Issues facing SOC professionals include too many alerts, a shortage of talent and a lack of technology.

Edward Gately, Senior News Editor

September 15, 2018

With the cyber threat landscape changing so rapidly, it’s tough to stay ahead of the bad guys, and it’s even tougher if you don’t have enough firepower in your arsenal.

At this week’s Exabeam Spotlight 2018 conference, its inaugural user conference, Steve Moore, chief security strategist, spoke with us about the latest issues facing security operations centers (SOCs), the changing definition of insider threat, and if there’s any light at the end of the tunnel in terms of winning the cybersecurity war.

Moore spent the last two-and-a-half years building health care provider Anthem’s cybersecurity program post-breach. He also wrote Exabeam’s recent State of the SOC report.

In terms of insider threats, the definition has expanded beyond someone who works for you and means you harm, Moore said.

“The insider threat is, to me, somebody who means you harm or someone who is also compromised and is ignorant to that fact,” he said. “So Steve Moore means you no harm, but my credentials are stolen or I have malware on my machine, and now my electronic self is zipping about and being party to a potential breach. So the issue is that most organizations don’t understand internal attribution, so most are ignorant to the fact that if they have a compromised person who as a human soul means them no harm, but as an electronic entity that’s been compromised, that is an issue. You’re almost having to reteach … if there [are] innocent people involved.”


Exabeam’s Steve Moore

For his report, Moore spoke with SOC professionals across CISO, CIO, analyst and management roles, and found three key issues: too many alerts, a shortage of talent and a lack of technology.

“They have alert fatigue, which is not only overwhelming them, but causing them to miss what is important,” he said. “Fatigue leads to lack of prioritization, which is just sort of this muddled mess, which then leads to never really running down one thing completely. You’re just sort of halfway done with lots of things.”

And beyond the talent shortage, many respondents said the people they work with aren’t qualified enough, “so it’s not the fact that there’s an empty seat, but I’m in that seat and I’m not good enough to do the job,” Moore said.

“The next is technical debt … so the technology that we have is aged to the point where it is ineffective,” he said. “So we have this perfect storm that has arrived on our doorstep of too many alerts, not enough people, not enough qualified people, and we’re doing it with old tech. I can’t think of something that’s much worse.”

Moore’s advice: Do fewer things better. Pay attention to fewer alerts and identify current technology deficiencies, he said.

“And I’m going to tell all the executives this because right now, the state we’re in, we’re ineffective right out of the gate,” he said. “We’re garbage right now and we’re OK with it. We’re going to continue for a period of time being garbage, but out of that we’re going to do a few things very well. We need to work on prioritizing our work, prioritizing on the events and the triaging better, and then we’re going to collapse the time it takes us to perform those tasks.”

Also, the most senior people are going to “stop being nerds and they’re going to start being mentors,” Moore said.

“So we’re going to take the people we have who aren’t up to snuff and we’re going to train them up and we’re going to do that by caring for them as individuals, and making sure that our leaders, our smart folks, are going to facilitate the next phase of their learning,” he said.

And there aren’t enough conversations taking place between those in the trenches and those at the CIO/CISO level, Moore said.

“There [are] a lot of brilliant people trying to defend better and there’s technology that’s coming along that’s helping us move more, and get better and better at managing identities and managing accounts,” he said. “When you ask if it’s always going to be this sort of gloom and doom, it’s hard for me. The adversary is always going to be there, as long as there [are] financial incentives, there will be an adversary … and they’re going to continue to evolve. But I like the odds.”

WatchGuard: Passwords Remain Easy Targets for Cybercriminals

Half of military and government-employee passwords can be cracked in less than two days, according to a new report by WatchGuard Technologies. Weak passwords and credential theft were a major theme in this second-quarter report.

Several of the report’s other key findings include:

  • The vast majority of cyberattacks were delivered via the web last quarter — and one of the most prevalent threats involves a brute-force attack against web application passwords.

  • Mimikatz, a well-known password and credential-stealing malware variant, was the most dominant threat in the second quarter.

  • Malicious cryptocurrency miners continue to gain favor among cybercriminals, making their way into the list of top 10 malware variants for the first time last quarter.


WatchGuard’s Corey Nachreiner

Corey Nachreiner, WatchGuard’s chief technology officer, tells us authentication is still a major target for hackers, and a weak link for most SMBs.

