15 May
WannaCry? How Security Operations Platforms Help Get SOCs Past the Panic
As over 100 countries worldwide reel from what is being described as one of the largest cyberattacks in history, it’s important to understand that while the attack could not have been completely prevented, its disruptive impact could have been lessened substantially if targeted enterprises were using a security operations platform to accelerate alert triage and automate enrichment and response.
Attacks like these are inevitable; even companies focused on rapid patching still have vulnerabilities. Yet, unable to spot incoming threats to vulnerable systems in time through their existing incident response processes, security operations centers (SOCs) often end up confronting the more dire, existential consequences of an attack instead, such as business data becoming unavailable or, in the case of high-profile ransomware, a loss of confidence in the affected institutions.
This is the security status quo in even the largest organizations. It is akin to a physician routinely waiting until deadly bacteria have spread through a patient from a fresh wound and only then administering antibiotics, instead of triaging and disinfecting manageable, fresh wounds at the outset. It’s an approach that is expensive, slow, has unpredictable efficacy and makes attackers’ jobs easier.
Removing adversaries’ advantages
Without a structured platform approach to security operations, even familiar attack vectors can seem advanced. Most headlines are pointing out that the ransomware is spreading within enterprises using what is believed to be a stolen NSA capability known as “Eternal Blue,” but are overlooking the fact that WannaCry ransomware initially infects enterprises via a relatively low-tech phishing email that lures a user into clicking a link that compromises their computer.
So why is WannaCry particularly devastating? Because it spreads fast using “Eternal Blue” and because it exploits a recently discovered Microsoft Windows vulnerability that is not yet patched in many organizations – and for which no patch previously existed for some legacy versions of Windows that are still in widespread use.
Tuning operations is easier than adding more security products
Beyond the repeated – but not always practical – advice of regular back-ups and patching, many enterprises will now reflexively rush to security vendors looking for a better mousetrap to prevent future attacks like WannaCry. They will spend money and deploy new capabilities – amounting to dollar and opportunity costs – only to find themselves compromised by a similar attack next week, month or year. Why? Because in an environment where the attackers have an asymmetric advantage of scale, technology alone can’t prevent zero-days or rapidly emerging sophisticated attacks like WannaCry.
Viewing security operations as a platform makes a difference
Instead of deploying another point solution, security teams right now should be asking themselves a few simple questions:
- Do I have the ability to automatically enrich alerts so that I can triage the most important ones first? How can we find and treat the deep lacerations first, before every cut turns into life-threatening fever or shock?
- Do I have the ability to pivot from an initial phishing alert and rapidly identify all other users who have (or haven’t) clicked?
- Do I have the ability to rapidly deploy containment mechanisms once I understand the nature of the new threat?
- Do I really believe that deploying another point solution is going to protect me from unknown and emerging threats?
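The first two questions above describe a concrete workflow: enrich an alert, pivot from the phishing lure to everyone who clicked or merely received it, and rank the clickers by how dangerous their host is. The following is an added example written for this post (not code from the original article or from Syncurity's IR Flow), run over constructed proxy records and a constructed asset inventory; the lure URL, user names, host names and the `smb_patched` field are all assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data (not from the original post).
PHISH_URL = "http://lure.example.invalid/invoice"          # hypothetical lure link
RECIPIENTS = ["alice", "bob", "carol", "dave"]             # users who got the email
PROXY_LOG = [                                              # (user, host, url) lines
    ("alice", "ws-01", "http://lure.example.invalid/invoice?id=7"),
    ("bob",   "ws-02", "http://intranet.example.invalid/home"),
    ("carol", "ws-03", "http://lure.example.invalid/invoice"),
]
# Hypothetical inventory: has the SMB fix the post refers to been applied?
ASSETS = {"ws-01": {"smb_patched": False}, "ws-02": {"smb_patched": True},
          "ws-03": {"smb_patched": True},  "ws-04": {"smb_patched": False}}


def pivot_clickers(phish_url, recipients, proxy_log):
    """Split recipients into those who reached the lure host and those who did not.
    Matching on the host rather than the full URL catches tracking-parameter variants."""
    lure_host = urlparse(phish_url).netloc
    clicked = {user: host for user, host, url in proxy_log
               if user in recipients and urlparse(url).netloc == lure_host}
    not_clicked = [u for u in recipients if u not in clicked]
    return clicked, not_clicked


def enrich_and_triage(clicked, assets):
    """Enrich each clicker with host patch state and rank: an unpatched host that
    visited the lure is where worm-style spread would start, so it goes first."""
    rows = []
    for user, host in clicked.items():
        patched = assets.get(host, {}).get("smb_patched", False)
        rows.append({
            "user": user, "host": host, "smb_patched": patched,
            "score": 100 if not patched else 50,
            "action": "isolate host from network" if not patched else "contain and verify",
        })
    return sorted(rows, key=lambda r: -r["score"])


def triage_phish_alert(phish_url=PHISH_URL, recipients=RECIPIENTS,
                       proxy_log=PROXY_LOG, assets=ASSETS):
    """Whole playbook: pivot, enrich, rank, and list containment for non-clickers."""
    clicked, not_clicked = pivot_clickers(phish_url, recipients, proxy_log)
    return {"ranked": enrich_and_triage(clicked, assets),
            "not_clicked": not_clicked,
            "containment": ["block lure host at proxy", "purge email from mailboxes"]}


if __name__ == "__main__":
    for row in triage_phish_alert()["ranked"]:
        print(row)
```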
If the answer to any of these questions is “No,” then before spending precious budget and time to add another point solution that only increases the complexity of your security stack, consider integrating your existing technologies in a Security Operations Platform. A flexible platform like IR Flow will help your team rapidly and automatically enrich and triage alerts to find and escalate those that are most important, faster – reducing the ability of a serious infection to spread and accelerating overall time to containment.
JP Bourget is Founder and Chief Security Officer of Syncurity.