Expert Advice on Prioritizing, Automating and Collaborating for Threat Detection and Response
Noor Boulos
Drawing on their years of cybersecurity experience, initially as members of the U.S. Armed Forces – Air Force, Navy and Army, respectively – and then in the technology industry, these experts covered a lot of ground. You can watch the full webinar here. Following are a few of the highlights:
Organizations are spending more on cybersecurity than ever before but still struggle to keep pace. Why is it such a difficult challenge?
It comes down to operational effectiveness. Security teams are dealing with data overload and alert fatigue. As we look at the people, processes and technology required to keep up, we have to think about the human cost in addition to budget. It’s hard to know the right level of investment in solutions and people. But understanding if a technology requires a lot of configurations and integrations to work or whether it is plug and play is a key consideration.
This is no time for siloed solutions. Hold vendors accountable for ease of integration. Teams need the ability to quickly elevate events that have potential to cause material damage to the organization. Data isn’t enough. They also need context so they can focus on the top priorities and take action. Data contextualization and having the ability to detect and respond quickly requires integration so you can start to automate and keep pace.
Digging a little deeper, given the complexity of the threat landscape and the ecosystem teams operate in, what should be the most relevant factor behind data-driven automation?
This is where Extended Detection and Response (XDR) comes into play along with the ability to make data useful and actionable. You need to be able to collect institutional knowledge or context and combine that with threat data for situational awareness. And that situational awareness must be available to those in the SOC doing the work of incident management and investigation.
SOC operators are used to certain tools. Requiring them to use more tools introduces more complexity. What’s needed are tight integrations with tools they use day to day. This means vendors must provide robust APIs so customers have access to the data points and context within their existing technologies and can use that situational awareness within their workflows efficiently.
When you think about budgets, it’s not just the cost of a software license or subscription but also how much time it takes to contextualize data and take action. Integrations that are quick to set up and lightweight to maintain are key.
The Cisco XDR and ThreatQ integration is a great example. Users have contextualized data at their fingertips and can investigate further to assess the severity of an event. If it’s high priority, they can pivot to understand other associated attacks and get recommended mitigations, all in a single console, which saves them a lot of time. From there they can task out mitigations and respond to the appropriate teams.
What do SOC operators consider most valuable in their operational environment today? XDR platforms can be extremely rich, but they aren’t everything. Is it process, type of data they have access to, particular platforms, or integration?
It’s really a combination of all of the above. They need the ability to:
- Bring together data from different internal and external sources – what does the firewall know about this, your EDR solutions, email gateways, threat intel, etc. – and correlate and validate that data.
- Prioritize the attack based on the severity and also the importance of the asset to the organization.
- Map the attack to the MITRE ATT&CK framework to understand the expected progression and blast radius.
- Include all of this information in the investigation workflow.
- Have the playbooks available to mitigate risk.
- Automate as much of this as possible.
What are your thoughts about the hesitance to use automated response?
In the military they use pre-approved actions to enable automation, and that’s how organizations should lean in to automation. This is where the human aspect comes in. Put policies and procedures in place and then, with the right authorization level, people can make the decision to pull the trigger on the automated response.
As we talked about earlier, having situational awareness at their fingertips gives security staff the confidence they need to make that judgement call. When they are ready to commit to that decision, the downstream tasks should happen as expected.
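The workflow the experts describe in the list above (correlate alerts from several sources, prioritize by severity and asset importance, map to ATT&CK, attach a playbook) and the pre-approved-action gate for automated response can be sketched in a few dozen lines. The following is an added illustration, not code from the webinar, from Cisco or from the ThreatQ Platform. The alerts, asset criticality table, intel feed, playbook names and authorization levels are all constructed for the example; in practice they would come from your EDR, firewall, email gateway, CMDB and intel sources through their APIs.

```python
"""Added example: multi-source alert correlation, asset-aware prioritization,
ATT&CK mapping, and a pre-approved-action gate for automated response."""
from dataclasses import dataclass, field

# Constructed sample alerts from three sources (not real telemetry).
# Two of them describe the same host talking to the same external address.
ALERTS = [
    {"source": "edr", "host": "fin-db-01", "indicator": "203.0.113.45",
     "severity": 4, "technique": "T1071.001"},          # C2 over web protocols
    {"source": "firewall", "host": "fin-db-01", "indicator": "203.0.113.45",
     "severity": 2, "technique": None},
    {"source": "email_gateway", "host": "hr-ws-17", "indicator": "invoice.docm",
     "severity": 3, "technique": "T1566.001"},          # spearphishing attachment
]

# Hypothetical institutional context: asset criticality 1 (low) .. 5 (crown jewel).
ASSET_CRITICALITY = {"fin-db-01": 5, "hr-ws-17": 2}
# Hypothetical intel feed: indicator -> confidence (0-100).
THREAT_INTEL = {"203.0.113.45": 90}
# Hypothetical mapping of ATT&CK technique -> response playbook.
PLAYBOOKS = {"T1071.001": "block-c2-egress", "T1566.001": "quarantine-message"}
# Hypothetical pre-approved actions: playbook -> minimum authorization level.
# Anything not listed here is never run automatically.
PRE_APPROVED = {"block-c2-egress": 2, "quarantine-message": 1}


@dataclass
class Incident:
    host: str
    indicator: str
    sources: set = field(default_factory=set)
    severity: int = 0
    techniques: set = field(default_factory=set)

    def validated(self) -> bool:
        """Corroborated by a second source or by threat intel."""
        return len(self.sources) > 1 or self.indicator in THREAT_INTEL

    def priority(self) -> int:
        """Severity weighted by how important the asset is to the organization."""
        return self.severity * ASSET_CRITICALITY.get(self.host, 1)

    def playbook(self):
        """First playbook that matches one of the mapped ATT&CK techniques."""
        for technique in sorted(self.techniques):
            if technique in PLAYBOOKS:
                return PLAYBOOKS[technique]
        return None


def correlate(alerts):
    """Group alerts by (host, indicator); keep the highest severity and every
    source and technique seen. Returns incidents, highest priority first."""
    incidents = {}
    for alert in alerts:
        key = (alert["host"], alert["indicator"])
        inc = incidents.setdefault(key, Incident(alert["host"], alert["indicator"]))
        inc.sources.add(alert["source"])
        inc.severity = max(inc.severity, alert["severity"])
        if alert["technique"]:
            inc.techniques.add(alert["technique"])
    return sorted(incidents.values(), key=lambda i: i.priority(), reverse=True)


def authorize_response(incident, approver_level):
    """Pre-approved-action gate: automate only a validated incident whose
    playbook is on the approved list and whose approver holds the required level."""
    action = incident.playbook()
    if action is None:
        return "no-playbook"
    if not incident.validated():
        return "manual-review"       # single unconfirmed source: a human looks first
    required = PRE_APPROVED.get(action)
    if required is None:
        return "manual-review"       # action exists but was never pre-approved
    if approver_level < required:
        return "escalate"            # right action, wrong authorization level
    return f"auto:{action}"


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc.host, inc.indicator, "priority", inc.priority(),
              "sources", sorted(inc.sources), "->", authorize_response(inc, 2))
```

The priority score is deliberately simple (severity times asset criticality); the point is that the asset table, not the sensor alone, decides what reaches the top of the queue, and that the response gate refuses to act on anything that is unvalidated, unmapped or approved by someone below the required level.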
With AI now top of mind, an additional aspect to consider is how technologies incorporate machine learning (ML) to drive additional value. The ThreatQ Platform leverages ML by including a feedback loop, so the technology continuously captures and stores data from the automated response for learning and improvement.
To learn more from these experts and to see how Cisco and the ThreatQ Platform can turn some of the challenges discussed into opportunities, watch the webinar.