One of our new cyber security experts explains why he’s now a Corvil evangelist
Having spent six years working in enterprise eDiscovery, forensics, incident analysis and investigation cases, I have an intimate understanding of the everyday pressures that security teams are under as they try to protect their businesses from constantly evolving cyber threats.
My role as a SOC analyst in a large healthcare organization was a perpetual learning curve, given we had to protect 60,000 employees and more than 80,000 user accounts in Active Directory. You learn very quickly that there is never enough time or resources to deal with the thousands of logs and hundreds of daily threats.
A lot of time is spent running down rabbit holes, checking lines of logs from various sources that the SIEM registers as suspicious. Because there is often a layered security posture where other sources will contain vital information to investigate the incident you have to cross-correlate network activity, sometimes taking days to make a definitive analysis. The problem is that to effectively minimize dwell time and mitigate insider threats, an organization needs those investigative results in minutes, not days.
All this investigation requires a lot of interaction between different members of the SOC team – the person responsible for viewing the firewall alerts will be liaising with the person viewing the SIEM alerts. Sometimes they are looking at the same incident from two different alerts and needing to extract and analyze their own packet data which most of the time is just part of the full incident. It’s hard work and inefficient but it’s a way of life for many security analysts.
Everything is reactive because you don’t have the visibility to be proactive. So if you’re chasing down a phishing attack, for example, you have to err on the side of caution. For instance in a phishing campaign where you know 1,000 users were targeted, you have to assume that 1,000 users have opened the PDF, gone to a malicious site, entered their password, and become an unwitting victim of credential harvesting. In reality maybe only 10 of those users fell prey to the campaign and exposed their password.
Tools like Proofpoint will give you some warning about phishing campaigns, URLs and attachments. You can sandbox the attachment and run behavior tests, but you will only have limited visibility of who clicked on a file and the scale of its impact. You can ask each of the 1,000 users, but can you trust them to accurately remember what they did and tell you about it? Also do you actually have the resources to do that?
Without the ability to see what users are doing on your network, you are left with no choice but to go for a complete password reset in Active Directory. It’s a nightmare for users as well as the security team – This can have an impact on productivity – and the business will want to hear good reasons why it happened.
Investigating ransomware is just as cumbersome as phishing analysis. There are many different types of cyber blackmail but you won’t know what you are dealing with until a note from the attacker pops up on screen. It could be fake tech support that locks down your desktop or steals documents or data. Either way, you’re going to be asked to pay up.
When company files are compromised in highly regulated industries like the healthcare organization where I worked, you have to know exactly what was compromised and report it to compliance. A forensic investigation will be needed to analyze the evidence.
Especially given some of the newer rules and regulations associated with disclosure of breaches, one of the greatest challenges for a SOC analyst is to determine the impact of malicious activity or a breach. Sometimes a little information is worse than none at all. In the absence of definitive evidence about the path of an attack, you have to estimate the worst, which can have a material impact on the company when disclosing.
You have to hope the infected machine is still powered up because you’ll lose volatile data if you have to reboot a machine, and with it goes important evidence. Investigating a 1TB drive after an event will typically take 8-10 hours of precise integration because it begins with imaging the disk bit-by-bit, sector-by-sector. Touch or tamper with anything and it becomes inadmissible evidence in a court case.
You have to discern if an entire drive has been stolen or if it’s a case of a few files being redirected to an FTP or Dropbox site. Clues come from analyzing internet traffic; looking for modified data. Another six hours pass and you still can’t tell the compliance team the scale of the breach. Worse, you don’t know if the incident is over or if the bad actor has left a script or file behind and the threat is still live.
Ask any SOC analyst for their ideal solution and they’ll tell you they need a single pane of glass that reveals actionable insights in a timely way, allowing them to take immediate steps to mitigate the threat. They know there isn’t a one-stop solution and that layers of security are needed. But they are also starting to appreciate how packet data in network traffic can help identify threats and resolve problems more quickly. For me, working for Corvil has only reinforced this view.
Using Corvil Security Analytics in a phishing scenario, I can search by user or workstation and quickly narrow down the suspicious traffic. Network analysis will reveal the connection between the attack and a URL, what occurred in the environment and if there is still an active connection. Corvil makes it easier to spot FTP or SSH traffic associated with ransomware, track lateral movement across the network, and pinpoint the incident’s origin to a single workstation.
By analyzing historical and real-time packet data, anomalous behavior is easier to see. You can answer the difficult questions about the scope of the attack and what systems or data affected users are accessing more quickly. Network analysis also ticks important boxes for compliance, and because network data cannot be altered as easily as machine logs there’s no compromise to any legal process.
For under pressure security analysts, I’d go as far as to argue that network analysis, when delivered in readily useable ways, is a great cure for their stress and headaches. We’re not claiming we have all the answers, but as part of a security ecosystem we help put SOC teams on the forefront and make them proactive. Crucially, we reduce the mean time it takes to detect and respond to attacks. As a former security analyst, I can tell you that’s a game changer.