What Can be Learnt From our Human Senses to Build an Effective Security Operations Centre
Parallels between cyber security and the human body are nothing new. In fact, cyber security has often been referred to as the immune system, or skin, of an organisation. When you think that our skin is the initial layer that blocks harmful bacteria/pathogens from entering and attacking our delicate and important internal organs, you can draw similarities between the harmful bacteria and cyber criminals/bad actors trying to gain access to the precious organs, these being a parties inner systems, technology and people.
But if we take this analogy further, you will observe key resemblances between how our human senses, namely how sight, hearing, touch and smell, mirror key components of a well-run SOC.
Event Logs. The ears of an organisation.
Often, the first thing you need in terms of data sources are event logs. Event logs act as your hearing, in that you must listen to your log messages, your firewalls, proxies, servers, act of directory and malware reporting systems. These systems tell you if something is wrong. When an event log provides you with the information that you have an access failure, a denied firewall or a malware event, you don’t actually see the root cause. But, despite this, you listen to and trust the logs to inform your decisions.
EDR tooling. The eyes of your operation centre.
Seeing is believing, and Endpoint Detection and Response (EDR) tooling is the eyesight of your SOC. When you combine event logs with EDR tooling you can observe what is happening to the endpoints of your systems. All the executed processes, binaries, and command lines act as your sight, so it is useful to look into EDR for subtle indicators of compromise.
Behaviour Analytics. Follow your nose.
Elements such as your behaviour analytics, dark trace vectors and IPS signatures act as your sense of smell. Sometimes, when you look at a network, you just know that there is an anomaly. You can’t imply what the principle cause is, but the algorithms say its negative. More often than not, if something does not smell right, it is because there is an underlying issue.
Context. The touch that guides the way.
Once we combine the elements of sight, hearing and smell, we want to be able to put context around this information to provide informed intelligence. If you observe a malware event or rogue user behaviour, for instance, then you want to be able to validate it. To do this, you need context. You must look at the actual assets in terms of the system vulnerabilities, prioritise these vulnerabilities, understand the criticality of those assets, user behaviours, or scoring mechanisms. These are the tactile things that add context to your environment, and the touch that directs you.
This context aids overall business intelligence. Often, with information overload, the overall problem can become clouded. Putting information into context allows you to make sense of issues and respond accordingly. Just because there is, say, a malware incident, does not mean that you have to react instantly. You must question its relevance, and how is it going to effect confidentiality, integrity and availability. Without context you end up chasing every minuscule issue, and not all these issues are consequential.
Si Consult understands the importance of how the right combination of technology, processes and people is crucial to provide the best cyber security. Like the brain, your SOC needs to absorb the data acquired by your senses, process this data, convert it and utilise it to enhance business decisions.
If you enjoyed this article, don’t forget to register to our upcoming webinar, held on the 18th of March at 11:00, on ‘SOC- The Central Nervous System of Your Security’ to explore how to build an effective operating centre using SecurityHQ, and to learn what elements can be drawn from the human body to assist with the development of your cyber security.