How to Harden Defenses With Security Analytics in Security Operation Centers (SOC)

Your machine data has a record of all of the activity that takes place across your infrastructure. It’s become the single most valuable asset in the enterprise, as the secrets to business optimization lie within the scores of microtransactions, including the ability to detect, investigate and respond to threats. And let’s be real: the stakes are high. Some of the largest, most profitable companies in the world have been brought to their knees by malware that might have been detected with better tools.

How to Harden Defenses With Security Analytics in Security Operation Centers (SOC). Image: ShutterStock
How to Harden Defenses With Security Analytics in Security Operation Centers (SOC). Image: ShutterStock

Bottom line? It’s time to step up your security game. If you don’t have actionable insights to detect and respond to emerging and current threats, you’re not reaping the rewards of modern security information event management (SIEM) technology. Find out what you (and your SIEM) are missing and how to harden your defenses.

Read on this article and discover how to:

  • Strengthen your defenses with real-time monitoring, user behavior analytics, security orchestration, automation and response (SOAR).
  • Maintain and evolve SOC rules to better detect and respond to the changing threat landscape.
  • Execute best practices for investigations, and automate effective response actions based on recommended guidance.

Content Summary

The Elephant in the Room: Alert Fatigue The Nirvana Solution: The Analytics-based Approach Enter Splunk Rubber, Meet Road Let’s Face It: You Need More Days Off

The answer lies in security information and event management (SIEM) technology, which was developed to mine, aggregate, analyze and act on insights generated by systems, devices, and interactions. Two and a half quintillion bytes of this type of data is now produced daily, which makes it impossible for humans to sort, filter, visualize and analyze it. Even if you can spot some obvious trends, it may be nearly impossible to give context to or correlate them with other events, which is necessary to detect active threats. SIEM technology makes easy work of analyzing all this data, offering real-time monitoring, correlation, pattern recognition, alerting and automated investigation and response.

The Elephant in the Room: Alert Fatigue

Without a SIEM, security operation centers (SOCs) have to use a combination of tools that typically can’t communicate with one another. This causes the SOC analyst to receive too many alerts from disparate systems, including a high number of false positives. Without additional context, it’s almost impossible to identify suspicious events. To make matters worse, when the analyst is successful in uncovering an attack, remediation requires a number of steps across an equally large number of tools and systems.

There’s another factor at play as well. Without SIEM, SOC personnel rely on incomplete data sets and backward-looking, temporary indicators of compromise (IOCs). By the time they’re aware of the IOCs, it’s probably too late — the attackers have changed IP addresses, spoofed a new geographical location, etc.

The bottom line is that it’s a hot mess — one that leaves all too many organizations vulnerable to attack.

The Nirvana Solution: The Analytics-based Approach

Because a SIEM can analyze data in real-time, it encourages a new, forward-looking approach.

Take phishing, for starters, which is almost always initiated via email. There’s a wide range of phishing tactics: spearphishing (targeted phishing), whaling (impersonating an important person to target a high-value prospect), filter evasion (using images or hidden text to escape detection by email filters), email spoofing and more. This variation adds complexity to the equation.

Imagine a scenario where you become aware of phishing attacks perpetrated by a group of crypto miners. Maybe you get some IOCs, like domain names and email addresses.

Without a SIEM, you’d have to look for suspicious events that met a specific set of criteria (your IOCs). But if IOCs were all you had to detect malicious activity, your efforts would be in vain. It’s unlikely they’d reuse the same domains or email addresses since that would be an invitation to be caught. So what would you do next? You can’t read through a gazillion email addresses to try to discern which one might be spoofed, or screen for every suspicious attachment.

Now, let’s take a look at how an analytics-based approach, enabled by a SIEM solution, might work in the same situation. You’d start by thinking about the “how” of the attacks rather than the “what” (i.e., the specific emails or file names involved). The aim would be to identify activities that, by themselves, might not indicate there’s a problem, but which present a concern when discovered in concert with other events or behaviors.

Let’s assume that the email has passed through your initial defenses. By itself, that’s not too concerning. There are plenty of reasons why an unusual email might arrive in your environment. But what if your SIEM solution was able to match the email’s characteristics with the facts that 1. this email sender had never been seen before, 2. multiple people in the organization — all in the same department — received the email, 3. many of the recipients visited the same URL (one that has been classified as malicious) and 4. there was an endpoint event involving suspicious process execution on one of these user’s machines? Now it’s getting interesting. To take it one step further, imagine you could investigate more deeply (without manual intervention) and, if the event does appear suspicious, automatically quarantine the file attachment and block the URL.

Finally, imagine that instead of getting dozens (or hundreds) of alerts, you received only ONE, augmented by the detail above? Think your analysts might be able to take a few more lunch breaks? You know it.

Enter Splunk

Splunk for Security is an end-to-end SIEM solution that provides you with real-time monitoring, user behavior analysis, security orchestration, automation and response (SOAR).

The following are its components:

Prerequisite — Splunk Enterprise: The granddaddy of them all. Splunk Enterprise ingests and analyzes machine data across your environment. It doesn’t matter if the data is structured or unstructured, streaming or static. It can come from both your on-premises servers and from the cloud. No matter where it comes from or the form it takes, Splunk can handle it.

