As a leading platform provider to enterprise and Federal customers in the endpoint detection and response (EDR) market, we’ve been closely watching the changing nature of how Security Operations Centers (SOCs) are structured for optimal aggregation and correlation. We are seeing several trends emerge as SOC managers demand a more robust, yet less cumbersome, set of integrations into SIEM platforms, which serve as their centralized cybersecurity lens into threat management.
In October 2016, Gartner issued technical advice on “How to Plan, Design, Operate and Evolve a SOC.” This is perhaps the most comprehensive and accurate assessment and guidance available for both technical professionals and the industry, particularly its look at where this technology is going relative to the changing needs of SOC managers and their extended teams.
The report points out that while there are different combinations of roles and responsibilities, most SOCs have security monitoring as their core capability. Additionally, it indicates that threat hunting and threat intelligence are slowly emerging as new SOC functions. Gartner’s framework covers planning through operation and was built to help organizations that want to establish at least some operational capabilities internally, even if they rely strongly on service providers. I can’t stress enough how useful it is to security professionals.
Gartner’s assessment breaks down the tools used by a SOC into three categories: visibility, analysis, and action and management. A big piece of the visibility is endpoint detection and response, or EDR.
An EDR platform is a must-have in keeping up with the needs of an evolving SOC. It allows for greater control of the endpoint and a deeper look into the threat environment. Separately, Jon Oltsik of ESG pointed out that EDR technology is one of the best technology sets to validate alerts from other tools in the SOC, and to further investigate threats.
EDR tools linked to an intelligently integrated SIEM help SOC managers overcome the challenges of creating one coherent security platform. In fact, one area where CounterTack is pushing the boundaries of innovation relative to the SIEM, which is where the majority of enterprise customers want to see their EDR data, is generating even more data on top of other security platform feeds, such as DLP, FIM and, to an extent, UBA.
The SIEM represents a single pane of glass that most large security teams want to drive data into, primarily to normalize the view and workflow for incident response. Unlike other EDR providers, CounterTack can build on this intelligence for customers, enabling further correlation and pinpoint accuracy in detecting threats based on behavior rather than signatures or even signature-based threat intelligence feeds.
A second example of CounterTack’s commitment to integration into the next generation of SOC workflows, offered mainly to bring more efficiency and collaboration to IBM customers, is the recent launch of the CounterTack Sentinel App for QRadar. This app, now a featured app in IBM’s X-Force App Exchange, leverages Sentinel’s robust EDR capabilities and integrates with IBM QRadar Security Intelligence to achieve better endpoint visibility. The reality is that EDR technology is most valuable when its data can be used alongside other data sets, so that SOC teams, who today demand a new level of intelligence delivered quickly and comprehensively, can respond to threats and make impactful security decisions.
In fact, the SOC analysts we work with regularly tell us they don’t need more information, but better information, delivered more quickly, with enough detail either to launch an investigation or to auto-respond by killing a process, isolating the threat, or extracting a file. SOC teams need less to sift through and more context that matters, at the right time, and that comes from analyzing behavior, not simply signatures.
CounterTack’s approach to EDR is unique for the SOC in that it offers behavior-based detection, analysis and threat prevention capabilities to counter both external attacks that infiltrate systems and malicious insider attacks. It also offers the industry’s only comprehensive EDR binary analysis engine. Our behavior-based approach delivers threat context and prevention, powering rapid, accurate detection while generating enhanced intelligence across other functional elements of the enterprise SOC.
To improve visibility, threat detection and IR capabilities, SOC managers need to integrate EDR technologies. CounterTack offers a platform approach and solutions across the SOC: starting at visibility, moving into analysis, and ultimately action, incident response and prevention. More on our offerings can be found on our product page.