Best Security Incident Response Tools

i think first of all you need to stablish what resources you whant to handle in your operation and then how important are each , once you get it try based on a "venn diagram " or a " eisenhower chart " to apply the resolution tools

fatigue is comming from do not know what tool should use or if the resource with an incident is in danger or not, only then you can configure some rules, the ionfo comming from that gona give the necesary for made more decisions

maybe im very subjective but there is a very large group of solution and strategys, not allways its gona be the same escenario

So what you need is criteria, professional skills, and then,,, be pattient and embrace yourself

good luck

Hi @Evgeny Belenky,

I think as long as you do this thing manually, you will always have to be subjective. One will always say alerts from critical assets first, setting them with higher priority.

But the concept of threat intelligence will help. Threat intelligence feeds will help in improving information about the threats you are handling. Without this, your assets and rules you set will always say "hey, this is a serious malicious activity" with brief information unlike when you get feeds from various sources of threat intelligence. 

Fighting alert fatigue - It's good to have playbooks do some repetitive work. If an alert is generated, instead of jumping into all of them as analyst, playbook will help you automate some activities like checking file hashes in virus total. At least in the end one will be getting alerts that matters most and with sufficient information added by playbooks.

It depends on the information in your current alerts. E.g if the alert has the priority or the severity field, it will be normal to use this field. 

I will assume tha in your current alert system you do not have the severity or priority field. 

The next option would be to look at the alert code. Most alarms have a number or a code, indicating the alarm, and it is the reference to documentation - what this alarm means and how to resolve it.  

I would then recommend to use this code. Get a list of alarm codes, discuss and determine the severity for this code. Once you have this, you should be able to use this list to match alarms and set the automatic severity, timelines, etc.

I think the first step is configuration. 

When teams are 1st deploying a new tool, working closely with the vendor to set up the best configuration possible to tune down the alerting for the least false positives, is critical to the success of your soc. 

Even paying the extra for a 3rd party tool configuration assessment can be the difference in millions of alerts from vendor recommended alerting. 

Then there is a phase of "tuning" where you are in the monitor mode to see what the worst and best alerting is and you go from 80% to 90% false positives. That last 10% is hardest with each tool and causes the most work and the most pain, but if successful you have less critical alerting firing off each device. 

Feeding this to the SIEM is where you get the biggest bang for your buck when doing correlation of events, setting proper alerting triggers even for critical alerts can help you prioritize even those. 

If you are looking for 10 alerts in the SEIM out of 6 million, you have to prioritize what sets those 10 above the rest so they stick out the most, critical assets, hashtags, threat feeds, UEBA, etc. - all of the things mentioned above are critical to that endeavor.

Hi @Evgeny Belenky​,

Below are a few strategies if taken into account can reduce cybersecurity alert fatigue in SOC.

1. Threat intelligence

2. Native integration

3. Machine learning

4. Watchlists

5. UEBA (User and Entity Behavior Analytics)

6. Automation

Mitigation is taking your car in for an oil change and tune up. Remediation is them finding you have a blown gasket seal and replacing the parts and greasing the engine to make your engine doesn't blow. AKA security vulnerability management.

Mitigation is pre-emptive. Remediation is reactive. Others have provided excellent examples.

Mitigation is the implementation of RAID storage. Remediation is the recovery of a failed disk. Both may be needed over the lifecycle, but the level of effort is much higher and the quality of recovery is significantly lower without mitigation - net the cost of doing business is higher without mitigation.

Let say in an IT enviroment:

"Mitigation" moves your virtual machines or containers to another Virtualization server to keep production while you find and solve the problem

"Remediation" is, in fact, finding the problem, solving it, taking notes and preventing it from happening again.

Those are just examples.

Mitigation is changing the flat tire. Remediation is getting the nails off the road. 

This vulnerability is particularly critical because Log4j is widely used in open source and commercial software and remote exploitation of the vulnerability against any internet-facing server is trivial using a single HTTP post. Exploitation results in full system compromise. The vulnerability has a CVSS Score of 10 out of a possible 10 meaning it is as bad as it gets.

