Working as a CSOC analyst is becoming more complex: alert volumes increase rapidly as new perimeters and tools are integrated, regulatory constraints multiply, and suspicious behaviour must be detected as quickly as possible.
Increasing the number of analysts to solve these problems would seem utopian, as cybersecurity skills are increasingly sought after and consequently hard to obtain. Even though attracting talent must remain a priority, implementing good CSOC tools that simplify daily life is also critical. As is usually the case, the triptych of process, competent personnel, and technology must be balanced to build an efficient CSOC. This article focuses on the technology part: the CSOC tooling.
The SIEM continues to be the fundamental basis on which analysts work. It provides the timeline for the detection and reaction phases. However, the SIEM depends on additional tools for tracking incidents, feeding it relevant logs and data flows, and supplying other sources of contextual information. As a result, the CSOC must be built on complementary elements such as:
- Automation and orchestration – SOAR;
- Vulnerability scans;
- Ticket Management System – ITSM;
- Threat Intelligence;
- User and Entity Behaviour Analytics – UEBA;
- Network Detection and Response;
- Reputation management;
- Securing workstations and servers;
- Database security.
It must be acknowledged that most of the tools are used in monitoring and analysis procedures. The Ticket Management System (ITSM) currently serves as a common foundation for facilitating interactions between tools and procedures.
Automation and orchestration – SOAR
As detection scopes are expanded (workstations, internal applications, cloud, etc.), the volume of alerts grows inexorably. Analyst teams grow too, but only up to a point, and issues appear with the consistency of alert processing between analysts, as well as time lost on repetitive tasks.
As a result, SOAR (Security Orchestration, Automation, and Response) tools should be considered to industrialize and automate the actions of analysts and other incident response teams. By automating recurring tasks, this type of tool saves time. In addition to the internal ticket management system that usually already exists, it enables ticket management from a cybersecurity point of view.
Before investing in this type of tool, it is critical to first formalize the detection processes or scenarios (also known as “Use Cases”) with triage and incident response instructions (also called playbooks). These guidelines will be integrated into the SOAR to guide analysts through the analysis step by step.
SOAR, as previously stated, saves time by automating various detection steps. For example, the tool will be able to automatically enhance an alert by retrieving information about IP addresses, its history with site queries like VirusTotal, information from CMDB (Configuration Management Database), or threat intelligence.
It is also possible to automate some incident responses, such as the isolation of a workstation or the blocking of an external IP address that begins scanning the network, with a single click, using the SOAR’s connectors to other tools.
Vulnerability Scans
Vulnerability scanners are crucial in reducing risk and bringing the information system into compliance. The use of a continuous vulnerability scanner is a good cyber defence practice. These solutions provide information about existing vulnerabilities that an attacker could exploit. As a result, they are a proactive method of reducing the attack surface and avoiding incidents at the CSOC level.
This good practice allows you to prioritize patch implementation based on the exposure and criticality of the impacted services. It should be noted that the frequency of the scans must be adjusted according to the security team’s ability to apply patches. Generally speaking, monthly scans allow for good follow-up and give enough time to implement patches.
Ticket Management System – ITSM
The Information Technology Service Management (ITSM) system is a critical component of the CSOC’s tooling. Even though emails and phone calls are important ways of communication, they do not allow for accurate tracking and capitalization of an event. In this regard, the use of a ticket management system, which is part of the ITSM, is essential.
Ideally, an integration between SIEM and ITSM should be implemented in order to avoid time-consuming and potentially human error copying and pasting. This integration enables better collaboration among all stakeholders (CERT, network team, etc.) and will assist in the resolution of incidents more quickly and effectively.
Further to that, the ITSM is frequently coupled with, or itself serves as, a CMDB (Configuration Management Database). This function links an incident with a type of equipment, a service, or a contract, and gives the analyst a better understanding of the incident’s potential consequences.
Threat Intelligence
Threat Intelligence, or Cyber Threat Intelligence, aims to collect, consolidate, and organize information about cyber threats from multiple trusted sources. The aim is to compare the information collected with the events contained in the SIEM for better detection. This makes it possible, for example, to clearly identify a user whose workstation is trying to connect to a site that is known to be malicious. This type of alert is very accurate and generates few false positives.
The Malware Information Sharing Platform (MISP) is an example of a reliable source. This portal contains indicators of compromise (IoCs) that help in the detection of known and identified malware. The platform can also be used to share new information with community members. Information sharing is a vital part of the operation of this type of platform, and it is possible to do so while remaining anonymous.
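The SOAR enrichment step described earlier (retrieving asset context from the CMDB) and the IoC comparison described here can be combined in one small playbook. The following is an added example, not code from the article or from MISP; the indicators, CMDB entries, and key=value proxy log lines are all constructed, and the log format is a hypothetical one:

```python
import ipaddress
import re
# Constructed MISP-style indicators (not real IoCs): type, value, tag.
IOCS = [
    {"type": "domain", "value": "update-check.example.net", "tag": "malware:loader"},
    {"type": "ip-dst", "value": "203.0.113.0/24", "tag": "c2:infrastructure"},
]
CMDB = {  # constructed CMDB extract: hostname -> owner, service, criticality
    "WS-0421": {"owner": "a.durand", "service": "Finance", "criticality": "high"},
    "SRV-DB01": {"owner": "dba-team", "service": "Billing", "criticality": "critical"},
}
# Hypothetical key=value proxy log format; the three sample lines are constructed.
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"dst=(?P<dst>\S+) dst_ip=(?P<ip>\S+) action=(?P<action>\S+)$")
SAMPLE_LOGS = [
    "2024-03-12T09:14:02Z host=WS-0421 user=a.durand dst=update-check.example.net dst_ip=198.51.100.9 action=allow",
    "2024-03-12T09:15:40Z host=WS-0007 user=b.martin dst=intranet.example.org dst_ip=10.0.0.5 action=allow",
    "2024-03-12T09:16:11Z host=SRV-DB01 user=svc-backup dst=203.0.113.77 dst_ip=203.0.113.77 action=deny",
]

def match_ioc(dst, ip):
    """Return the first indicator matching the destination name or IP, else None."""
    for ioc in IOCS:
        if ioc["type"] == "domain" and dst.lower() == ioc["value"]:
            return ioc
        if ioc["type"] == "ip-dst":
            try:
                if ipaddress.ip_address(ip) in ipaddress.ip_network(ioc["value"]):
                    return ioc
            except ValueError:  # dst_ip missing or malformed: skip, never crash the playbook
                continue
    return None

def enrich(line):
    """Parse one log line; on an IoC hit, attach CMDB context (owner, service, criticality)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ioc = match_ioc(m["dst"], m["ip"])
    if ioc is None:
        return None
    asset = CMDB.get(m["host"], {"owner": "unknown", "service": "unknown", "criticality": "unknown"})
    return {"ts": m["ts"], "host": m["host"], "user": m["user"], "owner": asset["owner"],
            "indicator": ioc["value"], "tag": ioc["tag"], "service": asset["service"],
            "criticality": asset["criticality"]}

def triage(lines):
    """Enrich a batch and order hits so the most critical asset is handled first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}
    return sorted((e for e in map(enrich, lines) if e), key=lambda h: order[h["criticality"]])
```

Running `triage(SAMPLE_LOGS)` returns two enriched hits, the Billing database server first; the intranet line produces nothing, and an unparsable line or a malformed IP is skipped rather than stopping the batch.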
User and Entity Behaviour Analytics – UEBA
User and Entity Behaviour Analytics (UEBA) tools have been used as an additional source of information during investigations for many years. This type of tool is intriguing, but it is difficult to use for detection because it generates too many alerts and false positives. Indeed, because human behaviour changes by nature, it is hard to model completely. There will always be schedule changes or emergencies requiring unusual behaviours, resulting in alerts.
The operation of these tools is straightforward: they analyse the behaviour of users and of information system components (workstations, servers, applications, network, etc.) to identify potential threats. Narrow detection scenarios or use cases, such as the use of high privileges at night or on weekends, allow for a higher detection rate with fewer false positives.
As part of an investigation, however, this type of tool is valuable. It offers a view centred on a user or a component of the information system, in addition to the alert-centred approach, and so complements the analyst’s perspective.
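The narrow use case mentioned above, privileged actions at night or on weekends, is the kind of rule that keeps false positives low. The following is an added example, not code from the article or from any UEBA product; the event format, action names, business hours, and audit lines are all constructed. It goes one step beyond the text by suppressing slots a user already used during a baseline period, which is how a recurring on-call pattern is kept from alerting every week:

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed policy)
WORKDAYS = range(0, 5)          # Monday=0 .. Friday=4
PRIVILEGED_ACTIONS = {"sudo", "runas_admin", "admin_group_add"}  # hypothetical event names

# Constructed audit events: "<ISO timestamp> <user> <action> <host>"
BASELINE_PERIOD = [
    "2024-03-02T03:05:00 ops.oncall sudo SRV-WEB01",      # Saturday night: known on-call pattern
    "2024-03-05T10:12:00 a.durand sudo WS-0421",          # Tuesday, business hours
]
NEW_EVENTS = [
    "2024-03-09T03:15:00 ops.oncall sudo SRV-WEB01",      # Saturday 03h, seen in baseline -> suppressed
    "2024-03-12T23:40:00 a.durand runas_admin WS-0421",   # Tuesday 23h, never seen -> alert
    "2024-03-13T10:00:00 a.durand sudo WS-0421",          # Wednesday 10h, business hours -> ignored
    "2024-03-10T14:00:00 j.smith admin_group_add DC01",   # Sunday -> alert
    "2024-03-12T02:00:00 a.durand login WS-0421",         # off hours but not privileged -> ignored
]

def parse(line):
    ts, user, action, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "host": host}

def off_hours(ts):
    """True on weekends or outside business hours."""
    return ts.weekday() not in WORKDAYS or ts.hour not in BUSINESS_HOURS

def build_baseline(history):
    """Per user, the (weekday, hour) slots in which privileged off-hours use was already observed."""
    slots = defaultdict(set)
    for e in map(parse, history):
        if e["action"] in PRIVILEGED_ACTIONS and off_hours(e["ts"]):
            slots[e["user"]].add((e["ts"].weekday(), e["ts"].hour))
    return slots

def detect(events, baseline):
    """Alert on privileged actions outside business hours that do not match the user's baseline."""
    alerts = []
    for e in map(parse, events):
        if e["action"] not in PRIVILEGED_ACTIONS or not off_hours(e["ts"]):
            continue
        slot = (e["ts"].weekday(), e["ts"].hour)
        if slot in baseline.get(e["user"], set()):
            continue  # recurring on-call pattern: suppress to limit false positives
        reason = "weekend" if e["ts"].weekday() not in WORKDAYS else "outside business hours"
        alerts.append({"user": e["user"], "host": e["host"], "action": e["action"],
                       "ts": e["ts"].isoformat(), "reason": reason})
    return alerts
```

With the baseline applied, `detect(NEW_EVENTS, build_baseline(BASELINE_PERIOD))` raises two alerts (a.durand late on a Tuesday, j.smith on a Sunday); without a baseline the on-call event would alert as well.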
Network Sensor Detection – NDR
Today, several types of probes are available as sources of information on network threats. In addition to the logs of the various equipment, the probes’ value is to provide a view of the flows and communications within the information system. Some of them use machine learning or artificial intelligence to recognize inappropriate behaviour, going beyond signature-based detection.
The most difficult aspect of using probes is adjusting detection thresholds based on the context to avoid being drowned out by false positives. This adjustment or “fine-tuning” phase can be time-consuming, but it is critical for proper operation.
The positioning of the probe in the information system is the second critical parameter to consider. It is recommended that the probe be positioned to monitor flows between critical equipment or applications. For example, a probe directly exposed on the Internet is of little detection value on its own, but paired with a second probe in-house it can be used to measure the effectiveness of the existing tools: the difference in detection between the two probes shows how much filtering the equipment in place actually performs.
Reputation Management – DeepWeb
In recent years, DeepWeb reputation monitoring has become a concern for businesses looking to anticipate risks or detect vulnerabilities.
The DeepWeb is a term used to describe sections of the internet whose content is not indexed by standard search engines, for various reasons. Paste sites host some of this content: sites such as pastebin.com, slexy.org, quickleak.se and others are frequently used to exchange information or compromised credentials.
The sites may also be used to exchange code snippets containing identification information and infrastructure information.
Since these sites are ephemeral by nature, traditional search engine monitoring is ineffective. To address this issue, some publishers provide DeepWeb monitoring services, which increase the visibility of data in transit.
Finding company information on the DeepWeb indicates that a compromise is in progress or has already occurred, either for one of the employees or for the company itself. It is common, for example, to find user accounts (username and password) from compromised third-party sites on which the employee registered with his or her business email address rather than a personal one.
The risk, in this case, is that the user will use the same password for internal company access.
Securing Workstations and Servers – EDR & XDR
Today, most intrusions begin with the compromise of the workstation via phishing and malicious sites, but the following security measures must also be applied to servers. Email filtering and web filtering are therefore critical for ensuring the information system’s security. These filters, however, are not always sufficient, and securing the workstations and servers becomes a major asset in protection.
Tools such as EDR (Endpoint Detection and Response) or XDR (Extended Detection and Response) complement the information system’s protection capabilities while also increasing the CSOC’s detection and response capabilities.
These tools can detect attempts to exploit known vulnerabilities, the use of suspicious ports, and, through behavioural detection methods similar to UEBA, anomalous activity. There are several options for integrating them with the CSOC: workstations or servers can report alerts directly to the SIEM, or all relevant information can be retrieved by integrating only the management console. The latter option is frequently chosen for reasons of simplicity.
In addition to analytics capabilities, these detection tools can provide a significant advantage to the CSOC by allowing it to contain the threat. These tools can help the CSOC with the incident response and remediation actions. They can provide analysts with a very complete view of the workstation, allowing for the deletion or quarantine of files, the shutdown of suspicious processes, and even the isolation of the workstation or server pending further forensic expertise.
Most traditional anti-viruses now incorporate EDR features in order to combine the best of both solutions. To ensure better integration and operation, XDR solutions are built on a set of tools from the same vendor. When compared to EDR, which is focused on each workstation or server, XDR provides a more global view and detection.
Note: As mentioned in the introduction, it is preferable to address the source of the problem. In combination with this type of investment, implement security awareness to reduce the number of employees who launch malware and attachments received via phishing emails. A phishing-awareness campaign will mostly result in fewer detections and alerts.
Sandbox
The implementation of a sandbox enables the CSOC or CSIRT to conduct quick assessments of the dangers of a suspicious file. To recap, the sandbox mechanism is based on the isolation or simulation of an operating system, allowing the execution of files in a controlled environment.
Another type of sandbox can also be used to protect web access or email by detecting potential malware. This type of sandbox is added to the filtering chain for email or web traffic (beware of the delays it introduces). It can also serve as an additional source of information for the SIEM. In the case of CSOC tooling, the sandbox’s primary purpose is to assist with incident resolution by allowing rapid analysis of suspicious files. Analysts can learn more about a suspicious file using this tool.
Database Security
Databases are critical systems because they host most of the data. Even though we may believe that security is available directly in the database management system, some features are not available and additional tools are required.
Such tools cover access monitoring, query monitoring, user activity tracking, SQL injection protection, vulnerability detection, and other options.
For example, IBM Security Guardium provides a comprehensive set of capabilities ranging from discovery and classification of sensitive data to vulnerability assessment, file activity monitoring, offending, encryption, blocking, alerting, and quarantine. This solution can send alerts about noncompliance with security policies to the SIEM.
CSOC Tooling in a nutshell
Since the CSOC’s scope is extensive, it is critical to integrate equipment and procedures over several phases. The SIEM integration, which is the main building block, comes first, followed by the integration of log sources.
For logs, it is useful to begin with the most exposed equipment or applications: that is, those that are accessible via the internet. This integration must take place across the company’s various sites.
When it comes to logs, we recommend starting with the technical logs and then moving to the application part. Here’s an example we propose you follow:
- Integration of equipment that is directly accessible via the internet;
- Integration of security equipment (firewall, proxy, antivirus, Active Directory, probes, etc.);
- Server integration, beginning with the most sensitive;
- Workstation Integration;
- Integration of business applications starting with the most sensitive ones.
Tooling is an important component of the CSOC: each of these solutions provides benefits that will help detection teams keep up with the evolution of the information system and of threats.
However, before making additional investments, it is critical to make good use of existing tools. Before considering adding a new solution, each tool should be used to its full potential through automation implementation. The implementation of a new solution must be driven by genuine and well-defined needs.
Overall, being able to decide when to invest in tools and selecting the right ones for the CSOC is a challenge.
The main challenges when it comes to CSOC:
- Make the right technological investments, and don’t spend too much time looking for the best technologies rather than improving the efficiency of the ones you already have.
- To get feedback, share your work with your peers. Each CSOC is tailored to its specific needs and requirements.
- Artificial intelligence (AI) and machine learning technologies, or any other that promises to fully automate your CSOC, will not magically transform a low-maturity CSOC into a high-maturity CSOC. To make the best use of the tools, your CSOC primarily requires trained personnel and time-tested procedures.
- To reduce the risk of project failure, prepare the CSOC team and relevant stakeholders for a process-based assessment. Define the level of maturity of the targeted CSOC, as well as the deadlines, resources, and budgets.
- Align the tool selection process with the target operating model and CSOC goals to avoid making premature investments.
- Make technological investments that will yield the best results against new threat vectors, beginning with the most vulnerable areas.
- Beware of buzzwords such as artificial intelligence and machine learning, and prefer the implementation of effective and peer-reviewed solutions.
- Begin by mastering the tools and procedures on a small scale before expanding.