Interview: Check Point profiles 5 battles that SOC teams face in 2020
Check Point was founded in 1993, in a decade when the internet was finding its feet in both the enterprise and the consumer market. The company has spent 27 years in cybersecurity, and today frames its mission as ‘secure your everything’.
We spoke to Check Point’s cybersecurity evangelist Ashwin Ram to learn more about the company, and one of the most common pain points that any security professional will know well: the time it takes to detect, respond, and remediate security incidents.
“As the threat landscape has changed and evolved, so have our capabilities. Over the years, we've evolved from being just a firewall vendor to one that offers a security portfolio,” says Ram.
The company’s offerings aim to cover the whole IT estate, from data centres and endpoints to mobile, public and private cloud, SaaS applications, IoT and SD-WAN. That breadth matters to enterprise security teams because, as Ram goes on to explain, security incidents are growing in both number and size.
It’s taking longer for security teams to get breaches under control
"According to Cost of a Data Breach Report 2019, a study conducted by Ponemon Institute, the average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days, for a total of 279 days. This represents a 4.9% increase over the 2018 breach lifecycle of 266 days,” says Ram.
That’s far from good news for security operations centres (SOCs) and those charged with protecting their organisations because the trend is going in the wrong direction. It is now taking longer for teams to sort breaches out.
“The faster a data breach can be identified and contained, the lower the costs. Breaches with a lifecycle less than 200 days were on average $1.22 million less costly than breaches with a lifecycle of more than 200 days ($3.34 million vs. $4.56 million respectively), a difference of 37%,” Ram adds.
So why is it now taking longer to detect, respond to and remediate breaches? One of the main reasons is the dreaded skills gap: there are simply not enough skilled staff for organisations to rely on.
Other reasons include:
- Too many security tools to make sense of, which often leads to conflicting information when teams are under pressure to work out what is going on
- Lack of up-to-date threat intelligence to provide insight into a threat
- SOC teams struggling to prioritise threats effectively (triage)
- Reliance on manual processes
- SOC teams spending time on incidents that turn out to be false positives
False positives and their effects on security teams
Ram’s point that security teams can spend too much time chasing false positives raises an interesting dilemma. Where do false positives come from, what do they mean for an organisation’s overall threat analysis, and what effect do they have on SOC teams?
“Various scenarios can cause false positives in User and Entity Behaviour Analytics (UEBA) tools, such as not being able to compensate for behavioural change,” says Ram. “They indicate a change in behaviour; however, this change does not always equal malicious behaviour.”
He points to COVID-19 as an example of how behaviours change – and how some security platforms may not have been able to keep up. COVID-19 forced a change in user connectivity patterns as people logged in to corporate networks from their homes – and often from other countries and time zones.
Ram says that many UEBA tools would have marked these changing patterns as suspicious because it was not normal behaviour that the tools had seen before. Security professionals then needed to analyse these alerts and determine if there was a threat. The reality, of course, was that the majority of those pattern changes were indeed genuine.
“Other reasons for false positives include a threat intelligence data sample that is too small, poorly written threat prevention signatures and unrecognised network traffic. This is why it is important to configure intrusion prevention systems (IPS) to auto-update signatures.”
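The remote-work scenario Ram describes above is a population-wide behaviour change that a per-user baseline cannot tell apart from an individual anomaly. The following is an added example, not Check Point’s code or anything from the interview: a toy UEBA-style “new login profile” detector run over constructed login events. The naive rule alerts on every user when the whole company starts logging in from home; the second version treats a novel profile shared by half or more of the active users as a population shift and keeps only the one login that is genuinely unusual. The event fields, user names, the `shift_ratio` threshold and the (country, network type) profile are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (day, user, country, network_type).
# Days 1-2 form the baseline: everyone logs in from the office network.
# On day 3 the whole company starts working from home; carol additionally
# has one login from a hosting provider abroad, the only real anomaly here.
EVENTS = [
    (1, "alice", "GB", "corp"), (1, "bob", "GB", "corp"),
    (1, "carol", "GB", "corp"), (1, "dave", "GB", "corp"),
    (2, "alice", "GB", "corp"), (2, "bob", "GB", "corp"),
    (2, "carol", "GB", "corp"), (2, "dave", "GB", "corp"),
    (3, "alice", "GB", "residential"), (3, "bob", "GB", "residential"),
    (3, "carol", "GB", "residential"), (3, "dave", "GB", "residential"),
    (3, "carol", "NG", "hosting"),
]


def build_baseline(events, baseline_days):
    """Per-user set of (country, network_type) profiles seen during the baseline."""
    baseline = defaultdict(set)
    for day, user, country, net in events:
        if day in baseline_days:
            baseline[user].add((country, net))
    return baseline


def naive_alerts(events, baseline, day):
    """Alert on every login whose profile the user has never shown before.
    This is the behaviour that floods the SOC when everyone goes remote."""
    return [(user, (country, net))
            for d, user, country, net in events
            if d == day and (country, net) not in baseline[user]]


def population_aware_alerts(events, baseline, day, shift_ratio=0.5):
    """Same per-user rule, but a novel profile that is new for at least
    shift_ratio of the users active that day is reported as a population
    shift (e.g. a move to remote work) instead of as per-user alerts."""
    day_events = [e for e in events if e[0] == day]
    active_users = {e[1] for e in day_events}
    novel_users = defaultdict(set)  # profile -> users for whom it is new
    for _, user, country, net in day_events:
        if (country, net) not in baseline[user]:
            novel_users[(country, net)].add(user)
    shifts = {profile for profile, users in novel_users.items()
              if len(users) / len(active_users) >= shift_ratio}
    alerts = [(user, profile)
              for profile, users in novel_users.items() if profile not in shifts
              for user in sorted(users)]
    return alerts, shifts


if __name__ == "__main__":
    base = build_baseline(EVENTS, {1, 2})
    print("naive alerts:", naive_alerts(EVENTS, base, 3))
    alerts, shifts = population_aware_alerts(EVENTS, base, 3)
    print("population shifts (review, do not page):", shifts)
    print("remaining alerts:", alerts)
```

The shift heuristic is a triage aid, not a substitute for re-learning the baseline: once remote work is the norm, the residential profile should become part of each user’s baseline, and a suppressed shift still deserves a human look, since an attacker who times activity to coincide with a large change in behaviour would hide inside it.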
Another major challenge is threat prioritisation. Ram says, “Human nature is that we work in sequential order, but this doesn’t make sense when you are defending against cyber threats.”
So what is the best way to deal with security threats when everything could be important?
When people arrive at a hospital without an appointment, nurses triage them by the severity of their symptoms. Check Point applies a similar method in InfinitySOC, a product which the company says helps SOC analysts identify and mitigate threats with 99.9% precision.
“You must focus on the most dangerous threats first. InfinitySOC addresses this by triaging threats so SOC teams can quickly and accurately focus on the most dangerous threats to an organisation. InfinitySOC can do this because it’s backed by the largest threat intelligence platform in the industry,” says Ram.
Lookalike domain names – what to do about them
Many businesses lack the capacity to deal with ‘external’ security threats, the kind you cannot put your own controls around, such as domain names registered by someone else.
“Nothing is preventing your adversaries from registering a lookalike domain, or a domain that looks almost identical to your corporate domain name. This can cause significant damage because attackers can use this to not only target your employees and customers but also your business partners."
Organisations often face an uphill battle to get these fake sites removed, especially if the domain was registered in another part of the world. Many organisations don’t know where to start.
“InfinitySOC can monitor for lookalike domains and also carry out lookalike domain takedowns through our Incident Response Team,” says Ram.
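Monitoring for lookalike domains comes down to recognising names that render or read like your own. The following is an added example, not Check Point’s or InfinitySOC’s code, of the core comparison step: each candidate label is reduced to a “skeleton” (punycode-decoded, Unicode-normalised, lowercased, and with a small set of confusable characters mapped onto their Latin look) and then compared with the protected brand by edit distance and substring checks. The brand `example`, the candidate domains, the confusable table (a deliberate subset of the Unicode confusables list) and the treatment of the last label as the TLD are all assumptions for illustration.

```python
import unicodedata

# Deliberately small confusable table (not the full Unicode confusables list):
# Cyrillic/Greek letters and digits that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u03bf": "o",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
# Character pairs that look like a single letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(label):
    """Canonical skeleton of one domain label: punycode-decode if needed,
    NFKC-fold, lowercase, then map confusables onto their Latin look."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for pair, repl in MULTI_CONFUSABLES.items():
        label = label.replace(pair, repl)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'exmaple' is one edit from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def sld(domain):
    """Second-level label. Simplification: the last label is treated as the
    TLD, so multi-part public suffixes such as .co.uk are not handled."""
    labels = domain.strip().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(candidate, brand, max_distance=1):
    """Verdict for a candidate domain against a protected brand label."""
    brand_skel = skeleton(brand)
    cand_label = sld(candidate)
    cand_skel = skeleton(cand_label)
    if cand_skel == brand_skel:
        # Same skeleton: either our own name (possibly under another TLD)
        # or a string that only looks like it (homoglyphs, digits, 'rn').
        return "exact" if cand_label.lower() == brand.lower() else "homoglyph"
    if osa_distance(cand_skel, brand_skel) <= max_distance:
        return "typo"
    if brand_skel in cand_skel:
        return "combosquat"  # brand embedded with extra words, e.g. brand-login
    return "unrelated"


def scan(candidates, brand):
    """Classify a batch of newly seen domains; drop the unrelated ones."""
    return [(c, classify(c, brand)) for c in candidates
            if classify(c, brand) != "unrelated"]


# Constructed candidate domains, as might arrive from a certificate
# transparency or newly-registered-domain feed.
CANDIDATES = [
    "example.com", "examp1e.com", "exarnple.com", "\u0435xample.com",
    "\u0435xample.com".encode("idna").decode("ascii"),  # punycode form
    "exmaple.com", "example-login.com", "exemplar.com", "github.com",
]

if __name__ == "__main__":
    for domain, verdict in scan(CANDIDATES, "example"):
        print(f"{domain:32} {verdict}")
```

In practice the candidates come from certificate transparency logs, zone files or newly-registered-domain feeds, and anything classified as `homoglyph`, `typo` or `combosquat` goes into a takedown or blocking queue for review; the confusable table here is a toy, and a real deployment would use the full Unicode confusables data and a public suffix list to find the registrable domain correctly.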
Next steps: Incident response and compromise assessments
Beyond threat triage and minimising false positives, what else can organisations do to minimise their cyber risk? Ram says there are two key things: practice incident response and undertake a compromise assessment.
"Incident response is important for any organisation,” says Ram. “Your playground has changed. Most of the folks in your IR strategy are now working remotely, so they can’t just quickly get into a boardroom to discuss the threat. This change in condition needs to be reflected in your game plan as we adjust to this ‘new normal’”.
Compromise assessments should also be part of this new normal, especially as many organisations move large swathes of their infrastructure to the cloud.
“We see so many businesses that are getting compromised due to simple mistakes and blind spots. This is happening because businesses are trying to be agile, but they are approaching cloud projects with a ‘just do it’ mindset to facilitate the changes as a direct impact of COVID-19,” says Ram.
Avoiding simple mistakes and blind spots in the new normal work environment is a matter of having the right strategies, the right staff, and the right solutions in place.