Security operations (SecOps) teams continue to be under a constant deluge of new attacks and malware variants. In fact, according to recent research, there were over 170 million new malware variants in 2021 alone. As a result, the burden on CISOs and their teams to identify and stop these new threats has never been higher. But in doing so, they’re faced with a variety of challenges: skills shortages, manual data correlation, chasing false positives, lengthy investigations, and more. In this article, I’d like to explore some of the threat detection program challenges CISOs are facing and provide some tips on how they can improve their security operations.
CISOs are responsible for ensuring that the security operations program for threat detection, investigation and response (TDIR) is executing at peak performance. Let’s look at seven key issues that can affect TDIR programs and some questions CISOs should consider asking their organization, their security operations team, and the vendors providing solutions to resolve them.
1. There are too many indicators of compromise (IoCs) or security events happening across a network to properly identify malicious activity. As a result, CISOs are looking for advanced tools that can correlate and analyze this data effectively to eliminate false positives. The last thing any CISO wants is for his/her team to waste time on an event that might simply be a failed login associated with a user incorrectly typing their password multiple times.
Questions to ask: Can I correlate data from any source (such as logs, cloud, applications, network, endpoints, etc.), no matter what it is? Can I fully monitor all these systems, ingest all the telemetry needed, and perform correlation automatically? And what is it costing me to correlate all that data (i.e., what is my solution provider charging)?
2. Correlating data over time is hard. It’s like putting puzzle pieces together from a box filled with multiple puzzles. An attack that occurs once can be difficult enough to identify. But once threat actors are inside an environment, they’ll often do a little activity spread over a longer period (sometimes days, weeks or months later). This makes it almost impossible for a human analyst to take these seemingly disparate events across time and connect them to complete the puzzle.
Most tools also struggle to correlate those seemingly independent events as part of the same attack because they seem unrelated over time. CISOs are responsible for making sure the team has everything it needs (based on constrained budgets) to put that puzzle together before damage is done.
Questions to ask: Do I have a wide variety of data sources and analytics that can process events and correlate them across time effectively? Is out-of-the-box threat content included for real-time attack detection?
3. When piecing together an attack campaign, manual correlation and investigation of disparate security sources drastically extends the time and resources required from a CISO and his/her team. Pulling data from several systems at once is necessary to get the contextual information needed to find out what’s wrong (and how to respond). But in the time this takes, the damage could already be done. This challenge can easily frustrate CISOs that have invested so much time and money in building up the security operations program.
Questions to ask: Does your current team have to do a lot of manual correlation, and how are they able to accomplish that with events that span weeks or even months? Does your team have to search through multiple tools and put together context on their own to see patterns that will help formulate a better response when working with other IT teams?
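As an added illustration of points 1 through 3 (example code written for this article, not from the author or any vendor product): a small correlator over constructed authentication events that separates a user mistyping a password from low-and-slow failures against many accounts spread over weeks from one source. The log format, the source-based grouping and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not from any real system).
# Format: "<ISO timestamp> <result> user=<account> src=<source>"
SAMPLE_LOG = """\
2023-03-01T09:00:01 FAIL user=alice src=10.0.0.5
2023-03-01T09:00:09 FAIL user=alice src=10.0.0.5
2023-03-01T09:00:15 FAIL user=alice src=10.0.0.5
2023-03-01T09:00:22 SUCCESS user=alice src=10.0.0.5
2023-03-01T02:14:00 FAIL user=bob src=203.0.113.7
2023-03-04T03:41:00 FAIL user=carol src=203.0.113.7
2023-03-09T01:07:00 FAIL user=dave src=203.0.113.7
2023-03-15T04:30:00 FAIL user=erin src=203.0.113.7
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def correlate(events, slow_days=2, slow_min_accounts=3):
    """Group events by source and classify each source's failures: 'typo' is a
    short burst on one account ending in success; 'slow-spray' spans days/accounts."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()  # order by timestamp so the time span is meaningful
        fails = [e for e in evs if e[1] == "FAIL"]
        if not fails:
            continue
        span_days = (fails[-1][0] - fails[0][0]).total_seconds() / 86400
        accounts = {e[2] for e in fails}
        succeeded = any(e[1] == "SUCCESS" and e[2] in accounts for e in evs)
        if len(accounts) == 1 and span_days < 1 / 24 and succeeded:
            verdicts[src] = "typo"        # benign: mistyped, then logged in
        elif span_days >= slow_days and len(accounts) >= slow_min_accounts:
            verdicts[src] = "slow-spray"  # each day alone looks harmless
        else:
            verdicts[src] = "review"
    return verdicts

def analyze(log=SAMPLE_LOG):
    return correlate(parse(log))
```

Viewed one day at a time, the 203.0.113.7 events are a single failed login each; only the cross-time correlation surfaces them as one pattern.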
4. The skills gap remains a problem. As more seasoned practitioners who were fundamentally trained across networking, servers, and other aspects of IT age out of the workforce, CISOs are being forced to hire more security-focused analysts who have less broad practitioner experience. This increases the amount of on-the-job training and experience required (and offered) for them to be effective. There are just not enough skilled cybersecurity professionals in the market today.
Questions to ask: How can my TDIR platform automate certain tasks and bring the right context to the forefront? How can it provide the necessary context that can help a less experienced analyst learn over time and increasingly add value?
5. Vendors are overpromising and underdelivering. When it comes to threat detection, too many vendors falsely claim or exaggerate that they have machine learning (ML), artificial intelligence (AI), multicloud support, and/or apply risk metrics. CISOs are barraged with vendors claiming to offer a silver bullet at worst or using questionable marketing claims at best. Neither delivers what’s promised.
Questions to ask: Does the solution use rule-based ML/AI (which is important to understand, considering it’s static in nature, requires updating, and is ineffective at identifying new attacks and variants)? Does multicloud support just do correlation (leaving it up to the analyst to determine whether an attack is occurring across multiple clouds)? Is risk scoring just aggregated scores from public sources (not leveraging an enterprise-class risk engine powered by analytics)?
6. The tradeoff of cost and budget versus better security visibility can be a painful choice. CISOs often are presented with platforms (like a SIEM) that charge organizations based on volume of data ingested. As an organization grows, charging by data ingested is unpredictable and can quickly lead to rapidly escalating costs in licensing and storage. As a result, CISOs should be looking for solutions that reduce this cost burden, while still allowing the organization to pull in and ingest as much data as possible. The result is better SOC visibility and more effective TDIR.
Questions to ask: For a solution that employs true machine learning, the more data that can be pulled in the better. Does my solution penalize me for bringing in more data? Or does it embrace more data ingestion to offer better visibility and do so by providing flexible licensing? How can my provider help reduce storage costs?
7. Automation can drive efficiency and speed up threat detection. This can free up security team members to focus their attention on more intensive tasks. When done effectively, this provides OPEX savings – which means less time and resources spent on simple, manual tasks of low value, while also shrinking the time for high-value tasks. It can also provide a better experience for junior analysts, especially when your analytics and automation are transparent, allowing them to learn and improve.
But not all automation is created equal. Solutions that produce too much noise and too many false positives make it difficult to prioritize investigation and automate responses. The more accurate the threat detection is, the more targeted the automated response can be.
Questions to ask: Is automation in the solution inherent across my entire SOC lifecycle? If so, how do I know it’s working and how can I trust that it’s optimizing my operations (for example, can it show that I’m stopping threats earlier in the kill chain)?
As CISOs and their security operations teams look to improve threat detection, they’ll face a variety of issues around visibility, cost, flexibility (especially into cloud environments), analytics, prioritization, contextual data and much more. But by working together to understand these challenges – and by arming ourselves with knowledge and the right questions – our industry can continue to evolve and deliver better security operations for our organizations.