A threat intel team, like any other team of specialists, is an organized and coordinated group of experts in specific areas. Managed detection and response (MDR) is delivered as one overall threat detection and response service, but behind it is a combination of distinct security skillsets. Specialties such as vulnerability scanning and research, network-based analysis, reverse engineering, malware analysis and data science together form a formidable MDR capability.
An MDR provider is quite different from other kinds of security firms. In a company specializing in firewalls, for example, you would need only one kind of expert. A company specializing in the detection and removal of endpoint malware would need a different kind. An MDR provider, however, takes a broader “soup-to-nuts” approach to security and must cover the whole gamut of expertise. At Alert Logic, this is the approach we have taken in providing a threat intel team for any organization.
In a previous blog post, I defined threat intelligence as “cybersecurity professionals with expert training, knowledge, and skills, monitoring the threat landscape and conducting continuous research to gather information about emerging digital threats.” Now let us look at the specific members of a threat intel team, and then at how the various products of this workstream fit together.
The Team Stars
Malware Analysts
A malware analyst is an expert in taking apart malware such as Trojan horses, viruses, rootkits, worms and bots to gain a full understanding of how it works. They also monitor how the malware landscape is evolving and research the techniques malware uses for persistence and lateral movement within organizations. A malware analyst knows the ways and means by which malware gets itself installed and executed. Most of their work goes into detecting and blocking malware before it spreads, rather than dealing with the damage after the fact.
Network Security Experts
A network security expert must have a thorough understanding of attacks at the network layer in order to create effective detection techniques based on network traffic. Network security experts must also be experts in the various network protocols, so that they can monitor those protocols for anomalies.
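One concrete form of protocol-anomaly monitoring is checking DNS query names against what the protocol and normal usage look like. The following is an added example, not Alert Logic code and not from the original post: it scores the leftmost label of each query name by length and Shannon entropy and flags names that look like encoded data rather than hostnames. The query names are constructed for illustration, and the thresholds (30 characters, 3.5 bits) are assumptions a deployment would tune against its own baseline; DNS itself only caps a label at 63 octets (RFC 1035).

```python
import math
from collections import Counter

# Constructed sample of DNS query names as a passive sensor might log them.
# The two "evil-tunnel.test" names are made up to look like tunnelling payloads.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.net",
    "login.example.org",
    "api.example.com",
    "x7k2p9q4m1z8v3b6n5c0.evil-tunnel.test",
    "a3f9e2d1c4b7a8f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0.evil-tunnel.test",
]

# Assumed thresholds: real hostnames rarely exceed ~30 characters per label or
# ~3.5 bits/char of entropy; encoded data does both. Tune against your own traffic.
MAX_LABEL_LEN = 30
ENTROPY_THRESHOLD = 3.5
DNS_LABEL_LIMIT = 63  # hard protocol limit per RFC 1035


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def leftmost_label(name):
    """The first DNS label, which is where tunnelling tools place their payload."""
    return name.rstrip(".").split(".")[0]


def is_anomalous_query(name, max_label_len=MAX_LABEL_LEN, entropy_threshold=ENTROPY_THRESHOLD):
    """True if the leftmost label is protocol-invalid, unusually long, or high-entropy."""
    label = leftmost_label(name)
    if len(label) > DNS_LABEL_LIMIT:
        return True  # cannot be a legitimate label at all
    too_long = len(label) > max_label_len
    high_entropy = shannon_entropy(label) > entropy_threshold
    return too_long or high_entropy


def flag_queries(names, **thresholds):
    """Return the subset of names that trip the anomaly check, in input order."""
    return [n for n in names if is_anomalous_query(n, **thresholds)]


if __name__ == "__main__":
    for name in flag_queries(SAMPLE_QUERIES):
        label = leftmost_label(name)
        print(f"{name}: label_len={len(label)} entropy={shannon_entropy(label):.2f}")
```

Entropy alone produces false positives on legitimate CDN and cloud hostnames, so in practice the score feeds a baseline per resolver or client rather than a hard alert; the point of the example is the feature extraction, not the threshold.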
Reverse Engineers
A reverse engineer is an expert in taking apart any kind of software, including vendor patches for Windows or Linux. By reverse-engineering a patch, they work out how a particular vulnerability works. When Microsoft, or any vendor, releases a patch, it does not reveal the details of how the vulnerability was fixed. The advisory might say that a vulnerability was, for example, a buffer overflow, but no further details are provided. As an example of how this works, at Alert Logic we worked out the details of a specific Microsoft SMB vulnerability by reverse-engineering the patch and combining that with our own intelligence.
Security Developers
A security developer is someone who not only has a security mindset but can also write production code. They develop security software, and they integrate security into other software while it is being developed. It is the skill of the security developer that turns security research and hypotheses into working products; these individuals make it possible for research to be used in the real world.
Vulnerability Researchers
Tens of thousands of vulnerabilities are discovered every year. A vulnerability researcher examines vulnerabilities as they appear, working out how a specific vulnerability can be detected and exploited in customer environments. Vulnerabilities are found from many different angles: they are scanned for in customer environments, so that vulnerable systems are identified as early as possible, and they are also surfaced through log detection and through mapping adversaries and their tactics, techniques and procedures (TTPs).
SecDevOps
DevOps, a common term these days, combines software development (Dev) with IT operations (Ops). SecDevOps adds security to the mix, embedding security into the development process just as DevOps embedded development into operations. In an MDR context, SecDevOps focuses on managing the stacks involved in security detection, that is, the integrated sets of security services. The benefits include increased automation and quality-control testing of security efficacy and quality.
Data Scientists
Data scientists gather large data sets, structured and unstructured, then analyze, process and model the data and interpret the results to produce actionable plans. A data scientist specializing in security builds generalized frameworks for detecting whole classes of attacks. This modeling also helps automate some of the services security analysts provide. The “garbage in, garbage out” adage applies here: a data scientist needs to understand the salient features of real attacks in order to build good models that produce actionable outcomes.
Security Architects
From an MDR perspective, security architecture is highly important; it is the path by which security information comes together for a customer. A security architect needs to think like an attacker, anticipating attacker tactics. A security architect’s skillset goes beyond system architecture: it is not just about the scalability or usability of the system, but about the security outcomes a customer needs, and about a data architecture that is, as far as possible, future-proof against a constantly evolving threat landscape.
Again, the above roles are the stars of an ideal MDR team, and the exact type of team we put together at Alert Logic.
Data science in action
At Alert Logic, we’re well into developing technology that takes common security analyst tasks and makes it possible for these tasks to be performed with data science, rendering outcomes with high confidence and accuracy.
As an example, PCI DSS (Payment Card Industry Data Security Standard) compliance mandates that logs be reviewed daily. Traditionally such reviews had to be conducted by humans; now tools can be used. At Alert Logic, however, we are taking it much further than tool-assisted review, using machine learning to produce actual outcomes from the anomalies seen in these logs.
Security architecture weighs heavily on this technology, because there is a multitude of log sources. The problem to be solved is to perform security analysis across these many log sources in a scalable fashion. Competent security architecture has a direct impact on the quality of the outcomes.
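To make the daily-log-review idea concrete, here is an added example that is not Alert Logic's code and not from the original post. It parses constructed sshd-style authentication log lines, counts failed logins per source address per day, and scores the day under review against the preceding days with a modified z-score (median and median absolute deviation, which a single earlier burst cannot skew the way a mean and standard deviation can). The log lines, the seven-day baseline window, the 3.5 threshold and the host and address values are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# --- Constructed sample log (not real data) ---------------------------------
def _line(day, hour, src, user="root", status="Failed"):
    """Build one sshd-style auth log line for 2024-03-<day>."""
    return (f"2024-03-{day:02d}T{hour:02d}:14:33Z host1 sshd[4242]: "
            f"{status} password for {user} from {src} port 51022 ssh2")

# Seven baseline days: a few failed guesses per day from 203.0.113.5, one
# failure and one success per day from 198.51.100.7.
_BASELINE_FAILS = {1: 3, 2: 2, 3: 4, 4: 3, 5: 2, 6: 3, 7: 4}
SAMPLE_LOG = []
for _day, _n in _BASELINE_FAILS.items():
    SAMPLE_LOG += [_line(_day, h, "203.0.113.5", user="invalid user admin") for h in range(_n)]
    SAMPLE_LOG.append(_line(_day, 9, "198.51.100.7"))
    SAMPLE_LOG.append(_line(_day, 10, "198.51.100.7", status="Accepted"))  # not a failure
# Day under review: a 40-attempt burst, a steady source, and a never-seen source.
SAMPLE_LOG += [_line(8, h % 24, "203.0.113.5", user="invalid user admin") for h in range(40)]
SAMPLE_LOG.append(_line(8, 9, "198.51.100.7"))
SAMPLE_LOG += [_line(8, h, "192.0.2.9") for h in range(3)]

# Matches only failed password events; captures date, user and source address.
FAILED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def daily_failure_counts(lines):
    """Map (day, source) -> number of failed logins, ignoring non-matching lines."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            day, _user, src = m.groups()
            counts[(day, src)] += 1
    return dict(counts)


def robust_score(baseline, x):
    """Modified z-score of x against baseline (Iglewicz and Hoaglin form).

    Falls back to mean absolute deviation when the MAD is zero, and to a
    present/absent decision when the baseline has no spread at all, so a
    source that was never seen before still scores as anomalous.
    """
    med = statistics.median(baseline)
    mad = statistics.median([abs(v - med) for v in baseline])
    if mad > 0:
        return 0.6745 * (x - med) / mad
    mean_ad = statistics.fmean([abs(v - med) for v in baseline])
    if mean_ad > 0:
        return (x - med) / (1.253314 * mean_ad)
    return float("inf") if x > med else 0.0


def detect_anomalies(lines, target_day, threshold=3.5):
    """Sources whose failure count on target_day is anomalous versus prior days.

    Returns (source, count, score) tuples, highest score first.
    """
    counts = daily_failure_counts(lines)
    baseline_days = sorted({d for d, _ in counts if d < target_day})
    if not baseline_days:
        return []  # nothing to compare against yet
    findings = []
    for (day, src), x in counts.items():
        if day != target_day:
            continue
        baseline = [counts.get((d, src), 0) for d in baseline_days]
        score = robust_score(baseline, x)
        if score > threshold:
            findings.append((src, x, score))
    return sorted(findings, key=lambda f: (f[2], f[1]), reverse=True)


if __name__ == "__main__":
    for src, count, score in detect_anomalies(SAMPLE_LOG, "2024-03-08"):
        print(f"{src}: {count} failed logins, score={score:.1f}")
```

The parsing step is where the architecture point above bites: every log source needs its own extractor into the same (day, entity) shape before one scoring routine can serve all of them, and that normalization layer, not the statistics, is what has to scale.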
This particular project will reach an 80 percent completion this quarter.
Security Operations Center (SOC)
While complex technology such as machine learning is enabling numerous security innovations, we must remember to equally enable the security operations center (SOC), the human touchpoint for security within an organization. A business that has to keep adding security analysts is not in a scalable position. Therefore, we must use machine learning in the SOC, as well as in other areas, so that analysts’ common analysis tasks are automated. When this is done, the SOC is free to engage with customers and deliver its true value.
It Takes a Team Effort
Threat intelligence plays a crucial role in effective managed detection and response. The efforts of the threat intel team provide essential insight and information that helps organizations identify attack trends and understand the potential impact of emerging threats. Threat intel is not a single role or function, though. It takes a team effort of dedicated specialists to deliver actionable threat intelligence and provide value to the overall MDR solution.