Defending enterprise networks has become a convoluted challenge, one that is only getting more byzantine by the day.
I’ve written about the how SIEMs ingest log and event data from all across hybrid networks, and about how UEBA and SOAR technologies have arisen in just the past few years to help companies try to make sense of it all, even as catastrophic breaches persist.
Related: ‘Risk-based’ analysis used in SOAR
At RSA 2020, I learned about yet another emerging approach, with supporting technology, called Security Operations Platform (SOP.) At a high level, the role of a SOP is to help squeeze more efficiency – and effectiveness – out of the dense stack of security systems already deployed in the Security Operations Centers (SOCs) of mid-sized and large enterprises.
Next-gen firewall pioneer Palo Alto Networks has staked out turf in the emerging SOP space. I had the chance to visit with a brand spanking new SOP player, QuoLab Technologies, which had its U.S. launch at RSA 2020. QuoLab actually has been refining its core technology for two and a half years as part of QuoScient, the Frankfurt, Germany-based cybersecurity vendor from which it was spun out. For a full drill down on my conversation with Dan Young, QuoLab’s co-founder and chief operating officer, please give the accompanying podcast a listen. Here are my key takeaways:
It’s often said that security is a team sport. Or at least it should be. SIEM — security information and event management – is an approach to ingesting event and log data from core IT systems, as well as from the wide array of security systems most enterprises have in place. SIEMs sift out any packets of data that looks out of the ordinary.
UEBA — user and event behavioral analytics – revolves around modeling the behavior of users and devices to ascertain whether anomalous activity is actually malicious. And SOAR – security orchestration, automation and response – aims to improve management of known threats and vulnerabilities; quicken incident response; and accelerate the automation of security operations.
What’s sorely missing — and what SOP vendors are seeking to deliver — is a much better way to mesh all these disciplines, Young told me.
In many organizations, he says, the malware analysts, threat researchers and incident response specialists are set up, in essence, to compete against each other for slices of a finite IT budget. The result is that any useful intelligence pulled from the security stack, by any one of these teams, tends to get siloed on that team.
“A lot of companies out there are struggling with the ability to break down silos and walls,” Young says. “Some of that is because there’s competition for the same resources . . . but if you can remove those barriers, and get everyone to work on a common, unified framework, and make everyone part of one big team — within a team infrastructure — that’s what QuoLab is bringing to the table.”
Young describes QuoLab’s flagship product as a “data fusion, investigation and analysis platform with a collaborative spin.”
At one level, QuoLab overlays a common user interface on the output of any SIEM, UEBA and SOAR tools an enterprise may already have deployed. Rich, timely threat intelligence gets infused into this level, culled from top proprietary threat feed services, such as Anamoli, Intel 471, VirusTotal and McAfee Threat Intelligence Exchange, with more being added all the time, as well as from dozens of open source threat feeds, such as the Open Threat Exchange (OTX) and the Malware Information Sharing Platform (MISP.)
At another level, QuoLab leverages the analytic horsepower of best-of-breed partners like VMware, for dynamic malware analysis; the NSA, for static malware analysis via its new, open-source ‘Ghidra’ tool; Binary Ninja, for reverse engineering; and Maltego, for analyzing the trail of links used in an attack.
“What we’re saying is cut out the back and forth that has to go between these teams, give them a unified workspace where they can collaborate and share,” he says. “Obviously this is underpinned by a very robust set of data connectors and integrations with other partners and vendors.”
I asked Young for an example of the difference SOP can make and he gave me this description of how one customer was able to rapidly and comprehensively curtail a ransomware attack using QuoLab’s platform:
An alert got generated from the company’s endpoint, detection and response (EDR) system, identifying two laptops as getting infected by ransomware malware. The company was positioned to make quick, deep correlations thanks to the fact that its security stack, including EDR, were tied to each other, as well as to a full slate of analytics tools via QuoLab.
“They didn’t know how the entry point happened, but by putting the data into our platform, they were able, within seconds, to attribute the attack to a specific APT threat actor, because of reporting coming in from certain threat intelligence feeds.”
By taking a look at the associated network and host feeds, security analysts were able to track how the malware propagated and even pinpoint how it got detonated: by two users who clicked on a tainted email PDF attachment.
“Our tool provided that data backbone, by bringing all those different data sources and components together, into one workspace,” Young says. He adds that the more common scenario today would’ve been for the incident response analyst to take hours or days to get all the necessary parties on the same page to make a comparable level of correlations.
I came away from my discussion with Young with a fresh appreciation about the intense complexity involved in defending company networks. It will be interesting to see how quickly SOP solutions catch on. SIEM technology is about 15 years old, while UEBAs and SOAR began gaining traction five to six years ago. Hopefully, SOP platforms will contribute to making the Internet as safe as it ought to be. I’ll keep watch.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-start-up-quolab-enters-emerging-security-operations-platform-sop-space/