The Automated SOC: Reviewing the Future of Layered Security Solutions

by David Evenden


The remote workforce has driven the need for new innovative solutions that meet organizational needs as it relates to remote access of critical data. The Automated Security Operations Center is the answer to this new challenge in cybersecurity.

This layered approach to security is the fastest, most effective, and highly secure design that meets enterprise needs: it gives authorized employees and endpoints access to critical data, introduces and implements an asset management plan, blocks breach attempts, monitors for anomalous activity, quarantines identified intrusions, and provides a holistic view of company needs and organizational requirements.

This secure design, made possible by increased visibility and confident automated breach prevention, is automated cybersecurity powered on the back end by Cybereason. The holistic approach to security is enhanced by the StandardUser and Cybereason automated threat hunting relationship in the Automated Security Operations Center.

Cybereason

Cybereason unites with defenders to reverse the adversary advantage. Using one agent (their Endpoint Detection and Response, or EDR, sensor), one console, and one team to defend all endpoints, the Cybereason Defense Platform was designed to expose and intercept every Malop (malicious operation). A Malop is not an alert but a contextualized view of the full narrative of an attack. Only Cybereason provides the actionable intelligence to outthink the adversary, the remediation speed to outpace their operations, and the insights to end any attack.

The Cybereason Defense Platform moves beyond endless alerting to instead recognize, expose, and end malicious operations before they take hold. The result: Defenders can end attacks in minutes.

Dashboard

An important part of monitoring threats is having a good view of the system. The dashboard provides an overview of the sensors deployed within the environment. A sensor is any device with the Cybereason endpoint agent installed on it. The dashboard gives the status, sensor software version, and OS version and type for each device being monitored, which helps keep devices up to date and patched with the latest security fixes.

Discovery

Moving beyond alerts to fully contextualized and correlated attack stories in real time, without complex queries and protracted investigations, begins at the discovery board after installation. Malops (malicious operations) are clustered based on the stage they have reached in the attack life cycle. The degree of pervasiveness of each malop and the time it was last active help analysts prioritize threat triage. Other statistics, such as a malop's activity over time, can inform threat policy settings and identify targeted attacks.

Categorization of malops by type can pinpoint potential vulnerabilities in the environment's security settings. While the status of malops helps the administrators and analysts track which threats are yet to be addressed, the malware section points to the threats that were dealt with at the level of the endpoint. Cybereason's NGAV provides endpoint protection, and any malware that it detects is quarantined and suspended. If NGAV isn't able to address the threat, it escalates it and brings the threat to the attention of the analysts on the discovery board of the Security Operations Center.

Automated Real-Time Threat Hunting

Other solutions limit the critical data they collect because they can't process or store it, but Cybereason collects and analyzes 100% of event data in real time.

Cybereason correlates attack context across all endpoints through a single lightweight agent and uses real-time reporting that enables analysts to terminate threats before they become breaches. The Cross Machine Correlation (CMC) engine carries out this task and helps generate evidence of potential threats. This evidence is based on past behavior, the user or process generating the data point, the prevalence of the behavior in the organization, and the degree of similarity to potentially malicious behavior. To prevent false positives and avoid overwhelming analysts, the evidence is further investigated by Cybereason's software to determine the likelihood of malice, and beyond a certain threshold it is escalated to the level of a malop.

A second approach to automated real-time threat hunting involves the use of NGAV's AI to detect malware. Traditional AVs use file hashes to detect whether a file or an executable is malware; NGAV does that too, but it also leverages AI to detect malware that has been modified or hasn't been previously documented. This provides an additional layer of proactive security, coupled with NGAV's capacity to detect fileless malware and ransomware attacks.

Automated Remediation

Leverage auto-remediation to end threats instantly, or remediate with a single click during investigations on any device across the entire network. Cybereason provides built-in options for remediation, which enable users to take action and address threats with minimal intervention. If the machine is online, actions such as killing processes, quarantine, removing registry entries, machine isolation, and file execution prevention are carried out as soon as the user requests them. If the machine is offline, all actions except process termination are queued and carried out as soon as the machine comes back online. The UI also affords advanced remediation by allowing analysts to open a remote shell to the machine from within the interface.

Saved Queries

A nifty automated cybersecurity feature to aid investigation and threat hunting is the ability to use queries to search the environment for specific information and behavioral patterns. Complex queries filter data on multiple parameters and reduce a large dataset to only the germane results. Building an intersection of multiple features and filtering data in this manner is normally a cumbersome process, but with Cybereason's graphical interface it becomes relatively trivial, and the queries can be saved for future use or modification.

StandardUser

API Access & Data Influence

The relationship between Cybereason and StandardUser is made possible through the API provided by Cybereason. This API serves as a bridge between the Cybereason Defense Platform and StandardUser’s Automated Security Operations Center (SOC). With this API, the Automated SOC has access to Cybereason’s threat hunting data and the ability to manage Cybereason’s policies. With the help of this integration, the Automated SOC is able to provide an extra layer of protection on top of, and with the help of, the Cybereason Defense Platform.

Organizing Departmental Groups

The Automated Security Operations Center also supports the organization of machines into different departments, which provides increased visibility and customizability to an organization’s security. This separation of departments allows one to visualize the activity and patterns of a department as a whole, in addition to any threats that may be unique to that department. More importantly, departmental grouping allows security policies to be set at a department level rather than an organization level, allowing for each department to have more specialized and relevant antivirus configurations, software baselines, and policy baselines.

Developing Software Baselines

Software baselining ensures that only trusted software is allowed on a machine. In developing a software baseline, an admin whitelists the set of applications that are trusted by an organization or department and only allows this software on a machine. When software outside of this whitelist is introduced to a machine, the admin has the ability to either whitelist this software or quarantine the machine from the network until the issue can be remediated. This tool makes it easier to find active threats and potentially unsafe software that a malicious actor may use to compromise a machine. 

Developing Process Baselines

Process baselining builds upon software baselining and extends its reach substantially. Whereas software baselining manages what applications are allowed on a machine, process baselining ensures that the processes running on a machine belong to an allowed piece of software. This makes untrusted and suspicious processes easily visible, increasing an organization’s protection against attacks that create a new process without installing an untrusted piece of software.
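The two baselining checks described above, as an added illustration that is not StandardUser's or Cybereason's code: a constructed department baseline lists allowed applications and the executable paths each is expected to run from, and the process check separately reports a binary with an allowed file name running from an unexpected directory, which is exactly the "new process without a new install" case the text calls out. All application names, paths and hosts are hypothetical sample data.

```python
from dataclasses import dataclass

# Constructed sample baseline for one department (hypothetical apps and paths).
# "software": application names the department may have installed.
# "processes": for each allowed application, the image paths it should run from.
BASELINES = {
    "finance": {
        "software": {"Spreadsheet Pro", "Browser X", "EDR Sensor"},
        "processes": {
            "Spreadsheet Pro": {r"c:\program files\spreadsheet pro\sheet.exe"},
            "Browser X": {r"c:\program files\browser x\browserx.exe"},
            "EDR Sensor": {r"c:\program files\edr sensor\sensor.exe"},
        },
    }
}

@dataclass(frozen=True)
class Process:
    host: str
    path: str  # full image path as reported by the endpoint sensor

def _norm(path: str) -> str:
    """Normalise case and separators so baseline and sensor paths compare equal."""
    return path.lower().replace("/", "\\")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def software_violations(dept: str, installed: dict[str, set[str]]) -> list[tuple[str, str]]:
    """installed maps host -> installed application names.
    Returns (host, app) pairs that fall outside the department's software whitelist."""
    allowed = BASELINES[dept]["software"]
    return sorted((host, app) for host, apps in installed.items() for app in apps - allowed)

def process_violations(dept: str, procs: list[Process]) -> list[tuple[str, str, str]]:
    """Returns (host, path, reason) for every process not backed by an allowed application.
    A process whose file name matches an allowed executable but whose directory differs
    is reported with its own reason, since that pattern suggests masquerading."""
    allowed_paths = {p for paths in BASELINES[dept]["processes"].values() for p in paths}
    allowed_names = {_basename(p) for p in allowed_paths}
    findings = []
    for proc in procs:
        path = _norm(proc.path)
        if path in allowed_paths:
            continue  # process belongs to a whitelisted application
        if _basename(path) in allowed_names:
            reason = "allowed binary name from unexpected path"
        else:
            reason = "process not in any allowed application"
        findings.append((proc.host, path, reason))
    return findings
```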

User Behavioral Analytics

While Cybereason applies behavior analysis to user activity, StandardUser Automated SOC Analysts work closely with clients to better understand who should be accessing data, and when, where, and how. When something outside the baselined standards occurs, algorithms running inside the Automated SOC (integrating with the Cybereason API) are able to immediately identify and block that activity, preventing unauthorized access by external malicious actors or insider threats.

Custom IOC Searching

The Automated SOC supports a manual search for IOCs (indicators of compromise). If there is a suspicion that an unsafe URL was visited or a malicious process is running on a computer, one may search for that individual threat and see what machines have been affected by it. This capability gives an individual the ability to put their organization under a microscope in order to hunt for threats, if they wish to do so. Additionally, policies may be laid out to specify IOCs that will be searched for regularly, eliminating the need for repetitive manual searches.

Internal Network Connection Visibility

With access to network connections, queries, and processes, analysts operating in the Automated Security Operations Center are also able to see and create customized alerts based on anomalous internal network activity. For instance, a common TTP of malicious attackers is to use SMB/445 to communicate and migrate throughout a network, jumping from machine to machine. With the granular level of access in this new tool, analysts are now able to stop endpoint activity that initiates 445 connections from workstation to workstation, a path on which SMB activity is rarely authorized.
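The workstation-to-workstation SMB rule described above, as an added example that is not the Automated SOC's or Cybereason's code: it parses constructed connection records, classifies endpoints with a hypothetical asset inventory (role per IP), alerts only on TCP/445 between two workstations that are not on an exception list, and counts distinct peers per source so that one host fanning out to several neighbours stands out. The log format, addresses, roles, and exception list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed asset inventory: IP -> role. In practice this comes from the asset
# management plan / sensor dashboard; these entries are sample data only.
ASSET_ROLES = {
    "10.0.1.5": "workstation",
    "10.0.1.9": "workstation",
    "10.0.1.12": "workstation",
    "10.0.2.20": "server",       # file server: a legitimate SMB destination
    "10.0.3.1": "workstation",   # admin workstation, permitted below
}
# Sources allowed to open SMB to workstations (e.g. an admin host); constructed.
SMB_EXCEPTIONS = {"10.0.3.1"}

_KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Parses a constructed '<timestamp> key=value ...' connection record."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    ev.update(dict(_KV.findall(rest)))
    ev["dport"] = int(ev["dport"])
    return ev

def is_ws_to_ws_smb(ev: dict) -> bool:
    """True when a workstation opens TCP/445 to another workstation without an exception."""
    src, dst = ev["src"], ev["dst"]
    return (ev["dport"] == 445 and ev.get("proto", "tcp") == "tcp"
            and src != dst and src not in SMB_EXCEPTIONS
            and ASSET_ROLES.get(src) == "workstation"
            and ASSET_ROLES.get(dst) == "workstation")

def detect_lateral_smb(lines: list[str]):
    """Returns (alerts, fanout): alerts are the offending events in log order;
    fanout maps each alerting source to the number of distinct workstations it
    reached, so a single source touching several peers is easy to spot."""
    alerts = [ev for ev in map(parse_event, lines) if is_ws_to_ws_smb(ev)]
    peers = defaultdict(set)
    for ev in alerts:
        peers[ev["src"]].add(ev["dst"])
    return alerts, {src: len(d) for src, d in peers.items()}

SAMPLE_LOG = [  # constructed sample connection records
    "2021-08-03T10:00:01Z src=10.0.1.5 dst=10.0.2.20 dport=445 proto=tcp",
    "2021-08-03T10:00:07Z src=10.0.1.5 dst=10.0.1.9 dport=445 proto=tcp",
    "2021-08-03T10:00:09Z src=10.0.1.5 dst=10.0.1.12 dport=445 proto=tcp",
    "2021-08-03T10:00:15Z src=10.0.3.1 dst=10.0.1.9 dport=445 proto=tcp",
    "2021-08-03T10:00:20Z src=10.0.1.9 dst=10.0.1.12 dport=443 proto=tcp",
]
```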

New innovations are paramount in this digital era, and we are here to provide automated cybersecurity solutions, as well as customized setup and monitoring, to businesses across the globe. The Automated Security Operations Center is next-level defense for your business and peace of mind.


Article originally published at: https://pentestmag.com/product/pentest-advanced-webapp-attacks/

August 3, 2021
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013