Many service providers will imply that security operations centres (SOCs) should only focus on proactive threat detection, however at Nettitude we believe that a balance of reactive and proactive capability is essential.
Nettitude believes that a SOC should absolutely have reactive approaches to identifying threats. There are multiple examples of where reactive capability has value, and the global WannaCry incident is a great example of where a SOC needed to react rapidly, to a global ransomware epidemic. By identifying indicators of compromise quickly after the initial outbreak, service providers were able to build reactive logic in to their detection capability that was able to identify and contain malicious threat activity as soon as it was identified. To date, no service provider had proactively identified WannaCry to its release. As a consequence, approaches that only focused on proactive threat detection would have sorely missed the mark.
That said, there are incidents where reactive capability simply isn’t enough. There are many types of attacks that do not generate log data that can be analysed either with a security information and event management (SIEM) appliance or by a SOC analyst. As a consequence, it is important that a SOC analyst or threat analyst performs a threat hunting exercise to identify rogue processes, rogue behaviour or abnormal traffic patterns. This proactive approach which goes beyond conventional log analysis is an essential characteristic of a modern-day security operations centre.
So what is predictive capability?
Predictive capability occurs when a security operations centre is able to take both log data, behaviour data, process and traffic analysis and combine it with threat data an hunt findings in to a large data lake. Nettitude has built the Threat2Alert technology platform that harvests data from a global honeypot network, localised client deception network (ThreatReceivers), localised network traffic analyst engine (ThreatDetector), NG SIEM data, threat hunting intelligence and external threat feeds.
The Threat2Alert platform is built upon an extensible data lake, that allows us to share real time analytics and metadata across our next generation security operations centre client base. The Threat2Alert data lake allows aggregation of large volumes of threat metadata to be coupled to real time machine learning and TTP prediction capability. Threat2Alert gives our SOC analysts the ability to predict attacks in our client estates, based upon early warning indicators.
Rowland Johnson is CEO at Nettitude.