Integrating SIEM and SOAR in an MSSP environment

Cyberattacks against South African organisations, and the theft or compromise of data and personal information held by them, are nothing new. The reasons for these breaches are varied and complex. Furthermore, as we all know, cybersecurity is a difficult game and not an exact science. These attacks often go undetected, with huge implications – much like an assassin or eavesdropper hiding behind the curtain at a function, intent on causing damage.

To protect against these cyberattacks, to establish and improve the organisation’s cybersecurity effort, or to meet compliance requirements, organisations develop administrative controls in the form of policies and processes. These administrative controls are often informed by regulatory and other compliance requirements and are supported and enforced by deploying technical controls such as firewalls, Intrusion Prevention Systems (IPS), Web Content Filters (WCF) and endpoint protection. The cybersecurity effort is then supported by cybersecurity operations which, when implemented effectively and efficiently, can provide the organisation with a wealth of operational and strategic intelligence, guiding decision making and spend.

Recently, on the endpoint protection side, there has been a move away from pure signature- and anomaly-based detection to “Endpoint Detection and Response” (EDR). EDR combines traditional signature- and anomaly-based AV with the continuous monitoring and collection of endpoint telemetry, and responds to threats through rule-based analysis and response. EDR provides deep visibility into the endpoint and allows machine-speed response to threats on the endpoints.

EDR, together with perimeter and network-based controls, forms a powerful set of tools in our arsenal to detect, protect against and respond to attacks. The volume of events generated by these technical controls is often overwhelming, and this is where newer approaches such as “User and Entity Behaviour Analytics” (UEBA) come into play. UEBA builds a baseline of what is considered normal traffic or behaviour for each user and entity, and flags events that deviate from that baseline as incidents.
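To make the baselining idea concrete, here is an added example (not code from the original post or from any UEBA product) that builds a per-user behavioural baseline from a training window of endpoint telemetry and flags days that deviate from it. The telemetry, the four features (logins, distinct hosts, outbound bytes, off-hours logins) and the 3.0 threshold are all constructed assumptions for illustration; the statistics are the robust median/MAD form rather than a plain mean, so that a few odd days in the training window do not drag the baseline along.

```python
"""Toy UEBA-style baselining: per-user behavioural baseline plus anomaly flagging.
Added example, not code from the original post; all telemetry below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Event:
    ts: datetime      # login time
    user: str         # the "user" in UEBA
    host: str         # the "entity" the user touched
    bytes_out: int    # outbound bytes during the session


def daily_features(events):
    """Aggregate raw events into one feature vector per (user, day)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.user, e.ts.date())].append(e)
    feats = {}
    for key, evs in buckets.items():
        feats[key] = {
            "logins": len(evs),
            "hosts": len({e.host for e in evs}),
            "bytes_out": sum(e.bytes_out for e in evs),
            "off_hours": sum(1 for e in evs if e.ts.hour < 7 or e.ts.hour >= 19),
        }
    return feats


def build_baseline(feats):
    """Per-user median and MAD of each feature (robust to a few unusual training days)."""
    per_user = defaultdict(lambda: defaultdict(list))
    for (user, _day), f in feats.items():
        for name, value in f.items():
            per_user[user][name].append(value)
    baseline = {}
    for user, cols in per_user.items():
        baseline[user] = {}
        for name, vals in cols.items():
            med = median(vals)
            mad = median(abs(v - med) for v in vals)
            baseline[user][name] = (med, mad)
    return baseline


def score(feature_vec, user_baseline):
    """Robust z-score per feature. The scale is floored at 10% of the median and at 1.0,
    so a feature that never varied in training (MAD 0) cannot divide by zero."""
    scores = {}
    for name, x in feature_vec.items():
        med, mad = user_baseline[name]
        scale = max(1.4826 * mad, 0.1 * abs(med), 1.0)
        scores[name] = (x - med) / scale
    return scores


def flag_anomalies(train_events, test_events, threshold=3.0):
    """Return (user, day, flagged_features) for days exceeding the baseline; a user with
    no baseline at all is surfaced too, since a brand-new identity is itself a signal."""
    baseline = build_baseline(daily_features(train_events))
    incidents = []
    for (user, day), f in sorted(daily_features(test_events).items()):
        if user not in baseline:
            incidents.append((user, day, {"reason": "no baseline"}))
            continue
        # Only upward deviations matter here: more logins, hosts, data or off-hours activity.
        hits = {n: round(z, 1) for n, z in score(f, baseline[user]).items() if z > threshold}
        if hits:
            incidents.append((user, day, hits))
    return incidents


def constructed_events():
    """Constructed sample telemetry (not real data): 14 routine days for 'alice', then a
    day mixing her routine with off-hours logins from an unknown host, plus a user 'bob'
    who has no history at all."""
    train, test = [], []
    for d in range(14):
        for i in range(18 + d % 3):
            host = "ws02" if (d % 2 == 0 and i % 2 == 1) else "ws01"
            train.append(Event(datetime(2024, 3, d + 1, 8 + i % 10, 0), "alice", host,
                               2_000_000 + (i % 4) * 250_000))
    for i in range(19):
        test.append(Event(datetime(2024, 3, 15, 8 + i % 10, 0), "alice", "ws01",
                          2_000_000 + (i % 4) * 250_000))
    for i in range(8):
        test.append(Event(datetime(2024, 3, 15, 2, i * 5), "alice", "ws-unknown", 30_000_000))
    test.append(Event(datetime(2024, 3, 15, 9, 0), "bob", "ws07", 1_000_000))
    return train, test


if __name__ == "__main__":
    train, test = constructed_events()
    for user, day, detail in flag_anomalies(train, test):
        print(user, day, detail)
```

On the constructed data, alice's anomalous day is flagged on logins, bytes_out and off_hours but not on hosts (two hosts in a day is within her baseline), and bob is surfaced as having no baseline. The floor on the scale is the detail most often missed in home-grown baselining: without it, any feature that was constant during training produces a division by zero or an infinite score on the first deviation.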

With the protective controls in place, we need to monitor them to detect attacks and threats. As an added benefit, monitoring the technical controls also allows us to measure whether they are performing optimally and protecting as intended. Monitoring these controls can be done from an internal organisational monitoring and response structure, or outsourced to a Managed Security Service Provider (MSSP). Depending on the functions offered or their intended usage, these structures are called Security Operations Centres (SOCs), Cyber Intelligence Centres (CICs) or Cyber Defence Centres (CDCs). We will refer to them collectively as “monitoring and response structures”, or SOCs, as an umbrella term covering all these structures and their different functions.

The primary tools used within these structures are the Security Incident and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools. A well-configured SOAR system, together with UEBA, goes a long way towards alleviating the fatigue caused by the volume of events that SOC analysts need to handle. A well-configured SOAR ingests incidents from a SIEM or other technical controls, enriches those incidents at machine speed and automates the response to the threats and attacks detected, taking the workload off the SOC analysts and freeing them up to focus on other tasks or on incidents that require deeper investigation.
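The ingest, enrich, respond cycle described above, as an added example that is not code from the original post or from any SOAR product. The SIEM alerts, the threat-intelligence feed, the asset inventory and the action names (isolate_host, block_ip, open_ticket and so on) are constructed stand-ins; in a real deployment each action would call the integration for the relevant control, and the auto-isolate threshold would come from the playbook's configuration.

```python
"""Toy SOAR-style playbook: ingest a SIEM alert, enrich it, triage it and choose an
automated or analyst-driven response. Added example, not the post's or any vendor's
code; the TI feed, asset list and alerts are constructed, and the actions only record
entries in the incident's audit trail."""
import json
from dataclasses import dataclass, field

# Constructed enrichment sources (stand-ins for a threat-intel feed and a CMDB lookup).
THREAT_INTEL = {
    "203.0.113.10": {"verdict": "malicious", "confidence": 95, "tag": "known C2"},
    "198.51.100.7": {"verdict": "suspicious", "confidence": 40, "tag": "scanner"},
}
ASSETS = {
    "ws-042": {"owner": "alice", "tier": "workstation"},
    "db-prod-01": {"owner": "dba-team", "tier": "critical"},
}


@dataclass
class Incident:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # audit trail of what the playbook did
    severity: str = "low"
    disposition: str = "auto-closed"


def ingest(raw_alert: str) -> Incident:
    """Parse a SIEM alert (JSON) and reject records missing mandatory fields."""
    alert = json.loads(raw_alert)
    for required in ("id", "host", "dest_ip", "rule"):
        if required not in alert:
            raise ValueError(f"alert missing field {required!r}")
    return Incident(alert=alert)


def enrich(inc: Incident) -> Incident:
    """Attach threat-intel and asset context; unknowns are recorded, not dropped."""
    ti = THREAT_INTEL.get(inc.alert["dest_ip"], {"verdict": "unknown", "confidence": 0, "tag": None})
    asset = ASSETS.get(inc.alert["host"], {"owner": None, "tier": "unknown"})
    inc.enrichment = {"ti": ti, "asset": asset}
    return inc


def triage(inc: Incident) -> Incident:
    """Severity from TI confidence, raised when the asset is business-critical."""
    conf = inc.enrichment["ti"]["confidence"]
    inc.severity = "high" if conf >= 80 else "medium" if conf >= 30 else "low"
    if inc.enrichment["asset"]["tier"] == "critical" and inc.severity != "low":
        inc.severity = "high"
    return inc


def respond(inc: Incident, auto_isolate_threshold: int = 90) -> Incident:
    """Automate only well-understood, reversible steps; anything on a critical asset or with
    ambiguous intel goes to an analyst with the enrichment already attached."""
    ti, asset = inc.enrichment["ti"], inc.enrichment["asset"]
    if (ti["verdict"] == "malicious" and ti["confidence"] >= auto_isolate_threshold
            and asset["tier"] != "critical"):
        inc.actions += [f"isolate_host:{inc.alert['host']}",
                        f"block_ip:{inc.alert['dest_ip']}",
                        f"notify:{asset['owner']}"]
        inc.disposition = "auto-contained"
    elif inc.severity in ("high", "medium"):
        inc.actions.append("open_ticket:tier2")
        inc.disposition = "escalated"
    else:
        inc.actions.append("log_only")
        inc.disposition = "auto-closed"
    return inc


def run_playbook(raw_alert: str) -> Incident:
    return respond(triage(enrich(ingest(raw_alert))))


# Constructed alerts, shaped like a SIEM's correlation-rule output.
SAMPLE_ALERTS = [
    '{"id": "A-1", "host": "ws-042", "dest_ip": "203.0.113.10", "rule": "outbound to known C2"}',
    '{"id": "A-2", "host": "db-prod-01", "dest_ip": "203.0.113.10", "rule": "outbound to known C2"}',
    '{"id": "A-3", "host": "ws-042", "dest_ip": "198.51.100.7", "rule": "port scan response"}',
    '{"id": "A-4", "host": "ws-099", "dest_ip": "192.0.2.55", "rule": "new process"}',
]


def run_samples():
    """Run every constructed alert through the playbook, keyed by alert id."""
    return {json.loads(a)["id"]: run_playbook(a) for a in SAMPLE_ALERTS}


if __name__ == "__main__":
    for aid, inc in run_samples().items():
        print(aid, inc.severity, inc.disposition, inc.actions)
```

The split in respond() is the part worth copying: the same high-confidence indicator is auto-contained on a workstation but escalated on the critical database host, and an ambiguous indicator is handed to an analyst already enriched rather than auto-closed. Keeping every action in the incident's audit trail is what lets the SOC later review, and if necessary reverse, what the automation did.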

Building an internal organisational structure is often difficult, and some constraints stand out. Cost is the first constraint: the cost of SIEM and SOAR tools is often prohibitive for most organisations. Facilities are the second constraint: these structures are subject to laws such as the Employment Act, which prescribes labour activities as well as facilities requirements for running a 24x7 operation. The third constraint is people. Regardless of who establishes a monitoring and response structure, one of the biggest challenges is finding skilled people to staff it. It is our experience that it is extremely difficult to find skilled SOC analysts, and once you find them, retaining them becomes a challenge.

These constraints support our observation that it is mostly enterprise-sized organisations that build their own internal monitoring and response structures. That said, enterprise-sized organisations still suffer from all the constraints mentioned. Furthermore, it is also very difficult to find experienced SOC builders – people who know how to build and structure a SOC, identify and develop processes, select technology stacks, and implement and onboard clients. Needless to say, these skills are scarce. This is where MSSPs come in.

MSSPs procure the SIEM and SOAR technologies upfront and leverage economies of scale, in that the cost of these tools is spread across multiple clients. This approach makes monitoring, detection and automated response to cybersecurity risks accessible to more organisations. MSSPs provide the infrastructure, facilities, processes and, most importantly, the people that enable a monitoring, detection and response capability. Enterprise clients can also benefit from this approach, in that MSSP staff are exposed to clients across different industries, technologies and attack techniques, which gives them a broader understanding of attack techniques and attack vectors.

Cyberantix is ideally positioned not only to offer traditional MSSP services, but is also one of the first MSSPs in South Africa to offer SOAR as a service to clients. We have been offering SOAR services for just over a year and are ahead of our competitors in terms of architecture design, deployment and playbook development. Our people are highly skilled and experienced: all our junior analysts have more than two years’ working experience in SOCs, and our senior analysts more than 15 years of true cyber experience. If you are considering MSSP services, we recommend that you ask the following questions:

1. Is the MSSP ISO 27001 certified? This shows commitment and provides some assurance that basic security controls are in place.

2. Does the MSSP offer a cloud-based SIEM? This is an important consideration if you have a cloud presence.

3. Does the MSSP offer per-host pricing and billing? Traditional MSSP pricing models bill per events per second (EPS) or per storage volume. This makes it difficult to predict pricing when there is a peak in EPS or storage (such as during a malware outbreak), which could lead to nasty surprises.

4. Does the MSSP have a proven track record with SOAR? Your MSSP should offer SOAR services and should have a proven track record in SOAR configuration and integrations, use case development and playbook development.

5. Are the MSSP’s engineers highly skilled, with the right certifications to back up those skills? You could ask to review SOC staff CVs, or ask for a proof of concept in which you can test their skills.

6. Do the MSSP’s SIEM and SOAR offer and support UEBA? This is an additional mechanism to detect anomalous user and entity behaviour that may be indicative of attacks. Your MSSP should have a proven track record of configuring UEBA on their SIEM.

7. Does the MSSP offer commercial threat intelligence? Does the SOAR or SIEM integrate seamlessly with commercial or open-source threat intelligence sources?

8. Does the MSSP offer bespoke use case development, or do they only offer out-of-the-box use cases? Companies differ in what they want to detect. Your MSSP should be able to guide you on out-of-the-box use cases (and ensure there is enough visibility to satisfy them) and should also be able to develop bespoke use cases, for example to detect fraudulent activity.

9. Does the MSSP follow a structured approach when engaging? Do they perform a visibility assessment? Do they propose use cases based on the available log and telemetry sources? Are they able to ingest those logs into their SIEM / SOAR?