More and more companies are seeing the need for their SOCs to develop incident response and threat hunting capabilities. However, many are uncertain how to build it in a low-risk, efficient, and high-fidelity way. In particular, the conventional wisdom of “just get a SIEM” rings hollow and the current wave of hype around EDR can make it hard to cut through the noise.
In our white paper, The Right Roles for SIEM and EDR, we explore the complementary and interdependent uses of SIEM, SOAR, and EDR technologies. By using these tools in conjunction with clearly defined roles, security operations teams can reduce costs, improve security, and assist human intelligence in a repeatable, reliable way.
When building security operations, it’s tempting to rely on a single data repository to address a wide array of use cases. However, as the job of security evolves and requires us to stay ahead of an intelligent, dedicated, and motivated opponent, many tasks in the SOC require tools that empower human defenders to outmatch these sophisticated adversaries.
To fully understand the capability requirements of security operations, we first need to define the two kinds of chaotic systems: first order and second order.
First order chaotic systems do not respond to predictions or intervention. Weather is an example of a first order chaotic system. It will continue to be sunny or rainy or snowy, no matter what actions you or other humans take.
Second order chaotic systems can respond to predictions or intervention. Criminal activity is an example of a second order chaotic system. By deploying officers and assets to various high-activity locations, law enforcement can affect drug deals, robberies, and smuggling operations.
Corporate risk is typically considered to be a first order chaotic system. The exception to this is when competitors and saboteurs target a corporate asset or brand. Similarly, security operates with an emphasis on second order chaos-related risk. In security, there is an intelligent, dedicated, and motivated opponent. The risk created by this type of opponent requires a different set of capabilities and different set of tools than previously used.
Security is about reducing a theoretical and unrealized exposure representing our vulnerability. Firewalls, authentication, and patch management reduce this theoretical risk by decreasing the likelihood of an incident. This category of risk falls under the umbrella of IT security risk, and is necessary to tackle in order to prevent known threats. It matters much in the same way that surgical hygiene matters, in that the necessary tools must be present and processes must be conducted correctly for the underlying task to move forward safely.
Security with an active, intelligent opponent, on the other hand, falls under the classification of cyber. This second order chaotic system responds to our activity and demands moves and countermoves. This involves derivative risk, measuring efficiency, and finding ways of turning the art of cyber into a proper science. Oftentimes, this requires the ability to drill down into aspects of the environment with a more detailed and focused approach, and to do so as quickly as possible.
This is where the divide becomes the most apparent for SIEM and EDR. SIEM is ideal for IT security risk, while EDR excels at empowering defenders to address cyber risk use cases. But where is the line, and how do you build an effective system to address both?
To learn about how to build better security operations by integrating SIEM, EDR, and SOAR, download our white paper, The Right Roles for SIEM and EDR.
Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.
All Posts by Sam Curry
Attackers exploit gaps in visibility and hide in the network seams while security teams struggle to get actionable intelligence from a complex security stack. So where can security teams turn to reduce alert fatigue and increased operational efficacy and efficiency?
XDR provides security teams with comprehensive visibility across the kill chain, all without requiring security analysts and incident response teams to manually investigate a flood of individual alerts. XDR allows security trams to move detection further to the left in the kill chain to reduce dwell time and disrupt attacks earlier in the attack sequence...