Our SOC has launched a new app that detects the presence of vulnerable versions of Log4j however, detecting it does not mean you have been exploited.

My advice: Scan your network to get a full visibility report i.e. find all your legacy and shadow IT that you didn't know existed which means you should find all potential instances of Log4j, patch all of the Log4J environments, monitor your systems 24/7 using your SOC and if you don't have a SOC invest in a Managed SOC provider. 

Yet another chance to test our incident response procedures. 

So far I would say we're a B. Good on the process, and an A on team response and interactions and reducing threat risk were about a B. 

ID'g your external assets exposed to this vulnerability is your teams' #1 priority and mitigate or patch (if available) the threat. 

You also have to notify and communicate with any 3rd party to make sure they're aware so they can start the same process. You ALSO need to be fully aware of your vendors' weaknesses and defenses (mitigations, patches, knowledge and reaction time). 

Then be prepared to roll out patches or in this case shut systems down OR put mitigations in place immediately to mitigate risk to the entire environment.

One excellent opportunity for the company to test your CMDB/Inventory (at medium and big companies). 

Tenable, and I think, other Vulnerability Scanners offer a specific plugin used to check your infrastructure against Log4shell. 

If you don't have VS, you can try looking at your logging system for evidence or use:

- https://buff.ly/3lYZRh0
- https://gist.github.com/SwitHa...

In the future, Patch Mgmt pre-defined and applied schedules need to be first (proactive) from scanners/vulns. (reactive).

WhiteSource has released a utility to detect log4j vulnerability in the codebase. 

Take a look at this if it helps. In our case, a lot of projects use Elastic Search and Azure DevOps Server - both of them have log4j being used and that's where additional fixes have to be done.

https://github.com/whitesource/log4j-detect-distribution

Hi @Giusel ​,

Some of the best practices that I feel is as below.

1. The SOC must enable end-to-end network control

Your security operations center protects the enterprise from network threats, but you need to precisely define your network boundaries to achieve this. It is a common misconception that the external network is identical to the public internet, and anything that’s not part of the public internet is safe. CISOs must keep in mind that any third-party network (including and beyond the internet) can be a threat vector.

For modern organizations, API-based app integrations, external device connections via Wi-Fi or Bluetooth, and cloud-shared resources must also come under the definition of external networks.

In the case of internal networks, least privilege access should be your rule of thumb, and no single user should have complete access to sensitive/valuable information. Segregate your internal network into several tiers of access (based on its asset contents), aided by a powerful firewall solution.

2. Pay attention to shadow app discovery

Shadow applications (part of shadow IT) are a growing threat for enterprises. Traditionally, SOCs have restricted software installation on enterprise systems, even if the app came from a trusted source. However, in a remote working world, this becomes a major problem. Remote users could intentionally or unwittingly download malicious applications from the internet, eventually spreading across the entire internal network.

In addition to the firewall, regularly conduct an app discovery exercise to create a full software inventory across the hundreds and thousands of computers on your network. Classify these apps as per their security risks and take action. Also, gain from built-in restrictions that prevent unauthorized users from downloading and installing software on enterprise systems (including servers).

3. Keep a watch on hardware sprawl, even in cloud-first environments

Another myth around the SOC maintenance is that hardware doesn’t fall under its ambit. As most security vectors tend to be software-related (spreading through the cloud or public/private networks), SOCs frequently take a short-sighted view and focus only on software. In reality, hardware sprawl is a risk for every enterprise, adding peripherals like printers, routers, Wi-Fi repeaters, storage endpoints, and other unauthorized components as business needs grow. With each addition comes new security risks.

Make unauthorized hardware connectivity prevention a priority for your SOC. Also, implement processes that restrict employees from copying data for home use or offsite use. If some degree of BYOD is inevitable (as in a WFH scenario), make sure to verify identity through multi-factor authentication. Finally, scan enterprise perimeters for rogue hardware, just like shadow applications, to discover risks on time.

