Monday, July 20, 2020

Tying Together The SOC Visibility Triad for Improved Threat Hunting



The SOC Visibility Triad has emerged as a concept over the last few years. The triad consists of EDR and NDR solutions running at the endpoint and on the network respectively, with their alert feeds pulled into the SOC (the third leg of the triad) for improved threat detection and hunting.

We have been working with customers to help them detect adversarial behaviors by correlating these alerts with their other alert and log feeds. Bringing the EDR and NDR alerts into the SIEM provides rich context for threat hunting. A common theme we have observed in SOCs is the application of consistent data normalization and enrichment to these feeds, which enables rapid development and deployment of automated detection and threat hunting content.

The Drivers

Traditional prevention technologies, whether at the endpoint, on the network or in the cloud, are evolving into detection and response technologies. At the endpoint, traditional anti-malware is evolving into EDR (endpoint detection and response) solutions; on the network, traditional IDS/IPS are evolving into Network Detection and Response (NDR) solutions; and some vendors are integrating EDR and NDR into an XDR solution.

What is driving the evolution of these technologies? Adversary sophistication, and adversaries' ability to deploy new variations of known exploits that get around traditional prevention technologies, are the key drivers for these solution categories.

Analysts are noticing it; Gartner called this out as a top trend for 2020. This trend bleeds into another trend we have observed, where enterprise SOCs adopt multiple SIEMs and data lakes for log and alert aggregation and correlation.

EDR/NDR/XDR Configuration and Alert Management

These solutions are characterized by their deployment of a dynamic collection of signature, behavioral and statistical techniques to detect malicious behavior. Care and feeding for these tools involves:
  1. Detection policy configuration. Product admins choose which out-of-the-box detection content to turn on or off, and can even author and deploy new detections into these solutions.
  2. Alert investigation and triage. Because the behaviors these detections flag are not always known-bad, these alerts are lower fidelity than detections for known-bad behaviors. These lower-fidelity alerts require action by the security operations team:
    1. Investigate the alert and either mark it as a false positive or promote it to an incident for remediation and containment.
    2. In some cases, these solutions come with a managed services component, where the vendor offers a service to investigate alerts and resolve them.

SOC Use Cases: Threat Hunting and Automated Detection

So how are Security Operations Centers (SOCs) effectively using the alerts generated by these EDR/NDR/XDR solutions? In our engagements with enterprise SOCs, we see these patterns emerging for making best use of these alerts.
  1. Basic investigation and response. Alerts, often in isolation, are ingested and investigated.
  2. Threat investigation. These alerts could be indicative of a campaign by an adversary, so the SOC investigates them across EDR, NDR and XDR solutions, combines them with other security product alerts and with correlations from raw logs, and so detects adversary tactics, techniques and procedures. A core foundational requirement is standardized data models that include data normalization and standardized enrichment. This can be done through:
    1. Ad hoc threat hunting. Experienced threat hunters look at the set of alerts coming from these solutions and other security products, and look for patterns of adversary behavior. The wider the aperture for analysis, the higher the fidelity of threat hunting detections. This requires highly skilled personnel and knowledge of behaviors that malicious actors are known to use.
    2. Standardized detection and hunt procedures. This requires data normalization and enrichment, and detection content that can be applied to these alerts to detect adversary behavior. Alerts from a wide variety of sources are combined to obtain high-fidelity detection of adversary behaviors. This environment has higher levels of automation and repeatability than ad hoc threat hunting.

SIEM Enablers: Data and Content 

Mature SOCs adopt standardized detection and hunt procedures on the alert stream being ingested and normalized from EDR/NDR/XDR technologies, combining it with alerts from their other security products and with raw log streams. There are two foundational capabilities that must be in place for this to be successful:
  1. Data normalization and enrichment. If all of your alerts are stored in a normalized format, developing and running threat hunting and automated detection queries is simplified.
  2. Customized detection content that can hunt for the adversaries that are targeting you and your verticals.
At Anvilogic, we offer a SOC content platform with a wide variety of data parsers, normalizers and enrichments that you can quickly adopt, and a wide set of behavioral detections that you can assemble into your own adversary detection content to hunt for adversary behaviors across your alert and log sources.
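The normalization, enrichment and cross-source correlation described in the two lists above, as an added Python example that is not part of the original post or of Anvilogic's platform: two hypothetical vendor alert formats (EDR and NDR) are mapped onto one common model, enriched from a constructed asset inventory, and then correlated per host within a 15-minute window. The field names, the inventory and the window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample alerts in two hypothetical vendor formats (not any real product's schema).
EDR_ALERTS = [
    {"hostname": "ws-0142", "ts": "2020-07-20T10:02:11Z", "rule": "Suspicious PowerShell", "sev": "medium"},
    {"hostname": "ws-0207", "ts": "2020-07-20T11:30:00Z", "rule": "LSASS access", "sev": "high"},
]
NDR_ALERTS = [
    {"src_ip": "10.1.5.42", "time": "2020-07-20 10:05:40", "signature": "Beaconing to rare domain", "severity": 3},
    {"src_ip": "10.1.9.9", "time": "2020-07-20 10:06:00", "signature": "Port scan", "severity": 2},
]
# Constructed asset inventory used for enrichment (IP -> host name and owning team).
ASSETS = {"10.1.5.42": {"host": "WS-0142", "owner": "finance"}, "10.1.7.3": {"host": "WS-0207", "owner": "hr"}}
SEV_WORDS = {"low": 2, "medium": 3, "high": 4, "critical": 5}  # map vendor severity words to 1-5

def normalize_edr(a):
    """Map an EDR alert to the common model: source, host, ts (naive UTC), name, severity."""
    return {"source": "edr", "host": a["hostname"].upper(),
            "ts": datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": a["rule"], "severity": SEV_WORDS[a["sev"].lower()]}

def normalize_ndr(a):
    """Map an NDR alert to the same model; the host is resolved from the asset inventory."""
    asset = ASSETS.get(a["src_ip"], {})
    return {"source": "ndr", "host": asset.get("host", "UNKNOWN:" + a["src_ip"]),
            "ts": datetime.strptime(a["time"], "%Y-%m-%d %H:%M:%S"),
            "name": a["signature"], "severity": int(a["severity"])}

def enrich(rec):
    """Attach the owning team from the inventory; hosts not in the inventory get owner=None."""
    owners = {v["host"]: v["owner"] for v in ASSETS.values()}
    return {**rec, "owner": owners.get(rec["host"])}

def correlate(records, window=timedelta(minutes=15)):
    """Flag hosts where an EDR alert and an NDR alert fall within `window` of each other."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    hits = []
    for host, recs in by_host.items():
        for e in (r for r in recs if r["source"] == "edr"):
            for n in (r for r in recs if r["source"] == "ndr"):
                if abs(e["ts"] - n["ts"]) <= window:
                    hits.append({"host": host, "owner": e["owner"], "edr": e["name"], "ndr": n["name"],
                                 "severity": max(e["severity"], n["severity"])})
    return hits

def run():
    records = [enrich(normalize_edr(a)) for a in EDR_ALERTS] + [enrich(normalize_ndr(a)) for a in NDR_ALERTS]
    return correlate(records)
```

Only WS-0142 produces a hit here: the endpoint alert and the network alert land on the same normalized host within the window, while the NDR alert from an IP missing from the inventory stays visible as an UNKNOWN host rather than being silently dropped.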

Tuesday, July 14, 2020

The Emergence of Security-Oriented Silos: A Perspective on Gartner’s 2020 Security & Risk Trends – Part 1 (of 2)

This Gartner post was published in June, after COVID 19 struck the world, and therefore the perspective of a new world is already factored into the posting. Responses to COVID 19-related changes in work habits have driven cyber-security priorities since March 2019. But there is an uber trend that has been happening for a few years now, and that I expect will emerge as a high-priority element in cyber-security planning at the CISO level – the emergence of several silos of security threat detection and analytics, run by different domain experts, for different workloads.

This is captured in trend #4 in Gartner’s post, about how enterprise-level (centralized) Chief Security Officers are arising in order to merge security-oriented silos. I fully agree with this, and we at Anvilogic have started to see this ourselves as we engage with Fortune 1000 companies; I started seeing the signs of silos emerging a few years back while at Splunk.

Let’s try and understand why this is happening, and how we must embrace and optimize operations to accommodate this phenomenon.

Why is it happening?
As enterprises grow larger in operations, varying workforce habits, and new application workloads, security organizations tend to get decentralized, and clusters of expertise governing their own areas arise. This is, in general, a good thing, because the specific application/area owners know their environments best, and therefore allowing them to govern those areas for security vulnerabilities and attacks is the most viable strategy in the long haul.

This is not unlike how the server world got disrupted with VMware’s virtual machines, the business application world got disrupted with companies like SalesForce, and the infrastructure world got disrupted with AWS – the commonality in all this is that there ceased to be one central IT organization servicing the needs of server groups, business application areas and infrastructure project areas, in favor of domain experts producing the necessary value elements for the business to operate with a ‘best-of-breed’ approach. Similarly, we are seeing this forward-progress trend starting in cyber-security, with subject matter experts in their respective areas operating to deliver value for the areas they know best and own. Enterprises are considering Microsoft Sentinel to address Cloud AD and Azure security needs, Google Chronicle for GCP workloads, XDR technologies for end-point and related detection & response, and so on. This is in addition to the multiple (at least two) SIEMs many enterprises are already operating today.

As a result, there is a growing separation of data, analytics and detection in the enterprise, and this goes beyond the capacity and governance reach of a traditional SOC. This trend must continue for the betterment of the overall security posture of enterprises. However, the downside, which we have not yet addressed but must, is bringing the knowledge of these disparate silos together and providing a centralized view of the cyber-security posture of the enterprise.
This is true next-gen value but we are not there yet.

How do we deal with it?
As mentioned above, we have not yet addressed how to bring concerted and correlated value from across these silos to address overall enterprise cyber-security and maturity. But it is important that we look at the role of a SOC, consider the value of domain expert-run security methods carefully, and embrace the next-gen cyber-security operations of an enterprise, which shall be run by security domain experts rather than the traditional IT/developer persona. This certainly means the end of the traditional, central SIEM as we know it, and the augmentation of the security infrastructure with a federated content platform which operates as a fabric across all security silos – this is the ONLY way to embrace the next generation of enterprise security. We shall address this further in an upcoming blog post soon – watch this space!

In the meantime, look out for our CTO’s post on the related trend, #1 in Gartner’s posting, about how XDR technology is gaining traction in enterprises.