In Part I of this blog series, I wrote about the tremendous growth MSSPs are going to experience through 2025 and the significance of uniformity, scale and affordability in the context of security solutions and platforms powering the SOC/MDR team. Next, we need to look at the solution through core problem-solving lens.
- Are threats being detected with appropriate supporting indicators?
- Does the platform generate too many noisy alerts?
- Is the solution focused on threat analysis versus log analysis?
- What is the level of human effort required to correlate events and indicators to ultimately identify real attacks?
EARLY DETECTION is Crucial for Preventing Major Incidents
As MSSPs cater to more customers, SOC analysts are subjected to increased load of events, alerts and incidents. While incident analysis and mitigation takes up a good chunk of the effort, often stretching into late working hours, the impact of a critical or major incident can be quite damaging for the customer and draining for the analysts. Hence, the underlying technology powering threat detection platform, leveraged by SOC, has a significant role to play.
- Information Enrichment and Analysis: Events filtered from various sources combined with network flow data must be analyzed and correlated in real-time by the platform to generate Threat Indicators. In parallel, Threat Intelligence data should be injected to confirm certain types of suspicious activities. Finally, behavioral analytics are applied to gauge deviations from a baseline while assigning appropriate confidence level.
2. Process First, Store Later: With most solutions focused on log aggregation and custom correlation, priority and objective goals for threat detection are laxed. Instead, by design, the threat detection platform should be able to first process, analyze and generate threat indicators at high speed and volume, followed by storage (hot or cold).
3. Built-in Correlation and Automation: Most traditional SOC is based on SIEM platforms that require analysts to script correlation rules and perform manual search-query operations, with the objective of hitting the right alerts. This approach not only ties up SOC Analysts for several hours each week, it adds ambiguity to threat discovery with trials and errors. On the contrary, automated correlation combined with AI based decision making works favorably towards early detection.
4. Reduce the Noise: In order to optimize time, effort and cost, MSSPs have to host their SOC on a platform that cuts the noise and focuses on the alerts that matter, the true positives. This would require a well coordinated method of analyzing user and entity (endpoints, servers, devices) centric threats, applying confidence levels and linking them together to arrive at the qualified alerts.
5. Variety of Threat Coverage: MSSPs have to be equipped with the services and solutions that cover a variety of threat scenarios across the customer base. When one customer may be faced with Ransomware Attack, another customer may be dealing with Trojan type Malware Attack and yet another may be grappling with Insider Threat. Hence, Threat Detection Platform used by the MSSP needs to take into account all these use cases, thereby facilitating early and assured detection.
Let us apply these criteria to Seceon’s aiMSSP platform which enables SOC to perform Managed Detection and Response by leveraging the Advanced SIEM (aiSIEM) and XDR (aiXDR) solutions.
✓ Security events, network flows and threat intelligence data are comingled and analyzed to generate threat indicators and identify suspicious activities. Additionally, vulnerability assessment data can be automatically pulled in from Seceon’s OpenVAS tool to add more substance to the findings.
✓ Big/Fast data processing architecture allows Seceon aiSIEM and aiXDR to analyze information through Machine Learning based UEBA and line up Threat Indicators efficiently before storing data. Implied focus being Threat Detection, SOC Analysts can keep their customers in good stead with considerably reduced Mean Time to Identify (MTTI).
✓ By adopting automation at its core and applying correlation around user and entities, Seceon’s aiMSSP platform removes any ambiguity from threat discovery process while saving hours and weeks worth of SOC Analyst effort. In addition to events and flows based correlation, Machine Learning takes a key role in determining anomalous behavior all throughout user and entity interactions.
✓ While noise reduction is a challenge most cybersecurity platforms face, Seceon has dealt with this rather interestingly. By implementing Dynamic Threat Model, various threat indicators are mapped into plausible threat/attack types while the trends are captured over time to raise amber (Major) or red (Critical) alert. Minor alerts are pushed to the back (concealed by default).
✓ Given the myriads of cyber attacks, and ever-increasing deception and trickery, Seceon’s solutions are iteratively amped up with newer threat models and revisions (updates) are instrumented on pre-existing threat models. Hence, a variety of threats are detected and remediated through Seceon’s aiMSSP platform – Ransomware Attack, Zero-Day Malware, Brute-Force Attack, DDoS Attack, Insider Threat, DNS Tunneling Attack, Web Exploit Attacks and many more.
To summarize, MSSPs should evaluate an Advanced Threat Detection and Remediation platform with the primary focus on early detection and the design artifacts that propel speed, accuracy and efficiency (productivity). Also, it is very important to consider the broad spectrum of threats that can be analyzed and visualized through a single pane of glass. Lastly, the solution needs to empower SOC Analysts to conduct deep threat hunting and generate reports (Security Posture, Compliance, Operational, Investigative) on a periodic basis.
Check out Seceon aiMSSP and the solutions driving the SOC teams worldwide – aiXDR and aiSIEM.
To learn more click on the links below:
Santanu (Shaan) Bagchi has 20+ years of experience in Software Industry, leading through Product Management, Pre-Sales/Solutions Architecture, Consulting and Product Marketing roles for Product Vendors, MSSPs and System Integrators in North America. As someone who has expertise in multiple tracks of Cyber Security – Advanced SIEM, Data Loss Prevention, Endpoint Security, Vulnerability Management, Threat Intelligence and Identity and Access Management – he brings versatile perspective to product innovation and customer centric solutions. Before joining Seceon, he worked as Practice Director (Cybersecurity and Risk Services) for Wipro. Previously, he held Product Management positions at Secureworks (MSSP), Novell (Virtualization and IaaS), Digital Guardian (DLP) and Hitachi Data Systems (Cloud Storage-aaS).
Shaan received MBA degree from Babson College (Wellesley, MA) and Bachelor of Engineering from IIEST (formerly Bengal Engineering College, India).