The CyberSOC model is changing, driven by cloud adoption and improvements in the detection technology of tools like Endpoint Detection and Response (EDR). Extended Detection and Response (XDR) is the realization of these changes: it puts less pressure on the SIEM to correlate complex security alerts and lets it serve more as a single pane of glass for ticketing, alerting, and automation and response orchestration. XDR is a real opportunity to lower platform costs and improve detection, but it requires committing to a few principles that go against the established way of thinking.
Product-Native Detections have Gotten Dramatically Better
Takeaway: Focus on building detections as close to the threat as possible – SIEM should be a last line of defense.
Traditionally, the SIEM itself was one of the only tools that could correlate and analyze raw logs and identify “Alerts” that needed to be addressed. This was largely a reflection of other defensive tools being single-purpose and generally bad at identifying issues themselves. The approach that made sense was to ship it all to the SIEM and create complex correlation rules to sort the signal from the noise. Today’s landscape has changed – consider EDR. Modern EDR is essentially SIEM on the endpoint. The same capabilities exist to write detection rules on endpoints as they did in the SIEM, but now there is no need to ship every bit of telemetry data into the SIEM. In addition, vendors have gotten markedly better at building and maintaining out-of-the-box rules and alerts to get you started. We have consistently seen a sizable decrease in detections being attributed to the SIEM during our purple team engagements, and instead tools like EDR and NGFW have become more effective at both detection and prevention. There are exceptions. One of the only common essential detections that you need to rely on the SIEM for is Kerberoasting, as on-prem Active Directory doesn’t have much coverage for that. As you move to pure cloud for Active Directory, even those detections will be handled by “edge” tools like Defender ATP.
Your SIEM Really Doesn’t Matter
Takeaway: Having a deliberate process to consistently measure and improve your detection capabilities is far more valuable than having any specific SIEM tool on the market.
Purple teaming has allowed us to test and map how well our clients engineer their detections and alerts. We score all the results quantitatively and trend improvements over time. One clear takeaway is that the brand of SIEM you buy has absolutely no measurable correlation to purple team scores. Process, tuning, and testing are what matter. There are differences in products that can make them a better or worse fit for your environment or make maintenance and quality of life for your SOC a bit easier, but buying a different SIEM in order to improve your capabilities is no longer a viable path.
Cloud SIEM is Incompatible with Old Fashioned “Log Everything” Approach
Takeaway: Every log you send to your SIEM should be directly attributed to one or more key detection capabilities you are attempting to achieve. MITRE ATT&CK is the Blue Team’s compass, but just because it maps to MITRE doesn’t mean it MATTERS. Evaluate the cost/benefit of each detection.
Nearly all the organizations we talk to have implemented or will implement their first generation of “cloud” hosted SIEM. An intuitive goal is to maintain parity with on-premise tooling, so carrying over every log and alert to the cloud makes sense, right? Doing this without analysis leads to untenable SIEM costs. Cloud SIEM can be expensive and not all log data is created equal – some data is key for alerting, while other data is critical to supporting an investigation. The former should go into your SIEM, the latter somewhere else, like a data lake. Consider firewall ‘allow’ events. Most of us have sent these to the SIEM for years. Some large organizations could be paying 6 figures (or more) just by sending these events to their SIEM. What is the value? A possible threat intel hit that your NGFW already missed? Why not put that in a data lake, reduce your costs by 90 percent, and use a SOAR automation to search it once a day?
Intelligent Data Pipeline and Data Lake is a Necessity
Takeaway: Put the work into your log data pipeline to remove all waste prior to storing that data in the most appropriate location based on its attributes.
Managing your data pipeline intelligently can have massive impacts on controlling your spend. With SRA’s XDR service we pre-process every log and attempt to eliminate excess waste. When your primary cost driver is gb/day, consider the following example showing the before/after size of Windows AD logs.
|Full Event Length||Number of Fields||Number of Events|
Our average inbound event had 75 fields, and a size of 3.75kb. After we removed redundant or unnecessary fields, we were left with an average log with 30 fields and a size of 1.18kb. That is a 68.48% reduction in your gb/day for this log source.
While eliminating the fat in each log is great, applying similar value-analysis in where you send each log is equally important. Once you have each log optimized, it is time to decide whether it’s a log that drives a key detection (send to SIEM), or there to support investigating an alert (send to data lake). An intelligent data pipeline can make on-the-fly routing decisions for each log, and even further reduce your costs.
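The pruning and routing steps described above can be sketched as follows. This is an added example, not SRA's pipeline code; the detection inventory, field allow-lists, destination names and sample events are all assumptions constructed for illustration.

```python
import json

# Assumed detection inventory: (source, EventID) -> detections that consume it.
# The event IDs are real Windows Security IDs; the detection names are illustrative.
DETECTION_MAP = {
    ("windows_security", 4769): ["kerberoasting"],
    ("windows_security", 4625): ["password_spray"],
}
# Assumed allow-list of fields that detections and analysts actually use.
KEEP_FIELDS = {
    "windows_security": {"EventID", "TimeCreated", "Computer", "TargetUserName",
                         "ServiceName", "TicketEncryptionType", "IpAddress", "Status"},
    "firewall": {"ts", "action", "src", "dst", "dport", "proto"},
}
EMPTY = ("", "-", None)  # placeholder values that carry no information

def size(event):
    """Serialized size in bytes, the quantity a gb/day bill is built from."""
    return len(json.dumps(event, separators=(",", ":")).encode())

def prune(source, event):
    """Keep allow-listed, non-empty fields; unknown sources keep all non-empty fields."""
    keep = KEEP_FIELDS.get(source, event.keys())
    return {k: v for k, v in event.items() if k in keep and v not in EMPTY}

def route(source, event):
    """SIEM only if the event feeds a named detection, otherwise the data lake."""
    key = (source, event.get("EventID"))
    return "siem" if key in DETECTION_MAP else "data_lake"

def process(source, event):
    """Return (destination, pruned event, percent of bytes removed)."""
    slim = prune(source, event)
    saved = 100 * (1 - size(slim) / size(event))
    return route(source, slim), slim, round(saved, 1)

# Constructed sample events (not taken from the article).
SAMPLE_4769 = {
    "EventID": 4769, "TimeCreated": "2024-01-01T10:00:00Z", "Computer": "dc01.example.test",
    "TargetUserName": "alice@EXAMPLE.TEST", "ServiceName": "svc-sql",
    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5", "Status": "0x0",
    "Keywords": "0x8020000000000000", "Opcode": "Info", "Level": 0,
    "ProviderName": "Microsoft-Windows-Security-Auditing", "TransmittedServices": "-",
}
SAMPLE_FW_ALLOW = {
    "ts": "2024-01-01T10:00:01Z", "action": "allow", "src": "10.0.0.5",
    "dst": "203.0.113.7", "dport": 443, "proto": "tcp",
    "rule_name": "outbound-web", "session_flags": "0x0", "nat_src": "",
}
```

Calling `process("windows_security", SAMPLE_4769)` sends the pruned ticket request to the SIEM because a detection consumes it, while the firewall allow event goes to the data lake because nothing in the inventory claims it.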
EDR, SIEM & SOAR Align
Takeaway: Security automation is the future but should be approached with caution and carefully aligned with your validated detection capabilities. Not all SOAR needs to run without human involvement; initially, depend on your analysts to push the “automate” button until you’re 100% comfortable with your configuration.
We can’t talk about XDR without SOAR. The future of XDR is coupled with tightly integrated SOAR technologies and baked-in integrations for key threat-neutralization technologies, like EDR, User Directories, and networking tools. XDR concepts recognize that what really matters is not how fast you can detect a threat, but how fast you can neutralize it. Overly simplified “If this – then that” SOAR automation methodologies aren’t effective in real-world scenarios. An integrated solution allows for efficient development of security automations, better ways to selectively trigger automation, and semi-automated “guided” responses to incidents. One of the best approaches we’ve seen to actualizing value in XDR automation is to:
- Conduct a purple team to identify which current detection events are optimized (very low false positive rates) and can be trusted with an automated response.
- Map the detection event to the automated response, but insert steps to let the automation portions be initiated by a human. This will let you gain confidence before you turn it fully over to automation.
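One way to encode the two steps above is a gate that decides, per detection, whether a response runs automatically, waits for an analyst, or is not offered at all. This is an added example, not code from SRA or any SOAR product; the thresholds, playbook names and purple-team numbers are assumptions.

```python
from dataclasses import dataclass

FP_RATE_MAX = 0.01         # assumed cut-off for a "very low" false positive rate
APPROVALS_TO_PROMOTE = 20  # assumed run of analyst approvals before full automation

@dataclass
class Playbook:
    detection: str
    action: str                  # response the SOAR platform would run
    alerts_validated: int        # alerts reviewed during purple-team validation
    false_positives: int
    consecutive_approvals: int = 0

    def fp_rate(self):
        # An untested detection is treated as untrusted.
        if self.alerts_validated == 0:
            return 1.0
        return self.false_positives / self.alerts_validated

    def mode(self):
        if self.fp_rate() > FP_RATE_MAX:
            return "manual"              # not optimized: no automation offered
        if self.consecutive_approvals < APPROVALS_TO_PROMOTE:
            return "analyst_approval"    # a human pushes the "automate" button
        return "automatic"

def handle_alert(pb, analyst_decision=None):
    """Return the action to execute for one alert, or None if nothing runs."""
    mode = pb.mode()
    if mode == "automatic":
        return pb.action
    if mode == "analyst_approval" and analyst_decision == "approve":
        pb.consecutive_approvals += 1
        return pb.action
    if analyst_decision == "reject":
        pb.consecutive_approvals = 0     # a rejection resets the earned trust
    return None

# Constructed purple-team results (illustrative numbers, not from the article).
ISOLATE = Playbook("edr_credential_dumping", "isolate_host", 400, 2)
NOISY = Playbook("rare_parent_process", "disable_account", 400, 60)
```

With these numbers `ISOLATE` starts in `analyst_approval` and is promoted to `automatic` only after 20 consecutive approvals, while `NOISY` stays `manual` until tuning brings its false positive rate down.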
XDR is a buzzword, but when viewed in a technology-agnostic fashion it is based on good foundations. Where organizations are most likely to fail is by trying to “do it all”, as in applying legacy SIEM management philosophies to modern XDR platforms. Follow our key takeaways as your program design philosophies and you will likely improve your capabilities AND reduce your costs.