I’ve Got to Break Free

“I want to break free, I want to break free from your lies, You’re so self-satisfied I don’t need you, I’ve got to break free, God knows, God knows I want to break free.” -Queen.

John Deacon wrote the song and Freddie Mercury sang it, bemoaning the binding nature of falling in love. Whether sarcastically or paradoxically, the songwriter longs to break free of the hold love has on the human heart. Deacon was not a security technologist; however, the song should be the theme song of every Security Operations Center (SOC). Today, Security Information and Event Management (SIEM) tools have a grip on the industry from which the SOC cannot seem to break free. Here, we briefly discuss the problems with SIEM today, detail proven military tactics applicable to cyber defensive operations, and identify opportunities organizations can leverage when transitioning between tools.

Problems with SIEM Today

There are many challenges with SIEM tools today, and most of them are independent of the vendor. The SIEM market is built on the same fundamental philosophy, and the capabilities that grew out of that philosophy have become table stakes across manufacturers. The same holds true for the problems of putting a SIEM at the core of security operations: nearly every product on the market suffers from the same shortfalls, because they all inherit the legacy philosophy that created SIEM in the first place.

Alert Fatigue

Alert fatigue is hard to define but easy to describe. Everyone has heard the story of “The Boy Who Cried Wolf”. In this fable, a shepherd boy torments his town by falsely calling out that a wolf is in the sheep’s pasture. The townspeople run to defend their livestock and find no wolf, to the boy’s amusement alone. He does this so many times that eventually, when a real wolf does appear, the town no longer believes him, and the wolf takes the sheep because of the boy’s dangerously false alarms. Alert fatigue works the same way. Cyber security alerts fall into false positives, true positives, and benign true positives (the rule fired correctly, but on expected activity). If the share of false positives is too high, the SOC analyst will eventually tune out the nearly identical true positive because that alert has “cried wolf” too many times before. Alert fatigue has been recognized in the industry for a while; the trouble is that it has become so commonplace that it is accepted as normal, and it has been found at the root of many prominent breaches.
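The practical check behind this paragraph is to measure, per detection rule, how often an analyst’s triage ends in a real finding. The following Python is an added example and not code from the original article or its authors; the rule names, the triage history, and the thresholds (at least 10 firings, more than 80% noise) are constructed assumptions. It separates benign true positives from false positives because the two call for different fixes: a rule dominated by benign true positives is correct but needs an allowlist or more context, while one dominated by false positives needs its logic rewritten or suppressed.

```python
"""Added example: measuring alert fatigue per detection rule from analyst
triage outcomes. The alert records, rule names and thresholds below are
constructed for illustration and are not real SOC data."""
from collections import defaultdict

# Dispositions as the text defines them:
#   TP  - true positive, real malicious activity
#   BTP - benign true positive, the rule fired correctly on expected activity
#   FP  - false positive, the rule misfired
DISPOSITIONS = {"TP", "BTP", "FP"}

# Constructed triage history as (rule name, disposition) pairs.
TRIAGED_ALERTS = (
    [("Internal port scan", "FP")] * 45
    + [("Internal port scan", "BTP")] * 4
    + [("Internal port scan", "TP")] * 1
    + [("Admin logon from new host", "BTP")] * 30
    + [("Admin logon from new host", "TP")] * 3
    + [("Admin logon from new host", "FP")] * 2
    + [("Encoded PowerShell command", "TP")] * 6
    + [("Encoded PowerShell command", "FP")] * 2
    + [("Rare scheduled task", "FP")] * 3
)


def rule_stats(alerts):
    """Count dispositions per rule and derive precision (share that was a
    real threat) and noise rate (share that cost analyst time for nothing)."""
    counts = defaultdict(lambda: {"TP": 0, "BTP": 0, "FP": 0})
    for rule, disposition in alerts:
        if disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {disposition!r} for {rule!r}")
        counts[rule][disposition] += 1

    stats = {}
    for rule, c in counts.items():
        fired = sum(c.values())
        stats[rule] = {
            **c,
            "fired": fired,
            "precision": c["TP"] / fired,
            "noise_rate": (c["FP"] + c["BTP"]) / fired,
        }
    return stats


def tuning_recommendations(stats, min_fired=10, max_noise=0.8):
    """Flag rules that fire often and rarely yield a true positive.

    Rules below min_fired are left alone: a handful of firings is not enough
    evidence to act on. Above that, the dominant noise type decides the fix.
    """
    recs = {}
    for rule, s in stats.items():
        if s["fired"] < min_fired or s["noise_rate"] <= max_noise:
            continue
        if s["BTP"] >= s["FP"]:
            # The rule is right about what happened; the activity is expected.
            recs[rule] = "allowlist expected sources / add context"
        else:
            # The rule is wrong about what happened; its logic is the problem.
            recs[rule] = "rewrite detection logic or suppress"
    return recs


if __name__ == "__main__":
    for rule, action in tuning_recommendations(rule_stats(TRIAGED_ALERTS)).items():
        print(f"{rule}: {action}")
```

Run against the constructed history, the port-scan rule (49 of 50 firings were noise, mostly false positives) is flagged for a rewrite, the admin-logon rule (mostly benign true positives) is flagged for an allowlist, and the low-volume rules are left untouched.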

Collect Everything / Watch Everything

The exponentially growing quantity of data available for collection, and the fear of lacking the data needed to piece together a breach, drive the inclination both to collect every log generated across the enterprise and to watch every alert that collection generates. This stems from the flawed belief that centralized log management best practice requires organizations to publish every event in raw format to their SIEM. In most organizations, 100% collection is both unachievable and unnecessary. In fact, if most organizations faithfully executed this requirement, they would drown in log management problems, and security alerts would no longer be the priority.

Once all logs are collected, security operations often feel obliged to watch everything. Many organizations purchased their SIEM for the sole purpose of creating alerts: for every correlation rule there is an alert, whether or not anyone can act on it. This foundational misunderstanding has become commonplace and accepted in the industry, and it only feeds alert fatigue rather than protecting the organization.

Rising Costs

Because of centralized storage strategies, organizations feel obligated to keep piping increasing amounts of data to their SIEM. Combined with the growing volume of compute in organizations, this usually means purchasing more EPS (Events Per Second) capacity year over year. As the volume grows, organizations struggle to get it all into the SIEM without ever tuning the alerting logic, which furthers the alert fatigue cycle. This cycle of more compute, more log volume, more EPS, and more spend has no end in sight. Breaking free from these challenges has never been more important than it is today.

Military Tactics Applied

Although few organizations have settled on an appropriate framework for combating these challenges, the military has developed tactics and doctrine that can give organizations a new way of thinking, one that is defensible to the security professionals in their respective organizations.

Intelligence Driven

In the military, most operations start with intelligence. Marine Corps Doctrinal Publication – 2 states the four objectives of intelligence:

  1. Identifies and evaluates existing conditions and capabilities
  2. Estimates possible enemy courses of action
  3. Aids in identifying friendly vulnerabilities the enemy may exploit
  4. Assists in the development and evaluation of friendly courses of action based on the results of the first three

With these objectives in mind, the military plans its operations fully aware that a failure in intelligence results in a failed plan. Intelligence estimates have driven military operations for centuries and can drive corporate cyber defense strategies as well.

The similarities between the two worlds outweigh their differences. An intelligence-driven approach to defensive cyber security operations and SIEM implementation helps a company determine whether it is defending against an actual threat rather than merely a possible one, and therefore which detections deserve an analyst’s attention.

Take Appropriate Risk

Most security leaders today have a low risk tolerance. The military approach, however, contends that accepting risk is necessary to all operations, not only combat operations. Marine Corps Doctrinal Publication – 1, the foundation of U.S. Marine Corps doctrine, states: “We must not tolerate the avoidance of responsibility or necessary risk.” (p. 3-7); “the essence of the problem is to select a promising course of action with an acceptable degree of risk and to do it more quickly than our foe” (p. 4-18); and “the main effort involves a physical and moral commitment,…It forces us to concentrate decisive combat power just as it forces us to accept risk.” (p. 4-22). When organizations try to accept little or no risk with their SIEM, they are falsely hoping to catch anything by orienting on everything. Security operations should operate like military operations on this front: SOCs need to learn to accept appropriate risk so they can orient specifically on the enemy and protect their critical assets.

Cover Gaps

Marine Corps Warfighting Publication 3-11.1 highlights the importance of company-level patrols in a defensive position: “[Company Patrols] can provide redundant collection for important [information requirements] and fill gaps in the company’s collection plan.” (MCWP 3-11.1 p. 4-15) In the cybersecurity context, these patrols have a function similar to a threat hunt. Ideally, a threat hunt produces intelligence that feeds back into monitoring and alerting, and when conducted appropriately it can uncover threats in places where the organization lacks an appropriate control. Applying this doctrine to a SIEM implementation, a security technologist can use the SIEM as a compensating control where mitigation cannot be achieved by other means.

For instance, if an organization knows from its threat and vulnerability matrix that it needs to invest in a Privileged Access Management (PAM) tool to reduce the risk of credential theft, but there is no budget for the tooling today, the SIEM can provide the needed risk reduction through increased monitoring for credential theft indicators, such as privileged accounts logging on from hosts they should never use, or a burst of failed logons followed by a success. Using this military-driven approach, organizations can leverage their SIEM investment more intelligently to monitor known security gaps rather than simply “monitoring everything.”
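What that compensating control looks like as correlation logic, as an added example that is not part of the original article: the Python below runs two narrow detections over constructed Windows Security events (EventID 4624 logon success, 4625 logon failure). The account names, the jump-host allowlist, the event format, the five-failure threshold and the ten-minute window are all assumptions made for the example. Rule 1 watches any account for a run of failures followed by a success; rule 2 watches only the privileged accounts for use from a host outside their designated jump hosts, which is the gap a PAM tool would otherwise close.

```python
"""Added example: SIEM correlation as a compensating control for credential
theft when no PAM tool is in place. The events, account names, host names
and thresholds below are constructed assumptions, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed privileged accounts and the jump hosts they may legitimately use.
PRIVILEGED_ACCOUNTS = {"da-admin", "svc-backup"}
ALLOWED_SOURCES = {"da-admin": {"JUMP01"}, "svc-backup": {"BACKUP01"}}

FAIL_THRESHOLD = 5              # failed logons before a success is suspicious
WINDOW = timedelta(minutes=10)  # look-back for those failures

# Constructed, simplified Windows Security events (not real logs).
# Fields: timestamp, EventID (4624 logon success / 4625 failure),
# account, source host, logon type (2 interactive, 3 network, 4 batch, 10 RDP).
SAMPLE_EVENTS = """
2021-03-02T09:00:01 4624 da-admin JUMP01 10
2021-03-02T09:05:10 4625 da-admin WS-0423 3
2021-03-02T09:05:12 4625 da-admin WS-0423 3
2021-03-02T09:05:15 4625 da-admin WS-0423 3
2021-03-02T09:05:19 4625 da-admin WS-0423 3
2021-03-02T09:05:24 4625 da-admin WS-0423 3
2021-03-02T09:06:02 4624 da-admin WS-0423 3
2021-03-02T09:30:00 4624 svc-backup BACKUP01 4
2021-03-02T10:00:00 4624 jsmith WS-0101 2
2021-03-02T10:15:00 4624 svc-backup WS-0787 3
"""


def parse_events(raw):
    """Parse the whitespace-separated sample format into dicts, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        ts, event_id, account, host, logon_type = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "host": host,
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_credential_misuse(events):
    """Two narrow detections aimed at the gap PAM would otherwise cover.

    Rule 1 (any account): at least FAIL_THRESHOLD failures from the same
    account/host pair within WINDOW, followed by a success, which is how
    guessed or sprayed credentials look in the log.
    Rule 2 (privileged accounts only): a successful logon from a host that
    is not one of the account's designated jump hosts.
    """
    alerts = []
    failures = defaultdict(list)  # (account, host) -> timestamps of 4625s
    for ev in events:
        key = (ev["account"], ev["host"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["time"])
            continue
        if ev["event_id"] != 4624:
            continue  # event types this example does not model

        # Rule 1: failures within the window, then this success. The success
        # consumes the failure history so one burst yields one alert.
        recent = [t for t in failures.pop(key, []) if t >= ev["time"] - WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"rule": "failures_then_success",
                           "account": ev["account"], "host": ev["host"],
                           "failures": len(recent), "time": ev["time"]})

        # Rule 2: privileged account used from outside its jump hosts.
        if (ev["account"] in PRIVILEGED_ACCOUNTS
                and ev["host"] not in ALLOWED_SOURCES.get(ev["account"], set())):
            alerts.append({"rule": "privileged_logon_unexpected_host",
                           "account": ev["account"], "host": ev["host"],
                           "logon_type": ev["logon_type"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_misuse(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data this yields three alerts: da-admin on WS-0423 trips both rules (five failures then a success from a workstation that is not its jump host), svc-backup on WS-0787 trips rule 2, and the ordinary user jsmith and the legitimate da-admin session on JUMP01 produce nothing. Both rules are deliberately narrow: they cover a known gap for a known set of accounts, rather than alerting on every logon in the enterprise.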

A SIEM is a security tool designed to alert a security analyst when a potential threat has been discovered. Usually, these alerts fire when a threat actor attempts to traverse a technical control. In the military defense context, such controls are called obstacles; in ours they include everything from firewalls to anti-virus software. When SOCs do not actually watch these obstacles for enemy movement, organizations should be wary of their effectiveness. MCWP 3-11.1 states, “Obstacles cannot meet a commander’s intent unless covered by some means of friendly observation and fire.” (p. 7-16) The intent behind doctrinal obstacle placement is that obstacles are inherently ineffective if the defense cannot both observe the enemy traversing them and affect the outcome. Adding obstacles and alerts that security analysts cannot respond to further contributes to alert fatigue and lessens the effectiveness of the obstacles already in operation.

Azure Sentinel: Meeting Market Needs

After hearing this military-SIEM connection, you may be thinking, “What do I do now? How can we break free from this construct?” Changing process and perspective will go a long way. But if your organization wants to break free from alert fatigue, rising EPS pricing models, and a failed approach, you need more than a pivot to military tactics. Ascent Solutions and Critical Start encourage you to take this opportunity to fully break free by moving to an innovative and disruptive technology, Azure Sentinel. Sentinel can provide significant advantages at this point in your journey: reduced cost, a new approach, and a path beyond SIEM to Security Orchestration, Automation, and Response (SOAR).

Reduce Cost

Because it runs on Azure’s own cloud infrastructure, Azure Sentinel does not need to abide by the burdensome EPS pricing model. Sentinel ingests certain first-party Microsoft telemetry (such as Office 365 audit logs and Azure Activity logs) at no charge, and otherwise bills on the volume of data ingested and retained rather than on events per second. This means organizations can run Sentinel alongside their current SIEM. Many SIEM deployments already use a “heavy forwarder” tier that parses and routes events before they reach the SIEM; that tier can divert Microsoft cloud telemetry and other selected sources to Sentinel instead, taking load off the legacy SIEM. Routing data this way reduces the event volume, and with it the alert load and licensed EPS, on the legacy SIEM, which significantly reduces its operational cost.

Leverage A New Approach

Security analysts easily develop muscle memory in a process-oriented job. Unfortunately, when that muscle memory is built on an inefficient process, a legacy mindset, and an action-triggering widget, only a completely new approach can revitalize the team. Once the yellow, green, and red lights go away, the analyst is free (or driven) to take a new perspective. Many SOCs also run dashboard upon dashboard on the finest 76” monitors on the market, yet if quizzed, the analysts behind those screens could often explain the origin of only half of the alerts and widgets they display. Moving to a new solution, and a new literal scenery in the SOC, can drive different behaviors and a different perspective.

Security Orchestration, Automation, and Response

SOAR is the bigger, stronger, smarter brother of SIEM: it takes monitoring and alerting and adds process automation through custom workflows. Although the real strength of any SIEM will always be the analyst, SOAR frees the analyst for higher-order tasks and analysis. Azure Sentinel allows organizations to build SOAR capabilities in from the beginning through playbooks built on Azure Logic Apps. Because they run on Azure cloud infrastructure, these capabilities can be instantiated, built, torn down, rebuilt, and scaled on demand.

Are You Ready to Break Free?

Looking at the fundamental flaws on which the legacy SIEM approach was built, the current sentiment toward the status quo of security operations is no surprise. It is expensive, cumbersome, and tiring. Much of the industry’s turnover, and the resulting headcount shortage, can be linked to using the same failed methodology and principles while expecting a different outcome. Pivoting those principles toward proven, military-based tactics, wrapped around a product that enables them, lets security teams refresh their landscape and turn their attention to dealing with risk instead of alerts. While this may seem a radical assertion, it is what is necessary to break free.

Want to learn more?

Register for our upcoming webinar – Do SIEM Better: Tackling the Modern Challenges of Your SIEM Practices

By Jason T. Floyd and Randy Watkins

Chief Cybersecurity Architect, Ascent Solutions // Chief Technology Officer, Critical Start