Why do companies perform weaker in Response?
As you can read in another blog post from earlier, SOCWISE developed a framework for measuring the maturity of Security Operations activities. We created the questionnaire in RSA Archer GRC tool, then filled it together with several organizations, then evaluated (semi-automatized) them.
Based on the framework result data, in this post we highlight the area where most interviewed organizations have serious challenges in reaching a good performance. Hereby you can read short suggestions how you can be more effective.
Lessons learned via Detect & Response Maturity Assessments and our advice
Weaknesses based on NIST CSF recommendation
In the assessment we compare actual performance to functions and capabilities defined in NIST Cyber Security Framework. Then we propose practical development steps and action items based on RSA ASOC characteristics to enable companies to reach better results.
NIST CSF defines 5 main capabilities in establishing a well performing cybersecurity team. We need certain capabilities to be able to:
- Identify what to protect and the priorities,
- Protect, by building the right defense architecture,
- Detect to recognize adversarial or unwanted cyber activities,
- Response adequately to those detected anomalies, to minimize harm on the network
- Recover as quickly and fully as possible to minimize damage caused by an incident
What we experienced after evaluating a series of results, that the Response capability is the CSF domain where most firm shows lack of preparedness.
Of course, the weaker areas alter by each company, but there are some incompletions which form a revealing pattern. In the followings we enlightened the most common ones.
- We observed that there are many who still not utilize the central SIEM to analyze network packet traffic.
- Although the event data is gathered from various sources, the aggregation and deduplication of collected packets, or more importantly the correlation and further analysis are not performed.
- To monitor network traffic usually logs are collected from different tools (usually IDS, IPS, FW or proxy tools), but we found that collecting from DMZ and server VLANs is rare.
- Where such a practice is in use, it is still a limitation that User Behavior analytics results and software whitelist logs, alerts are not fed into SIEM, so it is not obvious that they can follow activities going on at these checkpoints
- In spite that user behavior activities are monitored to detect potential cybersecurity events, detection rule set up for fraud type of VERIS categories was hardly observed
- We also missed third-party policy violation use cases to be applied
Naturally it’s very useful to be aware of the vulnerabilities of all our monitored assets and if there’s a suitable patch available. These information details shall also be fed into the SIEM for data enrichment purposes. However, we record that although most of these companies perform regular vulnerability assessments, the results are not used to enrich SIEM data – and thus they lose a useful tool to speed up their response process.
And finally, Red / Blue / Purple Team exercises are not performed regularly at most of these enterprises, so they also miss a huge potential to test and develop their Response-readiness against real adversaries.
Fighting weaknesses according the RSA ASOC framework
We usually advise mitigation actions using RSA ASOC (Advanced Security Operations Center) characteristics, which are based on internationally utilized and proven best practices. These characters tell us, that if the goal is to achieve an effective cyber defense, then we shall:
- align the business mechanisms with risk management processes
- have accurate information about our current assets to be protected
- create appropriate content (rules, use cases) among detection technics
- develop a well performing security operations team, which is entitled to respond in case of a cybersecurity incident
- forecast the threats based on solutions with sophisticated analytics capabilities
When creating the security capabilities, we need to build up defense processes with careful respect to relevant risks for the protected organization, the articulated needs of the company and the business requests.
In many cases we find that managing incidents are not considered to be consistent. We often suggest defining more accurately the relevant processes and applying regular control to check their proper usage.
To be effective in incident response it is also crucial to have an insight into the information assets, as well as into the systems which process, store and transfer them. We need to be aware what events occur within these systems too. The team which is responsible for cybersecurity incident identifying and response in many cases has no clear, unified view over all relevant events. Because of that the recognition of such incidents is partial or delayed at numerous systems. We often propose to harmonize operations by establishment of a consolidated monitoring team.
To maintain our detection and response effectiveness it is always important to have an up to date view over the vulnerabilities of our information processing systems. We also need a focused picture about the actual threat landscape and attacker trends. In the above cases we usually advise implementing consistent vulnerability and threat management processes. What is also great way to develop is to build up a performance measurement framework by which you can regularly tune your operations based on repeatable metrics.