Less “Red Alert”: How the Security Operations Center Benefits Significantly from System Hardening

IT security specialists in so-called SOCs, CDCs or CSIRTs usually have a lot on their plate because they have to deal with numerous events and incidents. System hardening can significantly reduce the flood of (false) reports and at the same time improve the security of IT systems.

What are the major challenges of a SOC team?

All companies that work digitally and operate a large IT infrastructure should have a Security Operations Center (SOC) – either an in-house team or one supported by a service provider. Ideally, SOC specialists monitor all systems around the clock and, in the event of a cyber attack, immediately initiate appropriate and coordinated countermeasures.

So much for the theory.

In practice, it turns out that SOC teams are often overloaded and can only detect and defend against cyber attacks with a great deal of effort. Why is that? For one thing, in our experience, security operations centers are often understaffed. This is due to a shortage of skilled workers: companies simply cannot find the right people. In addition, budgets for SOCs are too small.

Another important reason is that SOC experts are often faced with an almost endless number of events and potential security incidents. It is not uncommon to see false positive rates of well over 50 percent. This has an impact on various levels:

    • From a technical point of view, a very large proportion of the alerts turn out to be irrelevant or false alarms.
    • In terms of time, highly specialized employees spend most of their valuable working hours dealing with irrelevant issues.
    • Organizationally, the flood of incidents causes unrest, because alerts may be escalated to other areas of the company.
    • From a motivation perspective, turnover is high. Many professionals simply don’t feel like constantly chasing false alarms caused by misconfigured systems or poorly set thresholds.

Why do so many false alarms occur?

There are several reasons for this. For example, monitoring systems without professional tuning issue an extremely large number of messages. They do not distinguish between really important and relatively unimportant anomalies, which leads to a large number of alarm messages.

Often, SOC managers do not precisely define the depth to which individual systems should be monitored. They simply “collect” logs without defining clean thresholds. The result can be hundreds of alerts per hour.

Understandably, this brings SOC staff to the brink of despair, as they can no longer see the forest for the trees. And if you’re unlucky, there are also infrastructure problems. After all, the more data is received, parsed, normalized, analyzed and correlated, the more storage and computing load is created. These resources must be available to ensure that events can be processed in near real time.

Another significant cause lies much deeper: the systems monitored by anomaly detection systems are usually not securely configured. They have many vulnerabilities and gaps, so they can be compromised easily. In other words, system hardening based on industry-proven standards does not exist.

Why system hardening can greatly reduce the burden on security teams

An unhardened system leaves the door open for “cyber-gangsters”. They use unnecessary services, unpatched applications or other attack surfaces to penetrate IT infrastructures and spread. When such an attack is detected, alarm bells understandably start ringing everywhere.

Sustainable system hardening helps in several dimensions. On the one hand, the protection of IT systems is significantly increased, and attacks run into a dead end thanks to comprehensive system hardening. On the other hand, system hardening also helps in detection and response.

Microsoft also documents this clearly in its published “Digital Defense Report”:

“SOCs can mitigate alerts using hardening rules capabilities (..). Hardening against common threats can not only reduce alert volume, but also may stop many attackers before they get access to networks.”

The result: where there are fewer (false) alarms, a real attack can be detected more reliably! This is especially true where hardening has denied the attacker a quick and easy way into the infrastructure. The effort for the attackers increases. They have to become “louder”, which increases the chance that the SOC will detect them.

An example of how hardening and SOC alerts are related

Let’s take a look at WannaCry. The ransomware kept the IT world on tenterhooks in 2017 and was all over the media for months. The debacle was based on the SMB v1 protocol, which at that time had been known to be insecure for many years.

Microsoft had publicly distanced itself from SMB v1 as early as 2014, among other things by removing it from new installations. The Redmond-based company, the Center for Internet Security (CIS) and other organizations issued configuration and hardening recommendations long before the WannaCry mess. But few companies followed them.

When WannaCry hit, there were alerts around the world. Security teams (SOC, CSIRT, etc.) were under constant stress, either to come up with preventive measures and develop meaningful detection methods, or to stop the spread of the malware once countless end devices had already been encrypted and the companies were being blackmailed with immense ransom demands.

In the end, WannaCry caused not only turmoil, but also financial losses. Kaspersky estimates the damage caused by WannaCry in around 150 countries worldwide at around four billion US dollars.

WannaCry screenshot (Image: Wikimedia)

Companies that had properly hardened their systems, for example by no longer using SMB v1, were spared these expensive consequences. WannaCry was still able to infect individual systems, for example if malicious code was executed via a phishing email, but it was unable to spread throughout the entire network: the technical attack vector it used, SMB v1, was no longer active.
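To make the SMB v1 example concrete, here is an added PowerShell script that is not part of the original article and not one of the vendor’s tools. It inventories every place SMB v1 can still be switched on for a Windows host, optionally turns on Microsoft’s SMB1 access auditing so the SOC sees which legacy clients still depend on the protocol, and optionally removes SMB v1. It assumes Windows 10 / Windows Server 2016 or later with the SmbShare and DISM PowerShell modules, and an elevated PowerShell session; the function names are our own.

```powershell
<#
  Added example (not from the article or its vendor): check, audit and disable SMB v1 on a Windows host.
  Assumes Windows 10 / Server 2016 or later, the SmbShare and DISM modules, and an elevated session.
#>
[CmdletBinding()]
param(
    [switch]$EnableAudit,   # log remaining SMB1 clients before removing the protocol
    [switch]$Remediate      # actually disable SMB v1 (server side, client driver, optional feature)
)

function Get-Smb1Status {
    # Collect every setting that can still expose SMB v1 into a single object.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $client  = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue   # SMB1 client (redirector) driver

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        Smb1AuditEnabled  = $server.AuditSmb1Access
        OptionalFeature   = if ($feature) { $feature.State } else { 'NotPresent' }
        ClientDriverStart = if ($client) { $client.StartType } else { 'NotPresent' }
    }
}

function Get-Smb1AuditEvents {
    # Event ID 3000 in Microsoft-Windows-SMBServer/Audit is written when a client connects using SMB1.
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Server side: stop offering SMB1 to clients.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature so a later configuration drift cannot simply re-enable it.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    # Client side: make sure this host does not speak SMB1 to others either.
    if (Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue) {
        Set-Service -Name mrxsmb10 -StartupType Disabled
    }
}

$before = Get-Smb1Status
Write-Output 'SMB v1 status before:'
$before | Format-List

if ($EnableAudit -and -not $before.Smb1AuditEnabled) {
    # Gives the SOC a concrete signal (event 3000) instead of guessing which systems still need SMB1.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Output 'SMB1 access auditing enabled; review Microsoft-Windows-SMBServer/Audit for event ID 3000.'
}

if ($Remediate) {
    if ($before.ServerSmb1Enabled) {
        $recent = @(Get-Smb1AuditEvents)
        if ($recent.Count -gt 0) {
            Write-Warning "$($recent.Count) recent SMB1 connections were logged; check those clients before cutting them off."
        }
    }
    Disable-Smb1
    Write-Output 'SMB v1 status after (a restart completes the optional feature removal):'
    Get-Smb1Status | Format-List
}
```

A practical sequence is to run the script with -EnableAudit first and let it sit for a while: the audit events tell you which legacy devices still depend on SMB v1, so the hardening step is based on evidence rather than guesswork, and the alerts it produces are real signal rather than noise. Once the list is empty or the dependants have been migrated, -Remediate removes the protocol on the server side, the client side and as an installed feature, which is what would have stopped WannaCry’s lateral spread.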

There have been numerous examples of this kind in the past. And even now, there is no end to the reports of organizations, authorities and companies being successfully hacked. SOC teams have a lot of work to do because IT decision-makers did not do their “homework” – secure configuration – in advance.

Can a SOC be completely unburdened?

No. Protecting an IT system 100 percent from attacks and breaches is a theoretical goal, but it is unrealistic. Nevertheless, IT and security managers should always do their best to make it as difficult as possible for hackers and cyber criminals to succeed.

It often turns out that if an attacker fails with his standard methods, he gives up and looks for an easier victim. Or he is forced to use other methods, to “hop” across any number of systems or to try new things.

The above-mentioned “Digital Defense Report” from Microsoft also addresses this issue:

“Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.”

To put it more simply: the harder a burglary is, the fewer burglars will attempt it, and the fewer will succeed in the end.

Don’t forget audits and evidence!

If you put a lot of obstacles in the way of the hackers, the employees of the Security Operations Center have enough time to take countermeasures and render the actions of the “cyber gangster” harmless.

And in hindsight, the path of the attacker can be traced. The work of an IT forensic expert is made easier if there are enough log files and audit reports. The latter kind of evidence can be generated quickly and easily with the free AuditTAP, for example.

New preventive actions should be taken on the basis of the findings. This could mean closing further vulnerabilities or increasing security through stricter hardening. It includes, for example, revoking exceptions for outdated software that no longer supports current security standards.

And the SOC has to revise its processes and optimize its tools to be even better prepared for more cyberattacks in the future! These will surely come.

Conclusion

Key decision-makers in companies often focus on measures such as detection and response, and possibly also on recovery and restoration. That’s fine; after all, cyber attacks should be detected and remedied.

But you must never forget to take preventive action! Because if you “lock” the systems via hardening, fewer “burglars” can get in and cause damage! WannaCry, Mimikatz, DefenderStop and the like then quickly lose their terror.

And how can a sustainable and at the same time automated system hardening be realized? With hardening tools like Enforce Administrator!

Do you need support for hardening your systems? Contact us! Our experts will get back to you right away.


Images: Freepik, Wikimedia
