Get prepared for the worst outcome while keeping up with the ever-changing business priorities
Narrow your scope, rationalize threats, and understand false positives relative to your business and make sure to know your adversaries, are just a few of the takeaways Matt Johnston, Senior Manager Security Operations, at Rubrik discussed with Jade Catalano, Director of Product Marketing, Anvilogic in the recent webinar, “Build Your Security Operations for the Long Haul Proactive Security Starts with Detection.”
Johnston has been in the security game for 21 years. In his time, he has seen things change a lot, whether it’s how to determine the right priorities based on unique environments and the always-changing threat landscapes, dealing with false positives and alert fatigue, or how to understand your adversaries.
He also talked about how SIEMs didn’t necessarily let security professionals/industry down. More so, we let ourselves down by how we allow/ed the SIEM to start to take on roles it wasn’t meant to do. Along with discussing how to simplify security instead of adding complexity and one of our favorites for obvious reasons, how great he finds the Anvilogic platform - no topic was off the table.
You Don’t Need to Solve for Everything
As a security practitioner, Johnston understands that it can feel like you need to solve for everything and detect all the things. The false positives are coming at you and the feeling of needing to solve for all of them, i.e., alert fatigue. Johnston’s advice on this is not to try to solve everything. Instead, narrow your scope in response to your adversaries’ behaviors and business needs.
It is because of this idea he finds the Anvilogic platform so valuable. Unlike the current and even “next-gen” SIEM’s today, which he understands many feel “failed us.” In his opinion, “we failed ourselves by not doing the due diligence of resourcing the solutions and using them in the right and thorough way.” He feels that the Anvilogic platform can help with this gap.
“The Anvilogic platform helps accelerate our critical threat detection based on our data sources and predefined assessment unique to our business needs and threat landscape.”
He appreciates the library of use cases and the list of recommendations, Anvilogic provides, relevant to your business and ready-to-deploy within minutes. Anvilogic detections enable security operations/security operations centers (SOCs) to have quicker, more mature, systematic, and precise detection scenarios based on sequences and behavioral patterns of an attack, not just an IOC. Taking this approach can help to enable the majority of the framework to be covered from an alert perspective by taking the “content and recommendations out of the box,” which he appreciates.
Start viewing false positives as an essential piece of the puzzle and using them as tools
Unlike a lot of people, Johnston “loves false positives”, he loves them because false positives can become incredibly useful when you don’t consider them the end-all-be-all of what is going on in an environment. Leveraging false positives more like a “witness” to something that may or may not happen within an environment. Using the false positive (“witness”) to see a sequence of threat behaviors and create a narrative helps make it easier to determine how to best go after it relative to the business.
The need to better understand our adversaries has changed
In order to gain better knowledge to hunt for our adversaries, it takes time, practice, years of learning, and the ability to evolve. Adversaries have gotten excellent at “hiding in the noise and living off the land using common tools and resources within our environments against us. The game has shifted and the right way to think about this is where are we at today and how is it subject to change in the future and making sure we’re able to look for those behaviors.” This is why it is possible to view false positives as just a “data source”. Then it’s up to the team to be able to determine from that IDS and the perspective of the environment the false positives can answer questions needed for different use case scenarios and to plan for how adversaries could pose a threat.
What is Missing?
Those being tasked with the question of “what are the gaps and what are we missing?”, Johnston believes this is where the Anvilogic platform can help. By using the data and information unique to each environment, threat landscape, and priorities can help to determine data needs, data types, normalization, recommendations, and more to show what is missing. Using Anvilogic helps to make it easier for security practitioners to point to the information and confidently say they can improve the capabilities, and so “the platform, feeds the strategy.”
Although there was a lot of ideas discussed, wrapping it all up with three main points would be:
- Focus on who your adversary is and determine priorities from there that align with the business objectives
- Don’t try to solve all the things, because it is an impossible mission
- Know who you are as an organization and ask yourself: What are our nuances? What’s the company culture and value and how security strategy is integrated What things are you going to allow that you may have to solve as a security function, that you might not be prepared for? How are you aligning your security mission to the overall company mission? Can the company view and depend on security as an enabler of the overall mission? (Goes back to #1- understanding your adversaries)
As always, we appreciate talking “security shop” with our awesome customers and know there is never enough time and so many other topics to cover.
You can check out the webinar, and please continue to follow for more webinar chats.
If you’re interested in learning more about how the Anvilogic Platform can help your organization with the latest threats and vulnerabilities, like Log4j CVE-2021-44228