How technology vendors can best serve network incident responders

This article was contributed by Bassam Khan, VP of product and technical marketing engineering at Gigamon.

As an increasing number of organizations suffer from cyberattacks, it’s evident that incident response during an active breach is incredibly stressful. Therefore, vendors need to level up their game to help customers with data, tools, focus, and expertise — especially at a time when they’re needed most. In a world where public breaches are a concern for most large organizations, technology vendors must take the time to listen and understand their challenges to guide them in finding the right solution. Vendors have access to the most advanced cloud compute, storage, and search technologies, visibility into attacks across many customers, and knowledge of effective defense practices. However, SOC teams rarely benefit from these resources.

Lack of data: historical lookback and vendors

It’s a well-known fact that threats linger for a long time before detection — 280 days according to IBM research. Then why do SaaS NDR vendors offer only 30, 60, or maybe even 90 days of lookback? The cloud offers virtually unlimited storage, so shouldn’t historical lookback at least match how long threats linger?

A case in point:

• February 20, 2020: SUNBURST attack was compiled and deployed via SolarWinds Orion Platform DLL.
• December 8, 2020: First discovery of SUNBURST attack.
• December 8, 2020 to present: 18,000 government entities and Fortune 500 companies are investigating the impact and responding to attacks.

On the days after December 8th, 2020, security teams scrambled to examine historical data to see if any of the indicators of compromise had crossed their network. However, teams were challenged by lack of network visibility, where available metadata often spanned only a few days. The lucky ones had a month of data, or 90 days at best. None of that allowed them to investigate back to the SUNBURST attack that was first deployed in February 2020 to understand the exact behaviors of the attackers in their network and the level of risk presented to the organization.

This makes us wonder why we have cloud computing with virtually unlimited storage, yet vendors aren’t addressing these challenges for their customers.

Lack of time

If you have ever been part of a security team during an incident, you understand the race against time. Every second counts. This isn’t melodrama; it’s a pressure cooker. It’s also one of the reasons for security analyst burnout.

Take for instance modern ransomware. From the time of first discovery of the presence of an attacker in the network, it is a race to mitigate their actions before you fall victim to costly ransom payoffs, encrypted critical data impacting operations, double extortion for exfiltrated data, and relentless media coverage with everyone offering an opinion on what you should do and your actions.

And yet, security vendors rarely focus on providing tools that speed investigations. They are hooked on being able to “detect” and leave the rest up to the security team. Again, why? Vendors have virtually unlimited compute power, yet most don’t offer this basic value. With current NDR tools, investigators are forced to search for events one at a time. Why can’t they search in parallel? Why can’t multiple team members all be working together sharing searches, sharing results, and collaborating? Further, why don’t the solutions offer threat-specific playbooks with “here’s the ‘thesis’ you should verify,” or worse, suggesting you use a different product to investigate and start much of the work over again there.

The cloud compute capabilities exist but vendors aren’t putting them to work for their customers.

Lack of focus

Do you remember the promise of SaaS-based security tools? Move your security solutions from on-prem to the cloud, and you’ll never have to maintain your solution – you get all the benefits of cloud computing. Well, the promise feels like it has fallen a bit flat, hasn’t it?

True, your SaaS security products are getting the latest updates in a timely fashion – but as we shared earlier, you aren’t receiving the benefits of cloud computing with unlimited storage and compute power. What’s worse is that with the use of machine learning, many of the “technology advancements” now require your staff to perform never-ending detection tuning and FP reduction efforts. In other words, vendors have passed the buck to your team to get high-fidelity findings, often benefiting them as much as you!

Vendors must step forward and eliminate these distractions. Some vendors are embracing the notion of “guided SaaS” where the solution is owned and operated by your team, but software updates, detection/false-positive tuning, system maintenance, and health checks are all performed by the vendor so that you can focus on “Job 1” — threat management. I applaud this approach and hope other vendors will step forward and include this in their offering, instead of just charging professional services fees for something they should have done in the first place.

Lack of guidance

We’ve established that lack of focus, data, and time are three big challenges facing security teams. The fourth barrier to fast response is threat-specific knowledge. Incident responders need to know the tactics, techniques, procedures (TTPs), and intents of an adversary to be able to respond comprehensively with certainty. Again, vendors do a poor job of aiding their customers here, forcing security practitioners to perform their own research on TTPs and information on the adversary’s intent so they can determine on their own how to respond.

NDR vendors sit on a goldmine of knowledge about threat actor TTPs and intent, but they don’t share their knowledge with their customers. Vendors’ threat research gathers a lot of actionable intelligence on an effective response for any given threat, but they don’t have mechanisms to share that information.

Some vendors offer add-on expertise, but the shared information is almost always about their product, not how to respond to a specific incident. Why don’t NDR vendors help their customers in their biggest time of need, sharing expertise gained from cross-deployment knowledge, crowdsourced data, and threat research? And not in vendor-speak, but as one incident responder would help another?

A challenge to vendors: Raise the bar of success

We must do better. We must empathize and innovate to eliminate the true challenges facing security teams. May 2022 begin, and continue, with truly listening to customers.

Bassam Khan is the VP of product and technical marketing engineering at Gigamon.