4. Protect SOC logs to aid investigation

Access logs are among your most handy tools when conducting a post-attack forensic analysis. It also helps to root out false positives from genuinely suspicious access behavior. SOC managers typically use logging records to assess the four Ws and one H of a security breach: who, what, why, when, and how.

However, the logs themselves can be vulnerable, and it’s compromise will cripple your ability to assess and respond to any security threat. One of the first things a malicious app will once it enters your systems is to remove any evidence of the attack by rewriting device logs. That’s why it is advisable to store access logs in a separate, high-security zone that is not connected to the device itself.

Further, make sure to synchronize the timestamps across all enterprise devices generating logs regularly. A single, synchronized lock will ensure that all devices follow a central time source, allowing access events to be plotted more easily. In case of a breach, you can reconstruct the incident by piecing together logs across various devices.

5. Have a contingency plan in place via a robust backup

Assuming the worst-case scenario can be extremely helpful when building an SOC, given the unpredictable and fast-evolving nature of security threats. A big part of this is investing in a backup system that can help to restore your digital assets after an attack, even if it can’t prevent malicious parties from getting hold of it.

A cloud-based backup system can accelerate data recovery, particularly if a malicious party goes after your in-house backup service.

While no backup strategy is 100% hackerproof, remember the 3-2-1 rule: 3 copies of information, including primary/dynamic/production data and two backups, where one should be stored off-site – e.g., on the cloud. Ensure your production data is protected by strong authentication measures, and your cloud backup is accessible only to a select group of users during worst-case scenarios, like a ransomware attack.

Hi Giusel,

From my little experience, it's always good to have a good working plan on how you are going to start setting up a SOC and how you are going to gradually mature the SOC. The primary consideration is the availability of 3 components: people, technology and process.

It's very easy to manage the development of SOC when you do it in bits. Talk about technical aspects like SIEM. SIEM might have components like Logs, Network, Endpoint and SOAR. From my own view, it's not an easy thing to plug in all these components at once. You could start with a primary component like the Logs component and gradually build from that. It's also good to have a technology and deployment option that works for your business needs. 

On people, it's good to have skilled analysts else you may not get value for your investment in technology and time. Many people take different approaches to sort the issue of the insufficient number of skilled analysts. Some opt to work with MSSP jointly with the team you are developing in-house for a set period of time for the purpose of knowledge transfer.

There should be a clear workflow of activities in case of an incident. What should T1 do before passing the alerts to T2 .. or closing false positive alerts? What are your sources of threat intelligence?

Sadly, I cant contribute due to lack of experience in that field. But I would love to read about your findings

https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

Only this :)

Hello,

Below there are views on the pros and cons of Internal SOC and SOC-as-a-Service.

Pros and cons of outsourced SOC:

Outsourcing pros

• 
  Trained personnel. The MSSP has experienced personnel immediately available, saving the organization the time and expense of hiring and training the dedicated people needed to do the analysis.

• 
  Infrastructure. The MSSP also already has the facilities and tools required to do the job, saving more time and the upfront expense of building out an internal SOC.

• 
  Continuous threat monitoring. MSSPs should provide SIEM capabilities that filter false alerts so forensics are only conducted on legitimate threats. This type of proactive, continuous threat hunting and monitoring may be difficult for a company's cybersecurity team to conduct on its own.

• 
  Intelligent analysis. Outsourcing cybersecurity operations can provide security analysis capabilities while an organization builds its own in-house SOC.

Outsourcing cons

• 
  How much analysis is the MSSP going to provide? Outsourcing the cybersecurity operations function does not usually provide features such as multi-tier analysis of alerts or an incident response service. Instead, many outsourced cybersecurity operations only provide the equivalent of a Level 1 cybersecurity operations analysis.

• 
  What happens to alerts that the MSSP cannot clear? The MSSP may only be able to analyze a subset of alert logs generated by an organization. Alerts from applications like databases and web applications may be outside of its area of expertise. If the MSSP is also a tools or hardware vendor, it may only be able to analyze logs from its own products.

