Vendors must step up and give customers the data, tools, attention, and knowledge they need at the moment they need them most. In a world where most large enterprises worry about a public breach, technology suppliers must take the time to listen to and understand their customers' problems in order to help them find the right answer. Vendors have access to the most modern cloud compute, storage, and search technologies, visibility into attacks across a large customer base, and knowledge of which defences actually work. SOC teams, on the other hand, rarely benefit from any of these resources.
Lack of data: historical lookback and the vendors
It is well known that threats can go undetected for a long time: IBM's 2020 Cost of a Data Breach study puts the average time to identify and contain a breach at 280 days. Why, then, do SaaS NDR vendors offer lookback periods of only 30, 60, or at best 90 days? Given that the cloud provides essentially unlimited storage, shouldn't historical lookback at least match the dwell time of the threats it is meant to find?
Consider the following example, using the SolarWinds SUNBURST timeline:
• February 20, 2020: the SUNBURST backdoor is inserted into a SolarWinds Orion Platform DLL, from which the attack is launched.
• December 8, 2020: the first SUNBURST intrusion is discovered.
• December 8, 2020 to the present: up to 18,000 Orion customers, among them government agencies and Fortune 500 corporations, are investigating and responding to the attack.
In the days after December 8, 2020, security teams rushed to search their historical data for any sign that the published indicators of compromise had crossed their networks. They were hampered by a lack of network visibility: the available data often covered only a few days. The lucky ones had a month of data, or at most 90 days. None of that was enough to reach back to February 2020, when SUNBURST was first introduced, so teams could not reconstruct the attackers' specific behaviour inside their networks or judge how much danger they were in. Worse, a search that runs out of data at the retention boundary does not say "unknown"; it reports the oldest retained sighting as the first one, which understates both the timeline and the set of affected hosts.
Which raises the question: in an era of cloud computing and nearly unlimited storage, why aren't vendors solving this for their customers?
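To make the retention-window problem concrete, here is a small retrospective hunt added as an illustration; it is not code from the original article or from any NDR product. It runs the same indicator search over constructed sample telemetry under 30-, 90-, and 365-day retention windows, anchored on the December 8, 2020 disclosure date above. The host names, the dates of the sightings, and the placeholder C2 domain are all invented for the example.

```python
from datetime import date, timedelta
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Observation(NamedTuple):
    """One network record: the day it was logged, the source host, and the
    destination domain it resolved or connected to."""
    day: date
    host: str
    domain: str


# Constructed sample telemetry (not real data). The C2 domain is a placeholder
# under the reserved .invalid TLD; the dates mirror the page's timeline, with
# beaconing from March 2020 and disclosure on 8 December 2020.
DISCLOSURE_DAY = date(2020, 12, 8)
C2_DOMAIN = "c2.example.invalid"
SAMPLE: List[Observation] = [
    Observation(date(2020, 3, 4), "build-srv-01", C2_DOMAIN),
    Observation(date(2020, 3, 11), "build-srv-01", C2_DOMAIN),
    Observation(date(2020, 6, 30), "jump-host-02", C2_DOMAIN),
    Observation(date(2020, 10, 2), "fileserver-07", C2_DOMAIN),
    Observation(date(2020, 11, 20), "fileserver-07", C2_DOMAIN),
    Observation(date(2020, 12, 1), "build-srv-01", "updates.example.invalid"),
]


class HuntResult(NamedTuple):
    retention_days: int
    retention_start: date       # oldest day the vendor still holds
    hosts: Tuple[str, ...]      # hosts seen talking to the indicator
    first_seen: Optional[date]  # earliest *retained* sighting, not the true start


def retro_hunt(records: Iterable[Observation], indicator: str,
               disclosure_day: date, retention_days: int) -> HuntResult:
    """Search only the records a retention window would still hold on
    disclosure_day. Anything older has already been aged out."""
    retention_start = disclosure_day - timedelta(days=retention_days)
    hits = [r for r in records
            if retention_start <= r.day <= disclosure_day and r.domain == indicator]
    hosts = tuple(sorted({r.host for r in hits}))
    first_seen = min((r.day for r in hits), default=None)
    return HuntResult(retention_days, retention_start, hosts, first_seen)


def minimum_retention_days(disclosure_day: date, compromise_day: date) -> int:
    """Days of lookback needed for a hunt on disclosure_day to reach the
    suspected start of the compromise."""
    return (disclosure_day - compromise_day).days


def compare_windows(records, indicator, disclosure_day, windows=(30, 90, 365)):
    """Run the same hunt under several retention policies so the effect of
    the window on scope (hosts) and timeline (first_seen) is side by side."""
    return {days: retro_hunt(records, indicator, disclosure_day, days)
            for days in windows}


if __name__ == "__main__":
    for days, result in compare_windows(SAMPLE, C2_DOMAIN, DISCLOSURE_DAY).items():
        print(f"{days:>3}-day window (data from {result.retention_start}): "
              f"hosts={result.hosts} first_seen={result.first_seen}")
    print("retention needed to reach 2020-02-20:",
          minimum_retention_days(DISCLOSURE_DAY, date(2020, 2, 20)), "days")
```

Under the 30- and 90-day windows the hunt finds a single host and reports a November or October "first seen", while the full-year window reveals three hosts and a March start; the short windows do not fail, they quietly return a truncated answer. minimum_retention_days gives the lookback actually required to reach the February 20, 2020 insertion date from the disclosure date: 292 days, more than three times the most generous window on offer.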
Lack of time
Anyone who has been on a security team during an incident knows how much time matters. Every second counts. That is not dramatisation; it is a genuinely high-stress situation, and it is one of the causes of security analyst burnout.
Take today's ransomware. From the moment an attacker's presence in the network is discovered, it is a race to contain them before the bill arrives: an expensive ransom demand, encrypted critical data that halts operations, double extortion over exfiltrated data, and relentless media coverage in which everyone weighs in on what you should do and how you should act.
Security vendors, however, rarely focus on tooling that speeds up the investigation. They are fixated on the ability to "detect" and leave the rest to the security staff. Why, again? Vendors have nearly unlimited compute at their disposal, yet most do not provide this essential capability. With current NDR tools, investigators are forced to run one search at a time. Why can't searches run in parallel? Why can't several members of a team work on the same case, sharing searches and results? And why don't the tools ship threat-specific playbooks that say "here is the hypothesis you should test next", rather than, worse still, sending you to a separate product to redo most of the work there? The cloud compute capacity exists; vendors simply aren't putting it to work for their customers.
Lack of focus
Remember how promising SaaS-based security tools were? Move your security solutions to the cloud and you would never have to maintain them again, while enjoying all the benefits of cloud computing. That promise has gone rather flat, hasn't it?
True, your SaaS security tools receive the newest updates promptly. But, as noted above, you are not getting the benefits of cloud computing, such as unlimited storage and compute. Worse, many of the "technology breakthroughs", especially those built on machine learning, now require your staff to do never-ending detection tuning and false-positive reduction. In other words, vendors have passed the work of obtaining high-fidelity results to your team, often at your cost and to their profit.
Vendors should take the initiative and remove these annoyances. Some vendors are adopting the concept of "directed SaaS", in which your team owns and operates the solution while the vendor handles software upgrades, detection and false-positive tuning, system maintenance, and health checks, so you can focus on "Job 1": threat management. I commend this approach and hope more vendors follow suit and build it into their offerings, rather than charging professional services fees for work they could have done themselves.
Lack of direction
We have established that security teams face three major challenges: a lack of data, time, and focus. The fourth obstacle to a quick response is a lack of threat-specific knowledge. To respond completely and confidently, incident responders must understand an adversary's tactics, techniques, and procedures (TTPs) and their intent. Here again vendors fail to help, leaving security professionals to research the TTPs and the adversary's purpose on their own before they can work out how to respond.
NDR vendors sit on a wealth of information about threat actors' TTPs and intentions, but they do not share it with their customers. Vendor threat research collects a great deal of actionable intelligence on how to respond effectively to a given threat, yet there is no channel for passing it on.
Some vendors do provide additional knowledge, but it is almost always about their product rather than about how to respond to a specific situation. Why don't NDR vendors support their customers in their hour of greatest need by sharing what they have learned across deployments, from crowdsourced data, and from threat research? And not in vendor-speak, but in the way one incident responder would help another.