respurces_bg.png

Blog

OPIsrael and the Value of Next Generation SOCs

Gad RosenthalApril 7, 2016

Today is an excellent opportunity to see how next generation SOC platforms are changing enterprise security. One of the biggest organized cyber attacks against Israeli organizations, #OPIsrael, is scheduled for today. It’s the kind of scenario that can overwhelm conventional security operation centers (SOCs) and one that brings out the value of the Siemplify platform. The Nature of the Threat The majority of attackers participating in #OPIsrael are hacktivist groups, like Anonymous. They will primarily be looking to launch distributed denial-of-service (DDOS) attacks against Israeli-related sites and publishing personal information (mainly credit card details):

“With regard to the attack vectors, we assume the attackers will attempt to carry out DDoS attacks or leak the databases of small Israeli websites (based on past experience, most of the data leakage will be recycled from previous campaigns). We also believe they will use familiar or self-developed DDoS tools, as well as malware based on njRAT, which is very popular among Arabic-speaking hacktivists. “It is also possible that there will be attempts to infect Israeli end-points with Ransomware via emails with malicious files during this campaign. In most cases, these malicious emails pose as invoices, fax notifications or fake purchase orders to deceive unsuspecting users. Moreover, attackers sometimes spoof an internal email address to alleviate the concerns of potential victims. –  SenseCy, a threat intelligence company

So Many Attacks, So Little Information With conventional security operations, attacks like #OPIsrael can be overwhelming. The attacks often originate from multiple regions and involve multiple actors,  making detection more difficult for the typical tier-1 security analyst.

Screenshot.png

Threat intelligence service providers have been monitoring the #OPIsrael effort and their reports could be a significant asset in fighting such cyber threats. Practically, though,  threat intelligence reports are consumed by threat intelligence investigators in conventional SOCs not the tier-1 security analysts triaging incoming security alerts. And DDOS triggers an enormous number of alerts. The alerts appear to the security analyst as rows-upon-rows of independent entries in the spreadsheet-like interfaces of their SIEMs. Analysts are left having to sift through those entries, researching and analyzing each one. They struggle with understanding the strategic picture,  the connection between the alerts and the importance to the business. Always at risk is the possibility that they will miss the few truly critical alerts, amongst the thousands of others, indicating the bigger threats — data exfiltration attempts or critical system penetrations. Stop Working From Alerts Instead of triaging thousands of security alerts, tier-1 security analysts in next generation SOC work from a prioritized list of “cases.”  Cases are visual representations of the attack chain, synthesizing information from many sources including:

  • The significant alerts from the SIEM
  • Threat intelligence reports
  • Active Directory information, and business intelligence information

Instead of being overwhelmed with thousands of alerts from a DDOS attack, the security analysts of next generation SOCs only have to work with a handful of cases. Alone, shifting from alerts to cases is a paradigm shift. Siemplify customers see the workload of their tier-1 security analysts decrease significantly, more than 90 percent in at least one instance. Just as important, though, security analysts can see and focus on the important cases, the ones indicating a bigger threat often lost in the wave of DDOS attacks. The tier-1 analyst in a next generation SOC can also investigate many of those cases, a function usually reserved for more senior analysts. The Siemplify platform lays out the entire attack chain as a visual storyline. Analysts investigate a threat simply by clicking on an icon and pivoting off of the object. Gathering information from data stores is also simpler than in conventional SOCs. Analysts retrieve data by filling in forms not by writing complex queries.

12.png

Building accurate and reliable cases requires a robust backend. With Siemplify, advanced data science algorithms analyze the enormous amount of networking- and security-related information that may be relevant to the alert. A graph database helps understand the relationships between users, applications and networking objects. Together, the two automatically identify the significant security events.

Think Strategically

By taking a strategic view, security teams become more efficient. They focus on what matters, first. They analyze threats faster and respond quicker. With DDOS, for example, analysts can remediate an attack by blocking a pattern of attacks emanating from a region at the click of a button.

Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.

Remember:

  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Subscribe to Email Updates

Top Stories