Opinions from the inside: Dominic Carroll

 Find out what e2e-assure’s Director of Portfolio, Dominic Carroll has to say about the findings from our recent report:

Threat Detection 2024: Rejuvenating Cyber Defence Strategies. 

Does it come as a surprise to you to hear that over a third (36%) of UK businesses outsourcing their SOC feel their provider is underperforming?  

No. In fact, it’s a recurring theme that I find alarming, as I encounter it more frequently when in conversation with my fellow cyber professionals. Many SOC-as-a-service and Managed Security Service Providers appear to be relying on re-selling pre-configured product offerings that will inevitably lack sufficient tuning and therefore pull a frustratingly high percentage of false positives.  

This is evident by “providers not fulfilling their tuning obligations and escalating too many false positives” being the second largest frustration (29%) of the 500 CISOs and cyber security decision makers we surveyed.   

What is most concerning is when we delve deeper into the impact of services operating in this way, it becomes evident that these monitoring methods are no longer sufficient to accurately protect UK businesses. Modern threat actors are moving much quicker from initial access to data encryption. Resulting in an increased need for improved detection and response techniques. 

Most SOC’s have a simplified IT infrastructure setup which depicts a user’s endpoint device, providing access to data that is valuable to a threat actor. The user endpoint device has a detection and response agent installed, but crucially, this is only deployed in what we call audit mode.

Events and alerts may be generated and sent to a central Security Incident and Event Management (SIEM) platform for logging. But if the alert is not tuned to the correct priority or is using an outdated ruleset, this won’t be enough to raise a critical incident in many cases. 

As a result, escalations of malicious activity maybe too slow and lead to an even slower approval time from the appropriate authoritative individual to take containment action.  

What actions do current providers or in house teams need to be implementing to combat this?

The most important implementation any cyber security team should be deploying right now is what we refer to at e2e-assure as Attack Disruption.  

Essentially, applying automation into the security operation to isolate first and investigate immediately.  

By this is mean, where appropriate, rulesets and automation are implemented to detect anomalous account activity, rogue processes or malware. Rather than wait for an analyst to manually act further down the chain, the account is temporarily disabled, or the endpoint is temporarily isolated from the network. 

Then, in the instance of e2e-assure, our SOC analysts are immediately alerted to a high priority incident which is then triaged as being a true or false positive. If it does happen to be a false positive, the account is re-enabled, or the device is released from isolation. If it’s a true positive, the next steps in the response process are then activated.  

We have recently seen Microsoft reveal their own automatic attack disruption implemented within Microsoft Defender for Endpoint, with their focus on ‘human operated attacks’.  

The implementation of an attack disruption technique makes your environment increasingly more difficult to bypass as threat actors must invest in a whole new operating model to have any hope of going undetected. Consequently making you a much less desirable target.