80/20 Rule of a Cyber SOC Team

The 80/20 Rule of Cyber Security Operations Centre

The Pareto Principle, commonly known as the “80/20 rule”, states that 80% of effects come from only 20% of causes. This means that by focusing resources on the right areas of work, we can achieve 80% of the results with just 20% of the effort. As cyber security experts know, securing an organization requires a lot of effort in order to keep up with evolving cyber security threats. How can security analysts spend more of their time doing the activities that protect their organizations the most, and less of their time chasing noise? Read on.

For many years, companies have relied on antivirus software as their main defence against attacks on endpoints, and this practice is still common in many organizations today. Originally, the antivirus software's only task was to protect endpoints by identifying signature-based attacks, such as infected attachments downloaded through email or malicious links opened in web browsers to access blacklisted websites. The problem with current antivirus software is that it is no longer effective: every company that got hacked in 2017 (87% of Canadian companies, source: IDC) had some form of antivirus software, and most of them also had advanced intrusion detection solutions monitoring their networks.

Organizations need to accept that they will eventually get breached and, in fact, that their environment may already be compromised. Many organizations do not even know they are under attack until they see an indicator of compromise (IOC) such as a virus signature, an MD5 hash or malware file, or a malicious IP address or domain name linked to a botnet command and control server.
Hackers are aware of the common IOCs built into a company's detection systems and constantly adapt their strategies to deceive them. Adversaries, armed with advanced tools, now use tactics that extend beyond basic malware. They can use a variety of exploits and vulnerabilities to attack an organization, leaving security analysts with a substantial amount of data to collect and analyze. These next-generation attacks are designed to burrow deep into a network and persist even after a breach is detected and the attack is supposedly shut down. This strains the knowledge of SOCs, as they have to keep track of a seemingly endless number of possible attack vectors.

For security analysts with limited resources, hunting for malicious operators while they spread across a complex and fragmented enterprise network is very costly and time consuming. Manual detection usually entails a security professional first receiving an alert about malicious behaviour and quickly determining whether it is legitimate. Next, the analyst figures out what caused the alert and understands its implications before finally taking action. Often, SOCs have blind spots because an organization runs multiple isolated networks, cannot collect real-time information from some endpoints, or operates across multiple geographic locations, among other issues. The multiple steps involved in manual detection slow down threat response time.
Finally, IOC-based detection approaches, which are rigid and look for a binary yes/no answer, tend to produce either an excessive number of false positives or a high false negative rate, depending on the threshold set in the system. False alerts can desensitize security teams, causing them to tune out these notifications and placing the organization at risk.
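To make the false positive / false negative trade-off concrete, here is an added illustration (not code from the original article or from any vendor it mentions). It runs a rigid exact-match IOC detector and a scored detector over a handful of constructed endpoint events with known ground truth, and reports how many false positives and false negatives each produces at different thresholds. The indicator values, event fields and score weights are all constructed for the example.

```python
"""IOC matching versus scored detection on constructed endpoint events.

Added illustration: a rigid yes/no IOC match and a scored detector are run
over constructed events with known ground truth, and the false-positive /
false-negative counts are reported for several thresholds.
"""
from dataclasses import dataclass

# Constructed IOC list (placeholder values, not real indicators).
IOC_HASHES = {"aaaa1111deadbeef"}
IOC_IPS = {"203.0.113.45"}            # TEST-NET-3 address, constructed
IOC_DOMAINS = {"c2.example.invalid"}


@dataclass(frozen=True)
class Event:
    host: str
    process: str
    sha256: str
    dest: str          # IP or domain the process talked to
    bytes_out: int
    signed: bool
    malicious: bool    # constructed ground truth, used only for scoring


# Constructed sample telemetry with ground truth labels.
EVENTS = [
    Event("ws01", "outlook.exe", "1111aaaa", "mail.example.invalid", 20_000, True, False),
    Event("ws02", "update.exe", "aaaa1111deadbeef", "203.0.113.45", 5_000, False, True),   # known IOC hit
    Event("ws03", "svchost.exe", "2222bbbb", "c2.example.invalid", 900_000, True, True),    # known-bad domain
    Event("ws04", "powershell.exe", "3333cccc", "198.51.100.7", 1_500_000, True, True),     # novel, no IOC
    Event("ws05", "backup.exe", "4444dddd", "198.51.100.9", 2_000_000, True, False),        # legitimate bulk upload
    Event("ws06", "tool.exe", "5555eeee", "203.0.113.99", 1_000, False, False),             # unsigned but benign
]


def ioc_match(e: Event) -> bool:
    """Rigid yes/no detection: fires only on an exact indicator match."""
    return e.sha256 in IOC_HASHES or e.dest in IOC_IPS or e.dest in IOC_DOMAINS


def risk_score(e: Event) -> int:
    """Additive score combining indicators with behavioural signals.
    Weights are constructed for illustration, not tuned values."""
    score = 0
    if ioc_match(e):
        score += 60
    if not e.signed:
        score += 20
    if e.bytes_out > 1_000_000:
        score += 30                # large outbound transfer
    if e.process.lower() in {"powershell.exe", "cmd.exe"} and e.bytes_out > 100_000:
        score += 30                # scripting host moving a lot of data
    return score


def evaluate(detector, threshold=None):
    """Return (false_positives, false_negatives) for a detector over EVENTS.
    threshold=None means the detector already returns a boolean."""
    fp = fn = 0
    for e in EVENTS:
        fired = detector(e) if threshold is None else detector(e) >= threshold
        if fired and not e.malicious:
            fp += 1
        if not fired and e.malicious:
            fn += 1
    return fp, fn


def sweep(thresholds=(20, 30, 60, 70)):
    """Map each threshold to the (FP, FN) counts of the scored detector."""
    return {t: evaluate(risk_score, t) for t in thresholds}


if __name__ == "__main__":
    print("exact IOC match (FP, FN):", evaluate(ioc_match))
    for t, counts in sweep().items():
        print(f"scored detector, threshold {t}: (FP, FN) = {counts}")
```

The exact IOC match misses the novel PowerShell exfiltration entirely (one false negative, no false positive), while the scored detector swings from two false positives at a low threshold to two false negatives at a high one; the sweet spot exists only because the sample is tiny and the weights were chosen to fit it, which is exactly why a real SOC has to keep re-tuning such thresholds.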

To stay ahead of the adversary, organizations have to use more sophisticated, dynamic tactics that keep evasion and deception techniques in mind. The work is tedious and requires a lot of manual effort, so it is important to apply the 80/20 rule in the areas that most effectively improve the productivity of the SOC team. Balabit surveyed IT security experts on which methods or vulnerabilities they think attackers use (and take advantage of) the most when they want to obtain sensitive data in the shortest time. Here are the most popular hacking methods:
1. Social engineering (e.g. phishing)
2. Compromised accounts (e.g. weak passwords)
3. Web-based attacks (e.g. SQL/command injection)
4. Client side attacks (e.g. against doc readers, web browsers)
5. Exploit against popular server updates (e.g. OpenSSL, Heartbleed)
6. Unmanaged personal devices (e.g. lack of BYOD policy)
7. Physical intrusion
8. Shadow IT (e.g. users’ personal cloud-based services for business purposes)
9. Managing third party service providers (e.g. outsourced infrastructure)
10. Taking advantage of data moved to the cloud (e.g. IaaS, PaaS)

One quickly notices that, based on these hacking methods, endpoints are at the heart of every cyber attack; they are attractive targets for hackers since they are vulnerable by nature and connected to users. With a success rate of close to 90%, hackers have understood that the antivirus software installed on endpoints is ill-equipped to thwart their attacks. Antivirus software was designed as a mouse trap to identify malware based on signatures: the software contains a library of signatures and uses them to identify malicious code. Every time new malware is discovered, antivirus vendors add its signature to a blacklist of applications. But attackers and their tactics have evolved; malware is no longer the only weapon in their toolkit. The threats today's security teams face include advanced persistent threats and ransomware attacks. There are also targeted attacks, which use tailor-made, never-before-seen malware variants; fileless attacks, which do not rely on malware files at all; and zero-day exploits that leverage unknown vulnerabilities. Unfortunately for defenders, all of these threats can bypass antivirus detection mechanisms. No wonder 9 out of 10 companies in Canada got hacked in 2017.

Detecting and effectively responding to advanced persistent threats requires ongoing, comprehensive endpoint visibility. Automating the threat hunting process is the only way SOCs can keep pace with morphing cyber attacks. This new threat landscape requires adding cyber detection to an organization's security strategy. Proactive detection, also known as cyber hunting, closes the gaps that traditional security tools, such as antivirus software, firewalls and sandboxes, neglect.

During an attack, attackers stay in your systems for weeks or months before the SOC detects them. The Cybereason deep hunting platform allows SOCs to automate the hunting process across the organization, correlating events from all endpoints at a rate of at least 8 million per second and then reaching a conclusion about whether your company is under attack by known operations, by unknown operations, or by insiders within your own organization who are not using any malware. Our clients are able to identify threats earlier and remediate them faster using our advanced automated hunting tool, with a few clicks of a button.

The platform automatically collects and organizes information so that SOCs can answer these five questions with certainty when under attack:
1. What is the root cause of the attack?
2. Which users and machines are affected?
3. What communications did the attacker make?
4. What tools did the attacker use?
5. What is the attack timeline?
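The five questions above map directly onto what an investigator derives from endpoint telemetry. The following is an added illustration, not the article's or any vendor's code: a small set of constructed process-creation and network events from two workstations is correlated into a process tree, and for one flagged process the root cause (the top of its ancestor chain), affected users and machines, communications, tools and timeline are derived. Host names, users, pids, images and destinations are all constructed; `INTERNAL_HOSTS` is an assumed inventory used to recognise lateral connections.

```python
"""Answering the five investigation questions from constructed endpoint telemetry.

Added illustration: process and network events are correlated by (host, pid)
into a process tree; for a flagged process the ancestor chain gives the root
cause and the whole tree gives users, machines, communications, tools and
the timeline.
"""
from collections import defaultdict

# Assumed host inventory, used to recognise internal destinations (constructed).
INTERNAL_HOSTS = {"ws01", "ws02", "ws03"}

# Constructed telemetry. ppid 1 stands for a parent the sensor did not record.
TELEMETRY = [
    {"ts": 1000, "host": "ws01", "user": "alice", "kind": "process", "pid": 10, "ppid": 1,  "image": "outlook.exe"},
    {"ts": 1005, "host": "ws03", "user": "bob",   "kind": "process", "pid": 30, "ppid": 1,  "image": "chrome.exe"},
    {"ts": 1010, "host": "ws01", "user": "alice", "kind": "process", "pid": 11, "ppid": 10, "image": "winword.exe"},
    {"ts": 1015, "host": "ws01", "user": "alice", "kind": "process", "pid": 12, "ppid": 11, "image": "powershell.exe"},
    {"ts": 1020, "host": "ws01", "user": "alice", "kind": "network", "pid": 12, "dest": "198.51.100.7:443"},
    {"ts": 1030, "host": "ws01", "user": "alice", "kind": "process", "pid": 13, "ppid": 12, "image": "stage2.exe"},
    {"ts": 1040, "host": "ws01", "user": "alice", "kind": "network", "pid": 13, "dest": "ws02:445"},
    {"ts": 1050, "host": "ws03", "user": "bob",   "kind": "network", "pid": 30, "dest": "198.51.100.20:443"},
]


def build_index(events):
    """Index process events by (host, pid) and record parent -> children links."""
    procs = {}                      # (host, pid) -> process event
    children = defaultdict(list)    # (host, ppid) -> [(host, pid), ...]
    for e in events:
        if e["kind"] == "process":
            key = (e["host"], e["pid"])
            procs[key] = e
            children[(e["host"], e["ppid"])].append(key)
    return procs, children


def ancestors(key, procs):
    """Walk parent links from key until the parent is unknown to the sensor."""
    chain = [key]
    while True:
        e = procs[chain[-1]]
        parent = (e["host"], e["ppid"])
        if parent not in procs:
            return chain
        chain.append(parent)


def subtree(root, children):
    """All (host, pid) keys in the process tree rooted at root."""
    seen, stack = [], [root]
    while stack:
        k = stack.pop()
        seen.append(k)
        stack.extend(children.get(k, []))
    return seen


def investigate(events, flagged):
    """Answer the five questions for the tree containing the flagged (host, pid)."""
    procs, children = build_index(events)
    chain = ancestors(flagged, procs)
    root = chain[-1]                       # 1. root cause: top of the ancestor chain
    tree = set(subtree(root, children))
    tree_events = sorted((e for e in events if (e["host"], e["pid"]) in tree),
                         key=lambda e: e["ts"])
    comms = [e["dest"] for e in tree_events if e["kind"] == "network"]   # 3. communications
    hosts = {h for h, _ in tree}
    hosts |= {d.split(":")[0] for d in comms if d.split(":")[0] in INTERNAL_HOSTS}  # lateral targets
    return {
        "root_cause": procs[root]["image"],
        "affected_users": sorted({procs[k]["user"] for k in tree}),      # 2. users
        "affected_machines": sorted(hosts),                               # 2. machines
        "communications": comms,
        "tools": sorted({procs[k]["image"] for k in tree}),               # 4. tools
        "timeline": [(e["ts"], e["host"], e["kind"], e.get("image") or e["dest"])
                     for e in tree_events],                               # 5. timeline
    }


if __name__ == "__main__":
    for question, answer in investigate(TELEMETRY, ("ws01", 13)).items():
        print(f"{question}: {answer}")
```

Flagging `stage2.exe` on ws01 leads back through PowerShell and Word to Outlook as the root cause, and the tree's network events reveal both the external download and the SMB connection to ws02, which is therefore listed as an affected machine even though no process on ws02 was recorded; the unrelated browsing on ws03 is correctly left out.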

Investing in automated threat hunting and real-time attack detection and response addresses 8 of the 10 most popular hacking methods. At UbiTech, we provide tools and services that help organizations identify advanced persistent threats (APTs) early and remediate them effectively in an automated manner. We are happy to see our clients move from an alert-based, whack-a-mole style of security response to a more holistic, environment-based approach to security detection and response. Reach out to us for a short demo to see how our hunting engine can supercharge your security analysts' productivity and protect your organization.