Page 223 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

and go a different way? Were they carrying anything that could be considered a threat? You just have to find that one messenger and hope that they didn’t get sidetracked or tasked with something else.

Organizations that stood up a static SOC quickly became overloaded with data and no context around this data. So, you decide to tune your instructions to the messengers and tell them to only report on what is going on outside the walls of the city.



Defending Troy with a Context-Driven Security Operations Center

The next day, the line of messengers is much shorter. That’s a good start, at least. Until they begin entering and reporting their observations.

Each one has a seemingly frightening message. There were groups that were beginning to assemble outside the city wall. Each group had a clear leader and it looked like they were planning something. Each leader was talking with their group, pointing to the city, looking down at a piece of parchment, perhaps a map, and drawing things in the dirt.

As the day goes on, the messengers keep coming, not in the same quantities, but all seeming to give the exact same report. You hear the same thing over and over and over again with no more information added to help you determine what, if anything, you should do about these groups gathering outside the city.

This is where we see the emergence of security tools and platforms that help provide context around all the data that was flooding in. This did help organizations begin to paint a better picture - maybe there is something going on that we need to pay attention to. Just like your messengers, you have alerts as far as the eye can see. And now, you’re beginning to worry that they are planning something, or even worse, something already got by the defenses and they are just waiting for a signal.

It makes a lot of sense to begin watching for suspicious activity within the walls again, not all activity, just anything that looks out of the ordinary. And probably time to equip the sentries with some armor and weapons to help defend against a possible breach.
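As an added illustration of the point above (this is example code written for this edit, not code from the article or from any vendor it describes), the script below takes a constructed stream of identical "messenger" reports and does the two things a context-driven SOC does that the static SOC did not: it collapses repeated alerts with the same signature, source and destination into a single finding with a count and a time window, and it enriches each finding with context the raw alert lacked, namely whether the source sits inside the walls and what the targeted asset is. The network ranges, asset names, alert signatures and priority rules are all assumptions chosen for the example.

```python
"""Collapse duplicate alerts and add context before deciding what to do about them.

Example code added to this page; the sample alerts, networks, asset table and
priority rules are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Context the static SOC lacked: what is "inside the walls" and which assets matter.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]                      # assumed internal range
ASSET_CONTEXT = {                                                # assumed asset inventory
    "198.51.100.5": "public-web",
    "10.0.1.20": "domain-controller",
}

# Constructed sample alerts: the same report arriving over and over, plus two that differ.
RAW_ALERTS = [
    {"ts": "2022-05-01T02:00:10Z", "sig": "recon.port_scan", "src": "203.0.113.10", "dst": "198.51.100.5"},
    {"ts": "2022-05-01T02:00:11Z", "sig": "recon.port_scan", "src": "203.0.113.10", "dst": "198.51.100.5"},
    {"ts": "2022-05-01T02:00:12Z", "sig": "recon.port_scan", "src": "203.0.113.10", "dst": "198.51.100.5"},
    {"ts": "2022-05-01T02:00:13Z", "sig": "recon.port_scan", "src": "203.0.113.10", "dst": "198.51.100.5"},
    {"ts": "2022-05-01T02:05:00Z", "sig": "recon.port_scan", "src": "203.0.113.10", "dst": "198.51.100.6"},
    {"ts": "2022-05-01T03:30:00Z", "sig": "lateral.admin_share_access", "src": "10.0.1.15", "dst": "10.0.1.20"},
]

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    """One de-duplicated alert plus the context needed to decide on it."""
    sig: str
    src: str
    dst: str
    count: int
    first_seen: str
    last_seen: str

    @property
    def src_inside_walls(self) -> bool:
        # Activity originating inside the perimeter is the "already got by the defenses" case.
        addr = ip_address(self.src)
        return any(addr in net for net in INTERNAL_NETS)

    @property
    def asset(self) -> str:
        return ASSET_CONTEXT.get(self.dst, "unknown")

    @property
    def priority(self) -> str:
        # Assumed triage rule: inside-the-walls activity first, then anything aimed at a known asset.
        if self.src_inside_walls:
            return "high"
        if self.asset != "unknown":
            return "medium"
        return "low"


def aggregate(alerts):
    """Merge alerts that share (signature, source, destination) into one Finding each."""
    findings = {}
    for a in alerts:
        key = (a["sig"], a["src"], a["dst"])
        f = findings.get(key)
        if f is None:
            findings[key] = Finding(a["sig"], a["src"], a["dst"], 1, a["ts"], a["ts"])
        else:
            f.count += 1
            # ISO-8601 timestamps with a fixed format compare correctly as strings.
            f.first_seen = min(f.first_seen, a["ts"])
            f.last_seen = max(f.last_seen, a["ts"])
    return list(findings.values())


def triage(alerts):
    """Return findings ordered by priority, then by how often they were reported."""
    return sorted(aggregate(alerts), key=lambda f: (PRIORITY_RANK[f.priority], -f.count))


if __name__ == "__main__":
    for f in triage(RAW_ALERTS):
        print(f"{f.priority:6} x{f.count:<3} {f.sig:28} {f.src} -> {f.dst} ({f.asset}) "
              f"{f.first_seen} .. {f.last_seen}")
```

Six raw alerts become three findings. The four identical port-scan reports collapse into one line with a count and a time window, and the single inside-the-walls event sorts to the top even though it was reported only once, which is the distinction the flood of identical messenger reports could never make on its own.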



Defending Troy with Managed Detection & Response (MDR)

The next day you give the new instructions to your sentries, and see to it that the supplies are delivered to help protect Troy. Messengers begin to arrive and let you know that sometime overnight, there was a delivery of wood and nails to the groups that were gathering off in the distance outside the city. Unsure of what the materials are for or who delivered them, it looks like the groups are beginning to work together. There is a clear leader among the different divisions, going back and forth between them and giving directions and orders.

Occasionally, a few individuals on horseback ride closer to the wall and the sentries fire arrows in response to deter the threat. The messengers are reporting this activity every time an arrow is fired. It looks like everything is working. You are successfully defending the city and keeping the threats out.




