SOC.OS Feature: Search

  • June 1, 2021
  • Team SOC.OS
Detailed view of the SOC.OS Search bar showing the different search parameters

How will Search from SOC.OS help support key security objectives?

The Search feature from SOC.OS is the latest innovative feature to benefit from our User-Centric development process. We want SOC.OS to be a single source of truth for our users in managing their security alerts. To do that we needed to deliver an advanced investigative capability.    

Security analysts can now look forward to taking a deep dive into alert data from their cloud and on-premise security tools. The new Search feature will support security objectives by allowing users to surface relevant information at the click of a button.  

Whether your goal is preventing attacks by building a strong security posture, streamlining investigations for faster remediation, or building a strong security team, SOC.OS is here to help.  

Why now?

The core objectives of Security Operations are pretty simple: protect your organisation’s data and intellectual property, ensure business continuity, and avoid financial losses. There are countless security tools available to help us achieve these goals and protect our organisations.

Unfortunately, the volume of security alerts produced by all these tools is causing alert fatigue among analysts. Alert overload and fatigue mean slower incident response, poor threat visibility and no assurance that your tools are working as they should.

It also means that we’re not getting the most value out of our tools because our time is being eaten up by manual and repetitive security log management. We’ve been missing an opportunity to tap into our alert data and realise its value.  

Reducing time spent on manual tasks and enhancing our investigative capabilities means that we can use our alert data to: 

  • Strengthen our security posture with the aim of preventing future breaches.  
  • Support investigation and remediation, reducing mean response times. 
  • Ensure that our security tools are working as they should. 
  • Upskill our teams. 

SOC.OS Search for Security Operations 

Prevention  

SOC.OS enriches alert data with information from external threat intelligence feeds (AbuseIPDB and AlienVault). Both platforms rely on input from the threat intelligence community and promote collaboration and threat sharing in the interest of strengthening our defences. 

This third-party threat intelligence can be used to identify potential threats on your network before any damage is done. For example, you can query your alert data for clusters containing an entity whose AbuseIPDB ‘Confidence of Abuse’ score attribute has a value greater than 80, and then identify and block those potential bad actors on your network.

Threat types from the MITRE ATT&CK® enterprise framework associated with this activity can also support network maintenance and hardening. You’ll also gain a better understanding of the tactics, techniques and procedures these malicious actors use, and opportunities to identify high-priority indicators of compromise.

Investigation  

Understanding what has happened over the course of an attack’s progression is vital to our remediation efforts. Search will enhance the user’s ability to cut through the clusters not relevant to their immediate investigation, and further reduce the ‘noise’ of the thousands of security alerts produced by their security tools each day. SOC.OS “looks across time and space and points out the things that need attention”, meaning no time wasted “chasing down false positives”.

Whether you’re searching for an associated external IP address, or investigating a breach that has affected your finance department, it’s done at the click of a button. You can select the entity and specific entity value you want to investigate. You’ve slashed your response times and can identify exactly what has been compromised for efficient remediation.  

Maintenance 

Significantly, 53 percent of IT leaders are not sure that their security tools are working correctly. This means that they often have to rely on expensive external contractors to evaluate their tools and controls. SOC.OS offers the user a time-based view of the world, mapping the progression of an attack over time.  

If, during an investigation, the analyst comes across a cluster with a two-week gap in activity, they can ask: “did no activity occur in this time period, or did my security tools miss something?” They can then search clusters for the relevant source systems to confirm those tools were working during this period.
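An added example (not SOC.OS code) of the gap check described above: given constructed alerts carrying a timestamp, cluster id and source system, it finds quiet periods of two weeks or more in one cluster’s timeline and then lists which of that cluster’s source systems raised nothing in any cluster during the gap. The field layout, threshold and sample data are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real SOC.OS data): (timestamp, cluster id, source system).
ALERTS = [
    ("2021-04-01T09:00", "cluster-7", "firewall"),
    ("2021-04-02T14:30", "cluster-7", "edr"),
    ("2021-04-19T08:15", "cluster-7", "firewall"),  # ~17-day gap before this alert
    ("2021-04-20T10:00", "cluster-7", "edr"),
    ("2021-04-05T11:00", "cluster-9", "firewall"),  # firewall was alive during the gap
    ("2021-04-12T16:45", "cluster-9", "firewall"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def find_gaps(alerts, cluster_id, min_gap=timedelta(days=14)):
    """Return (gap_start, gap_end) pairs where the cluster's timeline is quiet for >= min_gap."""
    times = sorted(parse(t) for t, c, _ in alerts if c == cluster_id)
    return [(earlier, later) for earlier, later in zip(times, times[1:])
            if later - earlier >= min_gap]


def silent_sources(alerts, cluster_id, gap):
    """Source systems that feed this cluster but raised no alert anywhere during the gap.

    A silent source is a candidate for the 'was the tool working?' question; a source
    that kept reporting in other clusters most likely just had nothing to say here.
    """
    start, end = gap
    cluster_sources = {s for _, c, s in alerts if c == cluster_id}
    seen_in_gap = {s for t, _, s in alerts if start < parse(t) < end}
    return sorted(cluster_sources - seen_in_gap)


def gap_report(alerts, cluster_id):
    """One (gap_start_date, gap_end_date, silent_sources) row per detected gap."""
    return [(g[0].date().isoformat(), g[1].date().isoformat(), silent_sources(alerts, cluster_id, g))
            for g in find_gaps(alerts, cluster_id)]


if __name__ == "__main__":
    for start, end, silent in gap_report(ALERTS, "cluster-7"):
        print(f"{start} -> {end}: sources silent across all clusters: {silent}")
```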

Training  

Search version one will help the analysts using it to upskill within the tool. Basic Search is based on and built from “Chips”, the different entities and attributes that make up a cluster. These chips will allow analysts to explore the different aspects of a cluster, helping new team members really get to grips with the SOC.OS tool, while independently learning how to construct more advanced search queries. 

About the author


Team SOC.OS