Previous strategies in MITRE’s 11 Strategies of a World-class Cybersecurity Operations Center stressed the importance of collecting the right data — both threat intelligence (external) and log/sensor data (internal) — from the right tools.
While MITRE concedes that every tool and piece of data can add value, it also states that integration is crucial to deriving the most value. Thus, SOCs should look to bring all tools and data together into a single architecture that supports analyst workflow.
CHALLENGE: SOCs bring vast amounts of disparate data together into an information architecture. Analysts need to be able to quickly evaluate the data, turn the data into information, and use the information to fulfill their mission.
There is no one-size-fits-all workflow management solution. Depending on size and maturity, an organization may turn to any of several tools. MITRE discusses at length the abilities, benefits, and shortcomings of those tools, but also states that “reducing the number of panes of glass and providing integration between them is the best strategy with an emphasis on automation and integration for repeated tasks, escalation, and incident handling.”
The goal is to provide analysts with information they can use immediately and effectively, without distracting or exhausting them, without requiring extensive training — and without busting budgets.
SOARs can integrate with a variety of disparate systems to collect threat data and automate repeatable processes. SIEMs can be used for threat detection and hunting, incident analysis, workflow and escalation, configuration monitoring, and more. Both are used as aggregation points for different tools and platforms.
So, why not choose one of these as the single pane of glass?
To begin, some traditional SIEMs have failed to deliver on their promises to increase visibility, enable the detection of security events, and support incident response. They don’t ingest all the data you need in a cost-effective, actionable, or timely way. Moreover, as MITRE points out, “Some SOCs struggle to realize the value proposition of SIEM, in large part due to their complexity, as effective correlation rule writing and upkeep can be resource consuming.”
For SOARs, it’s much the same story. Though they can integrate with other tools, doing so is not easy: each integration requires technical expertise to implement and maintain. Moreover, SOARs orchestrate a response; they do not detect threats or determine where the greatest security risks to the business lie.
Bottom line: SOARs and SIEMs require a deft, often cost-prohibitive touch to reap maximum benefits.
Despite the shortcomings of certain solutions, the notion of an aggregation point remains important, because perspective and visibility matter, and visibility is needed across all digital operations, not just security. And if fewer panes are better, wouldn’t a single pane of glass across both security and digital operations be the best option?
As illustrated below, Resolution Intelligence Cloud sits at the apex of aggregation points. Not only does it glue everything together, but it also sifts through, correlates, and contextualizes all telemetry data, at petabyte scale and Google speed. Resolution Intelligence Cloud dramatically reduces alert noise, presenting actionable insight and evidence based on real-time analytics of security and operations data as well as asset and user data.
With it, SOCs gain a complete operational picture (COP) and thus, the situational awareness needed to identify true threats and drive the right action based on business risk.
Using the platform, SOC teams can leverage the unique capabilities and strengths of each security tool without needing to continually pivot between tools. They can directly dig deeper into alerts to investigate further and as necessary, establish war rooms. In a war room, they can instantly collaborate (or escalate) with key stakeholders — including digital operations and business stakeholders — to decide the best course of action (incident handling) for high-priority alerts.
Most security tools offer neither petabyte scale nor long-term telemetry retention, and most that do charge you for all that data and availability. But to find threats, SOCs need scale, data over time, and speed, especially since the average time to identify and contain a data breach is 277 days. (To put that into perspective, the average gestation period for a human is 266 days.)
Historical hot data lets analysts retrace an attacker’s steps to understand exactly what happened during an incident: how the attackers gained access to the network, where they went, and what they may have exfiltrated, damaged, or deleted. If retained telemetry is limited, SOCs may never learn exactly how an incident started, or worse, may miss threats or incidents altogether, especially those with long dwell times. Either way, insufficient data limits their ability to forecast threats and prevent future incidents.
Resolution Intelligence Cloud ingests and analyzes petabytes of data at speed, and uses machine learning and behavioral analytics to surface potential and confirmed incidents, called ActOns. The platform also prioritizes ActOns based on likelihood, business impact, and confidence so SOC analysts know where to focus. Plus, it automates level-1 and level-2 tasks.
Resolution Intelligence Cloud puts MITRE’s “best strategy” into action by:
In short, the platform helps meet the aforementioned goal: providing analysts with information they can use immediately and effectively, without distracting or exhausting them, without requiring extensive training, and without busting budgets.