CAN WE REALLY KNOW EVERYTHING?*
Ivan Salles, CISSP, CISM
SOC | SOC-CMM | CISSP | CISM | CISO || @Mente Binaria | @CCN | @OpenCTI.BR
*originally published as a sponsored post on https://www.blackhat.com/sponsor-posts/08222023-trend-micro.html
In an era dominated by an excess of information pushed through social media, smartphones, and the expanding Internet of Things (IoT), I often find myself amid a deluge of data that doesn't always align with my interests. At the same time, I feel compelled to absorb as much of it as possible so as not to miss anything that genuinely matters to me.
The Info Game in Security Ops Centers (SOCs)
The same dynamic of information abundance plays out in Security Operations Centers (SOCs). There is a prevailing belief that more data equates to heightened awareness and security. Consequently, vast volumes of logs from every available source are fed into an ever-growing repository of detection rules, which in turn generates numerous alerts every day. Understandably, this barrage leads to "alert fatigue," which prompts the question: are all these alerts truly necessary?
Evaluating Risks
Consider a situation where one navigates a potentially hazardous area in a city. If an individual with suspicious behaviour, possibly carrying what looks like a weapon, approaches, sounding an alert is vital. On the other hand, if a person in formal attire with a refined briefcase is seen, the urge to alert is diminished due to the absence of evident danger. The challenge lies in distinguishing between caution and undue paranoia.
Turning Off Paranoia Mode
In SOC information flow, the focus should shift from tools to strategy. Start with comprehensive threat intelligence evaluation. Determine which threats genuinely imperil the organization and identify critical assets along with potential consequences of compromise. Understand executive concerns, such as ransomware and data leaks.
While complete knowledge is unattainable, a profound understanding of what matters is feasible. The goal is to guard against threats like ransomware, secure cloud infrastructure, and protect vital assets.
After understanding the threats and concerns, formulate precise detection strategies aligned with the organization's goals: detect data exfiltration, counter spear-phishing, monitor databases, track lateral movement across the network, and identify attempts to delete or encrypt data.
The final step is selecting the log sources each detection plan actually needs. These sources include firewall logs, Active Directory, email records, antivirus data, database audit logs, and cloud-related telemetry. A source that no planned detection consumes adds volume and cost without adding coverage, so it does not need to be ingested for alerting.
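As an added example (not code from the article or from Trend Micro), the following Python script walks through the steps above for one use case: the threat is data exfiltration, the critical assets are two servers from a hypothetical inventory, the detection is "outbound volume per host", and the selected source is firewall logs. The log lines, host names, and thresholds are constructed for the illustration. The point it demonstrates is the difference between a single threshold applied to every host (the "alert on everything" approach) and a threshold tied to asset criticality, which produces fewer, higher-value alerts from the same data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (key=value export format chosen for
# this example; not real traffic and not from the article).
SAMPLE_FIREWALL_LOGS = """\
2023-08-22T01:02:03Z action=allow src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=160000000
2023-08-22T01:05:41Z action=allow src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=160000000
2023-08-22T01:09:12Z action=allow src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=160000000
2023-08-22T01:10:00Z action=allow src=10.0.1.15 dst=10.0.3.5 dport=445 bytes_out=2000000000
2023-08-22T01:12:30Z action=allow src=10.0.2.40 dst=198.51.100.7 dport=443 bytes_out=600000000
2023-08-22T01:15:07Z action=allow src=10.0.1.20 dst=203.0.113.22 dport=443 bytes_out=10000000
2023-08-22T01:16:55Z action=deny src=10.0.2.41 dst=192.0.2.77 dport=22 bytes_out=0
"""

# Output of the "identify critical assets" step: hosts holding the data that
# executives worry about (hypothetical inventory).
CRITICAL_ASSETS = {
    "10.0.1.15": "db-server-01",
    "10.0.1.20": "file-server-01",
}

# Internal address space; traffic staying inside it is not egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Thresholds are assumptions for the example: tight for critical assets,
# much looser for everything else.
CRITICAL_THRESHOLD = 100_000_000     # 100 MB per host
DEFAULT_THRESHOLD = 1_000_000_000    # 1 GB per host

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_firewall_log(text):
    """Parse key=value firewall lines into dicts; skip lines that don't match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_host(records):
    """Sum allowed outbound bytes per source host, external destinations only."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] != "allow" or is_internal(r["dst"]):
            continue
        totals[r["src"]] += r["bytes_out"]
    return dict(totals)


def naive_alert_count(records, threshold=CRITICAL_THRESHOLD):
    """The 'alert on everything' baseline: one threshold for every host."""
    return sum(1 for total in egress_by_host(records).values() if total > threshold)


def detect_exfiltration(records, critical_assets,
                        critical_threshold=CRITICAL_THRESHOLD,
                        default_threshold=DEFAULT_THRESHOLD):
    """Risk-based version: the threshold depends on asset criticality."""
    alerts = []
    for host, total in sorted(egress_by_host(records).items()):
        if host in critical_assets:
            threshold, severity = critical_threshold, "high"
        else:
            threshold, severity = default_threshold, "low"
        if total > threshold:
            alerts.append({
                "host": host,
                "asset": critical_assets.get(host, "unclassified"),
                "bytes_out": total,
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_FIREWALL_LOGS)
    print("alerts with a flat threshold:", naive_alert_count(recs))
    for alert in detect_exfiltration(recs, CRITICAL_ASSETS):
        print(alert)
```

On the constructed data the flat threshold raises two alerts (the database server and a workstation streaming 600 MB), while the asset-aware detection raises one, for db-server-01, and ignores the internal SMB transfer and the denied connection entirely. In a real deployment the per-asset thresholds would be derived from a baseline of normal egress rather than fixed constants.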
Evolving the SOC Paradigm
Adapting to evolving cybersecurity threats requires a focused approach. Striving to cover every conceivable scenario impedes effectiveness. By contrast, the threat-driven approach described above minimizes redundant data collection, reduces the number of alerts, mitigates alert fatigue, and lets analyst time go where the risk actually is.
How can Trend Micro help? With the framework established, choosing the right platform is vital. The Vision One XDR platform offers comprehensive protection, detection, and response. It amalgamates telemetry from endpoints, email, cloud, and network, providing a holistic view of cyber risks for operational and executive stakeholders.