Rela8 Group eBook Threat Detection and Response

eBook | Threat Detection & Response: Lessons Learned

Detecting and responding to threats is the primary objective of your security operations program, but as our environments spill over into myriad SaaS tools and other cloud environments, are these detection and response programs able to keep up?

In order to operate a successful detection and response program across a modern hybrid environment, organisations need to first confront the challenges of visibility, fostering a security and awareness culture, and ever-increasing levels of alerts.

We brought together a number of CISOs, senior security engineers, and heads of information security to share their thoughts, ideas and experiences surrounding these challenges at a series of roundtables. This eBook captures the main points of these conversations.

Our experts highlighted 5 main challenges they experienced when navigating threat detection and response:

  • Effectively detecting threats
  • Managing visibility across the IT environment
  • Reducing the noise and prioritising security alerts
  • Effectively responding to threats
  • Getting the most out of your staff

Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.

Challenge 1: How can we effectively detect threats across increasingly complex environments?

With the proliferation of cloud services and remote working, it has never been harder for security teams to detect incoming threats. Modern attack surfaces are growing rapidly, and security teams are stretched thin. To effectively detect threats, security teams need to be making careful investments, not only in technology, but in their staff as well.

Solution: Invest in centralising your security operations into a single pane of glass

While security experts will be the first to recommend expanding the team and budget as a means of tackling threat detection, this is a challenge in itself. It is important to remember that more can be done with less given the right optimisation. For our experts, Managed Detection and Response (MDR) and Security Orchestration, Automation and Response (SOAR) tools have proven invaluable when it comes to centralising alerts, signals, and other important information, thereby preventing SOC analysts from bouncing between tabs and logging in to multiple tools to obtain the context needed for each alert. Our experts were investing in centralised logging as a priority: by implementing a centralised security solution, security teams get a clearer view across their environment, can automate data collection, and can reduce mean time to respond to the most pressing alerts.

The value of centralising information highlights the importance of system visibility when it comes to threat detection – as the saying goes, you can’t protect what you aren’t aware of. No amount of endpoint detection and response tooling is going to help without first investing in visibility and asset management. Once an asset inventory has been established, organisations can identify where their assets are, who owns them, who can access them, and can set about protecting them.

Establishing visibility is an imperative for threat detection, but achieving total visibility is virtually impossible. While technology can drive visibility, it is important to connect it with the people on the other side of the equation.

Challenge 2: How do you manage visibility across your IT environment?

System visibility is a challenge for all but the most mature organisations out there for one simple reason – it is a responsibility that lies with the whole business, not just the IT team. Cloud Security Posture Management (CSPM) and other tooling exists to bear the technical load, but until your staff are aware of the role they play in maintaining visibility, risks will always fly under the radar.

Solution: People, process, and then technology

Good visibility starts with promoting awareness and educating users on the risks and best practices. IT and security teams should be regularly communicating with staff and working to build security into every process as standard. Don’t rely on the yearly tick-box exercises; training and education should be specific and relevant to your staff. Bring other business leaders into security decision making, and vice versa, to establish a give and take with the other departments rather than being the department that shuts everything down – that’s how you get shadow IT. IT and security teams should always be doing something to drive a security culture within the business.

Even with the most rigorous education program, there is always a risk that things slip through the cracks, particularly with the popularisation of remote working. As a result, organisations have deployed secure managed devices, VPNs, identity and access management, as well as a raft of other techniques to protect their data. Human mistakes often compromise even the best threat detection and response programs, something that is often compounded when people try to hide or ignore the problem for fear of reprisal. The more you focus on teaching people what to do when they make a mistake and how to mitigate the risk, the more you will see progress. People have to feel empowered to understand and support security because they know and understand the business the best.

To identify where these risks remain outside of our visibility, our panel had seen success using third-party managed security services (MSS) as well as continuous red teaming to find vulnerabilities to be plugged. At the end of the day, total visibility is a virtual impossibility, and the more you attempt to achieve total monitoring, the more likely it is that you’re not making smart investments. Instead, start with your most critical assets, prioritise their protection, and go from there.

Challenge 3: How do you reduce the noise to filter out actionable security alerts?

As more effort is made to detect threats and secure an expanding environment, unsurprisingly, security teams are finding themselves inundated with more and more alerts. A major consequence of this alert deluge is that while security teams are wasting their time closing ticket after ticket, major issues are going unnoticed for too long. All of this contributes to alert fatigue and SOC team burnout, in turn creating even greater risk.

Solution: Ask yourself, is it actionable? And can it be automated?

It was widely accepted by our panel that humans are no longer able to effectively respond to and manage security alerts. As a result, businesses need to be looking to either reduce the number of alerts or make it easier to respond to them. There is no way to stay on top of a large network with potentially millions of events without a significant capability to automate, identify patterns, and filter out noise.

Start by looking at threat intelligence. Where is your threat intelligence coming from? If it’s coming from users flagging and raising issues, your users need to understand what a threat is and how it is defined within the organisation. If it is coming from continuous red-teaming efforts and simulation software, what is being done with the findings? Curate and disseminate the findings to the security team and the wider business to bring them into the discussion on solutions. Use automated continuous monitoring to look at patterns and then identify anomalies that need to be made visible and escalated.

Sifting through the noise and determining what is a real threat is seen as the biggest problem for security teams. Lots of time is spent building out content rules and trying to enrich the data to make the lives of the security team easier. Don’t underestimate the value of third parties when it comes to lightening the load. MSS and MDR partners can help massively reduce the toll of analysis. By offloading the burden of endless alerts onto third parties or automation, security experts can instead spend their time on higher-level issues, giving them space to prioritise improvements and vulnerability finding.

By prioritising alerts around critical assets, businesses can reduce the noise coming in around everything else. Machine learning and automation can be effectively leveraged to filter out the alerts that can be safely ignored, or to remove them altogether. When organising and prioritising alerts, security teams need to ask themselves two questions: if the response to this alert will always be to ignore it, can it be removed altogether? And if something can be done in response to an alert, can it be automated?

Challenge 4: How do you quickly and effectively respond to threats once detected?

Detection and response are two sides of the same coin. With new types of threat emerging all the time, Log4j being a prime example, knowing how to respond effectively is the next challenge. Organisations need to worry not only about the existing vulnerabilities in their systems but also to remain constantly vigilant about the evolving threat landscape.

Solution: Understand the enemy and ensure there is always a playbook

Staying on top of threats is simply not possible if your security teams are already swimming in alerts. Again, our panel were quick to emphasise the importance of consolidating your alert system. An alert shouldn’t exist if there isn’t a playbook response for it. Even better if you are able to deploy granular controls and automation to remediate alerts before they reach the SOC.
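The two triage questions from Challenge 3 (is it actionable, can it be automated?) and the "no alert without a playbook" rule above, as an added illustration that is not part of the eBook or any vendor's product. The asset inventory, playbook catalogue, alerts and ticket history are all constructed sample data, and the rule names and dispositions are hypothetical.

```python
"""Playbook-driven alert triage (constructed example, not Rela8 Group's code)."""
from collections import Counter

# Constructed asset inventory: hostname -> business criticality (1 low .. 3 high).
ASSETS = {"pay-db-01": 3, "vpn-gw-01": 3, "dev-box-07": 1, "kiosk-12": 1}

# Constructed playbook catalogue: rule name -> can the response run unattended?
PLAYBOOKS = {
    "brute_force_login": {"automated": True},   # e.g. lock account, notify owner
    "malware_detected": {"automated": False},   # analyst must scope the spread
    "port_scan_internal": {"automated": True},  # e.g. isolate the scanning host
    # "ssl_cert_expiring_90d" deliberately has no playbook at all
}

def triage(alert):
    """Return 'remove', 'automate', 'escalate' or 'queue' for one alert."""
    playbook = PLAYBOOKS.get(alert["rule"])
    if playbook is None:
        return "remove"            # no documented response: noise, not action
    if playbook["automated"]:
        return "automate"          # remediate before it reaches the SOC queue
    if ASSETS.get(alert["host"], 1) >= 3:
        return "escalate"          # critical asset and a human decision needed
    return "queue"                 # manual playbook, lower-priority asset

def triage_batch(alerts):
    """Triage a list of alerts, returning (rule, host, disposition) tuples."""
    return [(a["rule"], a["host"], triage(a)) for a in alerts]

def rules_always_ignored(history, min_count=2):
    """Rules whose every closed ticket was a false positive: candidates for removal.

    history: iterable of (rule, outcome) from past tickets (constructed here).
    min_count avoids retiring a rule on the strength of a single ticket.
    """
    seen, false_pos = Counter(), Counter()
    for rule, outcome in history:
        seen[rule] += 1
        if outcome == "false_positive":
            false_pos[rule] += 1
    return sorted(r for r in seen if seen[r] >= min_count and false_pos[r] == seen[r])

# Constructed sample alerts and ticket history.
ALERTS = [
    {"rule": "brute_force_login", "host": "vpn-gw-01"},
    {"rule": "malware_detected", "host": "pay-db-01"},
    {"rule": "malware_detected", "host": "dev-box-07"},
    {"rule": "ssl_cert_expiring_90d", "host": "kiosk-12"},
]
HISTORY = [("ssl_cert_expiring_90d", "false_positive")] * 3 + [
    ("malware_detected", "true_positive"), ("malware_detected", "false_positive"),
    ("port_scan_internal", "false_positive"),  # only one ticket: not enough evidence
]
```

Running `triage_batch(ALERTS)` yields automate, escalate, queue and remove for the four alerts in order, and `rules_always_ignored(HISTORY)` names only the certificate-expiry rule, since the single port-scan ticket falls under `min_count`.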

For the assets and alerts you want to keep an eye on, work to understand your vulnerabilities and how they might be exploited by adversaries. Look at what is most important to the business, be it availability, source code, or other confidential data, and then tie this to attack techniques and risks. The MITRE ATT&CK framework is well known and respected across the industry; tie it into your risk management tools. Once you understand where and how an adversary might strike, you can start working on countermeasures.

Another valuable resource highlighted by our experts is Atomic Red Team, a free open-source library of tests organisations can use to simulate adversarial activity in their environment. Businesses should be using resources like this to continuously test their systems against every stage of an attack, not just the initial penetration.

If you reach a point where you feel confident you can respond to threats, let Log4j serve as a reminder – you are never 100% prepared. Don’t let entropy reign; make time to regularly assess and monitor your rules, systems, and defences, because you never know what is around the corner. Don’t let detection and response be the reason you don’t invest in recovery.

Challenge 5: How do you create an environment that will allow you to get the most out of your staff?

While security experts might wish they could offload the burden of security onto machine learning and automation, humans are and will continue to be a vital part of cyber security for the foreseeable future. From the users propping up shadow IT projects and clicking on phishing links, to the burnt-out SOC analysts who glaze over critical alerts as false positives, it is vital that everything is done to create an environment that gets the best out of your staff.

Solution: Engage them and invest in them

If the human element of cyber security is to be seen as a weakness, what can the business be doing to reinforce it? Consider how security can be made easier and more palatable to users, and give them the support to understand their responsibilities. Playbooks continue to play an important role in providing staff with understandable and documented procedures, as well as making it easier to train and onboard new staff.

Making life easier for our staff also has massive benefits for retention and minimises losses during staff handover and recruitment. It is no secret that the security industry has a burnout and retention problem; this is in large part due to staff so often wasting away dealing with false positives and other monotonous alerts. By offloading the tedium to automation or an MDR, staff can spend more time doing the more important and engaging work they actually want to be doing. Our experts had also found that job rotations helped to keep their staff engaged as well as giving them opportunities to develop themselves.

There is a need for experienced threat detection team members, but keeping hold of them can prove difficult. Employees feel cared for when you can demonstrate that you understand their challenges and are taking steps to help; this starts from the interview process. At the point of hiring, businesses need to demonstrate a clear career trajectory and a willingness to promote from within, and emphasise their commitment to staff development. Staff who know what they are working towards are less likely to seek better opportunities elsewhere.

HR are often blamed for restrictive job descriptions and interview processes. Security teams should be creating their own job descriptions, or at least working closely with HR to prevent them insisting you need 10 years of experience in 2-year-old tech. In this regard, don’t be afraid to hire less experienced staff and allow your experts to take on more senior mentorship roles.

In conclusion…

With IT environments spilling over into the cloud and beyond, we have made it harder than ever for our security teams to effectively manage threat detection and response. The more tools a business acquires, the more alerts it receives, and with more alerts comes a greater risk of something slipping through the net. In order to mitigate these risks, there is a critical need for both scalability and visibility in detection and response.

Centralising threat detection and response efforts will go a long way to streamlining the efforts of your SOC team as well as establishing a central asset inventory. With that, organisations can look to leverage automation and machine learning to decrease time to detect threats, filter out background noise, and alleviate alert fatigue. One thing our experts all agreed on is that reducing noise to more accurately pinpoint when there is actually a problem is what makes the biggest impact on detection.

Finally, it is important to remember that technology alone won’t be enough. Tools don’t understand the business context of security risk, and humans’ ability to think critically and analyse findings is something that machine learning tools will never be able to replace. As such, investing in your staff is a key piece of the puzzle. Promote a culture of security and constantly reinforce the importance of security as everyone’s responsibility. The SOC team may be the heroes of the day, but only with a whole-business approach can a detection and response program be effective.
