Signs of an Inadequate Security Operations Center

The security challenges faced by organizations are critical, and the ability to detect and navigate these challenges can determine a business’ survival. This means the role of a Security Operations Center (SOC) has never been more crucial than it is today, and an effective SOC stands at the forefront of an organization’s cybersecurity defense. Whether you have established an in-house SOC or you partner with a Managed Security Service Provider (MSSP), it is vital to recognize that not all SOCs are created equal. Some inadvertently fall short in delivering the necessary protection protocols to properly safeguard sensitive data and systems.

As we have seen in recent big company hacks, money and large budgets alone cannot buy security. Just because you’re paying a lot for your SOC does not guarantee it is effective. There are several indications of an inferior SOC, and it’s essential to watch for these telltale signs to ensure your organization remains well-protected. Taking the time to assess your SOC and look for gaps in effectiveness and integration can make a significant difference. This process also allows organizations to realign operations, make informed technology choices, and select a service partner that can transform operations into a robust and secure environment, aligned with the top-level mission.

Awash in Signals

SOCs face a myriad of challenges and problems that can impact their ability to effectively detect, respond to, and mitigate security incidents. To describe these challenges as complex would be an understatement; however, there are several key signs that should raise red flags:

1. Unclear Focus

SOCs should operate under a measurable, continually improving set of clear, meaningful incentives for analyst behavior. When a SOC prioritizes behaviors that do not directly contribute to security effectiveness, it is a sign the team’s focus may be misguided. Attributes of this condition include:

  • Ticket Quantity Over Quality: Some SOC environments gauge performance based on the number of tickets opened and resolved. While ticket volume is an important metric, it should not overshadow the quality and thoroughness of incident detection, response, and resolution.
  • Alert Fatigue: SOC analysts may find themselves inundated with alerts that are poorly tuned or irrelevant to real threats. If analysts are chasing false positives or dealing with an excessive number of low-priority alerts, it indicates an inefficient SOC.
  • Compliance Over Security: An inferior SOC may prioritize meeting compliance requirements at the expense of robust security. While compliance is essential, it cannot be the sole focus; it may not cover all potential threats and vulnerabilities.
  • Focus on Alerting vs. Resolution and Root Cause: Ineffective SOCs often prioritize alerts and incident notification at the expense of comprehensive resolution and addressing root causes. While timely alerts are crucial, a myopic focus on alerting can lead to a reactive approach. A proficient SOC should not only detect incidents, but swiftly move towards resolution and identifying the root causes behind breaches. The ability to resolve threats and address underlying vulnerabilities is fundamental in minimizing the impact of security incidents and preventing their recurrence. Without a concerted effort to shift from alert-centric operations to a resolution-driven mindset, a SOC may find itself repeatedly grappling with the same issues, leaving the organization exposed to persistent risks.

2. Depth of Expertise

Most traditional SOCs adhere to the traditional Managed Detection and Response (MDR) framework. While MDR services encompass specific steps needed to address security concerns, such as identifying which alerts require the most attention, sandboxing, malware analysis, and troubleshooting security vulnerabilities, they often fall short in the most critical aspect – “responding” to the threat and mitigating the underlying vulnerability. A modern SOC should possess the following capabilities:

  • Ability to Remediate Infrastructure: The ability to dive deep into infrastructure and patch systems is essential. Threats often linger within networks and systems for extended periods, requiring strong IT expertise that many SOCs lack. This capability may involve deep networking knowledge or close collaboration with the Network Operations Center (NOC). Without these capabilities, issues may take an unnecessarily long time to resolve, burdening IT teams further.
  • Recovery Capability: The SOC should be able to invoke a recovery plan from a well-established Disaster Recovery or Managed Backup program, depending on the organization’s Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). Without these skills, timely and graceful recovery in the event of a breach may be unattainable.

3. Gaps in 24/7 Coverage

Security controls that are not operational around the clock are a significant concern. This can lead to vulnerabilities going undetected for extended periods. Key indicators to watch for include:

  • Scheduled Downtime: If security controls are routinely taken offline for maintenance, it should be done strategically and with minimal impact. Prolonged downtime can leave the organization vulnerable.
  • Outdated Signatures and Rules: Neglecting to update and maintain security control signatures and rules can result in these controls missing newer threats and attacks.
  • Inadequate Resource Allocation: A lack of sufficient resources, such as personnel or technology, can lead to intermittent monitoring and control failures.

4. Stagnation in Operations

A robust SOC should continually strive for operational improvements. Any sign of stagnation or a lack of active efforts to enhance processes should raise concerns. When you encounter this, you may observe:

  • Repetitive Incidents: If the same types of security incidents persist without effective mitigation or proactive preventative measures, it suggests a lack of operational learning and improvement.
  • Manual and Time-Consuming Tasks: Inefficient processes that rely heavily on manual tasks can be a red flag. An advanced SOC should leverage automation, AI and machine learning to streamline operations and respond more effectively to threats.
  • Lack of Training and Skill Development: An inferior SOC may not invest in ongoing training and skill development for analysts. This can result in outdated knowledge and ineffective response to emerging threats.

Always Evaluating and Improving

A security operations center should always strive to remain on the cutting edge of security; however, for many this is not the reality. Recognizing the signs of an inadequate SOC operation is crucial for maintaining a robust cybersecurity posture. Ensuring critical SOC initiatives, maintaining focus, continual improvement, and regular gap assessments are essential steps in guaranteeing the effectiveness and efficiency of your Security Operations Center. Organizations should regularly evaluate their SOC’s performance and make necessary adjustments to ensure the highest level of protection against evolving cyber threats.

This article was originally published in Forbes. Please follow me on LinkedIn.

Enterprise SOCs: How They Work and Why Most Are Insufficient

In the realm of cybersecurity, the concept of a Security Operations Center (SOC) serves as a bastion against the relentless tide of cyber threats. However, delving deeper into the intricacies of how a SOC operates reveals that the notion of an enterprise SOC can sometimes be misleading, akin to a company attempting to run its own power plant in an era of renewable energy, or building its own data center amidst an abundance of cloud services. As we peel back the layers of SOC operations, it becomes evident that enterprise-launched SOCs can quickly prove insufficient in the face of today’s cyberthreats.

Decoding the Inner Workings and Challenges of a SOC

A SOC is the vigilant guardian standing between an organization’s sensitive data and the multitude of cyber adversaries seeking to breach its defenses. Its arsenal is comprised of a concoction of technological marvels, including Artificial Intelligence (AI), log analysis, and real-time threat detection mechanisms. To build and maintain an effective SOC, organizations invest in a spectrum of expertise from cybersecurity analysts to incident response teams. All of this sounds great; you want a well-structured SOC to act as your organization’s digital sentry, shield, and sword.

Realities begin to hit when significant challenges emerge for SOC environments, though. These challenges include:

  • Overwhelming Alert Volumes: The rapidly evolving threat landscape results in an avalanche of alerts from various security tools. Amidst this influx, critical alerts may become lost or buried beneath a sea of false positives or low-priority notifications.
  • Visibility Gaps: The lack of comprehensive visibility into an organization’s entire digital ecosystem leaves blind spots ripe for exploitation. Attackers then exploit these gaps.
  • Sophisticated Threats: Cybercriminals are adept at crafting attacks that evade conventional security measures. Advanced malware, zero-day vulnerabilities, and sophisticated social engineering techniques evade detection and call for heightened vigilance.
  • Alert Fatigue: Overburdened analysts grappling with a barrage of alerts can experience alert fatigue—a condition where the volume of alerts diminishes their ability to discern genuine threats from false positives.
  • Ineffective Contextualization: Isolated alerts provide limited context, making it challenging for analysts to gauge the severity and scope of an incident. This lack of contextualization hampers timely and accurate decision-making.
  • Legacy Solutions: Some SOCs rely on legacy technologies that lack the agility and sophistication needed to combat today’s modern threats. These outdated solutions struggle to keep pace with rapidly evolving attack techniques.

The flaws of an enterprise SOC begin to emerge with one subtle yet impactful component that can break everything in one cyber event: Why are you doing this anyway?

The Limited Lens of an Enterprise SOC

An enterprise SOC, no matter how robust, can only glimpse the threats present in its own digital kingdom. If Coca-Cola were to launch a SOC (and they might have), for example, that SOC has no insights into the flow of threats across the entire spectrum of the digital realm. Threat feeds are, at best, a backfill. This isolated perspective hinders a comprehensive understanding of the evolving threat landscape. Coca-Cola’s SOC probably knows a lot about threats to the food and beverage industry, but they are myopic by nature when it comes to the complex landscape of threats affecting organizations at large.

Service-Based Collective Security

Today’s cyber threats transcend company borders, necessitating more collective defensive capabilities than before. The digital landscape is brimming with cunning, malicious adversaries who are constantly evolving their tactics. Today’s cybercriminals seem to care more about attack opportunities than specializing in specific targets, and this interconnectedness of threats necessitates an equally interconnected defense mechanism.

Service-based SOCs wield the power of detection and protection for thousands of clients. They have assembled teams of seasoned cybersecurity professionals, implemented the best monitoring practices, incorporated cutting-edge technologies, and achieved scalability, flexibility, cost-efficiency, collaboration, and more. This reduces the burden for organizations, allowing them to focus on their core business competencies and what they were created to do. Going back to the Coca-Cola example, it allows them to focus on making and selling soft drinks.

Within the service-based SOC model, the intelligence gleaned from a single incident has immense value. Knowledge from a single event ripples across the entire network and all clients, allowing the service-based SOC to better fortify others against similar threats. By pooling resources, expertise, and insights, organizations can elevate their defense capabilities through security services that utilize a breadth of telemetric data from various sources.

It is time to challenge the notion of siloed defenses, often represented through the enterprise SOC. More importantly, it is time for organizations to break free from the idea of building their own.

This article was originally published in Forbes. Please follow me on LinkedIn.

Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow-burn endeavors that are well-funded towards their missions. Namely, these threats focus on evading detection, reconnaissance, and weaponization in a specialized sequence of escalating changes. Even with multiple layers of technical protection, activities still occur on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack. The object of cybersecurity protections is to review every stone and successfully stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, information uncovered from these scenarios requires analysis and a threat disposition by actual trained and qualified human beings.

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of a series of behavioral threat alerts for an endpoint system within a client’s environment.
  • The alert triggered a disposition of a potential network ransom event. 
  • An immediate investigation into this system was launched where it was discovered that a portion of the files on the system were encrypted. 
  • The investigation further showed that the operating system was functional, with no observable impact. 
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement. 
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.  
  • The SOC initiated a Root Cause Analysis and determined that the initial Point of Entry for this ransomware attack was an unpatched, externally facing server that DID NOT have standard security products installed.
  • This server was scheduled for decommissioning. Further, an administrator account for this system had been exploited and had been using a weak, 8-character password that had no history of updates. 
  • The affected server was completely compromised, with evidence of complete system encryption.  
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.  
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.  
  • System and Security event logs were unable to be recovered, indicating the logs were scrubbed. 

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  
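As an added example (not Ntirety's own tooling), the following Python triage script checks constructed asset records and forwarded log lines for the conditions the incident account lists: an unpatched internet-facing host pending decommission, a missing security agent, a never-rotated privileged password, and cleared event logs. The policy thresholds, hostnames and log lines are assumptions; the Windows event IDs 1102 and 104 are the standard "log was cleared" events and are not taken from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PATCH_AGE_DAYS, MAX_PRIV_PASSWORD_AGE_DAYS = 30, 90  # assumed policy thresholds

@dataclass
class Asset:
    hostname: str
    internet_facing: bool
    last_patched: date
    security_agent: bool               # EDR/AV present on the host
    decommission_pending: bool
    admin_pw_changed: Optional[date]   # None = no rotation history on record

def assess_asset(asset: Asset, today: date) -> list[str]:
    """Return the exposure conditions an asset exhibits (empty list = clean)."""
    findings = []
    if asset.internet_facing and (today - asset.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("unpatched internet-facing host")
    if not asset.security_agent:
        findings.append("no endpoint security agent")
    if asset.decommission_pending and asset.internet_facing:
        findings.append("decommission-pending host still reachable from outside")
    if asset.admin_pw_changed is None or (today - asset.admin_pw_changed).days > MAX_PRIV_PASSWORD_AGE_DAYS:
        findings.append("privileged password never rotated or older than policy")
    return findings

# Windows event IDs that record a log being cleared (known values, not from the article):
# 1102 "The audit log was cleared" (Security log), 104 "The System log file was cleared".
LOG_CLEARED_EVENT_IDS = {"1102", "104"}

def detect_log_clearing(lines: list[str]) -> list[tuple[str, str]]:
    """Parse constructed 'timestamp|host|event_id|message' lines; return (host, time) of clears."""
    hits = []
    for line in lines:
        parts = line.split("|")
        if len(parts) != 4:
            continue                   # skip malformed export lines rather than crash
        ts, host, event_id, _msg = (p.strip() for p in parts)
        if event_id in LOG_CLEARED_EVENT_IDS:
            hits.append((host, ts))
    return hits

# Constructed sample data: one host resembling the compromised server, one healthy workstation.
TODAY = date(2024, 1, 15)
ASSETS = [
    Asset("legacy-web01", True, date(2023, 6, 1), False, True, None),
    Asset("ws-finance07", False, date(2024, 1, 10), True, False, date(2023, 12, 1)),
]
# Constructed lines as a central collector would hold them; a clear on the host cannot erase these.
LOG_LINES = [
    "2024-01-14T03:02:11|legacy-web01|4624|An account was successfully logged on",
    "2024-01-14T03:40:57|legacy-web01|1102|The audit log was cleared",
    "2024-01-14T03:41:02|legacy-web01|104|The System log file was cleared",
    "2024-01-14T04:10:00|ws-finance07|4624|An account was successfully logged on",
]

def triage(assets: list[Asset], lines: list[str], today: date) -> dict[str, list[str]]:
    """Combine both checks into one per-host report, hosts with the most findings first."""
    report = {a.hostname: assess_asset(a, today) for a in assets}
    for host, ts in detect_log_clearing(lines):
        report.setdefault(host, []).append(f"event log cleared at {ts}")
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))
```

Because the log lines are the collector's forwarded copy, scrubbing logs on the host still surfaces as a finding here, which is the practical reason to ship event logs off-box before an incident rather than after.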

However, comprehensive practices came through in the detection of anomalous events at the first point possible. Our SOC sprang into action, according to plans, and we were able to fully ascertain this situation and prevent any further incidents. You can see the potential for significant impact that one unprotected system has, but by layering detection and response throughout the environment, we can mitigate the unknown.

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

The New Normal for Cybersecurity

Cybersecurity seems to be making news headlines more and more recently. Hackers are becoming more widespread and more efficient, with ransomware attacks up 105% from 2020 to 2021 according to the 2022 Cyber Threat Report. With new virtual realms such as the Metaverse close within our reach, it is crucial that proper protocols are set in place.

For a Security Operations Center (SOC), monitoring customer infrastructure activity and quickly mitigating cyber threats is always a top priority, but it is especially important right now as conflict continues between Russia and Ukraine. Current Advanced Persistent Threats (APTs) and destructive malware include:

  1. Disinformation, defacements, Distributed Denial of Service (DDoS) 
  2. Destructive Wiper Communities  
  3. WhisperGate 
  4. HermeticWiper 
  5. IsaacWiper 

All of these attacks are initiated to spread propaganda or disrupt normal operations for businesses and individuals. The Destructive Wiper Communities are a family of destructive malware intended to wipe computer systems, deleting data and programs, with crippling results for affected businesses.

Following the initial attacks on Ukraine, cyberthreats were heightened globally by over 800%. While the Ntirety SOC team has not seen any targeting of Ntirety customers, we know that this could change at any moment, so we remain vigilant. We are continuing to take steps to enhance cybersecurity postures and increase monitoring for cyber threats.

Many data breaches can be traced back to the tiniest flaws, such as a weak or stolen password. As cybercriminal groups grow, it can be difficult for security teams to seal the cracks and fix the bugs fast enough. Protecting your business should be an ongoing effort, as there will always be cyberthreats. It is important to have all the right tools and technologies in place, working together.

Cyber attackers look for access into endpoints; these endpoints are easily discoverable, readily available, and easy to access. As remote work has become increasingly common, these endpoints, which were once located in relatively secure buildings, have moved outside of the four walls of an office. From these endpoints, cybercriminals will steal data and take down critical applications. Malicious attacks can include:

  • Phishing: Users surrender personal information by responding to fake official emails or links to fake websites 
  • Malware: “Malicious software” designed to damage or control IT systems (Example: Ransomware) 
  • Man-in-the-middle attacks: Hackers insert themselves between your computer and the web server 
  • DDoS: “Distributed Denial of Service” A network of computers overload a server with data, shutting it down 
  • Internet of Things & Edge Processing: Rogue data thefts; user error (not encrypting) 
  • SQL Injection Attack: Corrupts data to make a server divulge potentially sensitive information 
  • Cross-Site Scripting: Injects malicious code into a website to target the visitor’s browser 

Attackers are continuing to evolve their game and crowdsource their efforts. They can find vulnerabilities and exploit weak points within cyber infrastructures. With the help of Ntirety’s SOC your business will have eyes on your cyber infrastructure 24x7x365. For more information watch our recent webinar here and stay tuned for the next blog in this series.