Patterns of collaboration in enterprise SOCs

Overview

As we continue building out our SOC Content Platform working with our enterprise design partners, we have had many conversations with analysts in SOC’s. In this process, we have had many learnings on the key personas, their tasks and their challenges in addressing the mission of detecting and responding to cyber attacks within the enterprise. Most importantly, we have been impressed with how they collaborate together in addressing those challenges towards achieving the detection outcomes of threat relevance(are we looking for the right threats?) and high detection efficacy(are we meeting the high TP, low FP and low FN requirements?).

Personas

1. Threat Analyst/Threat Operations/Adversary Research

a. Tasks. They research adversaries, their tactics, techniques and procedures, and track their evolution. They analyze research reports, and follow various threat intel sources, and stay on top of threat activity observed in the enterprise. In some orgs, Cyber Threat Intel (CTI) teams use Threat Intel platforms for this purpose.

b. Deliverable. They create use cases(“hypothesis”) for adversary detection for the threat detection content team. The use cases clearly specify the behaviors that the detection team must detect. Behaviors are more useful to look for than IOC’s which have a short shelf time. They may also specify as a detection target that are not just procedures but also an entire attack that is a sequence of threat procedures.

2. Detection Analytics/Threat Hunting

a. Tasks: They develop the detection content for detecting the behaviors specified by the Threat intel/adversary research team. They recreate the threat procedures as indicated in the use cases, collect the required events that log the threat behaviors including endpoint, network and cloud logs.

b. Deliverable. They craft the correlation search to detect the specific behavior. This is a complex process — the key is to maximize true positive detections (and reducing false positives) while minimizing false negatives. This is where statistical searches, correlations, and ML techniques are deployed for the detection. The detection analyst also offers guidance to the IR/Triage Analyst on what to do after an alert is generated from the detection.

3. IR/Triage Analyst

a. Tasks: This persona consumes the detection content generated by the Detection engineering team, deploys the detection content, and reviews the alerts being generated.

b. Challenges. They usually notice many false positives in the early iterations of the detection logic. This may require changes in the detection logic, require additional baselines to safe list known good activity, and also require additional use of safelists and blocklists to refine the search.

Collaboration Patterns

We observed the following patterns of collaborations between these personals to meet the mission outcomes of threat relevance and high efficacy. Where collaboration is fluid and friction-less, continuous improvement is enabled where analysts spent more time in search development and refinement and less tine in chasing alert false positives.

1.Use Case Refinement During Detection Development. During this process, the Detection Analyst works closely with Threat Analysts to refine the use cases and bring to attention the available log sources that can be used in crafting the detection. They inform the Threat Analyst team of the tradeoffs between detection scope, accuracy and the risk of false positives. The MITRE ATT&CK (https://attack.mitre.org/) framework is an important part of the collaborations workflow

2. Analyst Feedback for Efficacy Improvement. The IR/Triage Analyst can offer feedback to the Detection Analyst to improve the search. As the IR Analyst get new drafts of the detection content, she can compare the results with the previous searches, and offer feedback on accuracy improvements. This can be challenging as the people triaging alerts may not be the author of the detection logic. Developing high efficacy analytics remains an art, and takes quite a few iterations working with the IR Analyst and Threat Analyst in getting this right.

3. That Intel from Adversary Observables During Alert Review. The IR Analyst can inform the threat intel about true positive alerts observed, and what indications (e.g. behavioral, signatures) they offer about adversary tradecraft.

In future blogs, we will offer specific examples of collaboration that has led to better outcomes. We hope you found this useful, and stay tuned for more.