The first ever Hunters Con, a virtual experience for the Humans of the SOC, took place on November 14th to shine a light on the work SOC teams do to keep their organizations safe and secure.
There was an agenda filled with content for cybersecurity practitioners, from threat hunting tips around the latest campaigns, to cyber resilience advice or how to effectively approach a security data lake strategy in your organization.
In this blog post you'll find six key takeaways around the future of security operations shared by industry experts that presented at the event.
TL;DR The six key takeaways center around:
- The Cyber Security Industry Is Transforming: Managing and Monitoring 20+ Tools is no Longer Viable
- Speed & Sophistication of Cyber Attacks is Increasing
- The Modern SOC Needs Flexible Architecture Combined with Strong integration and Interoperability
- SOC Teams Need a Platform that Grows as Data Volumes Increase
- CISOs Shouldn’t Have to Make Compromises on Data Retention Due to Cost
- Security Teams Will Take A More Analytical Approach to Incident Detection & Response
1. The Cyber Security Industry Is Transforming: Managing and Monitoring 20+ tools is no Longer Viable
Oliver Rochford, Chief Futurist & former Gartner Analyst believes the security industry is going through a wave of transformation consolidation, driven by the need for tighter integrations to improve risk posture. This isn’t the first time we’re seeing mass consolidation in the industry as in the past many vendors acquired other vendors but, in many cases, failed to integrate them successfully.
Oliver states that some ‘best in breed’ tools stagnated over time because “they weren't getting the investment or the love that they deserved, post acquisition. And so it was a risky strategy that didn't pay off in many cases, which is why now people are back to managing dozens of solutions.” Security practitioners are managing a lot of different solutions, which requires constant vulnerability assessment, for traditional tools, the cloud and red teaming.
Oliver reinforces that security analysts constantly juggle looking at breach and attack simulation data. While also looking at risk based vulnerability management, while managing their SIEM and SOAR. What’s the goal of consolidation? Oliver explains that “what we're really looking for is to ease those complexities and overheads” that security teams have. But, he warned us that it won’t be a straightforward process; “I still think it's not going to be easy to do this. We have a better starting position than last time. We have better standards and, of course, improved architecture. At the same time, though, managing all of those moving pieces, all of these different teams, political inertia. It's not an easy challenge, especially if you're going on an acquisition spray and buying a lot of different solutions at the same time.”
2. Speed & Sophistication of Cyber Attacks is Increasing
Olivier Spielmann, Group CISO at Kudelski Security shared that the speed of attacks are increasing rapidly and the time between the intrusion and a ransom request is decreasing drastically. Legacy SIEMs were designed to store logs and satisfy compliance requirements. These SIEMs were not designed to detect, contain and respond to threats at the speed they are happening today, which Olivier says is a big limitation for security teams. He states that new platforms that can “provide more context, more investigation capabilities, quicker detection and better contextualization is really something that we need on the market and that we see coming in”.
Shelly Raban, Threat Hunting Expert at Team Axon, dissected the Info Stealer Campaign that targeted Mexico-based users with newly identified multi-stage malware that performs a Man-in-The-Browser attack to redirect users to phishing sites, with a goal of stealing users’ banking information.
The MOVEit hack is not just the largest hack of 2023 — but also one of the largest and most sophisticated breaches in recent history, according to TechCrunch. Shahar Vaknin, the leader of Team Axon, a group of threat hunting experts, shared what security teams should learn from the MOVEit vulnerability which has over one thousand known victims. Shahar’s team provided visibility reports, threat intelligence, indicators of compromise (IOC’s), and relevant queries to Hunters’ customers within 24 hours of the breach. With help from Team Axon, customers were able to understand whether their servers were exposed, detect and remediate any environments that had been exploited to mitigate risk. How can security teams prepare for highly sophisticated cyber attacks? Since there will be more vulnerabilities on external applications in the future, Shahar urges SecOps teams to “detect early, patch quickly & hunt proactively.”
3. The Modern SOC Needs Flexible Architecture Combined with Strong integration and Interoperability
Oliver Rochford, Chief Futurist & former Gartner Analyst believes the north star for SecOps teams is to “decouple your analytics, your data. and your detection components and even the incident response so that you can start mixing and matching them and basically removing them and adding them as you need to”. The industry is moving in this direction, using a security data lake, security teams can run data pipelines “independent of the detection stack or of the incident response stack”. Oliver warns that the downside of vendor consolidation is that SecOps teams are “losing very tight integration, especially when it comes to automation. Right now, if you think of sorts, a terrible solution. It's bolted on. It's not built into the solution. It's like having your head separate from your body”. As an industry, we need to balance both extremes, by offering flexible solutions but also “having strong integration and interoperability so that you can derive synergies, so the sum is greater than the parts”.
4. SOC Teams Need a Platform that Grows as Data Volumes Increase
At Snowflake, many of John Bland’s enterprise customers have “somewhere in the neighborhood of 45 to 50 different security tools” which means they’re creating terabytes of data each day. Omar Khawaja, Field CISO at Databricks, shares that the “explosion of data requires more of a paradigm shift” because legacy SIEMs were designed to manage data when data volumes were 10x lower. Which Omar states will no longer work “as our data is growing 10, 20, 30%”. What does this mean for a typical SOC? Omar says that “it's not unusual every two to three years that data volumes are doubling, tripling, quadrupling”. Before joining Databricks, Omar was the CISO of a large healthcare and financial services organization for nine years. He recalls that “the SOC would 10x the amount of data that it had every year or two”. Which means SOC teams need a scalable data platform that can grow as data volumes increase.
5. CISOs Shouldn’t Have to Make Compromises on Data Retention Due to Cost
The promise of the legacy SIEM was a centralized place to do threat detection and incident response. But, largely due to the cost of data ingestion and retention, this promise has failed to materialize for legacy SIEM customers. Deploying a security data lake strategy eliminates the need to make any compromises around data ingestion and retention. John Bland states that “there is no concept of hot, warm, cold when it comes to a security data lake. It's all hot searchable, whether it's a day old or three years old”. Security teams want control over all their data in one spot. The separation of storage and compute helps security teams ‘scale up’ to meet demand when there’s a large investigation and ‘all hands’ are required on deck. And, scale down when the business is operating as usual.
Legacy SIEM customers increase their risk profile when they can’t ingest all of the data they’d like to have in their SIEM due to cost. John shares that no security team wants to say “we would have detected something more quickly or completed an investigation more quickly if that data source had been in our SIEM”. The flexibility of a modern security data lake architecture means CISOs and security teams no longer have to make compromises on data ingestion, searchability and retention.
6. Security Teams Will Take A More Analytical Approach to Incident Detection & Response
John Bland, Cybersecurity Data Cloud Principal at Snowflake, predicts that SecOps teams will “move away from a search and investigate approach to incident response to more of an analytic approach” to surface critical context to security analysts.
If he had the ability to look into the future of SecOps, Oliver Rochford, Chief Futurist & former Gartner Analyst predicts he’d see a more “distributed, modular, and composable” SIEM. “With automation and intrinsic capability and with a blend of AI and analytical capabilities to provide a user experience that revolves around data storytelling like attack narratives and breach graph.”
Thank you to all of the wonderful speakers that delivered valuable, informative sessions during Hunters Con, 2023. Stay tuned for updates on Hunters Con, 2024.