• 
  Who is going to provide a detailed analysis of potential threats? An organization still needs some internal analysis capabilities to deal with the smaller number of alerts that cannot be easily cleared by the MSSP and thus returned to the client.

• 
  Does the MSSP provide compliance management? The SOC must operate in compliance with regulations and standards that the company must conform with. The MSSP should provide templates for required and recommended compliance processes and consider regulatory standards when developing vulnerability assessments for the company.

For some organizations, complete and permanent outsourcing of cybersecurity operations is a desirable option. This is a reasonable approach for governmental organizations, in particular, where obtaining, training and managing people and facilities, as well as predicting cost-effectiveness, are preferably handled under a services contract rather than in-house. Governmental organizations may also have significant compliance obligations regarding cybersecurity where it may be convenient to transfer regulatory mandates to a contractor.

In-house cybersecurity operations center

Building an in-house cybersecurity operations center provides the greatest degree of control over cybersecurity operations and the best opportunity to get exactly the services that an organization needs. Building an in-house cybersecurity operations center can also provide the foundation for building future comprehensive cybersecurity services, including vulnerability management, incident response services, external and internal threat management services, and threat hunting.

Compared to outsourcing the cybersecurity operations function, building in-house capability has the following pros and cons.

Pros and cons of internal SOC

In-house pros

• 
  Tailors the operation to meet demands. Design the security operations and monitoring capabilities that best meet the organization's requirements.

• 
  Tracks capabilities that are stored on-site. Storing event log data internally lessens the risks that come with the external data transfer required to report security incidents.

• 
  Improves communication. Breach transparency and coordinating incident response are typically much easier and faster when the processes are conducted in-house.

• 
  Builds a unified security strategy. An in-house cybersecurity operations center can be the foundation for comprehensive security, threat and incident response capability.

In-house cons

• 
  Planning and implementation. The time required to get an in-house cybersecurity operations center up and running can easily be a year and is likely longer. CISOs and other security personnel will face a significant time investment in planning and implementing the SOC.

• 
  Costs. Establishing an in-house SOC requires a significant budget, with upfront IT and personnel investment.

• 
  Finding appropriate personnel. Hiring people who have the right skills, training and experience or developing and training existing in-house staff can be time-consuming and expensive.

• 
  Acquiring multiple security technologies. Continuous threat detection and compliance monitoring across several departments likely will require purchasing several AI-driven security tools. This may be out of reach for security departments budget-wise, especially in smaller organizations.

As with many cybersecurity decisions, the right approach for many organizations is to find the correct balance between managing the cybersecurity operations function in-house and outsourcing it to an MSSP.

One reasonable option -- particularly for companies that intend to build an internal cybersecurity operations function -- is to take advantage of the speed that outsourcing provides while the organization builds its own cybersecurity operations. Outsourcing can provide at least some of the cybersecurity services needed today, and the organization can take advantage of the trained, experienced staff that an MSSP has at its disposal while building the services that it wants to provide on its own.

When Should you Consider SOC as a service?

There are many reasons why your business could benefit from a SOC as a service company:

• 
  Having your own SOC is expensive: If you’re a small business owner, keeping your SOC in-house may be too expensive, as it can cost a lot to hire security specialists. Not only this, but you’ll also have to increase your office space to cater to them, which can take even more of a toll on your budget.


• 
  Most SOC as a service companies offer 24/7 monitoring: Having an in-house SOC will only benefit you so much, as you can’t have your security specialists monitoring your systems for 24 hours a day (unless you pay them a lot to do so). Most SOC as a service companies offer 24/7 monitoring to their clients, so you’ll always be protected from cyber threats.


• 
  They offer state-of-the-art protection: SOC as service companies offer the most up-to-date cybersecurity protection, and it’s likely that you will have a higher level of security if you outsource your SOC. It’s a lot easier for hackers to get into your systems if they are self-contained, and you are a lot more at risk if you decide to keep your security in the office.


