Risk Aware Security Operations

Gaurav Banga
April 11, 2018 | 8 min read | Security Posture

Most of you know Balbix as a breach avoidance platform—with the ability to continuously probe and analyze the enterprise attack surface and produce relevant cyber risk insights. CISOs and security teams get a continuous risk heat map along with prioritized and actionable prescriptions to improve cyber-resilience and decrease overall breach risk. Today we announced a major update to our BreachControl™ (now called Balbix Security Cloud) platform to bring deep risk context to security operations as well as contextualization of global threat feeds and industry-specific threat models.

Risk Context in the SOC

Organizations of all sizes struggle with the daily volume of alerts produced by their security controls, which often exceed the capacity of their security teams. It is not uncommon for a SIEM in a medium-size to produce 100s of security alerts each day. Each trained SOC analyst can typically handle 4-6 alerts daily with manual methods. Therefore, managing and acting upon daily security events while factoring in relevant business criticality information requires a level of resourcing impossible for most businesses. The recent introduction of Automation and Orchestration tools to security alert response is a great force multiplier, however automation also needs to be driven by good business risk context, which goes back to the challenge of scarce security-savvy human resources.ioc_pri2

With this update, Balbix BreachControl (now called Balbix Security Cloud) automatically ingests indicators of compromise (IOC) data from SIEM tools, such as Splunk and LogRhythm, and applies deep context. This greatly improves the quality of mitigation actions for the IOC stream by simultaneously applying business impact context, an analysis of external threats as well as up-to-date local knowledge of unresolved vulnerabilities and compensating controls. Deep Learning and other advanced AI techniques continuously analyze 10s to 100s of millions of data points to mimic expert analyst knowledge and detective techniques.

SOAR playbooks can make use of this deep context by calling Balbix BreachControl (now called Balbix Security Cloud) via API, and secops personnel can access it via the Balbix dashboard. For example, a playbook addressing an IOC related to an intranet IP address can query Balbix for business criticality information about this device, and its vulnerability state. As you can imagine, an event from a privileged admin user’s laptop which is unpatched will be treated differently than if the target system was unprivileged and/or fully patched.

Besides providing context for tactical event handling, BreachControl (now called Balbix Security Cloud) also provides a list of strategic actions to minimize ongoing risk from IOCs and improve resilience. In the example above, BreachControl (now called Balbix Security Cloud) might highlight that the privileged user’s system mean-time-to-patch is lower than the agreed upon SLA for this class of devices, i.e., the system needs to be patched more often. This is quite unique to Balbix– not only do we want to control the impact of a security event, but we also want to root-cause the event and develop a permanent solution to avoid the future occurrences of the event.

Global Threat Contextualization

It is critical for security professionals to understand the enterprise exposure to ongoing global threats and use it as one of the prioritization vectors. BreachControl (now called Balbix Security Cloud) now contextualizes ongoing global threats such as wannacry and gives you visibility into your exposure as well as the effect it has on your breach risk. It also goes beyond just the known threats and predicts which security vulnerabilities might be exploited next and helps you to prioritize fixes.

Google-like Search for Cybersecurity and Risk

The deeply technical nature of cyber security has meant that non-security stakeholders have a hard time understanding security related data, or even knowing what questions to ask. At Balbix, we believe that natural language Google-like search for security and risk information is an excellent consumption model for all business stakeholders in order to facilitate the best security-related decision making. In this update to Balbix BreachControl (now called Balbix Security Cloud) we have also made significant advances to Balbix’s search capability.

Balbix’s search engine supports terms and well as natural language based search, with suggestions and history—just as we are used to with Google search. Balbix’s search system understands the semantics of infrastructure, sites, assets, applications, device types, users and sessions: so you can ask questions such as “all smartphones in mountain view” or “all source code repositories” and Balbix will produce a relevant report, including a list of matching entities and the ability to drill down. The search system also understands the language of security including 100s of classes of security vulnerability categories, such as unpatched software, weak, default and reused passwords, missing or poor encryption, and terms such as “wannacry”, “target-like breach”, “where will attacks start”, “how will attacks propagate”, etc. Finally Balbix’s search system also understands the higher-level semantics of risk,  and can provide relevant answers to terms such as “where are my critical assets”, “riskiest systems”,  “how has my risk changed”, “benchmark my risk posture”, etc. We are also working on teaching Balbix the language of compliance, e.g., “pci compliance status”, which runs most of the technical pieces of the PCI spec and produced an audit-ready report.

s3

Introducing Risk context to security operations, and a search based consumption model for security analytics is crucial to aligning the efforts of the security team with actual business risk, and is a critical step in achieving integrated risk management and improved cyber-resilience. We are quite positive that the latest BreachControl (now called Balbix Security Cloud) update takes another quantum leap forward in this direction.