Sponsored The SolarWinds attacks compromised tens of thousands of systems across US federal government agencies and private sector companies alike. The US will feel its effects for years, and it was largely avoidable. In fact, according to Lior Div, CEO and co-founder of Cybereason, if those systems had been using a concept called operation-centric security, they could have spotted it immediately.
Operation-centric security is a term that Div has coined to describe a new way of approaching cybersecurity. It correlates subtle chains of behaviour that reveal potential cyber attacks earlier by providing analysts with more context across devices and users. If you're a security operations center (SOC) analyst, it might just save your sanity - and your network.
Data, data everywhere, and all of it useless
Here's the problem with traditional cybersecurity threat hunting: SOC operators are coming at it blind. That sounds counterproductive, because they have data. Lots of it. More than they've ever had before, in fact. The problem is that it all looks the same.
That data is also fragmented. It comes from multiple tools, most of which don't talk to each other, because security teams have built technology frankenstacks comprising different point solutions. That means the red flashing lights warning you about suspicious events on your endpoints don't know about the other alerts flagging incidents in your network infrastructure. And neither of those know about the alerts emanating from your servers.
This leaves security teams looking at a sea of alerts, many of which might be part of the same attack. Without a correlated view at the back end, analysts have no way of knowing.
All they can do is dig into the most likely-looking alerts manually to see how - ..