Skip navigation
All Places > Products > RSA Archer Suite > Blog > Author: Bali Kuchipudi

RSA Archer Suite

2 Posts authored by: Bali Kuchipudi Employee

There is a lot of uncertainty these days and back in my college days in my Quantum Physics class, the Heisenberg Uncertainty Principle took the prize for uncertainty.    Heisenberg Uncertainty Principle states that you can never simultaneously know the exact position and the exact speed of an object.

 

104002Security operations team could put the Heisenberg Uncertainty Principle to shame by using a combination of intelligence and context during security investigations.

 

Think of it this way, when an incident occurs, the security operations team needs to take a holistic approach when investigating threats.   By using a combination of intelligence and context, the security operations team can effectively detect, investigate, respond and remediate security threats.    Let’s see how this plays out during the investigation process:

 

  • Visibility - An event happens; the team has visibility to see attacker’s every move and be able to reconstruct the event. How did the attacker infiltrate our environment, what other systems did they access, did they install malware, have they opened up a backdoor for future attacks?

 

  • Business Context - Prioritize with business context; the team should always prioritize the events that affect the critical assets of the organization. There are a lot of events but if you are able to quickly identify and prioritize events that affect the critical assets, you can minimize the risk impact to your organization.

 

  • Vulnerability Information -  If an incident happens due to an existing vulnerability, let’s prevent that incident from happening again by addressing the vulnerability.  It is important for the security analyst to quickly take an incident, see the affected asset, the criticality of that asset and see if any vulnerabilities exist.

 

  • Identity Context - Is the access appropriate? It is important for the security operations team to have a view into asset access entitlements, user entitlements and roles.  If an incident happened due to an orphaned account, it is important to close those attack surfaces to prevent future attacks.

 

  • Threat Intelligence – Are there threats that are targeting companies in my region or vertical? If so, can I leverage what other companies have done to detect these threats and respond effectively.

 

When I talk to customers building out their incident response teams, I always mention VISIBILITY, ANALYSIS and ACTION. The ability to leverage advancements in technology and big data analytics as well as a combination of intelligence and context to better detect, investigate and respond to security incidents.

 

Uncertainty NO-MORE — Certainty YES during the security investigation process.    Let’s limit the Uncertainty Principle to Quantum Physics.

100907

 

… To think about how investments in technology and staff will work together in your organization’s Security Operation Center (SOC).    When we introduced RSA Security Operations Management (SecOps), our intent is to help customers to really think about what framework and orchestration of people, process and technology are required to build out their SOC capabilities.

 

As such, the key value propositions of SecOps are as follows:

 

  • Business Context – Provide up to date business context of assets to security analysts so they can prioritize incidents that pose the biggest risk to their organization.
  • Incident Response – Provide a framework to collaborate and effectively investigate security incidents that is aligned with industry standards.
  • Breach Response – Provide a framework so when an incident leads to a data breach, the organization is prepared ahead of time to respond to the breach.
  • SOC Program Management – Enable SOC teams to run the overall incident and breach response process as a consistent and predictable business process.

 

As I started talking to customers about SecOps, I have found that the SOC maturity levels differed across the board.    The mature SOC customers who are in “Defined” Stage or above of the CMMI Maturity Level immediately see the benefits of SecOps, the ability to automate their overall SOC processes, drive efficiencies, drive consistency and prove the overall effectiveness of the team.

 

But early stage customers that are in the “Initial” or “Managed” stage of their SOC implementation would pose the question back to me, “We are in EARLY stage of building out our incident response team and SecOps has a lot of functionality, where do I start?”.

 

You are never too early to take advantage of SecOps functionality.  You are investing in technology and staffing your team --- how do you get full return on your investments?  SecOps can be implemented in stages and more functionality can be introduced as your team matures.  For starters, if you are in the early stages of SOC implementation, here are 3-items that you should think about at this stage:

 

  • Alert aggregation into SecOps – Analysts will have one place to go look at new incidents and manage the queue.

 

  • Prioritize incidents against business context – Start getting your IT asset information into SecOps / Enterprise Management and assess the risk of those assets.  Analysts will be able to prioritize the incidents that pose the biggest risk to the organization.

 

  • Leverage OOTB Incident Response Procedures  - SecOps has OOTB response procedures that were authored by our RSA Advanced Cyber Defense Team.    You can build on these response procedures and create your own.

 

The above 3-items will immediately improve your analyst effectiveness.  From here, you can continue leveraging additional SecOps functionality for Breach preparedness and overall SOC program management.  So, my answer back to the early stage customers --- You are never too early to leverage SecOps, it can bring immediate benefits to your SOC team.

 

SecOps has been available for our customers for exactly a year.  I continue to learn from RSA customers and let’s continue fighting the good fight against the bad guys!   Watch Bob Cheong, CISO of Los Angeles World Airports talk about how he built his SOC capabilities from scratch. 

 

100929               100930

Filter Blog

By date: By tag: