
How network incident responders can best benefit from technology providers’ offerings

As the frequency of cyberattacks rises, it is becoming more and more obvious how painful it is to respond to a breach while it is still in progress. To support their customers, vendors must get better at what they do, particularly at the moment they are needed most. Technology providers must take the time to listen to and understand their customers’ concerns in order to help them find the best solution. Beyond having access to the most advanced cloud computing, storage, and search technology, vendors also hold a wealth of information about attacks on their customers. Yet these resources are seldom used by SOC teams.

Lack of information: historical lookback and vendors

It is well known that threats may remain undetected for long periods of time — up to 280 days, according to an IBM study. So why do SaaS NDR providers offer a lookback period of only 30, 60, or at most 90 days? Given that the cloud has nearly unlimited storage capacity, shouldn’t historical lookback keep pace with how long threats actually persist?

The following is an example:

February 20, 2020: the SUNBURST backdoor was built into a SolarWinds Orion Platform DLL and distributed.
December 8, 2020: the SUNBURST attack was first discovered.
December 8, 2020 onward: more than 18,000 government agencies and Fortune 500 companies are assessing the impact and preparing for possible attacks, all at the same time.

In the days after December 8, 2020, there was an immediate scramble to review historical data to see whether any of the indicators of compromise had crossed the network. Teams were hampered by a lack of network visibility and by data that was only retained for a limited period; most had less than a month’s worth. They could not go back to the start of the SUNBURST campaign in February 2020 to determine what the attackers had been doing on their network and how much risk the firm was exposed to.

This begs the question of why vendors aren’t solving this problem for their customers, given that cloud computing offers nearly unlimited storage.
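As an added illustration of the lookback problem described above (this is example code, not from the original article or any vendor’s product), the Python below simulates a retrospective indicator search over a constructed set of network metadata records. The campaign start and discovery dates are the ones given in the timeline; the hostnames, domains, and IoC list are constructed placeholders, and `retrospective_hunt`, `compare_lookbacks` and `required_lookback_days` are hypothetical helper names. The point it makes is that a 30- or 90-day retention window not only hides months of activity, it also makes the intrusion look only a week old, because the earliest hit the responder can see is the most recent beacon, not the first one.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    """One network metadata observation (flow/DNS style), constructed for this example."""
    seen: date
    src_host: str
    dst_domain: str


# Dates taken from the timeline in the article.
CAMPAIGN_START = date(2020, 2, 20)   # first malicious activity
DISCOVERY_DATE = date(2020, 12, 8)   # IoCs published; retrospective hunt begins

# Constructed sample data. Hostnames and domains are placeholders,
# not real SUNBURST infrastructure.
SAMPLE_RECORDS = [
    Record(date(2020, 3, 26), "orion-01", "c2-placeholder.example"),
    Record(date(2020, 6, 4), "orion-01", "c2-placeholder.example"),
    Record(date(2020, 9, 30), "workstation-7", "intranet.corp.example"),
    Record(date(2020, 12, 1), "orion-01", "c2-placeholder.example"),
]

# Constructed IoC list "published" on the discovery date.
DISCLOSED_IOCS = {"c2-placeholder.example"}


@dataclass
class HuntResult:
    retention_start: date      # oldest day the vendor platform still holds
    matches: list              # IoC hits inside the retained window, oldest first
    unsearchable_days: int     # campaign days that fell off the end of retention


def retrospective_hunt(records, iocs, discovery_date, retention_days,
                       campaign_start=CAMPAIGN_START):
    """Search only the records a platform with a fixed lookback would still hold."""
    retention_start = discovery_date - timedelta(days=retention_days)
    searchable = [r for r in records if retention_start <= r.seen <= discovery_date]
    matches = sorted((r for r in searchable if r.dst_domain in iocs),
                     key=lambda r: r.seen)
    unsearchable = max(0, (retention_start - campaign_start).days)
    return HuntResult(retention_start, matches, unsearchable)


def earliest_match(result):
    """The oldest hit the responder can see; None if the window holds no hits."""
    return result.matches[0].seen if result.matches else None


def required_lookback_days(campaign_start, discovery_date):
    """Retention needed to reach back to the first day of the campaign."""
    return (discovery_date - campaign_start).days


def compare_lookbacks(retention_options, records=SAMPLE_RECORDS, iocs=DISCLOSED_IOCS):
    """Map each retention option to (hit count, earliest visible hit, unsearchable days)."""
    out = {}
    for days in retention_options:
        res = retrospective_hunt(records, iocs, DISCOVERY_DATE, days)
        out[days] = (len(res.matches), earliest_match(res), res.unsearchable_days)
    return out


if __name__ == "__main__":
    need = required_lookback_days(CAMPAIGN_START, DISCOVERY_DATE)
    print(f"lookback needed to cover the whole campaign: {need} days")
    for days, (hits, first, gap) in compare_lookbacks([30, 90, 365]).items():
        print(f"{days:>3}-day lookback: {hits} IoC hit(s), earliest visible {first}, "
              f"{gap} campaign days unsearchable")
```

With the constructed data, the 30- and 90-day windows each return a single hit dated December 1, 2020, with 262 and 202 campaign days respectively unsearchable; only a window longer than the 292 days between campaign start and discovery shows the March beacon and the true scope. The same check, run against your own platform’s retention setting before an incident, tells you how much of a long-dwell intrusion you would be able to reconstruct.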

No time to do everything

As a member of an incident response team, you know the urgency of the situation. Time is of the essence. This isn’t a melodrama; it’s a steamroller. It is also one of the main causes of security analyst burnout.

Modern ransomware is one example of this. You must act quickly once an attacker’s presence has been detected in your network to avoid paying ransom, having critical data encrypted, having your operations disrupted by double extortion for exfiltrated information, and being relentlessly covered by the media with everyone offering an opinion on what you should do.

Security vendors, on the other hand, seldom focus on delivering technology that speeds up investigations. There is an addiction to being able to “detect,” with the security team left to take care of everything else. Again, why? The computing power available to vendors is nearly limitless, yet existing NDR tools force investigators to search for each event one at a time. Why can’t they run separate searches in parallel? Why can’t several members of a team collaborate on a single search? Solutions should provide threat-specific playbooks that say “here’s the hypothesis you should test,” rather than, worse still, pointing you to a different product and making you restart most of the investigation elsewhere.

But vendors aren’t putting these cloud computing capabilities to use for their customers.


SaaS-based security technologies held a lot of promise: using cloud-delivered security solutions means you never have to worry about updating or maintaining on-premises systems. Hasn’t that promise grown a little stale by now?

True, you get fast updates for your SaaS security solutions, but as noted above you are not getting the advantages of cloud computing, such as unlimited storage and compute, thrown in. Worse, many “technological improvements” now require constant detection tuning and false-positive (FP) reduction because of the use of machine learning. Getting high-fidelity results out of the vendor’s product has become your team’s job, which has benefited both of you!

Vendors must take the initiative to remove these hindrances. Some vendors are embracing the concept of “guided SaaS,” where the solution is owned and operated by your team, but software updates, detection and false-positive tuning, system maintenance, and health checks are all performed by the vendor so that you can focus on “Job 1”: threat management. I welcome this approach, as opposed to simply charging professional services fees for something vendors should have done in the first place, and hope that other vendors follow suit and include it in their offerings.

The absence of direction

It is clear that security personnel face a shortage of focus, information, and time. The fourth obstacle to rapid action is a lack of threat-specific information. Responders must be familiar with the adversary’s tactics, techniques, and procedures (TTPs) if they are to respond fully and confidently. Instead, customers are forced to do their own research on TTPs and on the adversary’s intent in order to decide for themselves how best to react.

NDR vendors have a wealth of information about the tactics and motivations of threat actors, but they do not share it with their clients. Vendors gather a lot of actionable intelligence on how to respond to a specific threat, yet they have no procedures in place to pass this knowledge on.

What add-on knowledge vendors do provide is largely focused on their product rather than on a particular incident. NDR vendors could help their clients at the most critical moment of need by sharing the knowledge they obtain through cross-deployment insight, crowdsourcing, and threat research. Put differently: how would one incident responder help another, rather than speaking in vendor-speak?