An organisation’s ability to stay ahead of the security curve depends on two things: effective tools and capable security analysts. Unfortunately, balancing technology and human capital tends to be difficult.
Detection and prevention technologies generate hundreds or thousands of alerts a day, more than security teams can handle. These alerts come from many disconnected sources, leaving analysts to piece the puzzle together by hand. There is only time to address the highest-priority alerts; low-priority alerts are neglected, even though a low-priority alert from one tool may be a single step of a larger campaign.
As the threat landscape intensifies, organisations find they can’t manage the high volume of security alerts. Can the next generation of tools help?
The use of APIs and SIEMs
Many organisations use APIs to pull detection and response data into a central store. In practice that centre is usually an expensive SIEM, which aggregates logs by parsing and normalising them into a common schema. Normalisation makes the data queryable, but fields that do not fit the schema are frequently dropped in the process, stripping away much of the context an analyst needs unless the raw event is retained alongside the normalised record.
This option is not perfect. What’s really needed is a set of technologies to reduce the total number of alerts while also allowing analysts to efficiently assess threats so that only high-priority alerts are escalated.
An array of logging, detection, and response tools has come to market to help. These include Endpoint Detection and Response (EDR), Endpoint Protection Platform (EPP), and Security Information and Event Management (SIEM). Each of these tools has strengths and weaknesses and can be useful against simple attacks, such as attacks that threaten just one part of the infrastructure. Most, however, are tuned for a single purpose and are ill-suited to handle complex campaigns on their own.
Newer tools such as Network Detection and Response (NDR) and User and Entity Behaviour Analytics (UEBA) are designed to address some of these shortfalls. They use Machine Learning (ML) to flag activity that deviates from a learned baseline, rather than matching known signatures or hand-written correlation rules. That lets them surface previously unseen attacks that a rule-driven SIEM would miss, at the cost of false positives whenever legitimate behaviour changes and the baseline has not yet caught up.
These tools also have limitations. Network-based products cannot see local events, such as the process information gathered on endpoints. NDR also has limited depth: if EDR is deep and narrow, NDR is wide and shallow. UEBA tools rely on third-party logs to detect threats and assign risk scores, so if those upstream tools miss a detection, or a piece of infrastructure is not being logged at all, the UEBA is blind to it.
This situation further exacerbates the skills gap. It’s evident that companies need to look for tools that help security teams be more effective, automate repetitive tasks and simplify investigations.
Next-generation XDR security
A next generation of detection and response tools has emerged to meet this need. Known as XDR (where the ‘X’ stands for ‘extended’ and can represent any data source), it starts from the recognition that examining individual infrastructure components in isolation is inefficient. XDR uses machine learning and dynamic analysis techniques to combine the capabilities and outcomes of SIEM, UEBA, NDR, and EDR.
XDR stitches together data from the endpoint, network, and cloud in a single data lake, so that an endpoint event, the network flow it produced, and the cloud activity that followed can be correlated into one incident rather than three unrelated alerts. The result is broader visibility, machine learning analytics applied across sources rather than within one, and integrated remediation, changing how threat hunting, detection, investigation, and response are done.
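The two ideas above, normalising disconnected sources without discarding the raw record, and stitching endpoint, network, and cloud events into one incident, can be shown in a few dozen lines. The following is an added example written for this page; it is not Cortex XDR code or any vendor's implementation. The three telemetry records are constructed, the field names for each source are assumed rather than taken from any real product, and the ten-minute correlation window is an arbitrary choice. The point it demonstrates is that the network flow and the cloud API call share no field with each other, yet both chain to the endpoint event (one through the host, one through the user), so only a cross-source view sees them as a single incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three disconnected sources (not real data).
# Each source uses its own field names; that is the integration problem XDR addresses.
EDR_EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "hostname": "ws-042", "user": "alice",
     "parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA..."},
    {"ts": "2024-05-01T10:01:00Z", "hostname": "ws-017", "user": "bob",
     "parent": "explorer.exe", "process": "chrome.exe", "cmdline": "chrome.exe"},
]
NDR_FLOWS = [
    {"start": "2024-05-01T10:00:20Z", "src": "10.1.2.42", "src_host": "ws-042",
     "dst": "203.0.113.7", "dport": 443, "bytes_out": 5_600_000},
]
CLOUD_AUDIT = [
    {"eventTime": "2024-05-01T10:03:10Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.9"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(source, rec):
    """Map a source-specific record onto one common schema.

    host/user/ip are the pivots used for correlation; `raw` keeps the
    original record so nothing is lost to normalisation.
    """
    if source == "edr":
        return {"ts": parse_ts(rec["ts"]), "source": source, "host": rec["hostname"],
                "user": rec["user"], "ip": None,
                "summary": f'{rec["parent"]} -> {rec["process"]}', "raw": rec}
    if source == "ndr":
        return {"ts": parse_ts(rec["start"]), "source": source, "host": rec["src_host"],
                "user": None, "ip": rec["src"],
                "summary": f'{rec["src"]} -> {rec["dst"]}:{rec["dport"]} '
                           f'({rec["bytes_out"]} bytes out)', "raw": rec}
    if source == "cloud":
        return {"ts": parse_ts(rec["eventTime"]), "source": source, "host": None,
                "user": rec["userIdentity"]["userName"], "ip": rec["sourceIPAddress"],
                "summary": f'{rec["eventName"]} from {rec["sourceIPAddress"]}', "raw": rec}
    raise ValueError(f"unknown source {source!r}")


def pivots(ev):
    """Pivot keys an event can be joined on; absent fields are skipped."""
    return [(k, ev[k]) for k in ("host", "user", "ip") if ev[k] is not None]


def correlate(events, window=WINDOW):
    """Group events that share a pivot value within `window` into incidents.

    Union-find lets a chain (edr-host-ndr, edr-user-cloud) collapse into one
    group even though the ndr and cloud events share no field directly.
    """
    events = sorted(events, key=lambda e: e["ts"])
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    last_seen = {}  # pivot -> index of the most recent event carrying it
    for i, ev in enumerate(events):
        for pv in pivots(ev):
            j = last_seen.get(pv)
            if j is not None and ev["ts"] - events[j]["ts"] <= window:
                parent[find(i)] = find(j)
            last_seen[pv] = i

    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    return list(groups.values())


def prioritise(incident):
    """Escalate only when independent sources corroborate each other."""
    return "high" if len({e["source"] for e in incident}) >= 2 else "low"


def build_incidents():
    events = ([normalise("edr", r) for r in EDR_EVENTS]
              + [normalise("ndr", r) for r in NDR_FLOWS]
              + [normalise("cloud", r) for r in CLOUD_AUDIT])
    return [(prioritise(inc), inc) for inc in correlate(events)]


if __name__ == "__main__":
    for prio, inc in build_incidents():
        print(f"[{prio}] incident with {len(inc)} events")
        for e in inc:
            print(f"  {e['ts']:%H:%M:%S} {e['source']:5} {e['summary']}")
```

Run stand-alone it prints one high-priority incident (Word spawning encoded PowerShell, a large upload from the same host, then the same user listing buckets from an unfamiliar address) and one low-priority incident for the unrelated browser launch on ws-017. Each individual alert is unremarkable on its own, which is why a single-source tool would have left all three at low priority; the corroboration across sources is what raises the score. The `raw` field is what an analyst drills into afterwards, which is the context a normalise-and-discard pipeline would have thrown away.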
To learn more about how Cortex XDR is redefining SecOps read Palo Alto Networks’ ‘The Essential Guide to XDR’.