Connect with us

Hi, what are you looking for?

Technology

How technology vendors can best serve network incident responders

BassamKhan


Join today’s leading executives online at the Data Summit on March 9th. Register here.

This article was contributed by Bassam Khan, VP of product and technical marketing engineering at Gigamon.

As an increasing number of organizations suffer from cyberattacks, it’s evident that incident response during an active breach is incredibly stressful. Therefore, vendors need to level up their game to help customers with data, tools, focus, and expertise — especially at a time when they’re needed most. In a world where public breaches are a concern for most large organizations, technology vendors must take the time to listen and understand their challenges to guide them in finding the right solution. Vendors have access to the most advanced cloud compute, storage, and search technologies, visibility into attacks across many customers, and knowledge of effective defense practices. However, SOC teams rarely benefit from these resources.

Lack of data: historical lookback and vendors

It’s a well-known fact that threats linger for a long time before detection — 280 days according to IBM research. Then why do SaaS NDR vendors offer only 30, 60, or maybe even 90 days of lookback? The cloud offers virtually unlimited storage, so shouldn’t historical lookback at least match how long threats linger?

A case in point:

  • February 20, 2020: SUNBURST attack was compiled and deployed via SolarWinds Orion Platform DLL.
  • December 8, 2020: First discovery of SUNBURST attack.
  • December 8, 2020 to present: 18,000 government entities and Fortune 500 companies are investigating the impact and responding to attacks.
BassamKhan

On the days after December 8th, 2020, security teams scrambled to examine historical data to see if any of the indicators of compromise had crossed their network. However, teams were challenged by lack of network visibility, where available metadata often spanned only a few days. The lucky ones had a month of data, or 90 days at best. None of that allowed them to investigate back to the SUNBURST attack that was first deployed in February 2020 to understand the exact behaviors of the attackers in their network and the level of risk presented to the organization.

This makes us wonder why we have cloud computing with virtually unlimited storage, yet vendors aren’t addressing these challenges for their customers.

Lack of time

If you have ever been part of a security team during an incident, you understand the race against time. Every second counts. This isn’t melodrama; it’s a pressure cooker. It’s also one of the reasons for security analyst burnout.

Advertisement. Scroll to continue reading.

Take for instance modern ransomware. From the time of first discovery of the presence of an attacker in the network, it is a race to mitigate their actions before you fall victim to costly ransom payoffs, encrypted critical data impacting operations, double extortion for exfiltrated data, and relentless media coverage with everyone offering an opinion on what you should do and your actions.

And yet, security vendors rarely focus on providing tools that speed investigations. They are hooked on being able to “detect” and leave the rest up to the security team. Again, why? Vendors have virtually unlimited compute power, yet most don’t offer this basic value. With current NDR tools, investigators are forced to search for events one at a time. Why can’t they search in parallel? Why can’t multiple team members all be working together sharing searches, sharing results, and collaborating? Further, why don’t the solutions offer threat-specific playbooks with “here’s the ‘thesis’ you should verify,” or worse, suggesting you use a different product to investigate and start much of the work over again there.

The cloud compute capabilities exist but vendors aren’t putting them to work for their customers.

Lack of focus

Do you remember the promise of SaaS-based security tools? Move your security solutions from on-prem to the cloud, and you’ll never have to maintain your solution – you get all the benefits of cloud computing. Well, the promise feels like it has fallen a bit flat, hasn’t it?

True, your SaaS security products are getting the latest updates in a timely fashion – but as we shared earlier, you aren’t receiving the benefits of cloud computing with unlimited storage and compute power. What’s worse is that with the use of machine learning, many of the “technology advancements” now require your staff to perform never-ending detection tuning and FP reduction efforts. In other words, vendors have passed the buck to your team to get high-fidelity findings, often benefiting them as much as you!

Vendors must step forward and eliminate these distractions. Some vendors are embracing the notion of “guided SaaS” where the solution is owned and operated by your team, but software updates, detection/false-positive tuning, system maintenance, and health checks are all performed by the vendor so that you can focus on “Job 1” — threat management. I applaud this approach and hope other vendors will step forward and include this in their offering, instead of just charging professional services fees for something they should have done in the first place.

Lack of guidance

We’ve established that lack of focus, data, and time are three big challenges facing security teams. The fourth barrier to fast response is threat-specific knowledge. Incident responders need to know the tactics, techniques, procedures (TTPs), and intents of an adversary to be able to respond comprehensively with certainty. Again, vendors do a poor job of aiding their customers here, forcing security practitioners to perform their own research on TTPs and information on the adversary’s intent so they can determine on their own how to respond.

NDR vendors sit on a goldmine of knowledge about threat actor TTPs and intent, but they don’t share their knowledge with their customers. Vendors’ threat research gathers a lot of actionable intelligence on an effective response for any given threat, but they don’t have mechanisms to share that information.

Some vendors offer add-on expertise, but the shared information is almost always about their product, not how to respond to a specific incident. Why don’t NDR vendors help their customers in their biggest time of need, sharing expertise gained from cross-deployment knowledge, crowdsourced data, and threat research? And not in vendor-speak, but as one incident responder would help another?

Advertisement. Scroll to continue reading.

A challenge to vendors: Raise the bar of success

We must do better. We must empathize and innovate to eliminate the true challenges facing security teams. May 2022 begin, and continue, with truly listening to customers.

BassamKhan2

Bassam Khan is the VP of product and technical marketing engineering at Gigamon.

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.

If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.

You might even consider contributing an article of your own!

Read More From DataDecisionMakers



Source link

Click to comment

Leave a Reply

Latest

Top Stories

Crypto derivatives exchange and nonfungible token (NFT) platform FTX is reportedly in the market for brokerage start-ups as part of its recently announced plans...

Loan And Finance

MS&AD Insurance Group Holdings, the parent firm of MS Amlin, has revealed its business results for the year ended March 31, 2022....

Top Stories

It’s been two weeks since the shock of the TerraUSD (UST) depegging, but the long waves of this event are still coming in. The...

Online Business Success

International Monetary Fund — Reuters KARACHI: Pakistan and the IMF are likely to go above and beyond to complete the seventh review under the...

Top Stories

Bitcoin (BTC) is off to a better start than most this week as bulls avoid serious losses into the weekly close. Still heavily tied...

Online Business Success

With Pakistan’s foreign exchange reserves depleting to alarming levels, the rupee plunging to new lows, and a delay in the IMF programme, Pakistan’s default...

Advertisement

You May Also Like

Uncategorized

Introductions get a lot of attention. I’ve explored the topic of how to write them even though as a reader, I always skip them....

SEO Guide

There are all kinds of pictures of the world on the internet, but to find one of these specific pictures that you want to...

Online Business Success

The internet is now our nervous system. We are constantly streaming and buying and watching and liking, our brains locked into the global information...

Online Business Success

You can think of link building in many ways. I like to call it tedious, painful, and a test of patience. It’s also necessary...

Advertisement