Surviving the Deluge: Lifecycle Support for the SOC

For the last month, my corner of Northern California has endured record-breaking inundation from the skies, leading to mud slides, downed power lines, road closures, and, in my case at least, propane and power outages. It’s been hard to stay productive, stretching the resources of laptops, UPSes, mobile phones, wood piles, flashlights, candles, and great neighbors. After years of boycotting, I even went back on Facebook to monitor road status through our private group. These sacrifices drive home how simple and seamless our lives can be when systems work together, and how much havoc occurs when something basic fails you.

My real-world experience echoes the reality of modern security operations. Analysts scramble, juggle, and make do as they fight a flood of security alerts, threat intelligence, and news feeds. Architects see the reality of today’s flood and also look to the horizon with storms of sophisticated attacks, organized cyber-pirates, and uncertain economics. CISOs oversee all of this, trying to match limited resources to unlimited expectations.

How are these practitioners coping? According to a just-completed survey of IT decision-makers in 800 enterprises:

  • 71% maintain a security platform that integrates existing and new technologies so their current cybersecurity measures don’t open their organization to new risk.
  • 64% also prefer to acquire overlapping technologies across the stack.
  • 41% partner with third party security service providers, and
  • 37% leverage automated workflows to address lowest level threats.

These strategies form the backbone of an open, resilient security architecture.

  • The platform captures more value from existing investments and factors in issues that point products don’t address, such as overall visibility and operational efficiency.
  • Overlapping technologies (defense in depth, not necessarily duplication) help minimize coverage gaps and bridge technology cycles.
  • Third parties bootstrap best-practice adoption and fill staffing and tool shortages.
  • Automation clears away the knowable efficiently to help security systems and experts focus on the unknown and suspicious.

New Options for Operational Excellence

Security operations benefit enormously from this design model, and McAfee is investing to help you get there. Today we proudly announced an expansion of our integrated security operations solution, with its cornerstone the new release of McAfee Enterprise Security Manager 10. The redesigned user experience guides and facilitates investigations that explore data and intelligence from any source. Behind the scenes, the SIEM can ingest any type of threat intelligence and automatically correlate in investigations, and the analyst manages and explores these insights through an investigation workspace featuring multiple incident investigation panels on the same tab and a specialized incident management dashboard.

As part of the new user experience, analysts can directly pull down updated content packs for specific use cases on demand. With a few clicks, the analysts populate rules, visualizations, alarms, and dashboards for high-value basic and advanced use cases. These help analysts filter out the knowable to identify the risky and malicious. Content packs are a great way to perform core SIEM functions like monitoring and compliance, but they also make it easy to adopt the more advanced features that support proactive security operations. For example, packs can populate sophisticated, high-speed statistical, rule, risk, and historical correlations of behavior, context, and events. Building on these content packs, users can apply advanced correlations to customize precise and targeted filters, such as a series of specific events on a specific host within a specific time range.
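As an added illustration of the targeted correlation described above (a specific series of events on a specific host within a specific time range), here is a small sequence-within-window matcher. This is example code written for this post, not McAfee ESM content-pack logic; the log format, event names and rule are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real ESM output): ISO timestamp, host, event type.
SAMPLE_LOG = """\
2017-02-21T10:00:01Z host=web01 event=auth_failure user=admin
2017-02-21T10:00:07Z host=web01 event=auth_failure user=admin
2017-02-21T10:00:40Z host=web01 event=auth_success user=admin
2017-02-21T10:01:05Z host=web01 event=new_service_installed svc=updater
2017-02-21T10:03:00Z host=db02 event=auth_failure user=root
2017-02-21T10:30:00Z host=db02 event=auth_success user=root
2017-02-21T10:31:00Z host=db02 event=new_service_installed svc=helper
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)")

def parse(log_text):
    """Turn raw lines into (timestamp, host, event_type) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def correlate(events, sequence, window_seconds):
    """Return {host: [timestamps]} where `sequence` occurs in order within the window."""
    window = timedelta(seconds=window_seconds)
    by_host = {}
    for ts, host, etype in events:
        by_host.setdefault(host, []).append((ts, etype))
    hits = {}
    for host, evs in by_host.items():
        for start, (t0, e0) in enumerate(evs):
            if e0 != sequence[0]:
                continue
            matched, idx = [t0], 1
            for ts, etype in evs[start + 1:]:
                if ts - t0 > window:
                    break  # window expired; try the next candidate start
                if etype == sequence[idx]:
                    matched.append(ts)
                    idx += 1
                    if idx == len(sequence):
                        hits[host] = matched
                        break
            if host in hits:
                break  # one alarm per host is enough
    return hits

RULE = ("auth_failure", "auth_success", "new_service_installed")
```

With a 120-second window only web01 fires; db02 shows the same three events but spread over 28 minutes, so the rule correctly stays quiet until the window is widened.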

An Ecosystem for Extensibility

Adding to our app catalog, new ESM-integrated partners expand our solutions for customers with more orchestration options, including an integration with Phantom, which won the RSA Innovation sandbox last year, as well as Ayehu and Demisto. These partners complement the native automation in our platform. [To see details on these and other partnerships, including the six user behavior analytics (UBA) partners we highlighted last fall, click here.]

The growing OpenDXL initiative further extends the security operations platform equation, with the release of new open source clients (www.github.com/opendxl). Simple (just a few lines of code) integrations with these clients will let security teams connect open source software, scripts, and in-house or legacy applications to each other, to commercial products, and to McAfee products. This approach fulfills the platform goals for efficient integration of software as well as automation. Analysts can integrate their preferred tools and scripts for tighter operation and automate hugely valuable functions such as: search and scan endpoints for IOCs and malware; query and set file and application reputations; and apply policies, tag systems, move groups and trigger actions for managed systems via the centralized control and policy management of McAfee ePolicy Orchestrator.

In addition to these community resources, the number of independent software vendors supporting DXL has increased 60% since the 2016 RSA Conference. I’m especially pleased to see vendors like TrapX and Check Point publishing rich forms of threat intelligence (deception and IP/domain/URL reputation, respectively) to improve the capabilities of other applications connected to the DXL communications fabric. As a real-time messaging fabric, DXL offers the ideal place for this exchange of data and service requests.

Services for the SOC

Finally, to help fulfill the need for third party service providers and expertise, McAfee’s Professional Services team has expanded its SOC lifecycle services with a new virtual SOC program. Foundstone Threat Researchers can supplement existing enterprise capabilities with analyst and threat hunter expertise, capacity, and 24/7 coverage. These services add on to emergency incident response, penetration testing, strategic program development, and education services that bring proven expertise to any enterprise.

All of these capabilities will help security operations teams expedite the detection and correction processes. And importantly, they will build in structural support for the long term—improving organizational agility to adapt to the deluge of new threats and requirements. An open and automation-centric design connects controls and operations to feed better protection back into policies, processes and countermeasures in a threat defense lifecycle.
