As outlined in a story Infosecurity ran in July, research of 427 security individuals found that 70 had faced more than double the volume of security alerts in the past five years, whilst 99% stated high volumes of alerts were causing problems for IT security teams, leading 83% to say their security staff had experienced alert fatigue.
Surely this situation cannot continue, whereby analysts are overloaded with alerts and SOC managers and CISOs are left to pick up the pieces of a team suffering the consequences? Solutions and tools are being launched to better categorize and prioritize these alerts, and one which launched this summer is SOC.OS.
Developed as a spin out concept from BAE Systems’ Applied Intelligence, and launched two months ago, SOC.OS' product is designed to help small, internal security teams manage the ever-growing number of alerts by continuously analyzing, triaging and prioritizing them, escalating the most important incidents to the IT security team for further review.
Dave Mareels was announced as CEO after he originally joined BAE Systems on an internal engineering leadership program in 2017. He told Infosecurity that the Applied Intelligence division allowed him to create a team and a five-year road map in 2018. “We knew the problem which we were solving and for whom, and why we were unique,” he said.
Mareels said five to 10 years ago, you needed SIEM to do detection, and that meant hiring people to fine tune it “and that is out of reach for small teams.” However, due to a proliferation of tools, he said the challenge is now about how to prioritize alerts when tools are deployed, and this creates “visibility and prioritization issues.”
He added: “We try to help small teams who do not roll out big SIEM products or have the time and energy to roll them out, so they need a super human analyst to do triaging.”
“We knew the problem which we were solving and for whom, and why we were unique”
Bearing in mind that the product was still classified as a beta product in July, SOC.OS was able to collect a number of early adopters. Mareels said this allowed SOC.OS to take “a customer-centric approach” which gave them feedback on which functions were a priority. “We have a strategic road map and tell the user to be part of development team, and we have good relations with customers and the beauty is they can work with us to give us visibility and shape the product with us,” he said.
One customer Infosecurity got to talk to was Chris Sleep, information security manager at the Natural History Museum. He said he knew SOC.OS from his previous relationship with BAE Systems, and having reconnected with a member of the SOC.OS team, it became one of the early adopters.
Running with a small infosec team, Sleep said he came through the systems administrator route “to the point where the museum recognized that it had to put resource into security; over the last couple of years my role moved first 50%, then 80% then 100% into security.”
He admitted that when the commitment to a SIEM platform could not be made, other options had to be considered and in particular, “we look at how much we can manage in-house .” In particular, Sleep admitted that as a small team, it is still on the internet and “scanners look for any IP addresses to look for vulnerabilities.”
This led the museum to look for options to better manage alerts, which led back to BAE Sysytems and to SOC.OS “who did a proof of concept on an idea they had about an entry level scaled platform that could take alerts, consolidate them and help triage processes. When you’ve got a small team like us you don’t have to spend all day glued to the (many) dashboards.”
Sleep said various network and endpoint products are used, and all of which have their own management screen, and on an average day he could count 15 different open dashboard panes on his security browser.
“I’ve got one other analyst in the team and on top of threat management, we still need to find time to educate people and maintain awareness across all staff, so time to hunt threats is constrained,” he said. “Dashboards are improving, but the ideal is to get to the point where we have a single source of triaging and then if we have to investigate, we pull out deeper detail from the (specific) dashboards which may give me more information. It is all about trying to get to the point where, if there is an attack or a threat, we know about it quickly.”
Sleep praised the SOC.OS vision of correlating data from all sorts of systems at a scale that is affordable and works for smaller teams. He said the initial proof of concept “brought out some interesting patterns and we could see what was sweeping us from outside the network.”
“Dashboards are improving, but the ideal is to get to the point where we have a single source of triaging”
Much like Mareels said, early adopters were able to feedback on what worked and what could be improved, and Sleep said that working with the beta “gave us the advantage to give feedback and say what we would like it to do and things that are important to us.”
He said the “ongoing interaction really helped give a great insight into how the platform was being put together, and it’s always great to see how your own thoughts can influence an ongoing design.”
Whilst Sleep admitted the product did not solve all of his issues, and he still had to work with other dashboards for deeper detail, with the SOC.OS platform he can prioritize and filter alerts.
He explained: “With the current version, the information we generate is consolidated in the platform. It is delivered to me and the dashboards are being revised and improved constantly, which is fantastic.
“There is also correlation across events that the firewall has thrown at me with what the IPS has alerted, compared to what cloud apps are telling us and matched to what our anti-malware is telling us and that may flesh out to ‘here is something that may be a medium priority in one system,’ but once you see it in four or five places it becomes more interesting.”
Whilst SOC.OS has a fairly interesting offering, it is in its early stages of launching its service. However, early user feedback seems positive. Ensuring that its smaller user base can wade through the multitude of daily alerts should be a positive and ensure that businesses are able to remain in a better security posture.