Everything you do from a security operations center (SOC) perspective should have a purpose. This includes the data you collect, which enables the analytics you perform, and influences how you respond to detection outputs from the heterogeneous system known as the SOC.
Even as I write this, I’m unsure if you will consider the idea of a rigid data strategy as painfully obvious or a pipe dream. That’s a problem.
Why do you collect the specific logs you collect? Do you have specific outcomes or processes in mind that each log source supports, or are you just following best practices? If the latter, then I challenge us to do better. Best practices are important guardrails that make sure we’re doing the bare minimum to protect our organizations, but if we can’t articulate how our SOC is using a particular data stream, how can we be sure we’re achieving the benefits that led to it being a best practice to begin with?
So what does a good data strategy look like?
Endpoint detection and response (EDR) may be the most impactful security technology of the last decade, and it gives us an opportunity to model how a good data strategy can work.
Security vendors are better equipped to scalably build and maintain detection rules than most customers. This isn’t to say that customers shouldn’t be able to manage their own custom detection rules, but that for the most part, every full-time employee (FTE) the vendor has tuning detections is an FTE saved by every one of their customers.
Now, because the vendor is tuning these rules in-house and presumably has developers on staff maintaining the product, it follows that when a detection needs an additional data source, the vendor can add a collector to its endpoint agent. An illustrative example would have been adding the process and network monitoring needed to detect Log4j exploitation.
Collecting additional log sources to enable specific detections is a great example of building with purpose, but the EDR story doesn’t stop there. The next innovation was recognizing how much external data sources add to what an endpoint agent can collect on its own. This mattered for two reasons: it let the same system manage endpoint security and also perform detections on systems where no endpoint agent was installed; and it let alerts be stitched together to tell the full story of a breach instead of just alerting on a series of individually compromised systems. Extending EDR to ingest external log sources and treat them as though they were collected natively led to the creation of the extended detection and response (XDR) space.
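The two XDR benefits described above, detecting on hosts that have no agent and stitching alerts from different sources into one story, can be shown with a small example. The code below is added here for illustration and is not Palo Alto Networks product code; the event records, rule names, host names, IP addresses and the agent inventory are all constructed. It runs two rules (one over endpoint process events, one over external firewall events) and then groups the resulting alerts per host within a five-minute window, so that a host with both an agent and firewall coverage yields a single incident spanning both sources, while an agentless host still gets an incident from the firewall data alone.

```python
"""Added example: detecting on endpoint and external (firewall) telemetry and
stitching the resulting alerts into per-host incidents. All sample events,
hosts and addresses are constructed; this is not Palo Alto Networks code."""
from datetime import datetime, timedelta

# Constructed sample telemetry. "endpoint" events come from an agent;
# "firewall" events come from an external source and also cover hosts
# that have no agent installed.
ENDPOINT_EVENTS = [
    {"ts": "2023-03-01T10:00:05", "host": "ws-101", "source": "endpoint",
     "parent": "java.exe", "child": "cmd.exe"},
    {"ts": "2023-03-01T11:15:00", "host": "ws-222", "source": "endpoint",
     "parent": "explorer.exe", "child": "notepad.exe"},
]
FIREWALL_EVENTS = [
    {"ts": "2023-03-01T10:00:02", "host": "ws-101", "source": "firewall",
     "proto": "ldap", "dst": "198.51.100.7", "dport": 1389},
    {"ts": "2023-03-01T10:00:09", "host": "srv-legacy-03", "source": "firewall",
     "proto": "ldap", "dst": "198.51.100.7", "dport": 1389},
    {"ts": "2023-03-01T14:30:00", "host": "ws-222", "source": "firewall",
     "proto": "https", "dst": "203.0.113.5", "dport": 443},
]
# Constructed inventory of hosts that have the endpoint agent installed.
AGENT_INVENTORY = {"ws-101", "ws-222"}

SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
JVM_PARENTS = {"java.exe", "java"}


def rule_jvm_spawns_shell(ev):
    """Endpoint rule: a JVM process launching a shell is a common
    post-exploitation pattern for Java deserialization/JNDI bugs."""
    if ev["source"] != "endpoint":
        return None
    if ev["parent"] in JVM_PARENTS and ev["child"] in SHELLS:
        return "jvm-spawned-shell"
    return None


def rule_outbound_ldap_nonstandard_port(ev):
    """External rule: outbound LDAP to a non-standard port is rarely
    legitimate, and it is visible even for hosts without an agent."""
    if ev["source"] != "firewall":
        return None
    if ev["proto"] == "ldap" and ev["dport"] not in (389, 636):
        return "outbound-ldap-nonstandard-port"
    return None


RULES = (rule_jvm_spawns_shell, rule_outbound_ldap_nonstandard_port)


def detect(events):
    """Run every rule over every event; return one alert per rule hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"ts": datetime.fromisoformat(ev["ts"]),
                               "host": ev["host"], "source": ev["source"],
                               "rule": name})
    return alerts


def stitch(alerts, agent_inventory, window=timedelta(minutes=5)):
    """Group alerts per host. An alert within `window` of the previous alert
    on the same host joins that incident, so one incident can span sources."""
    incidents = []
    open_by_host = {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        inc = open_by_host.get(alert["host"])
        if inc is None or alert["ts"] - inc["last_ts"] > window:
            inc = {"host": alert["host"],
                   "agent_covered": alert["host"] in agent_inventory,
                   "alerts": [], "sources": set(), "last_ts": alert["ts"]}
            incidents.append(inc)
            open_by_host[alert["host"]] = inc
        inc["alerts"].append(alert["rule"])
        inc["sources"].add(alert["source"])
        inc["last_ts"] = alert["ts"]
    return incidents


def build_incidents(events, agent_inventory):
    """Detect, then stitch: the pipeline an XDR-style system runs."""
    return stitch(detect(events), agent_inventory)


if __name__ == "__main__":
    for inc in build_incidents(ENDPOINT_EVENTS + FIREWALL_EVENTS, AGENT_INVENTORY):
        print(inc["host"], "agent" if inc["agent_covered"] else "no agent",
              sorted(inc["sources"]), inc["alerts"])
```

With the constructed input, ws-101 produces one incident carrying both the firewall alert and the endpoint alert, srv-legacy-03 produces an incident from firewall data alone despite having no agent, and ws-222 produces nothing. The point of the exercise is that each collected source is tied to a rule that consumes it; a source no rule reads would show up here as dead weight.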
How does this relate to my SOC?
What we just outlined is how a particular technology evolved around specific objectives, growing to encompass other technologies and, as with XDR, extending the benefits of its architecture beyond its initial endpoint use case. Some of the products deployed in your environment will embody good data strategy practices, and others won’t. Your data strategy is not limited to which data you collect and how that data is used; your overall security strategy should also inform how and where you leverage that data. Let’s talk about the Palo Alto Networks SOC and the transformation we underwent in building toward a mature data strategy.
Our SOC prioritizes prevention and automation early in the cyberattack lifecycle, so that our analysts can focus on things humans are good at, such as threat hunting and identifying novel attacks. Over the course of several years, we reduced our mean time to detect to 10 seconds and our mean time to respond to one minute, and achieved a staff efficiency of 16 FTEs.
Fortunately, it won’t take you years to reproduce these types of results because we’ve distilled what we’ve learned along the way into our products, but this is not a product pitch. Start thinking about the outcomes and objectives you can pursue and how to make sure you are collecting the right data, and leveraging the right strategies with that data to achieve those outcomes.
For more information on building a security data strategy and other exciting content, register for Cortex Symphony 2023 here.