

Whether it's due to lack of attention, poor capital planning or alert fatigue, there are lots of reasons why a SOC can become unhealthy. Here's how to make it better.

Congratulations, you’re the new CISO! Whether you have served in the role previously or it’s new to you, you’ll be asked to observe your new organization, to develop a 100-day plan, to evaluate people, processes, and technology, and of course you’ll need to tell the CEO where you would attack the organization and how you will protect against that.
It’s a daunting and exciting task to be the new CISO. There is so much to observe and learn, and then you have to formulate a plan of action. You are inundated with learning the new organization from the CISO’s chair.

Finally, the day comes when you tour the Security Operations Center. You are looking forward to this, because it’s operational; it’s where you fight the adversary—hackers with various forms of capabilities, motives, and sponsorship.  Of course you want to see the chess match in action between your cyber analysts and threat actors. You look around: it looks like a SOC (analysts at monitors), and then your SOC Director briefs you on manpower, processes, technology, annual budget, measures and metrics.

As the briefing continues, your smile transitions to furrowed eyebrows.

As you investigate, question, and seek to understand, you can see what has happened: your SOC is sick. You have seen the symptoms before and you know the diagnosis: it’s SOC-atrophy.

SOC-atrophy: an omissive noun.
1. When your technology has remained dormant too long.
2. Unrefreshed cyber technology.
3. The absence of intelligence and heuristics.
4. Plagued by false positives.
Your SOC became sick for several reasons. The technology you have is antiquated and completely signature-based, best suited for static threats, not advanced threats. While signature-based solutions have a role, it’s a secondary protection role. The organization failed to keep up with technology and the evolving threat.

For years, the organization has relied on incremental funding.

This budget strategy has a typical result: a disparate mix of capabilities purchased individually as security silos, without consideration for how the capabilities will work together.

The tools don’t work together. It’s an integration nightmare! But SOC-atrophy is not only a technology problem. As you sit down with your analysts, you observe that each analyst must be knowledgeable about several different tools and that they spend a lot of time collecting data and alerts. You observe the waterfall of alerts overflowing your analysts with data -- mostly false positives.

The analysts have alert fatigue; they just can’t keep up. The bottom line: the organization didn’t see the evolution of the threat, didn’t keep up with technology, and has not figured out how to use threat intelligence, much less integrate intelligence as a key enabler.

The old technology in your SOC was the right decision for a different time, but not for today.  Capital planning for cyber investment has also been a challenge.

Typically SOCs are developed and funded piecemeal, a silo of capability at a time.

This has a cause and effect: the tools are hard to integrate or don’t integrate at all, which in turn makes it virtually impossible for an analyst to perform.

Whether it has been lack of attention, inadequate measurement of effectiveness, poor capital planning, or alert fatigue, there are several ways for a SOC to become sick. Your goal now is to bring it back to a healthy state. Here are five strategies to overcome SOC-atrophy.

1. Research to understand all SOC investments. You need to analyze the cost and effectiveness of each tool, and then prioritize the value of what you have. You will want to keep the best value and get rid of the lower-value, higher-cost solutions. This is your available trade space.

2. Perform a SOC-focused assessment. This will gauge operational effectiveness and highlight gaps. Knowing your current health is a relatively low-cost endeavor and helps you build a business case for investments to close the gaps.

3. Study the threat landscape. From the CEO to the cyber analysts, your organization needs to clearly understand the threat landscape and how the threat is escalating. This understanding will help you focus on the technology, expertise, and intelligence you need to protect your organization.

4. Resist the urge to fund your tools piecemeal. Develop the business case for an integrated platform with the ability to visualize web, email, file servers, endpoints, mobile, and SIEM in one picture, enabling you to detect and remediate threats earlier in the kill chain. The board needs to understand the business case for an integrated platform.

5. Encourage cross-organizational collaboration. It’s critical to build partnerships for vetting the business case and gaining consensus on your SOC plans. Spend quality time with your fellow IT executives and other business leaders to discuss -- at a strategic level -- what you are working on, your timeline, and your forthcoming proposal. There is no greater feeling than going into a board meeting with many of the members clearly in your corner.

Lance Dubsky, CISSP, CISM, is Chief Security Strategist, Americas, at FireEye and has over two decades of experience planning, building and implementing large information security programs.

Before joining FireEye, he served as the Chief Information Security Officer at two ...
Detects Ransomware, Spear Phishing, APTs and Other Tier-1 Threats Faster

May 17, 2016 — LogRhythm, The Security Intelligence Company, today announced immediate availability of Network Monitor 3.

