By: Taj El-khayat, Area VP – South EMEA, Vectra AI
The security operations center is blind. In a technology hotch-potch of unvetted remote devices, third-party networks, and anonymous clouds, the region’s SOC analysts are left in the dark. But these unknowns come with one advantage. They are known to us. They are known unknowns. We know what we don’t know.
This may seem like meager comfort when facing a threat landscape as ominous as the one currently outside our digital doors. But the plain truth is, if we rise to the occasion and extend our security beyond our data centers and endpoints to public clouds, their services, and their identities, we take a huge step forward.
So, let’s examine what we don’t know. First, we are not entirely sure of the extent of our attack surface. Second, we can only speculate as to the next attack methods threat actors will unleash upon us. And third, strangely, we may even be inadequately aware of the tools we have in place, what they do, and what further blind spots they create. We need to eradicate these unknowns because we know they leave security teams unable to defend our borders, our data, and our systems. A recent Vectra study revealed lack of visibility, lack of detection of modern attacks, and poor integration as the top three reasons security tools fail. All because of our unknowns — which, remember, are known to us.
When trying to arm outgunned SOCs, we need to think upstream. We know what our unknowns are, but we should ask ourselves why security teams must endure them. The problem lies in three basic shortfalls — the three Cs of cybersecurity blindness.
1. Coverage
We must face up to an unassailable fact. We operate in a perimeterless environment where prevention alone is no longer viable. All modern cybersecurity approaches acknowledge this to some extent. Attack surfaces are expanding, so we must extend zero trust principles, for example, to AWS, Microsoft Azure, Microsoft 365, GCP, and the rest. Hundreds of SaaS apps and dozens of cloud-based identity products combine to form a sprawling unknown. This fills attackers with glee and a switched-on security professional with dread. Two-thirds of modern attacks use authorized services and APIs as inroads. For SOC teams, attack-surface unknowns are addressable, but only with unified visibility across data centers, endpoints, public clouds, SaaS, and identities. In other words: coverage.
2. Clarity
Let us all spare a thought for today’s SOC. Facing more sophisticated attacks, CISOs and their teams watch their budgets dwindle. They see business expectations rise while resources shrink. And they see colleague after colleague bid farewell to the chaos, leaving more pressure on those who stay. The SOC in 2023 is Doing-More-With-Less Central. Now consider the individual security analyst, a problem solver who spends their days tweaking and tuning tools. And not just any tools. These are legacy tools such as SIEM and IDS, whose rules-based detection cannot keep pace with modern, high-speed attacks. There is no incentive for talent to remain in place. We must reimagine the SOC to allow it to deal with fast-paced, unknown attacks, or risk security staff heading for the exit.
Fortunately, once the coverage problem is solved, we can add much-needed context to real-time signals and reduce latency in SOC workflows. Technology that captures and analyzes data in context, at speed and scale, is now possible. What we are describing is clarity.
3. Control
So, attack opportunities are on the rise, attackers’ methods are becoming wilier, and security teams are shrinking. A recent report showed 42% of UAE cybersecurity professionals believed their organization’s leadership was neglecting security. Vectra research has revealed that 72% of security leaders fear an attack is already in progress within their walls but cannot confirm it because of a lack of visibility. Investments in technology and tools often do not translate to value because information and tool silos persist. This leaves SOC teams dashing between one pane of truth and another, never receiving the whole picture and becoming more frustrated by the day. And, of course, attackers often rely on just this kind of ill-equipped adversary for their success. The solution to the silo problem, a single pane from which analysts can shut down suspect sessions, revoke credentials, and act against an aggressive anomaly, returns control of the environment to where it belongs: the SOC.
To arms
We are, essentially, trying to unwind a Spiral of More: more attack surface, more attack methods, more cybersecurity tools, more alert fatigue, more resignations. Indeed, the only thing we see less of in this spiral is talent. But there is something of which we need more. Signal efficacy. More signal efficacy equips SOCs in a way that makes attackers think twice. In trying to return some measure of intimidation to our battlements, we turn to Attack Signal Intelligence, the result of decades of research and analysis of attacker behaviors. Its AI and ML models have been tuned to surface real threats while suppressing the benign events that routinely produce false positives and alert fatigue. Attack Signal Intelligence is an autonomous digital detective, fully versed in attackers’ habits and exhaustively briefed on the individual environment it is tasked with defending.
Cloud-based incidents are escalating. Unknowns have become the constant bane of security professionals. By prioritizing prevention, organizations are inviting blindness; and attackers will be only too happy to capitalize. We must address the three Cs — coverage, clarity, and control — if we are ever to empower our security teams to see all the way to the horizon in every direction. Attack Signal Intelligence is the security professional’s best means of doing precisely that.