• 
  The security engineers are highly skilled: You could hire some security specialists in-house, but the likelihood is that they aren’t as highly skilled as those in SOC as a service companies, who deal with current threats on a daily basis. By going through SOC as a service companies, you can get access to these specialists, without paying the premium costs that you’d have to fork out if you were going to hire them directly.


• 
  It offers you a good balance of human and tech support: Not only do SOC as a service companies offer the best technology that you can get when it comes to detecting issues, but they also have skilled people on hand to identify any potential issues, too. These companies offer a good balance between the two types of cybersecurity protection, for any type of business.


• 
  They offer training to your members of staff: These SOC as service companies also can take the time to educate your staff members, so that they can identify any issues, and react appropriately. This means that you’ll have people on hand who can notice problems immediately.


• 
  Peace of mind: When you outsource to a SOC as a service company, you can rest easy knowing that your cybersecurity is being looked after by expert analysts who know exactly what they’re doing. Having in-house cybersecurity has the tendency to be more unreliable, and it’s difficult to know that you’re hiring the right people for your business's needs.


• 
  Regular reports: Some of these companies will send you regular reports on the status of your services (even hourly reports, in some cases) so that you are always up-to-date with the status of your cybersecurity.


• 
  Flexibility: Some SOC as a service companies offer full support to your business and its cybersecurity needs, whereas others take a bit more of a backseat when it comes to your SOC. You can choose the level of support that you require, and tailor your SOC as a service plan to your budget, and your needs as a company.

A SOC is something that could secure any organization and provide immense value, whether you decide to manage your cybersecurity in-house, or with an external SOC as a service company. However, SOC as a service companies offer an array of extra benefits for the business owner… if you partner with the right company.

Evgeny I think,

SOC on-premise means a huge investment (=monthly payment) because of the people you need to operate your SOC. 

Pro: it's the total control of your SOC and logs but using the logs in a SOC-as-a-Service does not mean that they use your information. It's just the logs and I think you don't compromise your sensitive info.

Have a nice day.

Manuel

Hi Dears,

Thanks for your contributions and @Shibu Babuchandran ​ for the great listing (LIKED)

Why just take one or another? Our customers prefer a hybrid model. 

So, we are MSSP but the customers plan or have CISO/ Architects/analysts in place and we work together.

In the beginning, there is a little more investment but in the long run, the model is far better for development and enhancement.

Of course, it works best if the quality is first and costs are second.

Otherwise, take the cheapest offer and hope (maybe pray) for the best :)

Hope this adds an opinion.

Best,

Norman

It boils down to the application of knowledge and experience. 

Internal SOC capability is good at a certain point and depends on the size of the org. and his/her continued update and training, apart from being costly. 

Whereas SOC-as-a-service always has the experience and knowledge combined, project base, and/or regular engagement of its service.

This is a truly good and difficult question. 

If we could have MSSP that is reliable and offers good services at a reasonable price this will be Pros for SOC-as-a-Service, for most of the companies.

Otherwise, CONS for having your own SOC are huge: CAPEX + OPEX (Yearly upgrades and  licenses, expenses for having experts for security in-house, ...)

PROS for own SOC, In-house knowledge and strategy.

For me, the 4 main variables are costs, speed (of being operating), business knowledge and customization. 

All others - will depend on these variables.

An internal SOC demands a huge amount of money to be built. For big companies, this is a good option. 

I prefer the MDR concept as the attended way.

MSSP or SOC-as-a-Service is good for small businesses because is an OPEX way.

But as I mentioned before, with MDR as the shape of service.

Alerts are not enough. 

If you would like to operationalize the cost of running an SOC, you may go for SOC as a Service.

It is also save to assume that the Cloud Service Provider of SOC as a service has specialized skills that you ordinarily would not have. The SOC as a service operator is able to have these specialized skill because they serve several customers and so the are able to distribute the cost of ownership across all customers.

Understand that you would cede some level of governance to the SOC-as-a-service operator. For example assessment or audit, you may have to rely on third party assessment or audit report.