A Day in the Life of a SOC Analyst Just Got Better

SOC Visibility Triad

SIEM and EDR Are a Good Start, But…

When an organization is starting out with a SOC, it typically implements Security Information and Event Management (SIEM) first. As the SOC matures, it adds Endpoint Detection and Response (EDR).  While this combination improves security, the day in the life of a SOC analyst is still stressful since there are so many false positives to investigate. In fact, many analysts are demoralized by the constant flood of misleading alerts.  There are two main reasons this is happening:

  • Inaccurate security rules/heuristics/algorithms: In this case, security products incorrectly identify certain behaviors on the endpoint and the network as malicious and raise an alert.
  • Correct security rules, but incorrect business/environmental context: The security alert is valid – the behavior observed by the security product could have been malicious, but when observed with a business context lens, the alert is a false positive.

Even worse, real threats are being missed which adds to analyst stress since they want to keep their organizations safe. Threats go undetected because they are either getting lost in a firehose of false positives or analysts can’t see them due to blind spots in network visibility. Seeing threats on the network has grown in importance as infrastructure has evolved far beyond endpoints within a well-defined perimeter to include a diverse mix of Bring Your Own Device (BYOD), Internet of Things (IoT) and public cloud deployments. Plus, organizations are providing suppliers, partners and service providers with greater access to their network which leaves them more likely to experience a cybersecurity breach through vulnerable third parties.

The SOC Needs to Add NDR

All of the above factors help to explain why, according to the SANS Institute, EDR detects only 26 percent of initial vectors of attack. The analyst needs his SOC to evolve to include the next tier of security that will provide additional visibility and context needed to accurately detect and contain threats: enter Network Detection and Response (NDR).

Gartner recommends that, “Your SOC triad seeks to significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals. Logs, endpoint data and network data provide full visibility of the environment and reduce each other’s weaknesses. Using them together severely reduces the chance that an attacker can evade you for extended periods of time.”

This SOC Visibility Triad, as shown in the diagram below,  consists of:

  • SIEM/User and Entity Behavior Analytics (UEBA)
  • EDR
  • Network-centric detection and response (Network Traffic Analysis (NTA), Network Forensics Tools (NFT) and Intrusion Detection and Prevention Systems (IDPS).

 

Learn About the Benefits of a Triad Strategy

Download our new eBook, A Day in the Life of a SOC Analyst: Before and After a Triad Strategy, to learn how NDR together with SIEM and EDR makes life a lot easier for the SOC analyst.  You’ll learn how it delivers on several dimensions required in a modern-day SOC.

Mustafa Rassiwala

Mustafa Rassiwala

Rassiwala has more than 10 years of experience in security product management, building DLP, SIEM, security analytics, fraud management and network security products. He has proven success at many companies including RSA, Symantec, HPE (ArcSight) and startups such as ThreatMetrix, Platfora and JASK. He has also held engineering roles at EMC/Documentum.
Mustafa Rassiwala