SOC.OS automates security alert triage, allowing users to focus their resources on investigation and remediation. The SOC.OS Demo video explains how our centralised security alert monitoring solution works, using an anonymised incident seen by one of our users.
Watch the demo to find out:
- How SOC.OS maps security alerts to the MITRE ATT&CK® Framework
- How SOC.OS automates the parsing, enrichment and correlation of security alerts from across your security stack
- How your business context and third-party threat intelligence informs the SOC.OS severity scoring algorithm
So let’s dive in and show you a quick product demo: what’s actually happening under the hood here in SOC.OS world. So the first screen here, we have thousands of Fortinet FortiGate IPS logs…
This screen is based on an actual anonymized example taken from one of our customers. And for anyone who triages alerts day-to-day, this shouldn’t be an uncommon sight. The question and challenge the analyst is faced with is not only how do I triage these alerts that appear on this screen today, but how do these alerts relate through time? That is, how do these alerts today relate to all the other alerts across all my other tools in, say, the last 4, 6, 10 weeks?
Indeed, it’s a daunting and dare I say, impossible question for an analyst to answer.
Impossible, of course, until they start using SOC.OS… So let’s see exactly how SOC.OS helps them answer this question…
It’s the 17th of April, 2021, and you can see here thousands of alerts are being generated, and SOC.OS is ingesting them in real time, and as and when they’re coming in, SOC.OS is parsing, enriching them and then grouping them (into clusters) and prioritizing these clusters for the analyst.
And on this particular day, SOC.OS has correlated or grouped 20 alerts which are related to unique activity. All of these alerts, from, as you can see here, 12:45am in the morning ’til 11:30am, have been mapped to the MITRE ATT&CK® enterprise technique of Exploitation for Client Execution, and not only that, they all contain the same external IP address.
When there’s a match, like you see here, SOC.OS’ thesis is “Hey analyst, look at these 20 alerts in the same breath”, which is a huge time-saver in its own right, but then SOC.OS goes one step further and adds further enrichment.
So what you can see here is the customer has said, “These Joomla Core Session Remote Code Execution are critical alerts. These are alerts that I care about and I want to monitor,” so SOC.OS adds that enrichment. And that is important because it influences the ‘score’.
It will boost this cluster higher, but also SOC.OS reads the metadata and says, we know that these alerts are telling us that the firewall has done its job and blocked this traffic, so the firewall is saying “I’ve blocked it,” and that therefore reduces the score of this cluster.
The analyst logs on to their cluster workbench, which is what you can see here. And as you can see on the top, they log in, you’ve got 20 alerts. It first was created in the middle of the evening, all from FortiGate; you click on this first cluster to dive in further.
This is how clusters are visualized in SOC.OS, which is basically the visual representation of the table which I’ve just shown you here. So breaking this down, you see the Exploitation for Client Execution is listed here, with links to MITRE ATT&CK with remediation advice; you have the external entity, which these 20 alerts contained, put at the top; you have the internal business assets, so this internal entity here is put here. The critical alert tag is up the top, and you can click on the external entity to get threat intelligence. And you can see here, you’ve got AlienVault OTX feeds and AbuseIPDB in Threat Intel.
The analyst looks at it and goes, “Thanks SOC.OS, you’ve grouped the 20, nothing too interesting. The firewall has done its job. It’s all blocked. I’m going to make a note and archive it,” and it disappears. Now what happens four weeks later is where the time-based correlation capability hopefully will really come to life.
And on this day, like any other day, the 12th of May, SOC.OS parses, enriches, correlates these alerts, but it now finds 21 alerts that it groups, and, as you see here, 2:30 PM to 2:45 PM, all relate again to the same activity. It’s the Exploitation for Client Execution and it’s all this external entity. But now, not only does it group these 21, SOC.OS will say, “I’ve seen that pattern before. I’ve seen that same threat type. I’ve seen that external IP address doing the same, carrying out that exploitation activity four weeks ago.”
So it correlates these 21 together, but it also groups them with the 20 from 4 weeks ago. And again, the thesis is, “Hey analyst, investigate these 41 alerts, albeit generated five weeks apart, together, not individually in an alert whack-a-mole fashion. Together in the same breath.”
Again, as I said before, it now adds enrichment, and this is where it starts to get interesting. In this case, you see different internal IP addresses with different business contexts added to it. So these are sensitive web servers. So the analyst has added this IP address here as sensitive web servers, boosting the score, and, very importantly, the alerts are now telling you, “It hasn’t been blocked, I’ve detected this traffic.”
And so combining all of that, the customer logs on… this cluster is now at the top. You see now it’s 41 alerts. Again, created four weeks ago, all from FortiGate, 21 have been unactioned. That’s the 21 that we’ve just seen, and you dive in to investigate further.
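The grouping, scoring and time-based correlation the narration walks through, as an added example that is not SOC.OS’s code and makes no claim about its real algorithm: alerts are clustered on (ATT&CK technique, external IP); a cluster’s score is boosted by customer-flagged critical signatures and by sensitive business assets, and reduced when every alert reports the traffic as blocked; and a new alert re-correlates with an archived cluster that was active within a lookback window, reopening it and counting the new alerts as unactioned. The score weights, the six-week lookback, the T1203 technique ID, the hostnames and the sample alerts (RFC 5737 addresses) are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed analyst configuration for the example (not SOC.OS's real settings).
CRITICAL_SIGNATURES = {"Joomla Core Session Remote Code Execution"}  # customer-flagged critical alerts
SENSITIVE_ASSETS = {"10.0.0.20": "sensitive web server"}            # business context on internal assets
LOOKBACK = timedelta(weeks=6)                                       # assumed re-correlation window


@dataclass
class Cluster:
    """Alerts that share one ATT&CK technique and one external entity."""
    technique: str
    ext_ip: str
    alerts: list = field(default_factory=list)
    archived: bool = False
    actioned: int = 0  # alerts already reviewed when the analyst archived the cluster
    note: str = ""

    @property
    def last_seen(self) -> datetime:
        return max(a["ts"] for a in self.alerts)

    @property
    def unactioned(self) -> int:
        return len(self.alerts) - self.actioned

    def archive(self, note: str) -> None:
        self.archived, self.actioned, self.note = True, len(self.alerts), note


def score(cluster: Cluster) -> int:
    """Toy severity score with assumed weights: base 50, +20 for a critical
    signature, +20 for a sensitive asset, -30 when every alert was blocked."""
    s = 50
    if any(a["sig"] in CRITICAL_SIGNATURES for a in cluster.alerts):
        s += 20
    if any(a["int_ip"] in SENSITIVE_ASSETS for a in cluster.alerts):
        s += 20
    if all(a["action"] == "blocked" for a in cluster.alerts):
        s -= 30
    return s


class Correlator:
    def __init__(self, lookback: timedelta = LOOKBACK):
        self.clusters: list[Cluster] = []
        self.lookback = lookback

    def ingest(self, alert: dict) -> Cluster:
        """Join the alert to a cluster with the same (technique, external IP) active
        within the lookback window; new activity reopens an archived cluster."""
        key = (alert["technique"], alert["ext_ip"])
        for c in self.clusters:
            if (c.technique, c.ext_ip) == key and alert["ts"] - c.last_seen <= self.lookback:
                c.alerts.append(alert)
                c.archived = False
                return c
        c = Cluster(*key, alerts=[alert])
        self.clusters.append(c)
        return c

    def workbench(self) -> list[Cluster]:
        """Open clusters, highest score first (the analyst's queue)."""
        return sorted((c for c in self.clusters if not c.archived), key=score, reverse=True)


def make_alerts(day: str, start: str, count: int, step_min: float,
                int_ips: list[str], action: str) -> list[dict]:
    """Constructed FortiGate-style IPS alerts; addresses come from RFC 5737 documentation ranges."""
    t0 = datetime.fromisoformat(f"{day}T{start}")
    return [{
        "ts": t0 + timedelta(minutes=i * step_min),
        "src": "FortiGate",
        "sig": "Joomla Core Session Remote Code Execution",
        "technique": "T1203",  # Exploitation for Client Execution
        "ext_ip": "203.0.113.7",
        "int_ip": int_ips[i % len(int_ips)],
        "action": action,
    } for i in range(count)]


def run_demo() -> dict:
    """Replay the two-visit scenario from the narration and report what the analyst sees."""
    corr = Correlator()
    # Week 1: 20 blocked probes against one host, 00:45 to roughly 11:30.
    for a in make_alerts("2021-04-17", "00:45", 20, 34, ["10.0.0.5"], "blocked"):
        week1 = corr.ingest(a)
    week1_count, week1_score = len(week1.alerts), score(week1)
    week1.archive("firewall doing its job")
    # Week 5: 21 detected (not blocked) probes, 14:30 to 14:45, across two other hosts.
    for a in make_alerts("2021-05-12", "14:30", 21, 0.75, ["10.0.0.8", "10.0.0.20"], "detected"):
        week5 = corr.ingest(a)
    return {
        "week1_count": week1_count,
        "week1_score": week1_score,
        "same_cluster": week5 is week1,            # the archived cluster was reopened, not duplicated
        "merged_count": len(week5.alerts),
        "merged_score": score(week5),
        "unactioned": week5.unactioned,
        "top_of_workbench": corr.workbench()[0] is week5,
        "hosts_to_check": len({a["int_ip"] for a in week5.alerts}),
        "note": week5.note,                        # the week-1 comment survives the reopen
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The lookback window is the design knob that matters: too short and the week-5 activity lands in a fresh cluster with no history, too long and unrelated scanners sharing a source IP get stitched together. Keeping the archive note on the reopened cluster is what lets the analyst read “firewall doing its job” next to the new, unblocked alerts.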
You saw week one just before; now it’s changed with these new 21 alerts related to that same activity. So imagine without SOC.OS in week five, you’ve only managed to grab one of those alerts and triage one of those alerts. And with that keyhole view, that single-alert view, your remediation steps and the questions you can even ask are pretty constrained and limited.
It’s like having one piece of the puzzle, of a 41-piece puzzle and me asking you to conclude, what’s this picture telling you? With SOC.OS however, the analyst has the full 41-piece jigsaw puzzle displayed, as you see it here in front of their eyes in a very intuitive manner.
And the story behind this is really straightforward now: week 1, 20 alerts which were all blocked, the team member commented “firewall doing its job”. Three weeks of no activity, then this actor is back probing for more vulnerabilities, this time across two different business assets, one of which is an important web server.
And with that full time-based picture and story clear, your remediation and further investigation steps become a hell of a lot more effective and well-rounded. So now the response will be as follows: I’m definitely going to go check the logs on all these three machines, definitely going to go in and block-list this IP address, and I’m going to investigate deeper within SOC.OS.
So, for example, I’m now going to go in and search for all other potential clusters which contain this same external IP address, or the IP address of this sensitive web server. What other clusters and alerts affect this web server? And I can also now search even at the MITRE ATT&CK level. So show me, SOC.OS, all the other clusters that have this same threat type, right, or potentially this same alert: where else can you see those alerts?
Ultimately, what you’re trying to achieve here is answer the question: Is this just a script kiddie, or is this something potentially part of a larger, more serious, low and slow type of activity?
Thanks for listening. Hope that was insightful, and happy hunting.