How modern security operations centers keep up with emerging threats
This article originally appeared on Federal News Network on February 5, 2024.
Artificial intelligence gives rocket fuel to malicious hackers. That means cybersecurity practitioners and security operations centers had better prepare themselves and their SOC teams.
“Cybersecurity is rapidly changing, and a big introduction is what’s happening in AI,” said Dean Irwin, the senior director of cybersecurity at Maximus. “I see that more as an offensive concern for AI, more than the defensive side. It’s making [threat] actors able to be very sophisticated.”
One way for security operations center (SOC) staff to stay ahead is continuous training, so they remain current with the threats they encounter.
Irwin, who oversees Maximus teams operating three government-owned SOCs, added, “We are constantly training and certifying in specific technologies. In one of our SOCs, we have three certifications per employee, which is pretty advanced.”
AI has revved hackers’ capabilities in several common cyber threats, Irwin said. Identity theft ranks high among them.
“A lot of surfaces are now in the cloud,” Irwin said, and so the model of moats and perimeter defense no longer applies. “In a cloud environment, it’s all about identity.” Deepfakes, whether of video, voiceprints or even fingerprints, can impersonate an employee or a government official.
AI also powers ever more potent spear phishing attacks, Irwin said. The more information attackers obtain, the more carefully they can craft an email. The latest technique, Irwin said, is called whaling, where phishing attempts target the top executives in an organization. Such attacks are difficult for tools in the SOC to detect, because the emails arrive singly or in low numbers. Therefore, SOCs must rely not only on signals from detection tools but also on reports from users who receive suspicious emails, Irwin said.
SOC staff has a third way to get ahead of threats, “what we call CTI, or cyber threat intelligence,” Irwin said. This takes people with knowledge of how to explore encrypted sites invisible to standard browsers, known as the dark web. It is on the dark web that hacker groups discuss their plans and intended targets, Irwin said.
This all makes the SOC a multifunctional blend of human intelligence and technical detection, Irwin said. It’s also bidirectional, he said, not looking only for inbound threats but also checking for “beaconing” signals from executables that got into the network undetected initially.
SOC best practices
When relying on contractor support for SOCs, Irwin recommends open communication between SOC staff, the units that own applications and services, and the IT operations staff. He said that in one instance, Maximus people operate the SOC for a system encompassing 60,000 endpoints and 5,000 servers. Occasionally, the SOC will notice something amiss and contact the system owner.
“So if we say, ‘Hey, one of your servers is beaconing out,’ they’re like, ‘No, it’s not,’ ” Irwin said. Because the SOC rarely has the authority to take a system offline, it must have the verification on hand to convince the system owner.
“We have to prove to the system owner that this is actually a compromise and not normal traffic,” Irwin said. “They aren’t practitioners in the cyber area, so we have to educate them on what happens.”
A thorough SOC, Irwin said, will also pay attention to vulnerabilities that arise as systems age, and even analyze legacy code for vulnerabilities.
Irwin outlined three basic components of a SOC, understanding of which will help with selection of an operational vendor:
- The security information and event management (SIEM) system. It stays on the lookout for intrusions and attempts.
- Endpoint monitoring. This section is likely to operate a variety of tools because of the diversity of endpoints – smartphones, notebook and desktop PCs, peripherals, and sensors or internet-of-things devices.
- A data “sandbox” where cybersecurity practitioners analyze log data or malware packages they find, all using the agency’s commercial or self-programmed tools.
Irwin said a reliable SOC staff will know and understand the types of modernization an agency is applying to its systems. One type consists of simply shifting workloads from data centers to commercial clouds.
“You’re not improving any of the security, you’re just changing where it runs, where it executes from,” he said.
Or agencies rewrite or refactor legacy applications into modern languages. In such cases, he said, “there’s a big push now for secure software design. And there are what are called memory safe languages. If [applications] are written in that language, it’s a lot harder to have a vulnerability.”
Irwin noted that with growing quantities of data undergoing encryption, SOC staff must be adept at using metadata to analyze traffic and detect abnormalities.
Still another area a skilled SOC staff will understand is the provenance of software: which libraries or open-source code an application was built with. This varies among IoT, operational technology and data processing applications, Irwin said. He said the various cross-currents of technology underscore the need for staff certified in those technologies.
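The beaconing evidence a SOC must show a system owner (discussed above) and the metadata-based analysis of encrypted traffic Irwin describes here, as an added example that is not from the article or from Maximus: a periodicity check over constructed connection metadata, needing no payload. Host names, addresses and thresholds are assumptions.

```python
"""Added example (not from the article): a beacon-periodicity check over
connection metadata (timestamps, peers, byte counts), the kind of evidence a
SOC can hand a system owner to show that "one of your servers is beaconing
out" is a compromise indicator rather than normal traffic. It reads no
payload, so it works on encrypted traffic. Sample flows are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow metadata: (epoch seconds, source host, destination, bytes sent)
FLOWS = [
    # srv-42 contacts one peer roughly every 60 s with near-constant size
    *[(1000 + 60 * i + (i % 3) - 1, "srv-42", "203.0.113.9:443", 512 + (i % 2)) for i in range(12)],
    # ws-7 shows irregular, human-driven traffic to one peer
    (1005, "ws-7", "198.51.100.20:443", 1200), (1021, "ws-7", "198.51.100.20:443", 4500),
    (1110, "ws-7", "198.51.100.20:443", 300), (1340, "ws-7", "198.51.100.20:443", 9800),
    (1790, "ws-7", "198.51.100.20:443", 150), (1800, "ws-7", "198.51.100.20:443", 7000),
    (1801, "ws-7", "198.51.100.20:443", 64), (1950, "ws-7", "198.51.100.20:443", 2100),
]

def beacon_report(flows, min_flows=8, max_jitter=0.15, max_size_cv=0.20):
    """Return {(src, dst): evidence} for peer pairs whose contact intervals are
    regular (low jitter) and whose byte counts barely vary, two metadata traits
    typical of automated check-ins and atypical of human-driven use.
    Thresholds are assumptions for this example; tune them per environment."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in sorted(flows):
        by_pair[(src, dst)].append((ts, size))
    findings = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [s for _, s in recs]
        jitter = pstdev(gaps) / mean(gaps)      # interval coefficient of variation
        size_cv = pstdev(sizes) / mean(sizes)   # byte-count coefficient of variation
        if jitter <= max_jitter and size_cv <= max_size_cv:
            findings[pair] = {"flows": len(recs), "period_s": round(mean(gaps), 1),
                              "interval_jitter": round(jitter, 3),
                              "size_cv": round(size_cv, 3)}
    return findings

if __name__ == "__main__":
    for pair, ev in beacon_report(FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: {ev}")
```

The evidence dictionary (flow count, period, jitter, size variance) is what an analyst would attach when telling the owner their server is beaconing, instead of a bare assertion.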
Irwin said, “In fact, we, Maximus, give SOC staff members a little bump of reward every time they get a certification, because we believe that helps show they understand it.”
Read and listen to more discussions on Federal Monthly Insights – Securing the Nation: A deep dive into federal security operations.