Which indicators and what data are relevant for a SOC ? (By Julien Steunou, Provadys)

SOCs are under constant pressure to detect all possible forms of attack and all possible weak signals. As a result, they regularly find their detection systems at risk of drowning in a deluge of data far heavier than their tools and analysts are capable of processing effectively. To maintain genuine efficacy in detection and prevent the efforts made by teams of analysts from rapidly diluting, SOC governance must revolve around two axes:

1. Selection of relevant data

SOCs must process only sources and types of events that are relevant in relation to the feared events in the detection strategy. Modelling these feared events using methodological tools such as kill chains identifies information that may aid in detecting them and systems that are capable of generating or capturing this information at each step of an attack.

However, it is important and useful to record a maximum of events for purposes of investigation. In many organisations, SOCs spearhead and are responsible for log management projects. However, it is much more efficient to establish an interdepartmental log management project. This ensures that logs are collected, indexed and stored in a data lake for use by SOCs as well as other departments. Behavioural analysis solutions will likely eventually have an impact on the strategy for selecting relevant data as their efficacy is not bound to the same rules as traditional SIEM tools based on event correlation.

2. Enrichment of data for decision support

SOCs’ performance with respect to detection depends on a series of decisions made by a technology stack then by analysts. Automated data enrichment via external sources (threat intelligence) and internal sources (incident logs and CMDBs) is a very effective way to improve quality and speed in decision-making, in particular decision-making by teams of analysts. As a simple example, in the event of an alert that an email attachment is suspected to contain malware, many SOCs have a procedure for manual processing in which analysts extract the email attachment from the account and use different tools to process it manually. Today, advances in SOC coordination tools automate and enrich the alert and present the analyst with an alert where:

– the attachment to be investigated has been retrieved and screened by internal analysis tools (anti-malware engines, sandboxes, etc.), its hashes have been calculated and queried on platforms such as VirusTotal, and all results are displayed;

– the incident has been linked to similar incidents in the incident database;

– the technical markers present in the email and obtained by analysis of the attachment have been compared to the threat intelligence databases and the data in the data lake;

– the IPs have been geolocated and their reputation scores have been found;

– the incident has been linked to the directory and the CMDB to retrieve the essential information on the recipient and his or her position.

Many SOCs have simplistic dashboards with volumes of incidents detected per month by their own means and a breakdown by incident category. This is clearly inadequate. SOC governance must establish not only objectives in terms of detection of feared events but also an adapted framework for performance assessment.

Relevant indicators may be as follows:

– Breakdown of security incidents per detection channel, which would cover all security incidents identified in the period considered. This information, with clear identification of incidents detected by SOCs’ own means, must be issued and analysed by SOCs assuming non-detection of 100% of attacks.

– Positioning of detection in relation to the step in the kill chain, which would measure incidents detected during the phases of delivery, installation, establishment of command and control channels, lateral movement and so forth by incident type. This information goes beyond incident volumes and assesses the closure of adversaries’ window of attack.

– Assessment of the dates of occurrence of the incident, which would incite teams to identify the potential start date of compromise and deduce the time to detection.

– Attribution of the incident to an adversary group or at least to certain types of motivation. This attribution is particularly difficult to execute, but it is a strong marker of heightened maturity and quality of tactical intelligence.

– Percentage of incidents in which processing has followed an identified playbook, which would measure the quality of preparation and the efficacy of post-mortem analyses.

Obviously, feeding these indicators is often difficult or even impossible for some SOCs below a certain threshold of maturity. However, establishing them represents a challenge to SOCs and demonstrates their efficacy to management, even though certain incidents continue to occur without being detected by SOCs. Through these indicators SOCs form part of an overall cyber defence strategy in which incident analysis is used to improve security measures, capabilities of detecting a new occurrence and establishment of response strategies suited to mitigating impacts.