Death by a Thousand Bolt-Ons: The Saga of the Old-School SOC

Nov 01, 2022
5 minutes
... views

After over 20 years and billions of dollars of investment, hopes and dreams being shattered, and numerous failed projects, we can finally put the old-school SOC and its workflows in the coffin. In reality, we failed it as much as it failed us, but it is time to move on. Winston Churchill once said: “Those that fail to learn from history are doomed to repeat it.” So let us take a moment and do a post-mortem on the SOCs of the past and why we need something new.

Most SOCs back in the day were built around early-generation SIEMs. These were glorified log aggregators and reporting machines. You could do correlation rules but those required absolutely perfect scenarios to work. My neighbor growing up did karate, and he always wanted us to “attack” him in a certain way. If we attacked my friend exactly as prescribed, he could block our attack. Anything else and he got whacked in his head. That is a correlation rule. You need them but more than likely you don’t need 400 karate kids in your SIEM. A Windows event code 1102 is a definite yes.

2015 Called and Wants Its Bolt-Ons Back

So we have log aggregation, some fancy reports and dashboards for management, and some really noisy rules that poor Bob in the SOC has to constantly tune. Yet attackers could log in via compromised credentials, move around laterally, and still steal our data. So we tacked onto our SIEM this weird thing called UEBA: user and entity behavior analytics. Most of these offerings were more proof of concepts than standalone products as you can see by the lack of pure-play UEBA vendors that exist today. Now Bob has to learn an entirely new way to tune rules and discover what "normal" means in machine learning.

A well-tuned UEBA is very good at alerting on anomalous events, so Bob might catch compromised credentials and lateral movement. Unfortunately, this only works if the engine didn’t need to restart (thanks Spark/Hadoop) and if the right logs were processed. Sadly, I have seen the UEBA platform show a compromised user and lateral movement but that was post-mortem. The event happened and there was a beautiful timeline of all the dirty tricks of the attacker, but they still got the goods. Poor Bob.

So we added SOAR, security orchestration, automation, and response. Yes, automate everything. Automate the response to that compromised credential by locking the account. That will fix it without Bob lifting a finger! At least until Bob realizes the automation just locked the CFO’s account on a Friday afternoon during month-end close. Yeah, career-limiting move Bob! So let’s not automate everything, just maybe these phishing emails and malware analysis.

Bolt-Ons Not Working? DOUBLE DOWN!

Now we have logs in a correlation bucket, a UEBA bolt-on, and a hyper-active SOAR. Bob is as busy as ever tuning all of that stuff, and there are still problems stopping lateral movement, compromised credentials, phishing, and ransomware as well. How about we bolt on our new EDR too? Bob assumes it can work with UEBA and SIEM and take all of the logic put into them for years right down to the agent. Sorry, Bob. It has its own really bad analytics and you have to tune that too.

So there’s SIEM, UEBA, SOAR, and an EDR, but Bob is still spending all of his time tuning and struggling to stop anything. Let's add an NDR! Oh, it is just managed Zeek with a pretty interface? It has zero analytics and can’t take advantage of the analytics of our SIEM, UEBA, or our EDR? More integrations and more tuning are in store for Bob!

At the heart of all of Bob’s pain has been the failure of SIEM. I have watched and have been a part of many of these projects and the result of most is a failure. You can build big huge muscles capable of lifting thousands of pounds, but if your heart fails, they mean nothing. The heart of the SOC was the SIEM, and that was always the problem. We bolted on treatments for the obvious symptoms, but the core problem persisted. Sometimes people have odd health symptoms for years and find out much too late that they had a heart problem. By then there isn’t much to do other than a transplant. The SOC needs one now. Unlike those patients, it isn’t too late for surgery.

If you have lived this life for the last 20 years and you can relate to Bob, come join our event in November for XSIAM where we will show you one integrated platform that handles SIEM, UEBA, EDR, NDR, ASM, TIP, and automated triage to help reduce the workload on the new modern SOC. Enable once and get rapid time to value. No more tuning Frankenstein's monster SOC for Bob!

 


Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.