“Multifactor authentication (MFA) is clearly a great way to address weak passwords and credential theft, but many SMBs don’t have a company-wide MFA solution, and 61 percent believe MFA solutions are designed for larger companies,” he said. “That is no longer the case, with modern, easy and inexpensive MFA solutions that are highly effective even at the smallest company. From an SMB channel perspective, this means MFA is a greenfield opportunity. Not only can VARs and MSSPs further protect their customers by offering MFA, but in doing so they can create new service opportunities and recurring-revenue streams. By offering an SMB-focused MFA solution, VARs and MSSPs can make their entire security services portfolio even more effective and lucrative.”

The most surprising finding was an unexpected drop in both malware and network attack volume in the second quarter, Nachreiner said.

“Over the last few years, our team has felt like we had a basic understanding of how malware and attack campaigns wax and wane over the seasons,” he said. “For instance, we have become used to a large increase in malware and attack volume during [the fourth quarter] due to holiday-specific campaigns, followed by a drop in [the first quarter]. So, last quarter’s significant reduction in attack volume came as a surprise and we look forward to examining the data moving forward to help us understand whether this was an anomaly, or signs of some new trend.”

What wasn’t as surprising was government and military employees still using weak passwords on social media, Nachreiner said.

“Though one should expect those in government and military organizations to have higher operational security practices than the common civilian, we’ve become cynical over the years about the general password practices of just about anyone,” he said. “Despite many password leaks and breaches over the past decade, most people still seem to use weak passwords and don’t implement proven password security practices. Again, this is why MFA is such a valuable addition to any security strategy.”

eSentire, Sumo Logic Launch Integrated MDR and SIEM Platform

eSentire and Sumo Logic have partnered to deliver an integrated managed detection and response (MDR) and security information and event management (SIEM) platform that protects organizations from current and future blind spots and evolving cyber threats across network, endpoint, cloud and mobile devices.

The integration of Sumo Logic’s cloud-native solution with eSentire’s pure-play MDR platform eliminates common blind spots exploited by adversaries. eSentire security analysts leverage Sumo Logic’s ability to bring together log and metric data from on-premises and cloud assets.


eSentire’s Chris Braden

Chris Braden, eSentire’s vice president of global channels and alliances, tells us the platform will allow eSentire partners to “continue offering their customers everything they could obtain from eSentire directly.”

“It is highly important to us that our customers are never disadvantaged in any way when they buy from one of our partners,” he said. “This platform creates the same new opportunities that it creates for our sales team; an ability to further complement our MDR offerings with a managed SIEM solution and enhanced logging capability. Our partnership with Sumo Logic also extends our reach into cloud-based applications and environments, while providing a rich and robust user experience for reporting.”

Now was the right time for eSentire, an MDR company, to partner with a “leading SIEM technology provider to further enhance our platform with enriched logging capabilities,” Braden said.

“We needed a platform where we could make use of leading analytics and data strengths that complement ours, and we found Sumo Logic to be by far the most compelling offering,” he said. “Fundamental was their ease of deployment and integration into our MDR service via a rich set of APIs. We did an extensive evaluation of 10 separate technologies, and in the end, Sumo Logic was our clear choice technically and commercially for this strategic partnership.”

WhiteHat Adds AI to Security Testing Offering

WhiteHat Security has added artificial intelligence (AI) software to WhiteHat Sentinel Dynamic, its dynamic application security testing (DAST) offering, which draws from a repository of 95 million identified vulnerabilities.


WhiteHat Security’s John Atkinson

The enhancements will allow WhiteHat to deliver the “highest level of accuracy in the shortest time frame, which can traditionally only be achieved through fully automated testing with additional human verification,” according to the company. AI-enabled verification will take just seconds, it said.

John Atkinson, WhiteHat’s vice president of strategic alliances and channels, tells us partners’ customers will receive an “agile solution to vulnerability management that simply hasn’t existed in the marketplace.”

“No one has ever used this AI-based approach for vulnerability verification until now,” he said. “We’re taking our 16 years of legacy data and using that to train the WhiteHat Sentinel Dynamic solution to verify, with a high degree of certainty, that a vulnerability is real or not. This will enable organizations that are short-staffed or need to free up their security analysts’ time to augment the human verification function.”

When companies are building and releasing apps multiple times a day, they can’t always wait for humans to verify false positives, fix those vulnerabilities and get those fixes into the next build, Atkinson said. These new enhancements will help them solve those problems, he said.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.