Security Experts:

From Chasing Alerts to Hunting Threats: What Makes an Effective SOC is Evolving

Whether you call it a SOC, a CSOC, a Cyber Defense Center, or something else, security operation centers have the same fundamental mission – to help organizations detect, analyze, respond to, report on, and prevent cyber security incidents. But what it takes to do that effectively has changed in this ever-evolving threat landscape, putting an even greater burden on analysts and the technologies they rely upon.

Many SOCs take a reactive approach and provide a set of standard services that include log management, real-time monitoring, and incident response and investigation. They use traditional SIEMs that gather log data from internal sources, conduct correlations, and run simple, real-time, rules-based analytics to detect known threats. When an alert is triggered, they investigate. For a while this level of service was sufficient. But as attacks have become more sophisticated it is evident that a lot of malicious activity occurs below the radar without generating obvious log data – think zero-days and targeted malware. This means that traditional attack detection has become less successful.

As the number of successful breaches continues to rise and attackers remain active and undetected for weeks, months, or even longer, it’s no longer enough to investigate alerts. Knowing it is impossible to detect and block every attack, SOC analysts now must also take a proactive approach to protect company assets, seeking out active threats and breached systems. Threat hunting focuses on proactively finding threats that get inside the network. It requires deep inspection of potentially breached systems and looking across wide ranges of historical data to find malicious activity not identified by traditional alerting mechanisms.

Engaging in threat hunting

Threat hunting campaigns involve a wide range of tools and skills. If you find evidence of a possible breach, you can investigate that system to determine what happened, how it happened, and other systems that also may have been affected so that you can contain and remediate the attack. Unfortunately, manual hunting campaigns can require a huge amount of effort with a limited chance of finding anything. While it can be very satisfying to find something that had been missed, without the proper technology to do something about it, it can be time and money wasted.

Thankfully, advances in security analytics technology and threat intelligence are helping to make the best use of limited analyst resources for more effective campaigns. There are two ways these technologies can help: by focusing hunts on assets that are more likely to have been breached, and by reevaluating past events in light of the latest threat intelligence. 

Hunting for breached systems

As most SOC analysts know, in many cases you will hear about attacks by word-of-mouth from a normal user reporting ‘something looks weird,’ rather than through a SIEM alert. Advanced attacks frequently avoid setting off the obvious alarms, but they will likely still leave evidence that something is amiss. Breached systems just don’t behave like they used to. But relying on people to identify unusual activity isn’t adequate and doesn’t scale in today’s threat landscape.

That’s where advanced analytics come in. Proactively finding and thoroughly investigating a potentially breached system takes time, effort, and skill – all at a premium in most organizations. Advanced analytics can help identify where to hunt, based on finding anomalies that may indicate a breach. Systems that suddenly deviate from their normal baselines may be running new unknown processes, sending out large amounts of information to untrusted networks, or communicating with geographies that outside of typical business practices. Each of these anomalies may be innocent or may point to a potentially compromised system. To find such anomalies, most successful hunting campaigns start with a combination of analytics working together:  statistical analytics to identify outliers and machine learning algorithms to evaluate those outliers to see if they resemble something that is known to be bad. Based on this analysis, systems that indicate a higher probability of being breached can then be thoroughly investigated.

Reevaluating the past

Threat hunting also includes looking for threats you might have missed by examining your historical data. To overcome the limitations of traditional SIEMs, threat hunting uses newer platforms based on big data to collect, manage, and analyze massive volumes of data from a variety of internal and external sources over long periods of time. Where real-time analytics may have missed something the first time around, big data systems can be used to examine the potential huge backlog of logs and other data sources available to you. This has the advantage of hindsight, providing you with the ability to reevaluate data by reapplying analytics using the latest threat intelligence. For example, potentially malicious connections to a command-and-control infrastructure may have gone unnoticed given the information available at the time. With updated threat intelligence run against historical metadata about its network communications, an analyst may be able to retrospectively identify an attack.

Whether you’re proactively looking for breached systems or reevaluating past events, the goal is to increase your odds for a successful hunting campaign. Big data platforms; real-time global threat intelligence; and a complement of rules-based, statistical, and machine-learning analytics all help lighten the burden on analysts. These technologies must work together and incorporate analysts’ insight and knowledge of their environment for a much more fruitful hunting expedition. With the ability to shift from chasing alerts to hunting threats, SOCs can evolve to be more proactive – and effective – in the face of advanced attacks.

view counter
Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.