
Whether run in-house or as an MSSP, a SOC's greatest challenge revolves around finding skilled analysts.

Cyber security industry veteran Murray Benadie and Zenith Systems have been involved in the deployment of over 40 SOCs across Africa. “South Africa is not immune to the critical cyber skills shortage and this is particularly acute with SOC analysts,” says Benadie.

“Analysts are in high demand and as a result are not only locally mobile, but globally mobile as well. With the ever-increasing cyber threat environment, most organisations are deploying their own internal SOCs or are outsourcing to MSSPs, with the resultant demand for SOC analysts outstripping supply. Furthermore, we have seen analysts that we have trained, headhunted to countries such as the UAE, New Zealand, Australia and Europe,” Benadie confirms.

“This is a global challenge and one that we are now able to assist customers in addressing through the use of AI/ML powered analyst solutions such as the Respond RDA solution.

“We have been amazed at the exponential impact that Respond RDA makes in our customer environments, with one documented case showing that the Respond Analyst monitored 138M events, escalating just nine incidents in a one-month period. That is the equivalent of 2 000 human analysts working 24×7 to cover 138M events in one month. So not only does Respond dramatically increase the volume of processing accomplished, but it also exponentially reduces false positives.

“We are seeing this type of dramatic contribution to cyber defence all over the world. One example is Agio, a managed security services provider (MSSP), that took the wraps off a partnership with Respond Software.” 

The MSSP has incorporated Respond Software's technology into its managed detection and response (MDR) service. About 60 clients have access to the technology and Agio plans to extend coverage to its entire customer base of some 300 companies over the next couple of years. The company works with financial services firms, healthcare organisations and payments enterprises.


The traditional model for providing intrusion detection and response was built around a multi-tier SOC, said Peter Schawacker, managing director of cyber security operations at Agio. Low-level analysts would filter through events, looking for indications of attacks. Incidents would then move up the chain to more-experienced analysts. That approach, although honed for years, has proven inadequate for handling today's threats, he noted.

The conventional SOC model "pits the least-experienced analysts against, sometimes, nation-state attackers who have an interest in not being detected," Schawacker explained. "We wanted to try to find a way to automate decision-making that occurs at the level-1, triage stage and get ahead of some of the more complex attacks."

The MSSP began piloting Respond Software's technology in September 2019 and, based on early results, rolled out the MDR service to the initial group of clients in January 2020.

Schawacker said Respond Analyst has been able to sniff out attacks the company wouldn't be able to detect with other tools. Thus far, the software has provided early ransomware detection, identified what appeared to be some form of worm malware and caught phishing-based attacks as they attempted to extend access from compromised systems.

Respond Software reinforces Agio's SIEM and security orchestration, automation and response (SOAR) tools. SIEM is good at detecting clearly malicious activities, Schawacker noted, while SIEM, used in combination with SOAR, can investigate suspicious activities when intention is more in doubt. Respond Software, he added, deals with a third category of activity: anomalous occurrences that are novel or that develop slowly over a period of days, weeks or months.

So-called low-and-slow attacks might not trigger a SIEM, Schawacker said. They will also typically elude human analysts because they unfold over a period of time extending well beyond an employee's shift.
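The low-and-slow problem described above can be made concrete with a small detection exercise. The following Python script is an added illustration and is not code from the article, from Respond Software or from Agio: it constructs a short authentication-failure log and runs two toy rules over it, a one-hour threshold of the kind a SIEM correlation rule typically applies, and a per-source rule that aggregates distinct targeted accounts over a fourteen-day window. The hosts, account names, timestamps and thresholds are all constructed for the example.

```python
"""Why a shift-sized correlation window misses low-and-slow activity.

Two toy rules run over one constructed event stream:
  * burst_rule: N failed logins from one source within one hour (SIEM-style threshold)
  * slow_rule:  distinct accounts with failed logins from one source over 14 days
The events below are constructed for this example, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Set


class AuthEvent(NamedTuple):
    ts: datetime
    src: str        # originating host
    account: str    # account that was targeted
    outcome: str    # "fail" or "success"


def burst_rule(events: List[AuthEvent], threshold: int = 20,
               window: timedelta = timedelta(hours=1)) -> Set[str]:
    """Sliding one-hour window per source; flags a source when failures >= threshold."""
    flagged = set()
    recent = defaultdict(list)          # src -> timestamps of failures still in window
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.outcome != "fail":
            continue
        q = recent[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # expire timestamps that left the window
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(e.src)
    return flagged


def slow_rule(events: List[AuthEvent], window: timedelta = timedelta(days=14),
              min_accounts: int = 10) -> Set[str]:
    """Per-source count of distinct accounts with failed logins inside a long window."""
    flagged = set()
    history = defaultdict(list)         # src -> list of (ts, account)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.outcome != "fail":
            continue
        hist = history[e.src]
        hist.append((e.ts, e.account))
        hist[:] = [(t, a) for t, a in hist if e.ts - t <= window]
        if len({a for _, a in hist}) >= min_accounts:
            flagged.add(e.src)
    return flagged


def build_sample_events() -> List[AuthEvent]:
    """Constructed log: one slow account-spraying host, one noisy brute-force host, one benign host."""
    t0 = datetime(2020, 3, 1, 9, 0)
    events = []
    # Low-and-slow: 10.0.0.5 tries three new accounts per day, hours apart, for ten days.
    for day in range(10):
        for k in range(3):
            events.append(AuthEvent(t0 + timedelta(days=day, hours=5 * k),
                                    "10.0.0.5", f"user{3 * day + k:02d}", "fail"))
    # Burst: 10.0.0.9 hammers a single account 25 times in about eight minutes.
    for k in range(25):
        events.append(AuthEvent(t0 + timedelta(days=2, seconds=20 * k),
                                "10.0.0.9", "svc-backup", "fail"))
    # Benign noise: 10.0.0.7 mistypes one password once a day.
    for day in range(10):
        events.append(AuthEvent(t0 + timedelta(days=day, hours=1),
                                "10.0.0.7", "alice", "fail"))
    return events


def run() -> dict:
    """Returns which sources each rule flagged on the constructed log."""
    events = build_sample_events()
    return {"burst": burst_rule(events), "slow": slow_rule(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(f"{rule:5s} rule flagged: {sorted(hits) or 'nothing'}")
```

On this log the burst rule flags only the noisy host, while the slow-spraying host never accumulates more than one failure in any single hour and so is invisible to it; the fourteen-day rule flags the slow host on its tenth distinct account and ignores the brute-force host, which only ever touches one account. The point is not the particular thresholds but that the aggregation window has to be sized to the behaviour being hunted, which is exactly where a rule tuned to a shift, or an analyst reviewing one shift's alerts, comes up short.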

Respond Software's offering acts as a virtual analyst, emulating a seasoned analyst's judgement and analysing more data without adding personnel, according to the company.

"Most MSSPs and MDR [providers] are just throwing bodies at the problem and that just won't work," he said.
