Integrating SIEM and SOAR in an MSSP environment
Dr Pierre Jacobs, Head of Operations and Compliance, CyberAntix
The reports about cyber attacks, theft of data and compromise of personal information from South African organisations are increasingly frequent. The reasons for these breaches are various and complicated. Furthermore, as we all know, the cyber security game is a difficult one and not an exact science. These attacks often go undetected with huge implications – much like an assassin or eavesdropper hiding behind the curtain at a function with the intention to cause damage.
To protect against these cyber attacks and to establish and improve the organisation’s cyber security effort, or for compliance requirements, organisations develop administrative controls in the form of policies and processes. These administrative controls are often informed by regulatory and other compliance requirements and are supported and enforced by deploying technical controls. Technical controls include firewalls, intrusion prevention systems (IPS), Web content filters (WCF) and end-point protection. The cyber security effort is then supported by cyber security operations, and when implemented effectively and efficiently, can provide the organisation with a wealth of operational and strategic intelligence, thus guiding decision-making and spend.
Tools in the cyber attack arsenal
Recently, and from an endpoint protective control, there has been a move away from pure signature and anomaly-based detection to endpoint detection and response (EDR). EDR is a combination of traditional signature and anomaly-based AV combined with the monitoring and collection of end point telemetry, and then responding to threats with rule-based analysis and response. EDR provides a lot of visibility into the endpoint and allows machine speed response to threats on the endpoints.
EDR, together with perimeter and network-based controls, form powerful tools in our arsenal to detect, protect and respond to attacks. The volume of events generated by these technical controls are often overwhelming, and this is where new approaches such as user and entity behaviour analytics (UEBA) come into play. UEBA generates a baseline of what is considered normal traffic or behaviour, and flags anomalous events as incidents.
With the protective controls in place, we need to monitor them to detect attacks and threats. As an added benefit, monitoring technical controls further allows us to measure if they are performing optimally, and that they protect as intended. Monitoring these controls can be done from an internal organisational monitoring and response structure or be outsourced to a managed security service provider (MSSP). Depending on the functions offered, or their intended usage, these structures are called security operation centres (SOCs), cyber intelligence centres (CICs) or cyber defence centres (CDCs). We will now collectively refer to these structures as “monitoring and response structures, or SOCs” as an umbrella term to cover all these structures with their different functions.
Which brings us to SIEM and SOAR
The primary tools used within these structures are the security incident and event management (SIEM) and security orchestration, automation and response (SOAR) tools. A well-configured SOAR system, together with UEBA, goes a long way to alleviate fatigue caused by the volume of events that need to be handled by SOC analysts. A well-configured SOAR ingests incidents from a SIEM or other technical controls, enriches those incidents at machine speed and automates response to threats and attacks detected, thus taking the workload off the SOC analysts, freeing them up to focus on other tasks or incidents that require deeper investigation.
Building an internal organisational structure is often difficult, and some constraints stand out. Cost is the first constraint. The cost of the SIEM and SOAR tools are often prohibitive for most organisations. Facilities are the second constraint. These structures are subject to laws such as the Employment Act – prescribing labour activities as well as facilities requirements with regard to running a 24x7 operation. The third constraint is people. Regardless of who establishes a monitoring and response structure, one of the biggest challenges is finding skilled people to staff the structure. It is our experience that it’s extremely difficult to find skilled SOC analysts. And once you find them, retaining them becomes a challenge.
These constraints support our observation that it is mostly enterprise-sized organisations who build their own internal monitoring and response structures. With this being said, enterprise-sized organisations still suffer from all the constraints as mentioned. Furthermore, it is also very difficult to find experienced SOC builders – people who know how to build and structure an SOC, identify and develop processes, select technology stacks as well as implement and onboard clients. Needless to say, these skills are scarce. This is where MSSPs come in.
Choosing an MSSP
MSSPs procure the SIEM and SOAR technologies upfront, and leverage off economies of scale in that the cost of these tools are factored in among multiple clients. This approach makes monitoring, detection and automated response to cyber security risks accessible to more organisations. MSSPs provide the infrastructure, facilities, processes and, most importantly, the people that enable a monitoring detection and response capability. Enterprise clients can benefit from this approach in that MSSP staff are exposed to clients across different industries, technologies and attack techniques. This gives them a broader understanding of attack techniques and attack vectors.
CyberAntix is ideally positioned to not only offer traditional MSSP services, but we are also one of the first MSSPs in South Africa to offer SOAR as a service to clients. We have been offering SOAR services for just over a year and are ahead in terms of the architecture design, deployment and playbook development when compared to our competitors. Our people are highly skilled and experienced, all our junior analysts have more than two years working experience in SOCs, and our senior analysts more than 15 years of true cyber experience. If you are considering MSSP services, we recommend that you ask the following questions:
- Is the MSSP ISO 27001 certified? This shows commitment and allows for some assurance that basic security controls are in place.
- Does the MSSP offer cloud based SIEM? This is an important consideration if you have a cloud presence.
- Does the MSSP offer per-host pricing and billing? Traditional MSSP pricing models bill per event per second (eps) or storage. This makes it difficult to calculate pricing when there’s a peak in eps or storage (such as when a malware outbreak occurs). This could potentially lead to nasty surprises.
- Does the MSSP have a proven track record where it concerns SOAR? Your MSSP should offer SOAR services and should have a proven track record with the configuration of SOAR and integrations, use case development and playbook development.
- Are the MSSP engineers highly skilled with the right certifications to back up those skills? You could ask to review SOC staff CVs or ask for proof of concept where you can test their skills.
- Does the MSSP SIEM and SOAR offer and support UEBA? This is an additional mechanism to detect anomalous user and entity behaviour that may be indicative of attacks. Your MSSP should have a proven track record of configuring UEBA on their SIEM.
- Does the MSSP offer commercial threat intelligence? Does the SOAR or SIEM integrate seamlessly with commercial or open source threat intelligence sources?
- Does the MSSP offer bespoke use case development, or do they only offer out-of-the-box use cases? Companies differ in what they want to detect. Your MSSP should be able to guide you in terms of out-of-the-box use cases (and ensure there is enough visibility to satisfy those use cases) and should also be able to develop bespoke use cases, ie, to detect fraudulent activities.
- Does your MSSP follow a structured approach when engaging? Do they do a visibility assessment? Do they propose use cases based on the available log and telemetry sources? Are they able to ingest those logs into their SIEM/SOAR?
- Does your MSSP offer a variety of cyber security services? The core business of MSSPs is to monitor, detect and respond to threats. A mature MSSP also offers services such as Hunts, device management and incident response.
- Does your MSSP offer a one-hour first expert verdict (FEV) SLA, and a two-hour response inclusive of remediation and containment plans?
- Does your MSSP have a proven track record of building successful organisational and MSSP-type SOCs?
A mature and class-leading MSSP will guide you through the whole onboarding process. They will have the accurate tools to monitor, detect and respond to threats in your environment. They will offer a high level of process automation backed by human decision-making. Their SOC engineers will be experienced and have industry leading certifications as well as SIEM and SOAR relevant certifications. They will have a deep understanding of the security landscape, and a proven track record at detecting and responding to incidents. At CyberAntix, we offer all this and so much more. On our watch we will detect the man behind the curtain and keep you and your assets safe.
ITWeb, in partnership with CyberAntix, is conducting a survey on cyber security. To participate in the survey and to be entered into a lucky draw prize to win a R5 000 Takealot voucher, click here.