This latest version of the industry’s leading network monitoring, analytics and forensics solution empowers organisations to detect, investigate and neutralise today’s most advanced and concerning threats such as ransomware, spear phishing and APTs faster and with greater precision than ever before.

Leading the list of new innovations introduced in Network Monitor 3 is Deep Packet Analytics (DPA).

DPA performs real-time, automated, machine analytics on all network traffic, applying behavioural and statistical analysis to rich data sets produced by Network Monitor’s Full Packet Capture and Layer 7 SmartFlow™ features.

The result is unprecedented speed and precision in detecting advanced threats traversing enterprise networks.

This lowers the risk of high-impact breaches and improves the efficiency and effectiveness of information security staff.

“When an attack hits, the tools we use need to have broad capabilities, be highly intuitive with a practical interface, and enable us to be efficient and precise in our response,” said Jack Callaghan, senior security engineer, CISSP CISM CIPP, Pulte Mortgage. “That’s exactly why we selected LogRhythm’s Network Monitor solution and Security Intelligence Platform over the competition and have made it core to our information security arsenal.”

“Most organisations are blind to a growing number of advanced threats crossing their network today,” said Chris Petersen, CTO/Co-Founder at LogRhythm. “Deeper visibility into suspicious network activity, coupled with powerful analytics and more efficient incident response is what’s needed to detect and mitigate these threats before they can have a material impact. That’s exactly what Network Monitor 3 is providing to our customers.”

Beyond accelerating the detection of advanced threats, Network Monitor’s DPA also automates incident response investigations by enabling responders to create custom analytics rules that can inspect full packet streams in real time.

Additionally, DPA enhances Network Monitor’s SmartCapture™ policies to trigger packet capture on traffic that is aligned with concerning network activities including known indicators of compromise (IOC). Other network monitoring and analytic platforms require the capture and storage of all packets regardless of their association with suspicious activity.

Additional innovations introduced in Network Monitor 3 include:

Enhanced data visualisations – Built on Elasticsearch’s Kibana Big Data plug-in, Network Monitor 3 delivers new, highly intuitive and practical presentations of massive data sets, accelerating threat detection and incident response.

Extended Application Identification to over 2,700 – Growing the number of applications Network Monitor can identify in real time by over 1,000 since the release of Network Monitor 2.

Increased speed and efficiency of packet capture viewing – Leveraging the REST API, Network Monitor 3 provides programmatic access to packet data for the LogRhythm Security Intelligence Platform or any third-party application.

Extended capabilities for extracting files, images and other content from full packet captures – Facilitating more rapid incident analysis and response.

“Detecting threats that are latent in your network requires intelligence that is derived from real-time analysis of network traffic,” says Eric Ogren, senior analyst at 451 Research. “We find identifying applications, correlating historical user and machine activity and analysing network packets for anomalies to be fundamental to behavioural analytics, which is rapidly becoming a critical element of enterprise security strategies. LogRhythm’s Deep Packet Analytics and Security Intelligence Platform form a combination that can help security teams detect threats before significant damage occurs.”

LogRhythm Network Monitor 3 is available for purchase today as a standalone solution or as a fully integrated component of LogRhythm’s Security Intelligence Platform.

To view LogRhythm’s Network Monitor 3 features and capabilities, see https://www.youtube.com/watch?v=-oALDKcjCnA.

About LogRhythm

LogRhythm, a leader in security intelligence and analytics, empowers organisations around the globe to rapidly detect, respond to and neutralise damaging cyber threats.

The company’s patented and award-winning platform uniquely unifies next-generation SIEM, log management, network and endpoint forensics, and advanced security analytics.
In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides unparalleled compliance automation and assurance, and enhanced IT intelligence.

LogRhythm is consistently recognised as a market leader.

The company has been positioned as a Leader in Gartner’s SIEM Magic Quadrant report for four consecutive years, named a ‘Champion’ in Info-Tech Research Group’s 2014-15 SIEM Vendor Landscape report, received SC Labs’ ‘Recommended’ 5-Star rating for SIEM and UTM for 2016 and earned Frost & Sullivan’s 2015 Global Security Information and Event Management (SIEM) Enabling Technology Leadership Award. LogRhythm is headquartered in Boulder, Colorado, with operations throughout North and South America, Europe and the Asia Pacific region.

Media Contacts
Hannah Townsend or Savannah O’Hare
Finn Partners
LogRhythm@finnpartners.com
+44 20 3217 7060