This is a live post which I will keep updating for my own reference.
- Signature-based detection: the oldest and most common approach to detecting intrusions in a networked computing environment. It matches observed traffic or host activity against patterns of known attacks, so it catches only what has already been seen and encoded as a signature.
- Behavioral analytics: a branch of analytics in which known patterns of behavior are applied to discover malicious activity.
- Anomaly detection: also known as outlier detection. It uses statistical profiling to build a historical baseline and alerts on deviations from that baseline that match a potential attack vector. Its main cost is false positives whenever legitimate but irregular activity was not captured in the baseline.
- Cross-device correlation: also known as event correlation. A single IDS alert is correlated with the large volume of firewall alerts to pinpoint the events that really matter in a scenario where a massive number of alerts is generated.
- Kill-chain detection: an intrusion-analysis methodology that focuses on the successive stages of an attack (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives) so that an intrusion can be detected and disrupted at any of them. The model was developed by Lockheed Martin.
- Integrated threat intelligence: similar in spirit to the signature-based approach but more agile and supported through industry partnerships. It looks for known bad actors and indicators by leveraging global threat intelligence from multiple, disparate feeds.
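As an added example, not code from the original post: a small Python sketch of two of the approaches above, statistical-baseline anomaly detection and cross-device (event) correlation, run over constructed firewall deny records and IDS alerts and then combined into a simple triage decision. The record layout, the signature names, the z-score threshold of 3, the 15-minute window and the per-source baseline of four hours are my own assumptions, not any product's logic.

```python
"""Added example, not code from the original post: statistical-baseline
anomaly detection and cross-device correlation over constructed firewall
and IDS records. Record layout, signature names, threshold and window are
assumptions made for the illustration."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _denies(src, day_hour, n, dst_port):
    """Constructed sample data: n firewall deny events for src, one per minute
    inside the hour day_hour (e.g. "2024-03-01T09"). Not a real vendor format."""
    return [(f"{day_hour}:{m:02d}:00", src, dst_port) for m in range(n)]


# (timestamp, src_ip, dst_port) firewall denies: four baseline hours (05-08)
# plus the hour under analysis (09). 10.0.0.5 is quiet in the baseline and
# bursts at 09:00; 10.0.0.8 is consistently noisy; 10.0.0.9 appears once.
FIREWALL_DENIES = (
    _denies("10.0.0.5", "2024-03-01T05", 1, 445)
    + _denies("10.0.0.5", "2024-03-01T07", 1, 445)
    + _denies("10.0.0.5", "2024-03-01T09", 12, 445)
    + _denies("10.0.0.8", "2024-03-01T05", 4, 443)
    + _denies("10.0.0.8", "2024-03-01T06", 5, 443)
    + _denies("10.0.0.8", "2024-03-01T07", 4, 443)
    + _denies("10.0.0.8", "2024-03-01T08", 5, 443)
    + _denies("10.0.0.8", "2024-03-01T09", 5, 443)
    + _denies("10.0.0.9", "2024-03-01T09", 1, 22)
)
BASELINE_HOURS = [datetime(2024, 3, 1, h) for h in range(5, 9)]
CURRENT_HOUR = datetime(2024, 3, 1, 9)

# (timestamp, src_ip, signature) IDS alerts; the signature names are made up.
IDS_ALERTS = [
    ("2024-03-01T09:10:00", "10.0.0.5", "SMB share enumeration (constructed)"),
    ("2024-03-01T09:30:00", "10.0.0.9", "SSH brute force (constructed)"),
]


def hourly_deny_counts(events):
    """Count denies per (src_ip, hour bucket)."""
    counts = Counter()
    for ts, src, _port in events:
        counts[(src, parse_ts(ts).replace(minute=0, second=0))] += 1
    return counts


def anomalous_sources(events, baseline_hours, current_hour, z_threshold=3.0):
    """Anomaly detection: profile each source's hourly deny count over the
    baseline hours and flag sources whose count in current_hour sits more than
    z_threshold standard deviations above their own mean. Returns {src: z}."""
    counts = hourly_deny_counts(events)
    hits = {}
    for src in {src for src, _ in counts}:
        history = [counts.get((src, h), 0) for h in baseline_hours]
        mu, sigma = mean(history), pstdev(history)
        observed = counts.get((src, current_hour), 0)
        # Floor sigma at 1 so a flat baseline (sigma == 0) yields a finite z
        # instead of flagging every source that moves by a single event.
        z = (observed - mu) / max(sigma, 1.0)
        if z >= z_threshold:
            hits[src] = round(z, 2)
    return hits


def correlate(ids_alerts, fw_events, window=timedelta(minutes=15)):
    """Cross-device correlation: for each IDS alert, collect the firewall
    denies from the same source within +/- window of the alert time."""
    out = []
    for alert in ids_alerts:
        ts, src, _sig = alert
        t = parse_ts(ts)
        related = [e for e in fw_events
                   if e[1] == src and abs(parse_ts(e[0]) - t) <= window]
        out.append((alert, related))
    return out


def triage(ids_alerts, fw_events, baseline_hours, current_hour):
    """Combine both: escalate an IDS alert only when a second device (the
    firewall) corroborates it and the source's deny rate is itself anomalous."""
    anomalies = anomalous_sources(fw_events, baseline_hours, current_hour)
    results = []
    for (ts, src, sig), denies in correlate(ids_alerts, fw_events):
        if src in anomalies and denies:
            priority = "escalate"
        elif denies:
            priority = "review"
        else:
            priority = "low"  # nothing on the firewall backs the IDS alert up
        results.append({"time": ts, "src": src, "signature": sig,
                        "correlated_denies": len(denies),
                        "z_score": anomalies.get(src), "priority": priority})
    return results


if __name__ == "__main__":
    for r in triage(IDS_ALERTS, FIREWALL_DENIES, BASELINE_HOURS, CURRENT_HOUR):
        print(r)
```

Running it escalates the 10.0.0.5 alert (12 corroborating denies inside the window, z = 11.5 against that host's own baseline) and leaves the 10.0.0.9 alert at low priority because its only firewall deny lies 30 minutes outside the window. 10.0.0.8 produces the most denies of all three sources yet never trips the anomaly check, because that rate is its baseline; this is why the profile is built per source rather than as one global threshold, and it is the same mechanism an MSSP needs fed back to it when a customer reports a false positive.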
Every approach has the same goal: to catch suspicious or malicious activity. The ideal catch, and also the most complicated, is the abstract set of behaviors an adversary uses. In David Bianco's Pyramid of Pain those are the adversary's tactics, techniques and procedures (TTPs), the indicators that are hardest for an attacker to change. This is the ideal detector according to Red Canary's detection engineering team.
However, regardless of the approach used, the truth is that in MSSP environments (with an overwhelming volume of security alerts) a huge amount of time and resources is wasted processing useless alerts, which often either dulls the sensitivity of security personnel or leads them to ignore alerts altogether. What is the best solution? That is a hard question. Innovative approaches to avoiding alert fatigue and other SOC challenges, such as SOCless detections, may suit some environments, but they are not intended for MSSP environments. The best advice I have seen in this area for improving MSSP capabilities is this:
I had countless conversations with organizations complaining about the false positives sent by the MSSP. But it’s impressive how many of them are not prepared to report back those events to the provider in a way that would allow them to tune their systems and avoid a similar occurrence in the future. This is a recurrent theme in this document: You MUST WORK WITH THE MSSP, not expect them to figure everything out alone.
Augusto Barros, Research VP at Gartner.
But obviously, talking about security alerts without having an incident response plan in place is fruitless. Some companies contract MSSP services merely as a checkbox, where every escalated security alert, regardless of its accuracy, goes into a black hole. This may be due either to a lack of security awareness within the company (no CISO role) or to budgetary reasons. In the latter case the IT staff usually cannot cope with security-related work, again either because of an excessive workload or a lack of knowledge. The optimal situation is a company with a security incident response plan in place (see NIST SP 800-61):
Incident response phases defined in NIST SP 800-61: preparation; detection and analysis; containment, eradication and recovery; post-incident activity.
In such an optimal situation, a company whose security service is provided by an MSSP knows what to do and how to act (through defined playbooks) for every security alert it receives from the MSSP.
Mini-paper released recently: Improving security incident quality in SOCs with resolution categories.
Related external links:
https://www.sans.org/reading-room/whitepapers/infosec/detecting-preventing-attacks-earlier-kill-chain-36230
https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
https://redcanary.com/blog/common-siem-issues/