VMblog Expert Interview: Jason Mical of Devo Technology Explains Next-Gen SIEM, Modern Security Operations Centers and Threat Intelligence


Security challenges seem to be growing at an exponential rate these days.  And with a rapidly expanding attack surface and increasingly sophisticated adversaries who can progress from initial access to lateral movement in minutes, legacy SIEMs are failing to meet the needs of analysts and security operations centers (SOCs). 

According to recent Ponemon Institute research, 53 percent of IT security practitioners believe their SOC is unable to gather evidence, investigate, and find the source of threats.  Analysts must attempt to manually close the gap between detection and response, fueling the growing epidemic of analyst burnout and putting enterprises at risk.

To learn more, VMblog reached out to Jason Mical, Global Cybersecurity Evangelist at Devo Technology.

VMblog:  What does a day in the life of a security analyst look like today?

Jason Mical:  That can vary greatly depending on an individual's job function in the security operations center (SOC). A security analyst is either scrambling to see how many alerts they are able to get through in the dashboard or how many investigations they can complete. Either way, it seems like a never-ending snowball effect that is extremely demanding and stressful.

VMblog:  And what's changing about this role and why?

Mical:  The industry has been in search of new and improved enhancements to the SOC because it has been such a broken process. Organizations deploy a lot of security tools and systems but getting them to integrate and work together is a big problem. Security analysts constantly find themselves in what we call a "swivel chair" response or investigative process that is never seamless. For example, in the middle of an urgent incident, analysts may have to locate artifacts in one system then paste that data into another system to validate that the threat was successful and on which systems. Then they have to bring it back and hop to yet another system for analysis. This is a major contributor to analyst burnout. Security analysts require interoperability, automation, and orchestration to enhance and streamline this process.

VMblog:  Devo and others have said that conventional SIEMs have failed security analysts.  Can you explain?

Mical:  Legacy security information and event management (SIEM) tools set out to become a single pane of glass for all security information, but that has not happened because of the volume of data today. In most SOCs, there is still a lot of swivel-chair activity going on, as experts copy data from one user interface to another to conduct triage and perform investigations. SIEMs traditionally only had pieces of the data, so it was necessary to take those pieces and use other solutions or forensic tools to try and figure out what was happening.

VMblog:  What does that mean for the next-gen SIEM, and what should a modern SOC look like?

Mical:  The defining element for the modern SOC is to have the context and information needed to support the distinction between critical and non-critical alerts. Is this a highly important alert? Does it need to be transitioned into an incident or investigation? Is the security analyst wasting their time trying to make that decision? Analysts are using security technologies that have failed to deliver on their promises. It's time to reinvent the tools SOC teams need to do their jobs quickly and efficiently.

VMblog:  What about automation in the next-gen SIEM?  Is this where SIEM ends and SOAR begins?

Mical:  Security orchestration, automation, and response (SOAR) is widely considered to be where SIEMs are heading. With regard to automation, many SOCs are trying to incorporate SOAR functionality into their workflows. Synergies are starting to converge between the two solutions. The path taken is dependent on what the SOC is looking for. Being able to automatically enrich data is a critical element. When looking at the full solution it helps to automate the response element of the process. If it's a mundane task, the security analyst knows which actions to take. But it is just as imperative to have an out-of-the-box perspective, especially when the analyst knows nothing about the data because it's new on their plate. This is where SOCs need to have all of the supporting context readily available to differentiate between the two situations.

VMblog:  Threat intelligence is the fastest growing security category.  Why is that?

Mical:  For a very long time, any threat discovered by intelligence analysts was used internally to help detect subsequent threats, but it wasn't shared with the community at large. Fortunately, this space has evolved to where organizations are starting to share indicators they discover in a breach or an investigation. But now that has become another factor in analyst fatigue because there is so much threat intelligence and a lot of technologies do not operationalize the data. There are bits and pieces all over the place, making it another swivel-chair, very manual process.

VMblog:  How can the next-gen SIEM help operationalize threat intelligence?

Mical:  Next-gen SIEMs are starting to weaponize or operationalize threat intelligence data to the point where SOCs can enrich this information, not only to use it for detection but also by leveraging automatic enrichment for sightings or to provide additional event context. Understanding where threat intelligence goes, how it is operated, and how it is integrated into security products as well as the broader threat intelligence landscape can enhance an organization's general security posture by taking a manual process and automating it to get answers within seconds for quick validation.

VMblog:  What do you see as the biggest threats in 2020 and how do you hunt for them?

Mical:  Ransomware is one of the largest threats that will continue to compromise organizations in the coming decade. It is evolving rapidly with sophisticated new techniques. But at the end of the day, from a threat intelligence perspective, the core foundation is still the same. Threat actors are tweaking their ransomware approach just enough to circumvent traditional detection. Ransomware is not going away anytime soon.

VMblog:  Can a next-gen SIEM really help stop an attack?

Mical:  A next-gen SIEM that integrates entity analytics, automated enrichments, and data modeling can detect the early warning signs of an attack much more efficiently. The faster the detection, the faster SOC teams can validate an attack and then ultimately reduce the risk an organization is exposed to.
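The automatic threat-intelligence enrichment, sightings and per-entity roll-up that Mical describes in the answers above, shown as an added Python example. This is not code from the interview or from Devo; the indicator feed, the field-to-indicator mapping and the events are constructed for illustration, and every IP, domain, hash, feed name and host name in them is a hypothetical placeholder.

```python
"""Added example (not part of the interview or any Devo product): automatic
threat-intelligence enrichment of normalized events, producing "sightings",
a priority for the analyst queue and a per-host roll-up.
All indicator values, feed names and events below are constructed."""
from copy import deepcopy

# Constructed indicator feed: value -> metadata. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges; the hash is a made-up placeholder.
THREAT_INTEL = {
    "198.51.100.23": {"type": "ipv4", "source": "feed-a", "confidence": 85, "tags": ["c2"]},
    "malware-dl.example": {"type": "domain", "source": "feed-b", "confidence": 60, "tags": ["ransomware"]},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "source": "feed-a", "confidence": 95, "tags": ["dropper"]},
}

# Which event fields are compared against which indicator type, so an IP
# indicator is never matched against a domain field by accident.
FIELD_TYPES = {"dst_ip": "ipv4", "domain": "domain", "file_md5": "md5"}

# Constructed events, roughly what a normalized SIEM record might carry.
EVENTS = [
    {"id": 1, "host": "ws-014", "user": "alice", "dst_ip": "198.51.100.23", "domain": None, "file_md5": None},
    {"id": 2, "host": "ws-014", "user": "alice", "dst_ip": "203.0.113.8", "domain": "Malware-DL.example", "file_md5": None},
    {"id": 3, "host": "srv-db1", "user": "svc_backup", "dst_ip": "10.0.0.5", "domain": "intranet.example", "file_md5": None},
    {"id": 4, "host": "ws-014", "user": "alice", "dst_ip": None, "domain": None, "file_md5": "0123456789abcdef0123456789abcdef"},
]


def normalize(value):
    """Feeds and logs disagree on case and whitespace; compare a canonical form."""
    if value is None:
        return None
    return value.strip().lower()


def enrich(event, intel):
    """Return a copy of the event with a 'sightings' list: one entry per field
    whose value matches an indicator of the expected type. The raw record is
    left untouched so the original evidence stays intact for forensics."""
    enriched = deepcopy(event)
    sightings = []
    for field_name, ioc_type in FIELD_TYPES.items():
        value = normalize(event.get(field_name))
        hit = intel.get(value) if value else None
        if hit and hit["type"] == ioc_type:
            sightings.append({"field": field_name, "indicator": value, **hit})
    enriched["sightings"] = sightings
    return enriched


def priority(enriched):
    """Highest confidence across the event's sightings; 0 means no intel context."""
    return max((s["confidence"] for s in enriched["sightings"]), default=0)


def triage(events, intel):
    """Enrich every event and order the queue so events with corroborating
    intel reach the analyst first; ties keep the original event order."""
    enriched = [enrich(e, intel) for e in events]
    return sorted(enriched, key=lambda e: (-priority(e), e["id"]))


def entity_summary(enriched_events):
    """Roll sightings up by host: repeated hits on one entity are a stronger
    signal than any single event, which is what entity analytics is after."""
    counts = {}
    for e in enriched_events:
        if e["sightings"]:
            counts[e["host"]] = counts.get(e["host"], 0) + len(e["sightings"])
    return counts


if __name__ == "__main__":
    queue = triage(EVENTS, THREAT_INTEL)
    for e in queue:
        print(e["id"], priority(e), [s["indicator"] for s in e["sightings"]])
    print(entity_summary(queue))
```

With the constructed data the queue comes back ordered 4, 1, 2, 3 and the roll-up reports three sightings on `ws-014` and none on `srv-db1`, which is the kind of context that lets an analyst decide quickly whether the host warrants an investigation rather than a one-off alert.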


Published Friday, April 03, 2020 7:35 AM by David Marshall