How can SOCs achieve Configuration Confidence?
By Keith Driver | Date published: 12 Mar 2020
The modern SOC has evolved from a simple alarm monitoring capability to a sophisticated analytics and visualisation platform enabling analysts to detect attacks and instigate threat hunting activity. However, the SOC still needs to ensure that foundational cyber hygiene is in place, which prevents over 90% of intrusions. But how does a SOC demonstrate this to business leaders and give them confidence in its effectiveness, particularly when, according to Security Magazine, the majority of SOC environments are high-pressured and many security analysts are themselves at risk of information overload, alert fatigue, unachievable workloads and burn-out?
In a recent blog post, Palo Alto Networks asked ‘whether your SOC metrics incentivize bad behaviour?’, suggesting that there are two key metrics the SOC should focus on to reduce risk, over and above traditional KPIs such as:
• Number of incidents handled.
• Mean Time to Remediate (MTTR).
• Number of firewall rules deployed.
All of the above, according to Kerry Matre, head of security operations strategy at Palo Alto Networks, can drive the wrong behaviours in security analysts and are more appropriate metrics for a NOC, where uptime is key.
The piece went on to propose two more useful metrics for the SOC: configuration confidence and operational confidence. The latter focuses on the number of events handled per hour, the number of repeat incidents reported, whether alerts relate to known or unknown threats, and deviation from Standard Operating Procedures (SOPs). We’ll address some of those criteria later; today we’d like to explore in more detail the metric of ‘configuration confidence’: what it is, how a SOC can achieve it, and how it can be demonstrated to the wider business.
What is configuration confidence?
Configuration confidence, to use the Palo Alto definition, is: “knowing that your technology is properly configured to prevent an attack, that you can automatically remediate it and/or that the proper intelligence can be gathered for analysis by a human.”
Key to this is ensuring the technology that the business has in place is configured to best practices and that every configuration is continually monitored so that devices and endpoints don’t become less secure because of testing or infrastructure changes.
How can SOCs achieve configuration confidence with Titania?
The way to prove that your technology is configured properly is to audit it regularly, particularly on mission-critical networks. This work is repetitive and ties your security analysts to essential activity that could be made far more efficient, which is why tools like Nipper, which automate the configuration analysis of core network devices including routers, firewalls and switches, are an essential part of the security toolset.
Traditionally a tool for NOC auditors – saving them up to 3 hours per audit, per device, because of its accuracy advantage* – Nipper now integrates with leading SIEM solutions to deliver value to the SOC as well.
* Nipper’s Accuracy Advantage: Nipper intelligently models the running configuration data on the device, ensuring its detailed analysis against risk management frameworks is accurate, deterministic and repeatable. This accuracy advantage is proven to reveal findings not discovered by other systems (false negatives) and saves auditors up to 8 minutes per investigation into false-positive results. Typically, this equates to 3 hours saved per audit, which can be better invested in mitigating genuine risks to security.
Nipper shares its audit data with your SIEM, which then provides analytics, visualization and contextualization of that data, enabling SOC users to:
• See daily visibility of failures on mission-critical networks.
• Find all devices with a specified vulnerability.
• Filter by categories of error (such as CAT 1s).
• Drill down to precise detail about devices/models impacted.
• Get exact command line fixes that can be applied to the devices to remediate issues.
• Examine your security posture from different angles.
• Combine network audit data with network traffic analysis data to determine the risk of exploitation.
• Combine network audit data with device topology/role data to calculate the risk of exploitation in critical network nodes.
• Prioritize fixes based on the risk of the insecure configuration or vulnerability to your business.
This means the SOC can then start to identify vulnerability trends in core network devices/manufacturers and strategize to remediate, retire or replace technology that poses the greatest threat to the business. In other words, the combined power of Nipper integrated with your SIEM provides the “[accurate] intelligence” required by analysts to mitigate risk and design it out of the network.
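To make the audit-to-SIEM flow above concrete, here is an added illustration, not Nipper’s code or output: a small Python audit that runs a hypothetical rule set over a constructed IOS-style running config, emits one JSON event per failed check (with its severity category and fix command) for the SIEM, and computes a per-device confidence figure for the business view. The check ids, categories, regexes and fix commands are all assumptions made for the example.

```python
import json
import re
from collections import Counter
# Constructed Cisco IOS-style running-config excerpt, used only as sample input.
SAMPLE_CONFIG = """\
hostname core-rtr-01
service password-encryption
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
ip http server
"""

# Hypothetical rule set (not Nipper's): check id, severity category in DISA
# STIG style, predicate that is True when the check FAILS, and the fix command.
RULES = [
    ("SNMP-DEFAULT-COMMUNITY", "CAT I",
     lambda ls: any(re.match(r"snmp-server community (public|private)\b", s) for s in ls),
     "no snmp-server community public"),
    ("VTY-TELNET-ENABLED", "CAT I",
     lambda ls: any(re.match(r"\s*transport input .*\btelnet\b", s) for s in ls),
     "line vty 0 4 ; transport input ssh"),
    ("VTY-NO-EXEC-TIMEOUT", "CAT II",
     lambda ls: any(re.match(r"\s*exec-timeout 0 0\b", s) for s in ls),
     "line vty 0 4 ; exec-timeout 10 0"),
    ("HTTP-SERVER-ENABLED", "CAT II",
     lambda ls: "ip http server" in ls, "no ip http server"),
    ("PASSWORD-ENCRYPTION-OFF", "CAT III",
     lambda ls: "service password-encryption" not in ls, "service password-encryption"),
]

def audit(config_text):
    """Run every rule over one device config; return a finding per failed check."""
    lines = config_text.splitlines()
    host = next((s.split(None, 1)[1] for s in lines if s.startswith("hostname ")), "unknown")
    return [{"device": host, "check": cid, "category": cat, "fix": fix}
            for cid, cat, failed, fix in RULES if failed(lines)]

def summarize(findings, total=len(RULES)):
    """Posture for the business view: checks passed, failures by category, % passed."""
    passed = total - len(findings)
    return {"passed": passed, "failed": len(findings),
            "by_category": dict(Counter(f["category"] for f in findings)),
            "confidence_pct": round(100 * passed / total, 1)}

def to_ndjson(findings):
    """One JSON event per finding (newline-delimited), ready to ship to the SIEM."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)
```

Run the same `audit` over every device’s config on a schedule and chart `confidence_pct` and the CAT I count per device over time; that trend line is the configuration confidence metric the post describes.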
In line with the cyber industry’s move towards autonomous mitigation, Titania is also collaborating with leading SOAR providers to pave the way to automatically remediating issues on the network. The first step is Titania generating a fix-script for each insecure configuration, with execution controlled by a SOAR playbook so that a human stays in the loop while confidence builds towards fully autonomous mitigation. This will be game-changing for the SOC because it will be able to establish a continuously defendable network.
Demonstrating your SOC’s ‘Configuration Confidence’ to the wider business
In the meantime, by integrating Nipper with your SIEM, your SOC can gain greater visibility of core network vulnerabilities, ultimately building your configuration confidence, which you can then share with other business leaders to help demonstrate how you are:
• Reducing the mean time to detect vulnerabilities and insecure configurations.
• Continuously monitoring and diagnosing vulnerabilities.
• Identifying vulnerability trends to inform strategic decision-making.
• Reducing the mean time to remediate issues.
• Improving configuration confidence in your core network.
This will also help you prove your SOC’s value in delivering on three of your key objectives:
• Simplifying operations – by integrating Nipper’s accuracy advantage and consolidating your toolset, you are also improving the ROI of your existing security investments.
• Automating repetitive tasks – with a high degree of accuracy that you trust, enabling you to make better use of your analyst talent.
• Rapidly responding to threats – because you have deep visibility and contextual insight into your vulnerabilities and insecure configurations, and you know the risk of exploitation.
• Many of the configuration checks map to Risk Management Frameworks such as NIST 800-171, NIST 800-53, CMMC and others.
If you’d like to put Nipper’s accuracy to the test and see whether it gives you confidence in the configuration of your core network devices, you can take a 30-day trial today. Alternatively, you can get in touch with our solutions advisors to discover how Titania Nipper could integrate with your SIEM to help your SOC gain configuration confidence, and to learn more about how this paves the way to autonomous mitigation through your SOAR system in the future. Contact us and/or download our ‘How to’ guide today: https://bit.ly/2TK6c16