#CCSE22: "Focusing on Reducing Time to Containment Is Way to Reduce Threat Risk"

Milad Aslaner speaking at the Cloud and Cyber Security Expo

“Minimizing the risk from cyber threats by focusing on reducing time to containment” was the rallying call of Milad Aslaner, senior director of cyber defense strategy and public affairs at SentinelOne, during his security operations center (SOC) focused session at this year’s Cloud and Cyber Security Expo at ExCeL, London.

Aslaner’s talk began with an exposition of the world’s biggest data breaches and hacks. He pointed to the fact that 97% of malware infections are polymorphic – running one time and never again. Additionally, cybersecurity today has become reactive – “something bad has to happen for our bosses to listen to us.” There are various factors to consider when trying to understand this. A starting point is “trying to understand the cyber challenges better,” remarked Aslaner. 

Aslaner highlighted the challenges that security operations center (SOC) teams currently face. First, there is alert volume. He noted:

  • 70% of SOCs have seen the volume of security alerts more than double in the past five years
  • 99% report high volumes of alerts cause problems for IT security teams
  • 56% of companies with more than 10,000 employees deal with more than 1,000 security alerts per day
  • 93% cannot address all security alerts the same day 

Second, there is the issue of security operations. Aslaner highlighted: 

  • 65% of companies have only partially automated security alert processing
  • 65% of teams with high levels of automation resolve most security alerts the same day compared to only 34% of those with low levels of automation 
  • 92% agree automation is the best solution for dealing with large volumes of alerts
  • 75% report they would need three or more additional security analysts to address all alerts the same day 

Lastly, there is the issue of managing alerts: 

  • 88% of organizations have challenges with their SIEM
  • The top issue reported with existing SIEM solutions is the high number of alerts 
  • 84% see many advantages in a cloud-native SIEM for cloud or hybrid environments
  • 99% would benefit from additional SIEM automation capabilities

The session moved on to SOC analyst challenges. “We went through the era of collecting everything,” remarked Aslaner, but this has proven to be impractical, if not impossible. “You will always have blind spots.” Aslaner listed five SOC analyst challenges. First, there are too many tools – functional overlap creates operational difficulties and expense. Second, there is too much noise – raw, uncorrelated data slows down the ability to respond fast enough. Third, work is repetitive – performing the same steps over and over. Fourth, there are too many blind spots – poor coverage for modern threats. Finally, there are too many bottlenecks – the coordination of people, processes and technology creates scaling problems.

“Then we have the incident response life-cycle to consider,” remarked Aslaner. “It’s time to consider what we change concerning our behavior and processes to better respond to the threats out there.” The incident response life-cycle includes:

  • Preparation (preparing to handle incidents and preventing incidents)
  • Detection and analysis (including attack vectors, data sources, incident documentation and incident prioritization) 
  • Containment, eradication and recovery (evidence gathering and handling, identifying attacking hosts and eradication and recovery)
  • Post-incident recovery (lessons learned, leverage collected incident data and evidence retention)

“Naturally, the question of what, who and when” enters the fray, commented Aslaner. There are significant questions that SOC teams have to ask themselves, including “what is the scope of the breach?” “How did the hacker get in?” “Who is attacking?” “What is known?” and “What are the remediation options?” 

Aslaner underscored this final question and explored “decomposing time to contain,” asking the audience, “How are we getting smarter and quicker? How do we minimize time to containment?” Aslaner recommended:

  1. Isolate/disconnect the machine
  2. Update AV signatures and perform a scan
  3. Inform the IT security team 
  4. Restore the last known backup (manual)
  5. Observe the full cycle of the attack to understand the method used

There is a time and place for machines, remarked Aslaner. Humans are beneficial to a SOC team given the factors of intuition, context, ethics, creativity and strategy, he argued. “Yet, machine interfaces can assist with data collection and search, pattern matching, summarization, generalization and hypothesis testing.” 

Summarizing his talk, Aslaner warned that cyber-threats will continue to increase and “attacks will continue to become more sophisticated.” Additionally, “most enterprises are unable to respond to new cyber-threats within the first 24 hours.” SOC playbooks require updating since “they and processes are outdated and require modernization,” commented Aslaner. Finally, technology can assist, yet “many organizations still utilize legacy security solutions.”