The challenge is that today’s stretched security operations (SecOps) teams are often on the back foot, overwhelmed by alerts from across the business. They must find a way to prioritise intelligence and feed it more effectively into security processes.
Focus on risk
Any threat intelligence programme should start with a company-wide risk assessment. What is the organisation’s risk appetite? How do critical business processes function? Where are key assets located and how does data flow through the enterprise? What controls are in place to protect those assets and data? Answers to these questions will help to build the business case for a programme, and identify where intelligence gathering should be focused.
Threat intelligence can come from a huge range of sources. These might include threat feeds from security vendors like CrowdStrike and Bitdefender, open source intel from government agencies, and even Twitter. Some of this information may be tactical intelligence on attacker tactics, techniques and procedures (TTPs). It could be operational information on specific incoming attacks. Or it could be technical data such as indicators of compromise (IOCs) and indicators of attack (IOAs). The latter are forensic data pieces, such as those found in log entries and files, which can be used to detect suspicious activity on a system or network, or the digital fingerprints left behind after an attack.
Wherever the intelligence is coming from it needs to be relevant and actionable for the organisation’s specific needs. Firstly, security leaders must consider the source. Is the intelligence it provides current, high-quality and relevant? Can it be automated and produced in an easily digestible format? It should be remembered that no single tool or feed will provide a complete picture of the threat landscape. A judicious selection will best serve the organisation.
Convert intelligence into positive security outcomes
The next step involves feeding that intelligence into security processes. Many organisations do so using a security information and event management (SIEM) tool, which collects and analyses threat alerts from across the IT environment. Another popular option is extended detection and response (XDR) which uses machine learning to assess telemetry across email, servers, networks and beyond to help investigators. Alert overload is a serious challenge, so organisations should look for solutions that use advanced algorithms to help them filter out the noise and prioritise alerts more effectively.
Larger organisations may have the resources to station these capabilities in a 24/7/365 Security Operations Centre (SOC), while their smaller peers may outsource this to a third-party provider. Security-focused channel partners can help with this, and with providing managed detection and response (MDR), where they take charge of the XDR solution.
Such efforts are vital in enabling organisations to react quickly to new attacks and breaches, helping them to contain their spread and remediate before any real damage has been done. But even better is when threat intelligence can support proactive resilience efforts. This is where vulnerability management comes into its own. By using risk-based tools, organisations can continuously monitor for newly published Common Vulnerabilities and Exposures (CVEs), assess which they need to patch first and then run patching programmes to mitigate the risk of exploitation. For example, a new macOS bug won’t be relevant to an enterprise not running Apple equipment, but the latest Microsoft Windows CVE might be.
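As an added illustration of the risk-based prioritisation described above (example code, not from the article or from Infinigate): advisories that affect no product in the estate are dropped first, then the rest are ordered for patching. The CVE ids, products and inventory figures are constructed placeholders, and the exploited-in-the-wild flag is an assumed attribute that a threat-intelligence feed might supply.

```python
"""Constructed example: rank newly published CVEs for patching by first
discarding those that affect no product in the estate, then ordering the
remainder by exploitation evidence, severity and exposure.  All records are
made up for illustration; the CVE ids are placeholders, not real entries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str       # placeholder id (constructed)
    product: str      # affected product family
    cvss: float       # base score, 0.0 - 10.0
    exploited: bool   # exploitation seen in the wild (assumed feed attribute)


# Constructed asset inventory: product family -> number of hosts running it.
INVENTORY = {"windows": 1200, "linux": 300, "nginx": 40}

# Constructed advisories, in the shape a feed might deliver them.
FEED = [
    Advisory("CVE-EXAMPLE-0001", "macos", 9.8, True),     # no Apple estate: irrelevant
    Advisory("CVE-EXAMPLE-0002", "windows", 7.5, True),
    Advisory("CVE-EXAMPLE-0003", "windows", 9.1, False),
    Advisory("CVE-EXAMPLE-0004", "nginx", 5.3, False),
    Advisory("CVE-EXAMPLE-0005", "linux", 8.2, True),
]


def relevant(feed, inventory):
    """Keep only advisories whose product is actually deployed."""
    return [a for a in feed if a.product in inventory]


def priority(adv, inventory):
    """Sort key: actively exploited first, then higher CVSS, then more hosts.
    Python sorts ascending, so the values are negated/inverted."""
    return (not adv.exploited, -adv.cvss, -inventory[adv.product])


def patch_order(feed, inventory):
    """Return CVE ids in the order the estate should patch them."""
    ranked = sorted(relevant(feed, inventory),
                    key=lambda a: priority(a, inventory))
    return [a.cve_id for a in ranked]


if __name__ == "__main__":
    print(patch_order(FEED, INVENTORY))
```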
Learning and improving
A final important source of threat intelligence is digital forensics, which helps teams identify the vulnerable parts of a computer system and the damage sustained following an attack. In most cases, organisations are unaware of the full impact of a breach. Bringing in digital forensic teams early on ensures critical evidence is preserved. This can be analysed to identify the source of the attack and other details, to support faster incident response and efforts to build cyber-resilience and prevention.
The Pyramid of Pain is a framework that ranks indicators of compromise, from IP addresses up to TTPs, according to how easy it would be for an attacker to use them to gain access to the organisation. This can help forensics teams better understand what information they should be looking to preserve.
A worthwhile investment
Threat intelligence certainly requires an investment of time and resources to generate the required results. But in a world of surging cyber risk and expanding attack surfaces, it’s fast becoming a must-have for businesses everywhere. The good news is that, for those who can’t afford in-demand threat analysts and the significant CapEx and OpEx associated with an in-house SOC, the IT channel has the expertise and resources to fill the gaps.
Orietta Sutherberry is Head of Communications and PR, Infinigate Group.
To protect critical applications and data, Infinigate provides a comprehensive Security Operations Centre as a Service. Our offering gives customers a 24×7 view of cybersecurity threats across their distributed endpoints, along with in-depth analytics of threat data. You can find out more about our Managed Security Services offering here or contact us for further information.