Alex Mastretti, engineering manager of the security intelligence and response team at Netflix, recently declared the formation of a “SOCless detection team,” signalling a shift in their security program in an effort to bring detection and response closer together. Optimizing your team’s approach to security can feel like a huge, but worthwhile undertaking, and as we discussed in our post, “Time to Blow Up the SOC?” the time for change is now. Many teams are re-examining their organizations’ security programs come to the realization that their SOC may be burdening their team’s efforts instead of helping them. As Alex so deftly put it, “The last thing we want is a bunch of lame alerts creating busy work for a large standing SOC.”
In short, a SOC is often faced with a constant barrage of data, making it nearly impossible to keep up with alerts, nevermind respond to them appropriately. Issues such as alert fatigue are very real and put the security of entire organizations in jeopardy. Improving data quality and automation are two key factors that Alex addresses, and they can go hand in hand to minimize false positives and help effectively respond to attacks as soon as they happen.
First, when it comes to data, more is more – but that could mean more alerts, not increased protection As we often say here at Capsule8, “The answer to more efficiently finding the needle in the haystack isn’t collecting more hay.” It’s crucial to focus on telemetry data that can provide meaningful signals and not just noise. Data pumped in through a traditional security appliance, for example, can provide a look at network traffic but not the necessary context to make a good, and immediate, call. This means your confidence in each potential alert is lower, so you have to investigate each one and eat up valuable time and resources that could be spent on more meaningful security issues. Relevant data on the machine level provides better visibility into what’s happening on a file system, what’s happening in memory, what’s happening in the OS, and even what’s happening in the application (for common applications). That’s telemetry data that can help you hone in on important signals and push aside the false positives that can divert the attention of your team.
Second, security teams should be focused on automation to aid in providing quick and effective responses to stop attacks as they happen. As Alex discusses, “every triggered rule should fire automation before it fires an alert to a human. When a human gets an alert they should be the right person, and be provided the right context and the right set of options.” This approach of “decentralizing alert triage to system experts,” will help immediate investigation when there is the highest probability of a real attack and monitoring the truly critical events in real time. To take it one step further, automated responses such as such as strategically killing attacker connections or restarting workloads upon detection of an attack can disrupt them as soon as they are detected, saving the crucial seconds, minutes, hours, or even days it would take for a typically SOC response. Another key aspect of this approach is aligning the pain of alert fatigue with the security team responsible for the systems that generate them. By aligning the alert triage with those who have the ability to reduce them, incentives are aligned for high-quality alerts.
This “SOCless” approach could also be (and was, by one of our co-founders) called “Capsule8 in a box.” It’s a more proactive approach to security so time and resources aren’t wasted by false alerts and ensuring the ensuing response is the right one. This approach will help to cut down on wasting countless hours investigating false alarms and our “shoot first, ask questions later,” strategy for attack disruption means that alerts that are highly likely to be real attacks can be stopped faster, before any damage is done.
Driving toward the SOCless enterprise is the motivation behind the Capsule8 Platform. Over the coming weeks, expect more from us on how security engineering organizations can take the journey to becoming SOC-less.
Capsule8 is developing the industry’s first real-time, zero-day exploit detection platform purpose-built for Linux production environments – whether containerized, virtualized or bare metal.