Typically when security operations teams think about security use cases, they focus on detection scenarios, thanks to the shift underway within many organizations away from prevention.
Recently I have visited many security departments that have fully embraced the detection revolution – and, as proof, they have spreadsheets listing the various detection use-cases that they would like to implement.
Invariably, whatever the use case is – be it malware, ransomware, phishing, account lockout, jailbroken mobile devices, unauthorized configuration changes or something else – it always ends up as an alert. Rarely, though, does the use case specify what happens after the alert fires.
A critical piece is therefore missing. Each scenario the SOC team implements for detection should spell out the remaining stages of the threat lifecycle. Yet most are not doing that. If the lifecycle of a threat is detection > identification > investigation > mitigation > remediation, too many are focusing only on the first step.
Instituting a change in mindset
Habit could be to blame here. A threat appears, we define how to detect it and we implement a detection mechanism. Then we assume the threat will be thwarted.
This is where the security industry requires a mindset change. The use case should cover how to detect the threat, but also: how do you identify and validate that threat? What supporting data do you need to add to an investigation? What is the right way to respond when your team encounters this threat?
Consider these two scenarios:
1) You implement 50 detection use-cases, and your SOC receives 1,000 alerts in a shift and needs to determine how to respond to these alerts. It does so manually and doesn’t direct the appropriate amount of attention to each alert, making escalation decisions based on limited data.
2) You implement 30 detection use-cases, but you also include implementations for how to respond to them (thanks to well-defined playbooks for the analysts to follow), plus as much automation as is applicable. You receive 600 alerts in the shift, but half of those clear out automatically, and the ones that are left include the data necessary for an analyst to make an informed decision.
Which one sounds better to you?
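To make the second scenario concrete, here is an added example (not code from the original post or from Siemplify) of a single account-lockout use case written as a full-lifecycle playbook rather than a bare detection rule: the detection fires, identification auto-closes a known-benign pattern, investigation attaches the supporting context, and mitigation names the containment step for the analyst. The events, the service-account list and the corporate IP range are constructed placeholders.

```python
from dataclasses import dataclass, field
# Constructed sample events (not real data): bursts of failed logins per account.
SAMPLE_EVENTS = [
    {"user": "alice", "failed_logins": 12, "src_ip": "203.0.113.20", "then_success": True},
    {"user": "bob", "failed_logins": 4, "src_ip": "10.0.0.7", "then_success": False},
    {"user": "carol", "failed_logins": 8, "src_ip": "198.51.100.9", "then_success": False},
    {"user": "svc_backup", "failed_logins": 30, "src_ip": "10.0.0.9", "then_success": False},
]
# Hypothetical context an analyst would otherwise look up by hand (CMDB / IdP).
SERVICE_ACCOUNTS = {"svc_backup"}
CORP_PREFIXES = ("10.",)

@dataclass
class Verdict:
    user: str
    stage: str                  # last lifecycle stage the automation completed
    context: dict = field(default_factory=dict)
    escalate: bool = False
    action: str = ""

def detect(ev):
    # 1. Detection: the rule that, on its own, is usually the whole "use case".
    return ev["failed_logins"] >= 5

def identify(ev):
    # 2. Identification: validate the alert. A failing internal service account that
    #    never succeeds is the known-benign pattern this playbook closes automatically.
    return (ev["user"] in SERVICE_ACCOUNTS and ev["src_ip"].startswith(CORP_PREFIXES)
            and not ev["then_success"])

def run_use_case(ev):
    """Carry one event through detection > identification > investigation > mitigation."""
    if not detect(ev):
        return None                                   # no alert, nothing to triage
    if identify(ev):
        return Verdict(ev["user"], "identification", action="auto-closed: ticket account owner")
    # 3. Investigation: attach the supporting data an analyst needs to decide.
    ctx = {"service_account": ev["user"] in SERVICE_ACCOUNTS,
           "internal_source": ev["src_ip"].startswith(CORP_PREFIXES),
           "auth_succeeded_after": ev["then_success"]}
    # 4. Mitigation: the playbook names the containment step; remediation stays
    #    with the analyst, who now has the context to carry it out.
    if ctx["auth_succeeded_after"]:
        return Verdict(ev["user"], "mitigation", ctx, True, "P1: disable account, revoke sessions, force reset")
    return Verdict(ev["user"], "mitigation", ctx, True, "P3: block source at perimeter, notify user")

def triage(events):
    """Return (auto_closed, escalated) lists: the two halves of scenario 2 above."""
    verdicts = [v for v in map(run_use_case, events) if v is not None]
    return ([v for v in verdicts if not v.escalate], [v for v in verdicts if v.escalate])
```

Running `triage(SAMPLE_EVENTS)` closes the service-account burst without analyst time and escalates the other two alerts with their context and a prescribed action already attached.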
Having full lifecycle threat use cases, rather than solely detection-focused ones, is part of the key to a successful security strategy. It ensures that every security tool you implement and every detection use case you develop will be usable and valuable.
What you give up, as a result, is the all-too-common situation in which you've implemented a new detection mechanism but your SOC is not equipped and ready to respond to the alerts it produces.
Amos Stern is co-founder and CEO of Siemplify.