Whether run in-house or by an MSSP, a SOC's greatest challenge is finding skilled analysts.
Murray Benadie, a cyber security industry veteran, and Zenith Systems have been involved in the deployment of over 40 SOCs across Africa. “South Africa is not immune to the critical cyber skills shortage, and this is particularly acute with SOC analysts,” says Benadie.
“Analysts are in high demand and as a result are not only locally mobile, but globally mobile as well. With the ever-increasing cyber threat environment, most organisations are deploying their own internal SOCs or are outsourcing to MSSPs, with the resultant demand for SOC analysts outstripping supply. Furthermore, we have seen analysts whom we have trained headhunted to countries such as the UAE, New Zealand, Australia and Europe,” Benadie confirms.
“This is a global challenge and one that we are now able to assist customers in addressing through the use of AI/ML-powered analyst solutions such as the Respond RDA solution.
“We have been amazed at the exponential impact that Respond RDA makes in our customer environments, with one documented case showing that the Respond Analyst monitored 138M events, escalating just nine incidents in a one-month period. That is the equivalent of 2 000 human analysts working 24×7 to cover 138M events in one month. So not only does Respond dramatically increase the volume of processing accomplished, but it also exponentially reduces false positives.
“We are seeing this type of dramatic contribution to cyber defence all over the world. One example is Agio, a managed security services provider (MSSP), that took the wraps off a partnership with Respond Software.”
The MSSP has incorporated Respond Software's technology into its managed detection and response (MDR) service. About 60 clients have access to the technology and Agio plans to extend coverage to its entire customer base of some 300 companies over the next couple of years. The company works with financial services firms, healthcare organisations and payments enterprises.
The traditional model for providing intrusion detection and response was built around a multi-tier SOC, said Peter Schawacker, managing director of cyber security operations at Agio. Low-level analysts would filter through events, looking for indications of attacks. Incidents would then move up the chain to more-experienced analysts. That approach, although honed for years, has proven inadequate for handling today's threats, he noted.
The conventional SOC model "pits the least-experienced analysts against, sometimes, nation-state attackers who have an interest in not being detected," Schawacker explained. "We wanted to try to find a way to automate decision-making that occurs at the level-1, triage stage and get ahead of some of the more complex attacks."
The MSSP began piloting Respond Software's technology in September 2019 and, based on early results, rolled out the MDR service to the initial group of clients in January 2020.
Schawacker said Respond Analyst has been able to sniff out attacks the company wouldn't be able to detect with other tools. Thus far, the software has provided early ransomware detection, identified what appeared to be some form of worm malware and caught phishing-based attacks as they attempted to extend access from compromised systems.
Respond Software reinforces Agio's SIEM and security orchestration, automation and response (SOAR) tools. SIEM is good at detecting clearly malicious activities, Schawacker noted, while SIEM, used in combination with SOAR, can investigate suspicious activities when intention is more in doubt. Respond Software, he added, deals with a third category of activity: anomalous occurrences that are new and novel or develop slowly over a period of days, weeks or months.
So-called low-and-slow attacks might not trigger a SIEM, Schawacker said. They will also typically elude human analysts because they unfold over a period of time extending well beyond an employee's shift.
Respond Software's offering acts as a virtual analyst, emulating a seasoned analyst's judgement and analysing more data without adding personnel, according to the company.
"Most MSSPs and MDR [providers] are just throwing bodies at the problem and that just won't work," he said.
Zenith Systems
Zenith Systems is a Cyber Security industry veteran and has deployed cyber security solutions in high profile organisations throughout Africa.
Zenith Systems specialises in Respond RDA, Spirion Sensitive Data Solutions, Acalvio NextGen Cyber Deception, LogPoint NextGen SIEM, Snare Logging Solutions and MassComz Multichannel Critical Event alerting system.
Respond Software
Respond Software delivers near-instant return on investment to organizations in their battle against cyber-crime. As a leader in the emerging class of automated software known as Robotic Decision Automation (RDA), Respond Software is working to address the critical shortage of skilled security analysts impacting security teams of all sizes. Its patented intelligent decision engine, PGO®, uniquely combines human expert judgement with the scale and consistency of software to dramatically increase capacity and improve monitoring and triage capabilities at a fraction of the cost of in-house or outsourced personnel. Respond Software was founded in 2016 by security and software industry veterans and services customers across critical infrastructure sectors such as banking, energy, and retail. https://respond-software.com/
ITWeb Security Summit 2020
In an increasingly connected, digital world, cyber security threats are constantly evolving and increasing in number and sophistication. Security professionals need to be up to speed with the latest technologies, techniques and skills for predicting and mitigating potentially crippling cyber attacks, the methods and tools in use by today's threat actors, and the latest legal and compliance demands. ITWeb Security Summit 2020, now in its 15th year, will again bring together leading international and local industry experts, analysts and end-users to unpack the latest threats facing African CISOs, CIOs, security specialists and risk officers, demystify emerging cyber security strategies in AI, blockchain, IOT, DevSecOps and more, and explain how to increase an organisation's cyber resiliency.