creating a threat- and risk-based model and view of locations and assets within the organization's network (and keeping it updated based on Intelligence and other factors). For example: certain POS locations from Black Friday to Valentine’s Day for retailers. Highlight the “blind spots” where perimeter devices and end-user controls may be more limited; for example, a subsidiary, a remote location or a new JV. This is provided to hunting-focused analysts to inform their priorities and cadence on a weekly to quarterly basis.
From our research, these four steps form the essential building blocks for crossing the “chasm” from preventing and responding to events “percolated” up from existing perimeter and internal devices, to also going out on the “hunt” for unknown attacks looming that could hit the organization.
Next week we will describe how an organization took the leap, what benefits were accrued, and the challenges and changes needed to make it happen.