BOM is for SOC

SOC teams in many organizations are unsung heroes, constantly on the front line detecting and responding to cyber-attacks. If the function works well, you will not hear about them. If it does not work well, you will still not see them. Most senior leaders and engineers do not even know them. (When was the last time you made the acquaintance of a SOC analyst?)

"The primary goal of a cyber security programme is to prevent attacks." Most SOC teams, however, are not given the resources and information they need to prevent anything actively. The function is therefore permanently on the back foot, limiting the damage from attacks that have already bypassed the preventative security controls.

This Cybersecurity Awareness Month, let's discuss how a Bill of Materials can help the SOC teams in your organization become more proactive and more effective.

SOC Operating Model

The operating model is the foundation for designing a suitable SOC function: it identifies the assets, their threat profiles and threat models, and the impact of their compromise. Detailed information about the assets and their business context is critical, since not every asset demands the same level of protection and response. The asset information collected and shared must be structured, verifiable and consistent so that it can be used to determine the appropriate security controls, the attack surface and the threat models.

The CycloneDX Bill of Materials standard is purpose-built to capture the full stack: hardware (HBOM), operating environment (OBOM), software (SBOM) and cryptography (CBOM), through to services and data (SaaSBOM). Standardizing on a single specification and data format reduces errors in collecting and processing the inventory, and with them the risk of acting on wrong or missing data.

SOC Functions

Below are some core functions that are part of the operating model.

  • Threat Intelligence
  • Engineering
  • Vulnerability Management
  • Incident Management
  • Insider Threat

All these functions require precise, machine-readable information to operate efficiently. One benefit of a specification such as CycloneDX is the ecosystem of commercial and open-source tools that already support it. Our marketplace lists compatible tools for threat intelligence, vulnerability management and engineering that are certified and ready to deploy.

Consolidating on a single specification such as CycloneDX also improves operational efficiency: fewer formats for staff to be trained on, and fewer tool integrations to build and maintain.

Onboarding

Onboarding of systems, assets and data (commonly referred to as the estate) is a continuous process that brings new assets and data classes into scope for the SOC. When an organization first establishes a SOC function, onboarding is often limited to common log sources, which seriously constrains the level of protection the SOC can offer. To mature further, onboarding should also include a detailed description of the software, its components, its services, its endpoints and the flow of data between them, an area where the CycloneDX BOM standards shine.

SBOMs and SaaSBOMs help correlate and make sense of the data from the log sources. They give analysts prior knowledge of what normal and problematic data should look like, which improves detection approaches and reduces the need for large-scale data mining. Without such correlation, SOC analysts and their tools must mine, watch and learn, which is time-consuming and error-prone.

The list of components captured in SBOMs is also essential for threat modelling, incident response and root-cause investigation. By automating SBOM collection in the CI/CD pipeline, SOC teams receive up-to-date information as the IT estate evolves, without ad hoc meetings or manual form-based processes. Such detailed knowledge also helps focus and mature the threat-hunting capability, since it reduces the "unknown unknowns".

Detection Practices

Detection capability depends on a few key factors, and BOMs have a place in each of them.

Baseline comparison - Establish what 'normal' looks like from the log data correlated with the inventory of components and services.

Single pane of glass - A single platform where analysts can query and retrieve both the inventory and the log data.

False-positive triage - Structured information helps identify false positives. For example, a poorly deployed microservice could cause a traffic spike that ends in a denial of service of another system. Without the relevant BOM data, this anomaly would be indistinguishable to the analyst from an external attack.

Intelligence sharing - SOC teams can share both the inventory and the mined data, collaborating to improve the group's collective understanding.
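As an added example (not part of the original article, and not CycloneDX project tooling), the following Python script shows the correlation described in the onboarding and detection sections: it indexes the services, endpoints, data classifications and declared dependencies from a small constructed CycloneDX 1.5 SaaSBOM, then classifies constructed gateway log lines against that inventory. A call between two inventoried services with a declared dependency is the baseline; the same call from an inventoried service with no declared dependency is surfaced as a probable misdeployment rather than an attack (the false-positive case above); a caller the BOM does not know about hitting an endpoint that processes PII is escalated; and a destination the BOM does not know about is flagged as an onboarding gap. The service names, hosts, log format and the threshold of three repeated calls are assumptions made for this example.

```python
import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed CycloneDX 1.5 SaaSBOM fragment for a hypothetical estate; the service
# names, hosts and dependency edges are assumptions made for this example.
BOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "services": [
    {"bom-ref": "svc-orders", "name": "orders-api", "authenticated": true,
     "endpoints": ["https://orders.internal.example/api/v1/orders"],
     "data": [{"flow": "inbound", "classification": "PII"}]},
    {"bom-ref": "svc-pricing", "name": "pricing-service", "authenticated": true,
     "endpoints": ["https://pricing.internal.example/quote"],
     "data": [{"flow": "bi-directional", "classification": "public"}]},
    {"bom-ref": "svc-reports", "name": "reports-batch", "authenticated": true,
     "endpoints": [], "data": []}
  ],
  "dependencies": [{"ref": "svc-orders", "dependsOn": ["svc-pricing"]}]
}"""

# Constructed gateway access-log lines: "<timestamp> <caller> <url> <status>".
LOG_LINES = [
    "2024-10-08T10:00:01Z orders-api https://pricing.internal.example/quote 200",
    "2024-10-08T10:00:02Z orders-api https://pricing.internal.example/quote 200",
    "2024-10-08T10:00:03Z reports-batch https://pricing.internal.example/quote 200",
    "2024-10-08T10:00:03Z reports-batch https://pricing.internal.example/quote 200",
    "2024-10-08T10:00:03Z reports-batch https://pricing.internal.example/quote 503",
    "2024-10-08T10:00:04Z reports-batch https://pricing.internal.example/quote 503",
    "2024-10-08T10:00:05Z 203.0.113.7 https://orders.internal.example/api/v1/orders 401",
    "2024-10-08T10:00:06Z orders-api https://legacy.internal.example/v0/sku 200",
]


@dataclass
class Inventory:
    services: dict        # bom-ref -> service object from the BOM
    by_name: dict         # service name -> bom-ref
    endpoint_owner: dict  # (host, path) -> bom-ref of the service exposing it
    deps: dict            # bom-ref -> set of bom-refs it is declared to call


def load_inventory(bom_text: str) -> Inventory:
    """Index the services, endpoints and declared dependencies of a CycloneDX JSON BOM."""
    bom = json.loads(bom_text)
    services = {s["bom-ref"]: s for s in bom.get("services", [])}
    by_name = {s["name"]: ref for ref, s in services.items()}
    endpoint_owner = {}
    for ref, s in services.items():
        for ep in s.get("endpoints", []):
            u = urlsplit(ep)
            endpoint_owner[(u.netloc, u.path)] = ref
    deps = {d["ref"]: set(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return Inventory(services, by_name, endpoint_owner, deps)


def handles_pii(service: dict) -> bool:
    return any(d.get("classification") == "PII" for d in service.get("data", []))


def classify(inv: Inventory, caller: str, url: str) -> str:
    """Verdict for one call, using only what the BOM knows about both ends."""
    u = urlsplit(url)
    target = inv.endpoint_owner.get((u.netloc, u.path))
    if target is None:
        return "unknown-endpoint"       # never onboarded: shadow service or typo, either way a gap
    caller_ref = inv.by_name.get(caller)
    if caller_ref is None:              # not one of ours: treat as external traffic
        return "external-to-pii" if handles_pii(inv.services[target]) else "external"
    if target in inv.deps.get(caller_ref, set()):
        return "expected"               # the SaaSBOM already says this call happens
    return "undeclared-dependency"      # internal caller the BOM did not predict


def triage(inv: Inventory, lines, spike_threshold: int = 3):
    """Classify every log line and turn repeated anomalies into findings."""
    verdicts, pair_counts = [], Counter()
    for line in lines:
        ts, caller, url, status = line.split()
        verdict = classify(inv, caller, url)
        verdicts.append((ts, caller, url, int(status), verdict))
        pair_counts[(caller, url, verdict)] += 1
    findings = []
    for (caller, url, verdict), n in pair_counts.items():
        if n < spike_threshold:
            continue
        if verdict == "undeclared-dependency":
            findings.append(f"{caller} -> {url}: {n} calls from an inventoried service with no "
                            "declared dependency; triage as a misdeployment before calling it a DoS")
        elif verdict.startswith("external"):
            findings.append(f"{caller} -> {url}: {n} calls from outside the inventory; escalate")
    return verdicts, findings


if __name__ == "__main__":
    for finding in triage(load_inventory(BOM_JSON), LOG_LINES)[1]:
        print("FINDING:", finding)
```

Run against the constructed lines, the four reports-batch calls to the pricing endpoint produce the single finding: the caller is in the inventory but the SaaSBOM declares no dependency on pricing-service, so the spike (and the 503s that follow it) reads as a misdeployment to fix rather than an attack to contain. The one call from 203.0.113.7 is classified as external traffic to a PII endpoint, and the call to the legacy host is an endpoint nobody onboarded. Real deployments would normalise hosts and paths (trailing slashes, path parameters) before matching; the exact-match lookup here is kept deliberately simple.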

Closing Arguments

The transparency and enhanced visibility offered by BOMs would also reduce the stress and fatigue suffered by SOC teams that today operate in the dark.


Prabhu S.

AppSec Tools Builder | Founder, AppThreat

1 year

The majority of SOC Models out there could be summarized as "collect logs -> send to Splunk or Elastic -> write queries". This is analogous to giving the police a radio and asking them to keep listening to every frequency to identify burglary and other crimes. There is a real opportunity to fix SOC with BOMs.
