Automation for detection (not prevention) in a SOC will be our savior.
The world must steadily move towards better detection techniques and technologies rather than investing ever more in "prevention". The recent run of sophisticated attacks has shown that no matter how robust we think our prevention investments are, enterprises are going to be breached. Security practitioners have started to realize not only that breaches keep happening but that the time to detect them (dwell time) has been increasing. The SolarWinds-related compromise proved this again and showed how much more sophisticated attack techniques are becoming. The key to success is better detection, delivered with agility.
However, more detection signals are not what is needed. The signals are already there; what is missing is the right stories being built from them. If the right signals were compiled automatically into stories, or 'scenarios', then, as an example, APT29-related techniques could be detected continuously: even if individual techniques or sub-techniques were swapped for a particular campaign, the overall scenario would still tell the story of a potential breach and reduce the time to detect it. This is the importance of continuous coverage (measured against the MITRE ATT&CK framework, for example) and of consistently building attack-pattern detection scenarios from individual signals rather than alerting on each signal in isolation.
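To make the scenario idea concrete, here is a small correlation engine, added as an illustration and not code from the original post or from Anvilogic. It takes atomic signals that have already been mapped to an ATT&CK tactic and technique, groups them per host inside a time window, and raises one scenario alert when enough distinct tactics appear. The signals, field names, scenario definition and thresholds are all constructed for the example; the technique IDs are real ATT&CK identifiers but the events are not real telemetry. The second function shows the contrast with a single-technique rule: swapping a sub-technique silences the per-signal rule but leaves the scenario intact.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signals (not real telemetry). Each is one atomic detection
# already mapped to an ATT&CK tactic and technique. Field names are assumptions.
SIGNALS = [
    {"ts": "2021-01-10T08:02:00", "host": "ws-17", "tactic": "initial-access",      "technique": "T1078"},
    {"ts": "2021-01-10T08:05:00", "host": "ws-17", "tactic": "execution",           "technique": "T1059.001"},
    {"ts": "2021-01-10T09:30:00", "host": "ws-17", "tactic": "command-and-control", "technique": "T1071.001"},
    {"ts": "2021-01-10T11:00:00", "host": "ws-17", "tactic": "lateral-movement",    "technique": "T1021.002"},
    # Noise on another host: a lone execution signal must not become a scenario.
    {"ts": "2021-01-10T09:00:00", "host": "ws-42", "tactic": "execution",           "technique": "T1059.003"},
]

# Hypothetical scenario definition: which tactics belong to the story, how many
# distinct ones must be seen, and within what window. Thresholds are illustrative.
SCENARIO = {
    "name": "multi-stage-intrusion",
    "tactics": {"initial-access", "execution", "persistence",
                "command-and-control", "lateral-movement"},
    "min_tactics": 3,
    "window": timedelta(hours=24),
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_scenarios(signals, scenario):
    """Correlate per-host signals into scenario alerts.

    For each host, slide a window over the time-ordered signals; when the window
    covers at least `min_tactics` distinct tactics from the scenario, emit one
    enriched alert carrying every contributing signal. Matching is done on the
    tactic, so changing which technique produced a stage does not break the story.
    """
    by_host = defaultdict(list)
    for sig in signals:
        if sig["tactic"] in scenario["tactics"]:
            by_host[sig["host"]].append(sig)

    alerts = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: parse_ts(s["ts"]))
        for i, first in enumerate(sigs):
            start = parse_ts(first["ts"])
            window = [s for s in sigs[i:]
                      if parse_ts(s["ts"]) - start <= scenario["window"]]
            tactics = {s["tactic"] for s in window}
            if len(tactics) >= scenario["min_tactics"]:
                alerts.append({
                    "scenario": scenario["name"],
                    "host": host,
                    "first_seen": first["ts"],
                    "last_seen": window[-1]["ts"],
                    "tactics": sorted(tactics),
                    "techniques": sorted({s["technique"] for s in window}),
                    "signal_count": len(window),
                })
                break  # one alert per host per scenario; the alert carries all signals
    return alerts


def single_technique_hosts(signals, technique):
    """The per-signal rule the scenario is contrasted with: fires only on an exact technique."""
    return sorted({s["host"] for s in signals if s["technique"] == technique})


def swap_subtechnique(signals, old, new):
    """Simulate an attacker changing one sub-technique (e.g. PowerShell to cmd) between campaigns."""
    return [dict(s, technique=new) if s["technique"] == old else s for s in signals]


if __name__ == "__main__":
    import json
    print(json.dumps(build_scenarios(SIGNALS, SCENARIO), indent=2))
    changed = swap_subtechnique(SIGNALS, "T1059.001", "T1059.003")
    print("single-technique rule after swap:", single_technique_hosts(changed, "T1059.001"))
    print("scenario after swap:", [a["host"] for a in build_scenarios(changed, SCENARIO)])
```

The scenario alert is what the threat hunter or responder receives: it already lists the stages, the contributing techniques and the time span, so the enrichment step that is manual in most SOCs happens as part of detection. In a real deployment the tactic mapping would come from the use-case metadata of each signal, and the per-host key would typically be widened to a user or an asset group.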
So why has this not been achieved already?
The theory of better detection is not new. But SOCs are constantly performing mundane, and sometimes difficult, manual operations: understanding the landscape, setting priorities, designing use cases, on-boarding data sources, implementing those use cases, and enriching alerts for threat hunters and incident responders. These tasks are heavily manual today and involve many people, whether consulting services or FTEs. SIEMs and the other tools in a SOC provide the substrate but do NOT automate the manual work. SOC teams are constantly deluged by backlogs of use cases, and the art and science of building them out is painstaking: it requires programming and tool skills, coordination, multi-team hand-offs, manual enrichment, and fatigue-inducing eyeballing in the name of threat hunting. What is missing in today's SOC is automation, and the lack of it stands in the way of better detection. Security domain experts must be able to run detections automatically without spending inordinate hours programming, operating tools, or normalizing data, and without rebuilding each use case from scratch because nothing is modular or repeatable. Automation is therefore key to bringing agility and freeing up security experts' time, so that they can focus on the 'scenarios' that reveal attack patterns.
Prevention alone is a pipe dream. A respectable level of prevention across an enterprise has never been achievable, and recent attacks have shown that an enterprise cannot continue to invest mainly in prevention technologies and processes. Far more innovation must go into automating detection and adding depth to it, and SOC teams must be able to navigate evolving detection scenarios with agility, while providing
1) threat hunting teams with rich attack and compromise indicators, with context across the stages of the attack, and
2) response teams with the best enriched and most actionable alerts for triage, investigation and resolution.
AI-assisted automated detection is the future. Without it, SOCs will fail to protect enterprises and will continue to flounder when compromised, as happened during the sophisticated SolarWinds attack, which persisted inside some of the best-defended environments for over 6 months before it was discovered. We will discuss AI-assisted automated detection in more depth on our blog soon.
For an in-depth example of automated detection engineering, and the richer threat hunting and response experience it produces, using the SolarWinds attack as context, read: https://anvilogic.medium.com/solarwinds-supply-chain-compromise-is-it-impossible-to-detect-d6a98d46c007.