For the past 13 years, I’ve been heavily involved in the military intelligence community and the cyber security industry, setting up cyber defenses and training security personnel from leading enterprises and government organizations. During that time, I saw first-hand how cyber tools failed to address the operational challenges faced by security teams.  So I teamed up with Alon and Garry to build a new kind of security operations center (SOC) platform. The Siemplify Threat Analysis Platform, which we launched today, is  built from the ground up to address today’s real-world security challenges. It brings a “command-and-control” model to the SOC, combining real-time threat analytics, visual investigation, and incident response. See, what I found repeatedly when engaging with SOC teams was that all too often they were alerted to a threat — and a thousand other items. In fact, the security teams were inundated with so many alerts that they couldn’t identify the relevant ones. When they did identify threats, they lacked the visual tools to map and analyze them. The teams were further hampered by having to switch between security tools and tap into data repositories spread across the enterprise, which often necessitated mastering complex query and technical skills. Why So Many AlertsThreat detection is not a binary decision of “block” or “allow.” Security tools can’t always be 100 percent certain they will alert when something is suspicious. Because there are many fronts to protect there will inevitably be many different detection systems responsible for a different layer in the organization. This creates a situation in which detection systems fire off alerts individually and agnostically, giving security teams only pieces of the puzzle. Security teams are forced to analyze and make sense out of all this machine data and build the bigger picture. As more detection systems are added and attacks become more sophisticated, building that picture has become exponentially more complex. Minor, routine incidents trigger a flood of alerts that distract security teams. Threat actors leverage this fact to simultaneously employ multiple types of attacks and multiple attacks of the same type to generate a tidal wave of alerts, masking their true goals. The Answer: A New Kind of SOC Platform To solve the challenges of modern threat detection, we drew on our experience in military intelligence. Like cyber-security analysts, military intelligence analysts are expected to analyze and investigate threats, and initiate appropriate action. And like security analysts, intelligence analysts are hired for their ability to understand the meaning of data, not their technical ability to write a database query skills. And as such, the tools available to intelligence analysts aim to eliminate the technical complexity of intelligence analysis. They  process, normalize and correlate the raw alerts and data coming from various surveillance sources, allowing the intelligence analysts to focus on the bigger picture and easily initiate the necessary response. SOC platforms need to adopt a similar role and focus on enhancing human cognitive abilities. They need to be  “command-and-control platforms”  and eliminate as much complexity of threat analysis and incident response as possible. They also need to level up and make threat analysis and incident response easier by acting as a security integration fabric, pulling all available security tools and analytics into a single pane-of-glass. Security analysts would then be able to focus on their real job – understanding the patterns and higher order of meaning of security events.  More specifically, such a SOC platform should:

    • Automatically put into context internal and external security data

 

    • Dynamically correlate security alerts across different detection tools

 

    • Filter out the noise of alerts, prioritizing threats and focusing on what matters most

 

    • Intuitively visualize the data in a clear and interactive way for rapid analysis allowing investigation across multiple data silos

 

    • Make threat intelligence actionable by automatically matching indicators with internal events

 

  • Integrate into the existing security infrastructure allowing remediation to be initiated from a central console

These are just some of the critical capabilities security teams can expect from the Siemplify Threat Analysis Platform. We’ll be using our expertise and platform as the basis for this blog. We’ll explore the challenges facing security operations and provide original research into those challenges. Expect to also find here practical tips for how to improve SOC operations, insights into threat analysis, and help on how to make your security team more effective. Looking forward to hearing your thoughts, -Amos