Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday March 5th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll discuss how to make an effective security operations centre with guest commentator Dinah Davis, vice-president of research and development at Arctic Wolf. But first, a review of some of the biggest stories in the past seven days:
IT administrators whose systems include on-premises Microsoft Exchange email servers are rushing to install patches. That’s after Microsoft pushed out urgent security updates to plug several vulnerabilities. Security experts said suspicious activity from Exchange servers was noticed in January. And while Microsoft attributed the attack to a threat group based in China that usually aims at U.S. targets, others say they have seen evidence of Exchange servers around the world being exploited.
Another victim of vulnerabilities in the Accellion FTA file transfer software has emerged. Qualys, which makes a cloud security platform, says its FTA server was compromised in December. Qualys says the data exposed included files sent to customers that didn’t involve data from users of its security platform. The admission came after a threat group posted data this week it says was taken from Qualys.
As I mentioned last week, this is Fraud Prevention Month. As part of that Kaspersky has been looking at online scams offering supposed COVID-19 vaccines. In a report issued this week it found bottles are going from $250 to $1,200 each — payment only in bitcoin. There’s no proof that what is shipped to buyers will be real vaccine.
Still on Fraud Prevention Month, a security firm called Agari has warned investment firms are being targeted by scammers in what are known as business email compromise frauds. Generally this type of scam convinces victims to send a usual payment to an account controlled by crooks. In this case crooks are taking advantage of individuals or firms who make prior commitments to invest and are waiting for what is known as a capital call — that is, a request for promised money. Crooks send emails impersonating investment or insurance firms to individuals or firms saying, ‘This is your capital call, please send your money to this account.’ Those who make these kinds of deals should first check where the email comes from, and second, independently verify the call is legitimate.
And another fraud-related warning: This one comes from the U.S. Office of the Inspector General for the Social Security Administration. Crooks are creating fake copies of Federal identification badges to convince victims they are legitimate government employees. A scam may start with a phone call supposedly from a government worker claiming to need the victim’s Social Security number to resolve a serious problem. As proof of identity they offer to email the victim a message that includes a photocopy of the caller’s supposed legitimate ID. Hang up on this scam. The Social Security agency usually contacts people by regular mail about problems.
Finally, two international incidents to tell you about: Oxfam Australia has admitted a database of donors’ names, addresses, dates of birth and email addresses was copied by an attacker in January. That information can be used for ID theft. And according to multiple news reports Malaysia Airlines is telling members of its Enrich frequent flyer program that some of their personal information held by an outside IT company was copied by a hacker.
It takes a lot of effort to detect and stop a data breach, which is why many companies have created a security operations centre, or SOC. To discuss how to build an effective SOC I’m joined by Dinah Davis of Arctic Wolf.
The following is a condensed version of our talk. To hear the full conversation, play the podcast.
Howard: First, what is a SOC?
Dinah: It’s a facility that houses an information security team. They’re responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. Basically, their goal is to detect, analyze, and respond to security incidents, using a combination of technology solutions and a strong set of processes.
Q: Does it need to run round the clock?
Dinah: You can run a security operation center without doing that. I just don’t know how effective it would be.
Q: What are some of the key roles in a SOC?
Dinah: One of the key roles is the analyst. They’re the ones that are always compiling and analyzing and looking at the data, trying to figure out if there’s been a breach. Typically you would have a manager of the group who could step into many of the roles if they needed to. The opposite side of the analyst is also the investigator and responder. Sometimes those are the same roles and sometimes they’re different, but once a breach occurs, the investigator finds out what happened and why. And they work really closely with the responder. The responders look at a number of tasks that come out of responding to a security breach, like looking at the different requirements and organizing the response in general. Sometimes there’s also an auditor who will go back and re-look at how everything was done in the past, so they can continue learning as they go.
Q: Is there a minimum number of people needed for a SOC?
Dinah: I think you can have four major levels of SOCs: The most basic would be a scrappy team of 12 people to do a 24 by 7 job. And they would be able to focus just on the detection part. Anything less than 12 and you’re going to just burn people out and you’re not going to have the coverage you need. That costs about a million and a half dollars a year to run.
The intermediate level, in addition to the team of 12, might add an investigator and [incident] responder so that they have remediation of incidents and use more advanced detection tools. Those usually cost around $2.5 million a year to run. An advanced SOC will rely a lot more on tuning the system so they can be more effective with their people. It will also have a threat hunting team, which works proactively outside of detection looking at systems to find indicators of compromise. Those SOCs are usually about $5 million a year to run.
And then there’s the glorious learning SOC, which is all the things combined. It takes automation to the next level so people can do more in-depth work. It has [application] developers on the team. The team relies on the metrics of the IT system and constantly improves what they’re doing to reflect what they see. It may also bring in red teams on a regular basis to attack the system to see how they’re doing. That’s about $6.5 million a year.
That starts to make you ask: what does the small company do? That’s where you want to look at managed services. That’s what companies like Arctic Wolf and eSentire do. They offer MDR (managed detection and response) or XDR (extended detection and response).
Q: There’s a 2019 Ponemon Institute study that asks respondents how important their SOC is to their overall security strategy. Interestingly, only 27 per cent said it was essential. Another 40 per cent said it was very important. One way of looking at that is 67 per cent of respondents said that their SOC was at least very important to the organization. That’s not high. I might’ve thought that if you’ve taken the time to create a SOC, it would be seen as essential.
Dinah: Did everyone who responded to that actually have a SOC? Because if they didn’t, then that might indicate why. Or maybe their SOC is doing a really good job and they’re not having incidents.
Q: Another interesting question I saw in the survey was: what data does your organization’s SOC collect and use to detect incidents? Now, firewall, incident detection and authentication information were at the top, but at the bottom were things like information from cloud access brokers, user behavior analytics and endpoint protection. Does that suggest that data from those devices is being underused or ignored?
Q: So what can IT leaders do to make their SOC effective?
Dinah: I think there’s five main things:
–Reduce alert overload and false positives by tuning your system so you’re getting more signal than noise;
–Get your security processes in order. It’s great if you have all this stuff, but if you don’t have a good process to deal with it then it can become problematic. Focus on two of the most important parts of the process — the detection and response. When something happens how is the team notified? What’s the criteria for escalating an event to an incident? What does the investigation response process look like? What do remediation efforts look like?
–Streamline your team communications because events are usually high-pressure situations. Use a tool like Slack. It’s not enough, but it’s a great way to set something up cohesively, and then you can create channels for reporting threats or daily communication. For each incident you can create a specific channel so anybody dealing with that one knows to go there;
–Have a reporting capability. You need to know how effective your SOC is. Some metrics you might want to track include volume of events, false positive ratios, head count to ticket ratios, time to detect, or even time to respond. Those numbers by themselves might not mean much, but what you really want to do is look at the trending: Where is it going? Is it taking longer to get to events or shorter to get to events?
–Finally, you want to orchestrate and automate as much as possible. Orchestration will connect your security tools into a single pane of glass, ensuring that they’re all working together cohesively. Then you can use automation to streamline workflows between tools to eliminate manual, tedious tasks and free up time for higher-value work.
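The reporting metrics Dinah lists (volume, false positive ratio, tickets per head, time to detect, time to respond, and the period-over-period trend) are easy to compute once every ticket records a few timestamps and a verdict. The Python below is an added example written for this page, not code from Arctic Wolf or anything discussed in the interview; the ticket layout, field names, analyst names and timestamps are all constructed for illustration, and "time to respond" is assumed to run from the ticket being opened to containment being confirmed.

```python
"""SOC metric roll-up over constructed ticket records (added example, not from the podcast).

The ticket schema below is an assumption made for illustration:
  occurred  - when the activity happened, from log timestamps
  detected  - when an analyst opened a ticket on it
  responded - when containment/remediation was confirmed (None if still open)
  verdict   - "tp" (true positive) or "fp" (false positive)
  analyst   - who worked the ticket
"""
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M"

# Metrics where a smaller number is better; everything else is reported as up/down only.
LOWER_IS_BETTER = {"false_positive_ratio", "median_hours_to_detect", "median_hours_to_respond"}


def build_tickets(rows: Iterable[tuple]) -> List[Dict]:
    """Turn compact (id, occurred, detected, responded, verdict, analyst) tuples into dicts."""
    keys = ("id", "occurred", "detected", "responded", "verdict", "analyst")
    return [dict(zip(keys, row)) for row in rows]


# Constructed sample data for two reporting periods (timestamps are made up).
JANUARY = build_tickets([
    ("T-101", "2021-01-04T08:00", "2021-01-04T10:00", "2021-01-04T16:00", "tp", "ana"),
    ("T-102", "2021-01-10T22:00", "2021-01-11T06:00", "2021-01-11T12:00", "tp", "bo"),
    ("T-103", "2021-01-15T14:00", "2021-01-15T14:30", "2021-01-15T15:00", "fp", "ana"),
    ("T-104", "2021-01-20T03:00", "2021-01-20T07:00", None,               "tp", "bo"),  # still open
])
FEBRUARY = build_tickets([
    ("T-201", "2021-02-02T09:00", "2021-02-02T09:45", "2021-02-02T12:45", "tp", "ana"),
    ("T-202", "2021-02-08T01:00", "2021-02-08T02:00", "2021-02-08T06:00", "tp", "bo"),
    ("T-203", "2021-02-12T11:00", "2021-02-12T11:15", "2021-02-12T11:30", "fp", "cy"),
    ("T-204", "2021-02-18T19:00", "2021-02-18T21:00", "2021-02-19T01:00", "tp", "ana"),
    ("T-205", "2021-02-24T05:00", "2021-02-24T05:30", "2021-02-24T06:00", "fp", "bo"),
])


def hours_between(start: str, end: Optional[str]) -> Optional[float]:
    """Elapsed hours between two timestamps; None when the later one is missing (ticket still open)."""
    if end is None:
        return None
    delta = datetime.strptime(end, TS_FORMAT) - datetime.strptime(start, TS_FORMAT)
    return delta.total_seconds() / 3600


def median_or_none(values: Iterable[Optional[float]]) -> Optional[float]:
    """Median that ignores open tickets and tolerates an empty period instead of raising."""
    present = [v for v in values if v is not None]
    return median(present) if present else None


def summarize(tickets: List[Dict]) -> Dict[str, Optional[float]]:
    """Roll up one reporting period into the metrics named in the interview."""
    analysts = {t["analyst"] for t in tickets}
    false_positives = sum(1 for t in tickets if t["verdict"] == "fp")
    return {
        "volume": len(tickets),
        "false_positive_ratio": false_positives / len(tickets) if tickets else None,
        "tickets_per_analyst": len(tickets) / len(analysts) if analysts else None,
        "median_hours_to_detect": median_or_none(hours_between(t["occurred"], t["detected"]) for t in tickets),
        "median_hours_to_respond": median_or_none(hours_between(t["detected"], t["responded"]) for t in tickets),
    }


def trend(previous: Dict[str, Optional[float]], current: Dict[str, Optional[float]]) -> Dict[str, str]:
    """Label each metric's movement between two periods; the raw numbers alone say little."""
    result = {}
    for key, now in current.items():
        before = previous.get(key)
        if before is None or now is None:
            result[key] = "n/a"
        elif now == before:
            result[key] = "flat"
        elif key in LOWER_IS_BETTER:
            result[key] = "improving" if now < before else "worsening"
        else:
            result[key] = "up" if now > before else "down"
    return result


if __name__ == "__main__":
    jan, feb = summarize(JANUARY), summarize(FEBRUARY)
    for name, value in feb.items():
        print(f"{name:26} {jan[name]!s:>8} -> {value!s:>8}  {trend(jan, feb)[name]}")
```

On the constructed data detection and response times improve from January to February while the false positive ratio gets worse, which is exactly the pattern the first of Dinah's five points is about: more alerts are reaching analysts, but more of them are noise, so the detection rules need tuning before head count is added.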