‘Last-Mile’ Workflows for Tighter SOC Responses

By Erik Miller, October 29, 2018

How many times have buyers of insider threat detection and response solutions heard this vendor pitch? “We bring your user data into our system so your security operations center analysts can work in a single pane of glass. Our solution will reduce the volume of alerts, streamlining your SOC detection and response workflows and allowing your team to focus on more meaningful threats.”

It’s true that most solutions initially make life easier for a SOC team by bringing data together in a way that boosts detection efficiency. But soon enough the newly aggregated alerts start to pile up — on top of the alerts they were supposed to replace — forcing already overwhelmed analysts to spend even more time triaging and investigating. The early promise of SOC efficiency quickly degenerates into just another pain point, resulting in even more alert fatigue for the team. And with no end in sight to the current chronic shortage of skilled security analysts, organizations won’t be able to hire reinforcements any time soon. Many even turn off their new systems entirely.

As if the alert overload problem weren’t painful enough, these systems also lack effective response mechanisms. For example, most solutions don’t specify whether the designated SOC analyst has to create a ticket or send an email or make a phone call. Nor is it clear how to ensure that the next analyst sees all the relevant data the original analyst saw. In short, these systems lack the ability — to borrow a term from the telecom industry — to help analysts through the ‘last mile’ of their investigative process.

This cycle of Level 2 analysts re-researching a case from scratch, while the underlying data keeps refreshing, makes it harder as time passes to find the events that actually mattered. Every analyst handoff further erodes the organization’s ability to craft a timely and consistent response to its most serious insider threat cases.

How do security teams overcome this last-mile dilemma? Some resort to workarounds like exporting to Excel, taking screenshots or other improvised methods of retaining critical data. But data shouldn’t have to be removed from a system to be kept for research, and analysts certainly shouldn’t have to toggle to another system — only to point their colleagues back to the original system to perform the same research they just did.

Imagine a single system where SOCs could manage their insider threat investigations from start to finish, offering a consistent and repeatable mechanism for taking action against individuals whose potential risk to the organization has risen to the level of being concerning or requiring immediate action.

Haystax Technology’s insider threat mitigation solution is designed from the ground up to provide analysts with tightly integrated workflow and case management capabilities in a single environment, handling everything from alerting, triage and initial research all the way through to incident response and resolution (image below).

Embedded within the system are AI-based analytic tools for dynamically prioritizing workplace risk, plus apps for managing all incident and behavioral data on individuals from a wide array of internal and external sources (image below). Analysts can additionally upload their notes, supporting documents and recommendations for action, and then hand off the updated snapshot of their case in a single package to the next level without leaving the system.

Here’s an example of a Haystax analytics workflow in an operational setting:

• A Level 1 analyst researches the riskiest individuals within the organization — the ones exhibiting concerning behavior — and identifies the subset who merit a deeper look. Because Haystax brings all of an organization’s data together (even non-network data like access badge logs, performance appraisals, travel records, etc.) to create a ‘trust profile’ on a user, alerts don’t fire because of a single anomalous event. Instead, a person’s behavior across many systems and circumstances over time is taken into consideration, reducing the number of individuals an analyst needs to investigate. Say the risky individual is exhibiting behavior consistent with committing fraud or exfiltrating data and the Level 1 analyst wants to pass this case on to the next level. Not only are there behavioral indicators the Haystax platform has used to ‘reason’ that there is an issue of concern in the first place, but any evidence collected by the analyst during research can be uploaded and made visible. At this point the individual’s risk profile, with its associated documentation and evidence, is passed along …

• … to the Level 2 analyst, who receives an alert that there is a new case to review. This analyst logs in and is greeted with the complete case package. All of the research, every event and annotation — in short, everything that led the Level 1 analyst to escalate — is readily accessible and consistent with what Level 1 observed and researched. As a result, Level 2 doesn’t have to start over and try to figure out why this particular case is in the queue. Instead the new analyst is free to focus just on the items that are new, and on supplying additional context to the case. From here, the analyst can choose to close the case for lack of evidence, or escalate to management, HR and/or the risky individual’s boss, who can…

• … decide whatever response action is deemed appropriate, based on the severity of the case. Individuals who commit fraud or IP theft are typically terminated. If the issue is more about adverse behavior to colleagues, HR could be asked to discipline the employee. Sometimes, less serious behaviors can be detected early enough to allow for remedial action to improve the employee’s attitudes towards work or colleagues or management.

One critical advantage of the Haystax system is that it can protect the identity of the individual under review through the use of an optional redaction capability, which replaces names, titles and other personally identifying information with alphanumeric tokens. These can only be unredacted by senior managers in major risk investigations; analysts see the data and analytic results but do not learn the identity of the at-risk individual. Note that token substitution is pseudonymization rather than anonymization: the remaining contextual data (badge, travel and HR records) can still narrow down who the subject is, so the token-to-identity mapping needs the same access control and audit logging as the case itself.

Just as importantly, everything within the Haystax platform is auditable: every event that brought the case to light, every note and every change made to the system by anyone who touched the case is logged. Thus, there is no ambiguity as to why a particular response action was necessary, who researched the case or who added evidence. In presenting the case, decision-makers can even show how data was applied to and processed by the Haystax insider threat behavioral model, a level of analytic transparency that opaque machine-learned models cannot readily match.
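To make the handoff, redaction and audit properties described above concrete, here is an added example in Python. It is not Haystax code; the class names, the `SUBJ-` token format, the `senior_manager` role and the sample badge, DLP and HR events are all constructed for illustration. It models a case package that carries every event, note and evidence item from Level 1 to Level 2 to management, pseudonymizes identifying fields with role-gated unredaction, and keeps a hash-chained audit log so that a note rewritten after the fact is detectable.

```python
"""Toy insider-threat case-management model (illustrative, not Haystax code).
Assumed names: Pseudonymizer, Case, the SUBJ-xxxx token format and the
senior_manager role. Sample events and the subject record are constructed."""
import hashlib
import json
from dataclasses import dataclass, field

PII_FIELDS = ("name", "title", "email")
GENESIS = "0" * 64


class Pseudonymizer:
    """Swap PII values for stable alphanumeric tokens; the reverse map is
    held apart from the case so only an authorised role can use it."""

    def __init__(self):
        self._forward, self._reverse = {}, {}

    def tokenize(self, value):
        if value not in self._forward:
            token = "SUBJ-" + hashlib.sha256(value.encode()).hexdigest()[:8].upper()
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def redact(self, record):
        return {k: (self.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}

    def unredact(self, token, actor_role):
        # Unredaction is the one privileged operation: gate it by role.
        if actor_role != "senior_manager":
            raise PermissionError(f"role {actor_role!r} may not unredact")
        return self._reverse[token]


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


@dataclass
class Case:
    case_id: str
    subject: dict  # already redacted
    level: int = 1
    status: str = "open"
    events: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    evidence: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, actor, action, detail):
        # Append-only entry chained to the previous one's hash.
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"seq": len(self.audit), "actor": actor, "action": action,
                 "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def add_event(self, actor, event):
        self.events.append(event)
        self._log(actor, "add_event", event)

    def add_note(self, actor, text):
        self.notes.append({"by": actor, "text": text})
        self._log(actor, "add_note", text)

    def add_evidence(self, actor, filename, sha256):
        self.evidence.append({"file": filename, "sha256": sha256})
        self._log(actor, "add_evidence", {"file": filename, "sha256": sha256})

    def escalate(self, actor):
        self.level += 1
        self._log(actor, "escalate", {"to_level": self.level})


def verify_audit(case):
    """Recompute the chain; an edited, dropped or reordered entry breaks it."""
    prev = GENESIS
    for i, entry in enumerate(case.audit):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def run_example():
    """Level 1 builds the package, Level 2 adds context, management gets it whole."""
    pz = Pseudonymizer()
    subject = pz.redact({"name": "Jane Doe", "title": "Finance Analyst",
                         "email": "jane.doe@example.com", "dept": "Finance"})
    case = Case(case_id="CASE-0001", subject=subject)
    l1, l2 = "analyst_l1", "analyst_l2"
    case.add_event(l1, {"src": "badge", "ts": "2018-10-20T23:41Z", "detail": "entry after hours"})
    case.add_event(l1, {"src": "dlp", "ts": "2018-10-20T23:58Z", "detail": "2.1 GB copied to USB"})
    case.add_event(l1, {"src": "hr", "ts": "2018-10-22", "detail": "improvement plan opened"})
    case.add_note(l1, "Pattern consistent with data exfiltration; escalating.")
    case.add_evidence(l1, "usb_copy_listing.csv", hashlib.sha256(b"constructed").hexdigest())
    case.escalate(l1)  # hand-off to Level 2, package intact
    case.add_note(l2, "Listing contains customer PII; escalate to management.")
    case.escalate(l2)  # hand-off to management / HR
    return case, pz


def tamper_demo():
    """Rewrite the Level 1 note in the log after the fact; verification must fail."""
    case, _ = run_example()
    case.audit[3]["detail"] = "Nothing to see here."
    return verify_audit(case)


if __name__ == "__main__":
    case, pz = run_example()
    print(case.subject, case.level, verify_audit(case), tamper_demo())
```

The subject reaches management as a `SUBJ-` token with the department left in clear; only a `senior_manager` call to `unredact` recovers the name. Each hand-off carries the full `events`, `notes` and `evidence` lists, and `verify_audit` is what a decision-maker would run before presenting the case.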

If your organization is looking for an insider threat mitigation tool that truly streamlines SOC operations from start to finish, it’s important to ask this simple question of every vendor: “Once my team has done its research and needs to escalate the case, then what?” Most of the time, the reply will be: “However you’re doing it now.”

To truly make your SOC more efficient and cut down on alert fatigue, make sure that your next insider threat solution provides not just a way to get all the relevant data in, but also more fully harmonized response workflows and smoother case handoffs across that critical last mile. Your analysts will thank you.

# # #

Erik Miller is Technical Project Manager at Haystax Technology, a Fishtech Group company.