Imagine walking into an ecstatic party pumping with great beats and the happy hum that is 100 fellow guests and yelling “Show me your hands people if you’re having a good time!” Imagine a sea of hands waving and fist-pumping as those 100 people share their love of being there with you.
Sounds like the best of parties, right? Now imagine walking into the somber and serious atmosphere of a SOC, asking the same question, and having 65 out of the 100 people (it’s a big SOC!) look at you with a totally stressed-out facial expression, then watching aghast as they pack their bags and walk out. Never to return.
Sounds like a dystopian version of a SOC, right? Unfortunately, this scenario is all too real: SOC Analysts, overworked and overwhelmed by the burden of too many alerts, too many false positives, too many disparate tools, and too little visibility, abandon their posts because they are suffering extreme stress.
To say this is concerning is a tremendous understatement, and it points to the fact that we, as an industry, seem to have forgotten one of the bedrock principles of security: that it is only effectively achieved when we balance the needs and capabilities of the People, Process, and Technology triad.
A major contributing factor leading to the burnout of SOC professionals is the unacceptable length of time it takes to work through the phases of the Event/Incident/Alert/Response process. Simply put, the exercise of detecting and triaging security data as it is gathered, followed by investigating and classifying (or prioritizing) incidents and alerts, and then taking suitable actions to respond is taking too long.
There are simply too many events hitting the SOC, and all too often they are poorly analyzed by the toolsets, leading to a burdensome level of false positives. This high false positive level means unnecessary extra work as SOC Analysts weed out the “neverminds,” so it takes far too long for analysts to work through the analysis and response phases for genuine alerts.
Delivering a significantly better signal-to-noise ratio and reducing false positives is a solved problem. Third-party testing shows that VMware Security solutions consistently demonstrate accurate detection of signals from malicious activity with no false positives.
Reducing the time and effort involved in the response phase is addressed through Automation and Orchestration. SOAR platforms, including those in VMware’s XDR ecosystem, have delivered many gains in this area, removing the burden of repetitive tasks and the gathering of valuable threat intelligence data from the multitude of tools found in a typical SOC.
XDR: Modernizing the SOC
Where SOC team members continue to need help though is in the Analysis phase. According to Forrester Analytics Business Technologies® Security Survey 2021, the “Analysis” phase of the Incident Alert/Response process is ranked as taking the most time by 42% of respondents in the survey.
Reducing Analysis time is a product of both higher fidelity data and improved Analyst Experience. As the inventor of EDR, VMware Carbon Black provided the industry the first tool for gathering unparalleled security telemetry. EDR continues to be the foundation for security detection, shining a high-lumen beam into the previously unlit workings of the processes and workloads running on endpoints and servers.
In the world of cat-and-mouse that is cyber security, adversaries continue to evolve. Where they can gain an initial foothold into the environment, perhaps using stolen credentials, perhaps by targeting a poorly configured and unsecured Kubernetes (K8s) environment, they rapidly move laterally across the network in search of the information crown jewels, establishing multiple methods of reinfection along the way (in case they are discovered and ejected).
With the network as the new battleground, adding Network Detection and Visibility to the existing EDR capabilities is table stakes. Network visibility shines that same high-lumen beam into the network, throwing into stark relief the indicators of malicious intent such as rogue RDP traffic and C2 communications.
For this approach to be scalable, network visibility must be inherent to the modern, software-defined network, not reliant on expensive and proprietary hardware-based network traffic flight recorders, and it must be distributed everywhere traffic flows. Network visibility must go where EDR already exists, with network traffic analysis being software-based and distributed alongside EDR.
Extended detection and response (XDR) vastly assists SOC Analysts in accurate, rapid detection of anomalous behavior and is the basis of the Modernized SOC. XDR’s goal is to significantly reduce the analysis phase of the Incident alert/response process, alleviating the time burden felt by SOC Analysts, and helping to reduce the levels of burnout they currently report.