How Lastline Uses NDR to Help SOCs Fulfill Their Main Objectives
The SOC is a central element of your digital security strategy. One reason is that you rely on your SOC to perform so many vital security functions. For example, 84% of respondents told Ponemon Institute in a recent study that the SOC is important to them because of its role in minimizing false positives—nearly equivalent to the 83% of study participants who valued their SOC for its threat intelligence reporting. Not too far behind, the function of monitoring and analyzing alerts tied with intrusion detection at 77%. These capabilities just barely beat out automation and machine learning (74%), agile DevOps (73%), threat hunting (71%), and cyber forensics (69%).
Despite these important objectives, many SOC teams get bogged down with unproductive activities that pull time away from larger goals. In this post, I’ll explain how technology can improve the productivity of your security analysts, whether you’re outsourcing some of the work or managing it all in-house.
The Multifaceted Challenge of Managing a SOC
Making your SOC work efficiently doesn’t come without its challenges. First, SOCs tend to be incredibly complex to manage. Nearly three quarters (74%) of respondents said as much to Ponemon in its study. It’s therefore no wonder that only half (51%) of respondents were confident in their organization’s ability to detect attacks.
Second, staffing issues oftentimes constrain the work of a SOC. Ponemon found that the typical analyst left after just 27.2 months, forcing organizations to spend an average of eight months finding and training a replacement. In response to such a rapid turnover of analysts, more than half (51%) of study participants decided to outsource some or all of their SOC needs instead of having to continually hire more security analysts.
Using Lastline to Achieve SOC Objectives
It’s not hard to find the motivation for outsourcing your SOC at the expense of hiring and investing in your SOC analysts. But outsourcing doesn’t mean you don’t still need an in-house security team, or that it plays any less important a role. Your analysts are the ones who do the heavy lifting when it comes to investigating security incidents, after all. Even if you decide to hire an MSSP to augment your in-house team, you can also improve the productivity of the team you have in-house by investing in technology that will enable the SOC to achieve its main objectives, as identified in Ponemon’s study.
Let’s examine how the Lastline Defender Network Detection and Response (NDR) platform can do just that by examining its impact on the three most important SOC analyst roles, as reported by Ponemon: minimizing false positives, reporting threat intelligence, and monitoring and analyzing alerts.
Minimizing False Positives
It might be the case that you use network traffic analysis tools to monitor your networks for anomalous behavior. That’s a good thing in general. But as we noted in a previous blog post, some of these solutions use only unsupervised machine learning to profile their operators’ networks and identify anomalies. This functionality can unnecessarily bog down your SOC analysts with false positives considering that not all anomalies are necessarily malicious. Similarly, IDPS solutions are known for generating an excessive volume of false positives.
To counter this waste of time and resources, Lastline Defender minimizes false positives by using both unsupervised and supervised machine learning. Lastline’s deep knowledge about malicious behaviors plus the addition of supervised machine learning means Lastline’s NDR capabilities can distinguish between malicious anomalies and benign ones. The solution can then focus your SOC analysts’ efforts on investigating those alerts that are most likely to be real threats before they bloom into full security incidents.
Threat Intelligence Reporting
Lastline’s Global Threat Intelligence Network (GTIN) keeps its customers abreast of the latest digital threats. Through this network, we share with customers the malware characteristics, behaviors and associated IoCs of every object analyzed by Lastline and our partners. This type of intelligence sharing can help you detect and learn about emerging threats more quickly, thereby setting up automated responses and speeding the time it takes for you to respond to malicious activity.
Not only that, but Lastline’s GTIN provides the foundation for your security team’s threat hunters to investigate malicious code seen in the wild. They can use the GTIN to specifically obtain global context about the code. That includes learning of attack types, frequency of attacks, and the reuse of code from any ongoing malware campaigns.
Monitoring and Analyzing Alerts
As discussed above, Lastline’s use of both supervised and unsupervised ML takes care of the issue of false positives. But there’s also the issue of false negatives. You don’t want to overlook an alert that could be an indication of a brewing security incident.
Lastline Defender takes care of the issue of false negatives in two ways. First, it uses its GTIN to provide customers with relevant threat intelligence so that they can do a better job of detecting real threats. But reputation and threat intelligence only go so far. That’s why Lastline’s solution doesn’t look at an individual organization’s alerts in isolation but instead connects related notifications together into incidents, which is the second way in which we minimize false negatives. We detect what other solutions miss. And you can use our high-fidelity visibility to track the entire attack chain across its separate stages and quickly take the appropriate remediation steps, thereby minimizing the likelihood of a successful breach.
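As an added illustration of the alert-chaining idea described above (example code written for this post, not Lastline Defender’s own logic), the sketch below groups per-host alerts that fall within a time window into incidents and scores each incident by how many distinct attack-chain stages it spans, so that a single low-confidence alert is deprioritized while a chained sequence on one host is surfaced. The stage names, the window length and the sample alerts are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative attack-chain stage order (an assumption, not a vendor taxonomy).
STAGES = ["delivery", "exploitation", "c2", "lateral_movement", "exfiltration"]
WINDOW = 3600  # seconds; alerts on one host within this gap join the same incident

@dataclass
class Alert:
    host: str
    ts: int      # epoch seconds
    stage: str
    detail: str

@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)

    def stages(self):
        # Distinct stages seen on this host, in attack-chain order.
        return sorted({a.stage for a in self.alerts}, key=STAGES.index)

    def score(self):
        # More distinct chain stages on one host means higher confidence.
        return len(self.stages())

def correlate(alerts, window=WINDOW):
    """Chain each host's alerts into incidents when consecutive alerts are <= window apart."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    incidents = []
    for host, items in by_host.items():
        current = Incident(host, [items[0]])
        for a in items[1:]:
            if a.ts - current.alerts[-1].ts <= window:
                current.alerts.append(a)
            else:
                incidents.append(current)
                current = Incident(host, [a])
        incidents.append(current)
    return incidents

def triage(alerts, min_score=2):
    """Return only incidents spanning at least min_score distinct stages."""
    return [i for i in correlate(alerts) if i.score() >= min_score]

# Constructed sample alerts: ws-17 shows a chained sequence, ws-42 two isolated events.
SAMPLE = [
    Alert("ws-17", 1000, "delivery", "macro-enabled attachment opened"),
    Alert("ws-17", 1600, "c2", "beacon to rarely seen external host"),
    Alert("ws-17", 2900, "lateral_movement", "unusual SMB logon to file server"),
    Alert("ws-42", 1200, "c2", "single DNS anomaly"),
    Alert("ws-42", 9000, "delivery", "unrelated attachment opened"),
]
```

Running `triage(SAMPLE)` returns only the ws-17 incident, whose three chained stages stand out even though each alert on its own might have been dismissed as an anomaly.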
Whether you have a fully staffed SOC team or you outsource the first line of defense and use your in-house analysts for escalation, investigation, and threat hunting, Lastline Defender can make your team more productive and more effective.
Learn more about how Lastline’s NDR platform can help your SOC achieve its objectives and improve the cyber security of your organization.
Latest posts by John Love