30 Sep DOES IR HAVE A HIERARCHY OF NEEDS? (Version 2)
Version 2.0 – Thank you to all of you that submitted suggestions and comments on our first version of this blog. Many of us had a great discussion about this during and after ArchC0n. We were hoping this would kick-start some discussion and have since updated the hierarchy to reflect the feedback we received, putting People and Process as the foundation.
After seeing in the past few years David Bianco’s Pyramid of Pain and Rick Holland’s Threat Intel Targeted Attack Hierarchy of Needs, I started thinking… can we apply this same hierarchy to building out SOC/IR needs? What do blue teams really need, compared it to some other models of need…notably Maslow’s Hierarchy of Needs? How does a Blue Team’s “needs” stack up? Here’s what I figured out so far.
Blue Team Hierarchy of Needs (Version 2)
(1) Right People and Process
People – People are a critical component and need the right experience and skillset as well as cross-training. SOC’s are plagued with analyst fatigue. Quality security analysts are your most valuable and important tool. Full reliance on technology to solve this challenge is not prudent.
Process – Analysts can only handle a finite number of alerts a day, which is a lot less than most organizations actually see. To optimize analysts and their ability to respond faster, use cases (or playbooks) are built around the most common alerts to mimic how they will handle, identify, contain, remediate and report each investigation and incident. These playbooks can grow quite extensive and evolve over time, and very rarely fit every organization’s need. In many cases – there is a need to adjust playbooks in real time based on an adversary’s actions.
(2) Collaboration (Teamwork) through Workflow
Having the ability, environment and tools to work together easily is critical for your blue team to succeed. Many teams still rely upon emails and spreadsheets, or IT ticketing systems. But this does not scale. Don’t divert a senior analyst away from a complex problem, when a junior analyst can perform basic IR triage and effect a resolution. Virtual teams can further accelerate response by enabling more optimal use of people, but they require a shared digital workspace where different players can contribute based on their skill and role. While simple, this concept is fairly advanced in cybersecurity.
(3) Accurate Network / System Telemetry
In incident response, our base need is data collection, notification and alerting. Having real-time information that we can analyze to determine what is happening on the network and within applications is our most fundamental need. Typically, we address this need with technology that generate alerts and a SIEM for correlation of alerts and telemetry, but once you have the telemetry how do you use it to enable IR?
(4) Automated Enrichment & Investigations
Automated enrichment in incident response force multiplies your people so that teams can get more done, faster. When people ask for automation, this is where they typically start. They automate the collection and centralization of context that will help an analyst either triage an alert (and decide if should get escalated) faster, or close it out before escalation. Without it, analysts suffer from distraction and fatigue by doing the same tasks over and over (VT queries, DNS lookups, etc…). With it, investigations are more comprehensive and efficient as well as post response audit trails. Context is vital to successful investigations that drive effective response. Keep in mind that enrichment means different things for the SOC, the IR Team and the Threat Intel Team, in the case they are separate.
(5) Automated Incident Response and Resolution
Finally, automated IR response and resolution tops the hierarchy. Speeding up broken processes simply means failing quicker, so despite the hype, automation isn’t the only answer nor always the best answer to what cybersecurity and incident response needs. It’s also important to enable the team to pivot and go off course based on an adversaries changing tactics. What we mean here is pre-planned playbooks have a place (e.g. commodity malware) but in some cases (generally the higher risk situations) won’t address a flexible adversary, or a new twist on an old attack. Whether you achieve automation through a single IR platform or a combination of integrated tools to perform IR ticketing and IR workflow, people and processes need to be in place and aligned, so tools to automate can be effective. Automation should be managed with human judgment to ensure fast, smart AND effective resolution.
As security operation centers and incident response teams evolve so do each of these needs. These steps are not something you turn on overnight, but a methodical process you mature to as your operations evolve. Let us show you how to synchronize your people, processes, and technology and achieve more…regardless of where you are on hierarchy today.
Please comment on this post. We’d love to hear your feedback on this, as I’m sure there’s room for improvement on this thought model.