In supporting Department of Defense customers every day, I’ve seen the human toll of today’s cybersecurity challenges: Military security operations center, or SOC, team members often work consecutive 12-hour shifts, addressing a growing mountain of alerts. Each alert could take between 20 minutes to 2 hours or more to research, with additional alerts rolling in.
Some admit that they don’t intend to continue on this path for long, planning to seek other opportunities — including those outside of cybersecurity — in private industry. Meanwhile, the threat environment looks to grow more foreboding for the foreseeable future:
- The Pentagon continues to invest in the fifth-generation mobile network, or 5G, which is expected to enhance intelligence, surveillance and reconnaissance; enable new methods of command and control; and streamline logistics systems.
- The DoD’s ongoing collaborations with academic institutions and private industry on what’s called the Internet of Battlefield Things, developing biometric wearable technologies to enable commanders and their units to more effectively identify the enemy; access devices and weapons systems via speedy edge computing; and send and receive data rapidly to better respond to potentially dangerous and/or hostile situations during missions.
- Since the coronavirus pandemic, the number of teleworking DoD personnel has increased from 95,000 to more than 1 million, with connections to the departmentwide virtual private network growing from 49,600 to 440,000 per day.
The Department of Defense has expanded several capabilities to enable mass telework. Now it's discussing which ones may stick around permanently.
While these advancements are critical, they and other technology expansions/shifts will add to the already staggering volume of alerts that SOC teams face daily: Overall, 70 percent of security professionals say alerts have more than doubled in the last five years, with nearly 40 percent indicating that their organization encounters at least 1,000 alerts a day.
It’s clear that agencies must abandon outdated approaches that cannot sufficiently protect DoD networks, and implement the following three-step cycle to effectively respond to modern cybersecurity challenges:
1. Identify — and access — the data you need. This includes endpoint data so you know what you are supposed to defend. Then you must identify the host server log and network data that will provide key “clues” in resolving incidents. Host server data, for instance, may say that a potentially troublesome connection never happened, but the network data — acting essentially as a lie detector — will tell you that it did.
Once identified, you have to access it all. If your agency is still using the same routers, switches and bandwidth that it used five or 10 years ago, you won’t be able to keep up with the speed of today’s attacks. It is important to make the business case to fund what may seem like basic IT upgrades, is are in fact critical.
2. Normalize the data, and then centralize it. All data “speaks” differently. To effectively streamline alert management, you must standardize the formatting of data so it all “speaks” the same language. This will help you start to piece together “the story” that the data is telling you so you can confidently conclude whether activity is malicious or benign.
For example, like the front door of a house, the firewall is supposed to let known, “friendly” people in and keep out those who are unknown and suspicious, or don’t have a key. The network data tracks those who got past the front door who perhaps shouldn’t have, much like our home security cameras do. The endpoint data tells us whether these parties actually did any damage while they were inside, along with fingerprints they may have left behind.
3. Execute automated responses. Through automation, you establish an instant, “one button” source of information gathering for your queries, with the contextual details you seek at your fingertips. If you receive a domain name system alert, automated processes enable you to quickly review correlated network data to determine that a user connected to a malware-infected site even if the firewall data tells you that the firewall blocked the connection.
While automation relieves the burden factor for security professionals, it still requires their human input to determine whether suspicious activity should be shut down. Automated tools may identify a site as containing malware, for example, but it actually turns out to be a honeypot that your SOC created as part of a traffic-monitoring exercise. In this situation, you “tell” the automation solution to allow the activity.
There’s a reason why SOC teams experience excessive stress and frustration, to the point of job burnout: They’re tied to antiquated processes, even as the DoD embraces a new age of innovation. Meanwhile, data only grows more voluminous and disparate. The new age requires a new plan. By normalizing and centralizing data while leveraging automation, you’ll arrive at the “true story” behind alerts — and make more timely, informed and accurate decisions as a result.
Richard Chitamitre is a Corelight federal sales engineer. He previously served as a cybersecurity analyst for the U.S. Defense Department.