More and more companies see the need for their SOCs to develop incident response and threat hunting capabilities. However, many are uncertain how to build them in a low-risk, efficient, and high-fidelity way. In particular, the conventional wisdom of “just get a SIEM” rings hollow, and the current wave of hype around EDR can make it hard to cut through the noise.
In our white paper, The Right Roles for SIEM and EDR, we explore the complementary and interdependent uses of SIEM, SOAR, and EDR technologies. By using these tools together, each with a clearly defined role, security operations teams can reduce costs, improve security, and augment human analysts in a repeatable, reliable way.
When building security operations, it is tempting to rely on a single data repository to address a wide array of use cases. However, because the job of security requires staying ahead of an intelligent, dedicated, and motivated opponent, many tasks in the SOC call for tools that empower human defenders to outmatch sophisticated adversaries.
To understand the capability requirements of security operations, we first need to distinguish two kinds of chaotic systems: first order and second order.
First order chaotic systems do not respond to predictions about them or to intervention. Weather is an example of a first order chaotic system: it will be sunny, rainy, or snowy regardless of what forecasters or anyone else does about it.
Second order chaotic systems do respond to predictions or intervention. Criminal activity is an example of a second order chaotic system: by deploying officers and assets to high-activity locations, law enforcement changes where and whether drug deals, robberies, and smuggling operations take place.
Corporate risk is typically treated as a first order chaotic system; the exception is when competitors or saboteurs deliberately target a corporate asset or brand. Security, by contrast, deals mainly with second order risk. In security there is an intelligent, dedicated, and motivated opponent who adapts to what defenders do, and the risk created by this type of opponent requires a different set of capabilities and a different set of tools than those used to manage first order risk.
One part of security is about reducing a theoretical, not yet realized exposure: our vulnerability. Firewalls, authentication, and patch management reduce this risk by decreasing the likelihood of an incident. This category falls under the umbrella of IT security risk, and tackling it is necessary to prevent known threats. It matters in much the same way that surgical hygiene matters: the necessary tools must be present and the processes must be carried out correctly for the underlying task to proceed safely.
Security against an active, intelligent opponent, on the other hand, is what we classify as cyber risk. This second order chaotic system responds to our activity and demands moves and countermoves. Managing it involves understanding derivative risk (how the risk shifts in response to our own actions), measuring the efficiency of our response, and finding ways to turn the art of cyber defense into a proper science. Often this requires the ability to drill down into specific aspects of the environment with a detailed and focused approach, and to do so as quickly as possible.
This is where the divide between SIEM and EDR becomes most apparent. SIEM is well suited to IT security risk, while EDR excels at empowering defenders to address cyber risk use cases. But where is the line, and how do you build an effective system that addresses both?
To learn about how to build better security operations by integrating SIEM, EDR, and SOAR, download our white paper, The Right Roles for SIEM and EDR.