Threat Detection is a notoriously difficult problem that most security organizations continue to struggle with. Despite a myriad of tools, 24/7 SOCs, and millions spent on services, the average time to detect a breach is 146 days. Worse, many indicators point to the problem growing in scale. Clearly, we need a new pragmatic approach to tackle this challenge.
Not long ago software development faced a similar challenge. Continuous Integration and Delivery (CI/CD) has helped deliver software with agility, speed, and quality. It is time we applied the same concepts to cyber security, in the form of Continuous Threat Detection.
Several months ago we started conducting Blue Team Training Sessions with a group of security analysts averaging 4+ years of experience. We had several goals in doing so. First, we wanted to get an up close and personal view of how easy or hard threat hunting really is. Second, we wanted to gauge to what extent analysts are able to utilize the tools available to them in the market today. Third, we thought it would be a good way to engage with our community and provide value.
We did not set out to create a representative sample, nor do we believe that what happened during the training is representative of the skills and knowledge of the industry as a whole. That said, we were surprised, so we thought the experience might be of interest to other security folks.
A recent article in Network World by ESG's Jon Oltsik correctly called out the fact that Incident Response (IR) automation is becoming a very hot topic in the infosec world. In it, Oltsik calls out the multiple factors that are driving demand for IR automation and orchestration, including the manual nature of IR work, the cyber skills shortage, and the difficulty of coordinating activity between secops and devops.
Great companies are built on two major factors: compelling market need and innovative solutions. As we launch LogicHub, we aspire to be one of those great companies. So we want to begin by introducing you to the thinking and the technology on which we’ve founded the company.
The majority of security teams still rely on rules to detect threats. Typically, these teams have a central repository of security events and implement rules that create an alert when the condition within the rule matches. This rules-based technology has been in use for a number of years, and while Security Operations teams have come to rely on it for alerting, they are finding daily that it has several limitations.
While SIM and other security analytics products are able to detect and alert on "known" threats, they are ineffective at recognizing and alerting on threats that the system does not already know how to detect. (If you want to learn more about why that is, read Monica Jain's blog, 5 Key Limitations of Doing Threat Detection with Rules.)
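To make the limitation concrete, here is an added illustration (not code from LogicHub or the blog) of the rules-based model described above: a central list of events, a rule that encodes a known pattern, and an engine that alerts only when that rule's condition matches. The events, field names, thresholds and rule names are all constructed for the example. A per-user failed-login rule catches the brute force it was written for, while a source that spreads single failures across many accounts produces no alert until an analyst writes a rule for that pattern too.

```python
from collections import Counter
from typing import Callable, Dict, List, NamedTuple

Event = Dict[str, str]


class Rule(NamedTuple):
    """A rule is a name plus a condition evaluated over the event store."""
    name: str
    condition: Callable[[List[Event]], List[str]]  # returns subjects to alert on


def failed_logins_per_user(events: List[Event], threshold: int = 10) -> List[str]:
    """Known pattern: many failed logins against one account."""
    fails = Counter(e["user"] for e in events
                    if e["type"] == "auth" and e["result"] == "fail")
    return [user for user, n in fails.items() if n >= threshold]


def failed_users_per_source(events: List[Event], threshold: int = 20) -> List[str]:
    """Pattern the first rule cannot express: one source, many accounts, one failure each."""
    users_by_src: Dict[str, set] = {}
    for e in events:
        if e["type"] == "auth" and e["result"] == "fail":
            users_by_src.setdefault(e["src"], set()).add(e["user"])
    return [src for src, users in users_by_src.items() if len(users) >= threshold]


def run_rules(events: List[Event], rules: List[Rule]) -> Dict[str, List[str]]:
    """Evaluate every rule against the repository; an alert is raised only on a match."""
    return {rule.name: rule.condition(events) for rule in rules}


# Constructed sample events standing in for a central event repository.
NORMAL = [{"type": "auth", "user": "bob", "result": "success", "src": "10.0.0.7"}]
BRUTE_FORCE = [{"type": "auth", "user": "alice", "result": "fail", "src": "10.0.0.5"}
               for _ in range(12)]
SPREAD = [{"type": "auth", "user": f"user{i:02d}", "result": "fail", "src": "10.0.0.9"}
          for i in range(30)]
EVENTS: List[Event] = NORMAL + BRUTE_FORCE + SPREAD

KNOWN_RULES = [Rule("brute_force_per_user", failed_logins_per_user)]
EXTENDED_RULES = KNOWN_RULES + [Rule("many_users_per_source", failed_users_per_source)]

if __name__ == "__main__":
    # With only the known rule, the 30 single failures from 10.0.0.9 never surface.
    print(run_rules(EVENTS, KNOWN_RULES))     # {'brute_force_per_user': ['alice']}
    # Only once someone encodes the second pattern does the system alert on it.
    print(run_rules(EVENTS, EXTENDED_RULES))  # ... 'many_users_per_source': ['10.0.0.9']
```

The engine has no notion of "unusual"; each alert is exactly one condition an analyst anticipated and wrote down in advance.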