Author: Dr. Edward Amoroso, Chief Executive Officer, TAG Infosphere; Research Professor, NYU
The modern security operations center (SOC) can combat threats more effectively through the use of detection content. This blog from guest blogger Dr. Edward Amoroso, CEO of TAG Infosphere, illustrates such content provision in the context of a commercial solution such as the Anvilogic detection engineering and hunting platform.
Introduction
The challenge of combating cyber-attacks in the security operations center (SOC) continues to increase with more capable threat actors using improved tactics and techniques. As a result, the need to collect and use detection content has emerged as a practical enhancement to the day-to-day responsibilities of the SOC analyst.
The objective is to ensure that SOC teams have access to detailed information about offensive campaigns that are continually evolving and being discovered. Having such knowledge in the form of usable content offers context and insight that are invaluable as SOC analysts focus on detection engineering and hunting.
What is Meant by Daily Detection Content?
Detection content from companies such as Anvilogic will include detailed descriptions of the offensive tactics and malicious techniques that are being used by bad actors – hackers, fraudsters, criminals, and nation-state actors – in their campaigns. This usually includes mapping to a known threat taxonomy, such as the MITRE ATT&CK framework.
The Anvilogic detection engineering and hunting platform is designed specifically to advance the collection and use of detection content for SOC teams. The platform emerged organically from interactions with working SOC teams protecting enterprise environments. Purple team researchers maintain and update the content to track trending threats.
To that end, Anvilogic emphasizes a detection philosophy in its detection engineering and hunting platform with the goal of optimizing coverage of attack detection, so that proactive controls can be put in place and reactive remediation can be engaged.
How Does Anvilogic Provide Daily Detection Content?
Anvilogic supports a balanced approach to detection engineering, which works by offering accurate and complete information to SOC analysts. Accordingly, Anvilogic provides a wide range of this threat-based detection content built by purple team researchers, mapped to MITRE ATT&CK across multiple query languages.
The platform also uses artificial intelligence-based technology to assist in the development of code blocks that help SOC engineers analyze data collected in data lakes such as Snowflake. The result is a highly automated and intelligent means of performing detection engineering for prevention, detection, and response.
Using Detection Content to Combat Threats
The use of the Anvilogic platform involves building and deploying behavior attack pattern-based detections which are guided by the content mapped to MITRE ATT&CK. This is done in a code-less, UI-driven manner which can model highly complex threat scenarios. Analysts benefit from this flexibility as they hunt for evidence of malicious activity.
The primary value of the detection content from Anvilogic is threefold – namely, that it supports improved coverage for the highest priority attack methods targeting the organization, it increases the efficiency of the SOC, and it allows for automation of the detection engineering process with standardized rules.
A common use case, for example, would involve a SOC team running SOAR and ticketing systems using Anvilogic to automate a repeatable detection process that drives standard alert output. This process would be supported by integration with systems such as Palo Alto Cortex, Proofpoint, and CrowdStrike, and by normalization of data from Splunk, Azure, and Snowflake.
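To make the workflow above concrete, here is an added illustration (not Anvilogic's code) of a behavior-pattern detection run over events normalized from two sources, where each piece of detection content carries its MITRE ATT&CK technique IDs and every match produces a standardized alert record. The source names, field mappings, the `PATTERNS` rule and the sample events are all constructed for the example; only the ATT&CK technique IDs are real.

```python
# Added illustration (not Anvilogic's code): a minimal behavior-pattern detection
# over normalized events, emitting standardized alerts mapped to MITRE ATT&CK.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical detection content: an ordered list of ATT&CK technique IDs that must
# all be observed on one host within the window (IDs are real ATT&CK techniques).
PATTERNS = [
    {"name": "Phish to C2", "window_min": 30,
     "sequence": ["T1566.001", "T1204.002", "T1071.001"]},
]

def normalize(raw):
    """Map vendor-specific field names onto a common schema (constructed mapping)."""
    if raw["src"] == "email_gw":   # constructed email-gateway record
        return {"host": raw["recipient_host"], "ts": raw["time"], "technique": "T1566.001"}
    if raw["src"] == "edr":        # constructed EDR record already tagged with a technique
        return {"host": raw["hostname"], "ts": raw["timestamp"], "technique": raw["attack_id"]}
    raise ValueError(f"unknown source {raw['src']}")

def detect(events, patterns=PATTERNS):
    """Return one standardized alert per host whose events match a full pattern in order."""
    by_host = defaultdict(list)
    for e in sorted((normalize(r) for r in events), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for p in patterns:
            win, idx, first_ts = timedelta(minutes=p["window_min"]), 0, None
            for e in evs:
                if e["technique"] != p["sequence"][idx]:
                    continue
                if first_ts is None:
                    first_ts = e["ts"]
                elif e["ts"] - first_ts > win:   # first match fell outside the window: give up
                    break
                idx += 1
                if idx == len(p["sequence"]):
                    alerts.append({"host": host, "pattern": p["name"],
                                   "techniques": p["sequence"],
                                   "first_seen": first_ts.isoformat()})
                    break
    return alerts

# Constructed sample events from two sources; ws-17 completes the pattern, ws-22 does not.
SAMPLE_EVENTS = [
    {"src": "email_gw", "recipient_host": "ws-17", "time": datetime(2024, 1, 1, 9, 0)},
    {"src": "edr", "hostname": "ws-17", "timestamp": datetime(2024, 1, 1, 9, 5), "attack_id": "T1204.002"},
    {"src": "edr", "hostname": "ws-17", "timestamp": datetime(2024, 1, 1, 9, 9), "attack_id": "T1071.001"},
    {"src": "edr", "hostname": "ws-22", "timestamp": datetime(2024, 1, 1, 9, 9), "attack_id": "T1071.001"},
]
```

Running `detect(SAMPLE_EVENTS)` yields a single alert for ws-17 whose `techniques` field is the ATT&CK mapping a SOAR or ticketing system can route on.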
Next Steps
SOC teams should review their existing process of detection engineering and hunting, with emphasis on whether sufficient coverage, automation, and support for day-to-day alert management are in place. This information is easily obtained through interaction with the SOC team leadership and day-to-day practitioners.
SOC team success relies as much on technical skill as on whether support is available for the tasks of normalizing data, coordinating workflow, and matching alerts to detection intelligence. Where this support is lacking, perhaps with deficiencies in mappings to MITRE ATT&CK or similar frameworks, Anvilogic can help improve SOC efficiency and operational success.