How technology vendors can best serve network incident responders


This article was contributed by Basam Khan, VP of Product and Technical Marketing Engineering at Gigamon.

With a growing number of organizations suffering cyber attacks, it is clear that responding to an incident during an active breach is extremely stressful. Vendors therefore need to raise their game and help customers with data, tools, focus and expertise, especially when they need it most. In a world where a public breach is a concern for most large organizations, technology vendors should take the time to listen to and understand their customers' challenges and guide them to the right solution. Vendors have the most advanced cloud computing, storage and search technology, visibility into attacks across many customers, and knowledge of effective defenses. Yet the SOC team rarely benefits from these resources.

Lack of data: historical lookbacks and vendors

It is well known that threats dwell for a long time: 280 days on average to identify and contain a breach, according to IBM research. So why do SaaS NDR vendors only offer a lookback of 30, 60 or perhaps 90 days? The cloud offers virtually unlimited storage, so shouldn't the historical lookback at least match how long threats persist?

One case in point:

  • February 20, 2020: The Sunburst backdoor was inserted into the SolarWinds Orion platform DLL and distributed through Orion updates.
  • December 8, 2020: Sunburst was first detected, when FireEye disclosed the intrusion into its own network.
  • From December 8, 2020 onward: up to 18,000 organizations that had installed the trojanized update, including government agencies and Fortune 500 companies, began investigating the impact and responding.

In the days following December 8, 2020, security teams scrambled to check their historical data for any indicators of compromise that had crossed their network. But they were hampered by a lack of network visibility: the available metadata often spanned only a few days. The lucky ones had a month of data, or at best 90 days. None of that let them investigate an attack first deployed in February 2020, understand the attackers' specific behavior in their network, or gauge the level of risk to the organization.
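The retrospective sweep described above has a failure mode worth making explicit: when the retention window is shorter than the dwell time, "no IOC hits" is not evidence that nothing happened. The following is an added example, not code from the article or from Gigamon, showing how an incident responder can run an IOC sweep over retained connection metadata and report the unobservable gap alongside any matches. The metadata records and indicator domains are constructed placeholders (the `.test` domains are not real Sunburst infrastructure), and the February 20 / December 14, 2020 dates are taken from the timeline above.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed sample records, not real telemetry: (timestamp, source IP, destination host).
# A real NDR export carries many more fields; only these three matter for the sweep.
SAMPLE_RECORDS = [
    ("2020-08-03T02:11:09", "10.0.1.25", "cdn.example-ioc.test"),   # IOC hit, before any short window
    ("2020-10-22T13:42:10", "10.0.1.25", "cdn.example-ioc.test"),   # IOC hit, inside a 90-day window
    ("2020-11-20T08:15:00", "10.0.1.25", "updates.vendor.test"),    # benign traffic
    ("2020-12-09T17:05:33", "10.0.2.40", "api.example-ioc.test"),   # IOC hit, inside a 30-day window
]

# Hypothetical indicator set: placeholder domains, not actual Sunburst C2 hosts.
HYPOTHETICAL_IOCS = {"cdn.example-ioc.test", "api.example-ioc.test"}


@dataclass
class HuntResult:
    window_start: date                 # oldest day the retained metadata covers
    window_end: date                   # newest day covered (normally today)
    uncovered_days: int                # days of the suspected compromise period before window_start
    matches: list = field(default_factory=list)

    @property
    def blind_spot(self) -> bool:
        """True when part of the suspected compromise period is simply not observable."""
        return self.uncovered_days > 0


def retrospective_hunt(records, iocs, suspected_start: date, today: date,
                       retention_days: int) -> HuntResult:
    """Sweep retained metadata for IOC destinations and measure how much of the
    suspected compromise period falls outside the retention window."""
    window_start = today - timedelta(days=retention_days)
    uncovered = max(0, (window_start - suspected_start).days)
    matches = []
    for ts, src, dst in records:
        when = datetime.fromisoformat(ts).date()
        # Records older than the window were never retained; they cannot be searched.
        if window_start <= when <= today and dst.lower() in iocs:
            matches.append((ts, src, dst))
    return HuntResult(window_start, today, uncovered, matches)


def summarize(result: HuntResult) -> str:
    """Render the finding so that a negative result is scoped to the days actually covered."""
    lines = [f"Retained metadata covers {result.window_start} to {result.window_end}."]
    if result.blind_spot:
        lines.append(f"WARNING: {result.uncovered_days} days of the suspected compromise "
                     f"period are not observable with this retention.")
    if result.matches:
        lines.append(f"{len(result.matches)} IOC hit(s):")
        lines.extend(f"  {ts} {src} -> {dst}" for ts, src, dst in result.matches)
    else:
        lines.append("No IOC hits within the retained window (not evidence of absence before it).")
    return "\n".join(lines)


def demo_hunt(retention_days: int) -> HuntResult:
    """Run the sweep against the constructed sample with the article's Sunburst dates."""
    return retrospective_hunt(SAMPLE_RECORDS, HYPOTHETICAL_IOCS,
                              suspected_start=date(2020, 2, 20),   # first Sunburst deployment
                              today=date(2020, 12, 14),            # a few days after disclosure
                              retention_days=retention_days)


if __name__ == "__main__":
    for retention in (30, 90, 365):
        print(f"--- {retention}-day retention ---")
        print(summarize(demo_hunt(retention)))
```

With 30 or 90 days of retention the sweep finds hits but also reports more than 200 days of the compromise period it cannot see; only the 365-day run reaches back past February 20 and can legitimately claim full coverage. Reporting the blind spot, not just the hits, is what keeps a "clean" sweep from being mistaken for a clean network.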

This makes us wonder why, when cloud computing offers virtually unlimited storage, vendors do not address this challenge for their customers.

Lack of time

If you have ever been part of a security team during an incident, you understand the race against time. Every second counts. This is not melodrama; it is a pressure cooker. It is also a cause of security analyst burnout.

Take modern ransomware. From the moment an attacker's presence in the network is first discovered, you are in a race to contain their actions before you suffer a costly ransom payment, operations crippled by encrypted data, double extortion over exfiltrated data, and endless media coverage. Everyone has an opinion on what you should do and on the actions you take.

And yet, security vendors rarely focus on providing tools that speed up the investigation. They are fixated on being able to "find" and leave the rest to the security team. Again, why? Vendors have virtually unlimited compute, yet most do not offer this basic value. With current NDR tools, investigators are forced to search one event at a time. Why can't they search in parallel? Why can't multiple team members work together, sharing searches and results and collaborating? And why don't solutions offer a threat-specific playbook that says "here is a hypothesis you should check", rather than, worse, suggesting you switch to a different product for the investigation and redo most of the work there?

The cloud compute capabilities exist, but vendors do not put them to work for their customers.

Lack of attention

Remember the promise of SaaS-based security tools? Move your security solutions to the cloud and you will never need to maintain them again; you will get all the benefits of cloud computing. Well, that promise has fallen a little flat, hasn't it?

True, your SaaS security products get the latest updates promptly, but as noted above, you are not reaping the benefits of cloud computing's unlimited storage and compute. Worse, with the use of machine learning, many "technology advances" now require your staff to spend endless effort tuning detections and reducing false positives. In other words, vendors have pushed the work of producing high-fidelity findings onto your team, often to the vendor's advantage.

Vendors should step up and remove these interruptions. Some vendors are adopting the concept of "guided SaaS", where the solution is owned and operated by your team but software updates, detection and false-positive tuning, system maintenance and health checks are all done by the vendor, so that you can focus on "job 1": threat management. I applaud this approach and hope other vendors will follow and build it into their offerings, instead of charging a professional services fee for what they should be doing in the first place.

Lack of guidance

We have established that three major challenges facing security teams are lack of focus, data and time. The fourth obstacle to a quick response is threat-specific knowledge. Incident responders need to know the adversary's tactics, techniques and procedures (TTPs) and objectives in order to respond confidently and completely. Again, vendors do a poor job of helping their customers here, forcing security practitioners to do their own research on TTPs and adversary intent so they can decide for themselves how to respond.

NDR vendors are sitting on a gold mine of knowledge about threat actors' TTPs and objectives, but they do not share it with their customers. Vendor threat research gathers a great deal of actionable intelligence on how to respond effectively to any given threat, but vendors have no mechanism for sharing that information.

Some vendors offer add-on expertise, but the information shared is almost always about their product, not how to respond to a specific incident. Why don't NDR vendors help their customers in their time of greatest need by sharing cross-deployment knowledge, crowdsourced data and the skills gained from threat research? And not in vendor-speak, but the way one incident responder would help another.

A challenge to vendors: raise the success rate

We should do better. We must bring empathy and innovation to the real challenges facing security teams. Let 2022 be the year we start, and keep on, listening to customers properly.

Basam Khan is the VP of Product and Technical Marketing Engineering at Gigamon.