Splunk Enterprise Security (ES): This premium solution is designed to provide end-to-end visibility into your security posture. It also offers frequent content updates (via a free app called Enterprise Security Content Updates, or ESCU), which include security analytics guides authored by Splunk’s security research team. These guides provide context and background on common attack techniques, as well as out-of-the-box (OOTB) searches that help you detect, investigate and give context to evidence of suspicious behavior. Each guide is mapped to the MITRE ATT&CK framework, Lockheed Martin Cyber Kill Chain and CIS controls.

Splunk User Behavior Analytics (UBA): This premium app uses machine learning to monitor your user entities — helping you discover abnormalities and unknown threats that traditional security tools miss.

Splunk Phantom: SOAR is the final piece of your security workflow. Splunk Phantom can execute a series of actions — from detonating files to quarantining devices — across your security infrastructure in seconds (versus hours, if performed manually). You can codify your workflows into automated Phantom playbooks using a visual editor or the integrated Python development environment.

Rubber, Meet Road

Splunk for Security (see the sidebar above to review the product portfolio’s components) provides continuous visibility and real-time monitoring across the enterprise. Machine learning (ML) capabilities, user behavior analytics, and automated playbooks for investigation and incident response help this powerful SIEM solution turn the chaos of meaningless alerts into relevant, actionable intelligence.

But, even with the best SIEM or security analytics solutions, one of the biggest challenges is maintaining and evolving SOC rules to better detect and respond to the changing threat landscape. Splunk’s Enterprise Security Content Updates (ESCU), a free subscription service, was designed to assist with this effort. It provides “Analytic Stories,” security guides that include narrative background on attack techniques and threats, accompanied by Splunk searches, ML functionality, and Splunk Phantom playbooks. These powerful components work together to help you detect, investigate and respond to signs of threats in your environment. Periodic updates help you continually uplevel your defenses.

Analytic Stories are complements to traditional indicators of compromise (IOCs), which are lagging and often ephemeral. By the time you detect them, attackers have usually changed their URLs, IP addresses and other artifacts, making the IOCs obsolete. In contrast, ESCU helps you monitor for common/perennial adversary tactics and techniques. Once you’ve identified signs of these threats in your environment, you can use investigative searches and playbooks to help you decide whether to investigate further. You can automate your response with Phantom playbooks, as well.

Ultimately, Splunk’s security content helps organizations quickly build an understanding of threats in their environments, execute best practices for investigations, and automate effective response actions based on recommended guidance.

Here’s how it works:

Step 1: Detect

As explained earlier, Splunk ES provides you with Analytic Stories that contain context on the attack technique (or actor/specific piece of malware, etc.), as well as a number of detection, investigative and contextual searches. These guides explain what data you need to get the desired results, as well as how and when to use these searches. Splunk UBA employs algorithms that become more sophisticated over time as it learns the customary user behavior patterns in your environment. Together, this is an unprecedented solution for detecting threats.

Figure 1: The narrative and detection search featured in an ESCU Analytic Story about defending against phishing frameworks.
Figure 1: The narrative and detection search featured in an ESCU Analytic Story about defending against phishing frameworks.

In our example, say that Splunk UBA detects an email with the subject line “Sorry this invoice is late!” that’s been sent to everyone in the accounting department by vendor-ar@staplespay.com between 10 a.m. and 2 p.m. today. The domain “staplespay.com” has never been seen before, according to our logs. Splunk UBA also finds an anomaly where there are potential downloads from a malicious site. Splunk ES correlates these outliers with the discovery that the email’s attachment contains several spaces in its name. The analyst receives this information as a single notable event. Time for a closer look.

Step 2: Investigate

While you may know that the events you’ve detected might be suspicious, you’ll still need more context. For example, you know the factors that you’ve flagged are only important if they occur in a certain order. If the downloads occur before the arrival of the email, it rules out the possibility that the email was the attack vector. You can use the searches and Phantom playbooks in a Splunk Analytic Story to do this.

Figure 2: Investigative searches help you dig deeper into the results of ESCU's detection searches.
Figure 2: Investigative searches help you dig deeper into the results of ESCU’s detection searches.

Step 3: Respond

At the end of the day, your goal is to protect your environment from suspicious activity. Analytic Stories are powerful weapons here, as well. You can use them to kick off any of hundreds of preprogrammed actions or Phantom playbooks. (Of course, you can also create your own playbooks, as well.) For example, in our phishing scenario you could use a Phantom playbook to quarantine the machines of users who clicked on the URL or to block the URL in the proxy.

Figure 3: A Phantom playbook that investigates domain names and URLs of potentially malicious websites. Results are formatted, combined, and posted to the event comments to assist response.
Figure 3: A Phantom playbook that investigates domain names and URLs of potentially malicious websites. Results are formatted, combined, and posted to the event comments to assist response.

Let’s Face It: You Need More Days Off

At the end of the day, the promise of data analysis and automation is to make better decisions based on insights derived from the largest sample sets in the shortest amount of time. Data is your company’s biggest asset, and the volume you collect requires processing that no army of humans can provide. A robust SIEM solution is your ticket to continuous monitoring, real-time detection, investigation and automated response.

If your company is looking to build or upgrade its SIEM, we invite you to take a look at Splunk for Security and to complement it with content from ESCU. This content will become the lifeblood flowing through your SOC, turning what was once manual and incomplete into something much more automatic and effective.

Source: Splunk