Privacy is a core value when it comes to digital security. The dynamic pace of cybersecurity evolution stresses the importance of privacy protection, which involves safeguarding user identity and keeping data private, safe and secure when online. In this blog article, I would like to share my expertise gained through 20+ years in the field and as CISO at SOC Prime.
For the last 7 years in SOC Prime, we have found our own ways to communicate with customers, collect feedback, and combine products and services in the right and scalable proportion. While delivering professional SIEM and co-managed services for Fortune 500 and Global 2000 companies, we saw a lot of skillful approaches applied by cybersecurity engineers from various organizations and industries who successfully managed to build proper detection mechanisms regardless of limited resources at their disposal. Let’s draw an analogy with manufacturing history to explain the root cause of privacy concerns and ways to handle them.
Humanity came up with the right way to make goods as a result of a long history of attempts and mistakes. This journey started from handmade goods only for personal consumption, followed by crafting goods for sale in medieval markets, and reaching full-scale production for the mass market via automated manufacturing processes.
Taking this analogy, in terms of content development in the cybersecurity field, most enterprises are still in the Bronze Age, making in-house content out of sync with current threats. There are several reasons for that. First, the difficulty revolves around ownership, as it is hard to truly own something in a large enterprise. Thus, it is quite challenging to assume responsibility for making a wrong decision. Another challenge involves hiring and keeping mature experts, both due to a talent shortage of ~3 million people, as well as the fact that top experts often progress to specialized businesses. For example, an expert with strong malware research and reversing skills is likely to transition to an EDR vendor, so it requires a major effort to keep them in-house. The restrained budget and limited time on content development is another stumbling block.
Finally, when it comes to content development challenges, privacy concerns remain an issue. All options except in-house content development require third-party access to the organization’s sensitive data. At the same time, all kinds of logs and telemetry coming from edge, cloud, SaaS, and “crown jewels” applications contain sensitive data that is frequently subject to regulations and may often contain the company’s IP. As this data usually ends up in SIEM, log analytics and EDR silos, the access is often privileged and unrestricted. Still, available options in today’s market addressing this challenge require giving full access to a third party. If that third party is a well-established MSSP or MDR, the privacy concerns are less pressing, but quite often, content development is outsourced to startup-like third-party vendors that have a few dozen people on the team, including non-engineering positions, striving to protect the data of a Fortune-100 company “like their own”.
For organizations like government or federal agencies, it is nearly impossible to approve such third-party access to sensitive data. Here, I will try to shed some light on the existing privacy concerns and prove that the industrial revolution in content development has genuinely occurred. Privacy is no longer a stumbling block to the development of detection algorithms, including the automated processes.
First, let’s take a step back and agree on terms to be on the same page. An alert, signal or detection — whatever you name it — by its nature consists of a detection rule or hunting query (algorithm) applied to logs, telemetry, API information (data) with a certain result (outcome).
To make a high-quality rule from a privacy perspective, you should have access to SIEM / EDR / XDR / Data Analytics / Log Analytics / Threat Hunting Platform (hereinafter, Platform), as well as to a data source and to an alert outcome. No privacy concerns exist until you plan to involve a third party. By analyzing a large scope of rules across a variety of our customers, including their unique ways of processing alerts, we have built the following content development maturity model, which helps explain how SOC Prime mitigates privacy risks. This model contains four stages of content development maturity. The higher the stage, the more mature the content development process, as well as from the privacy protection perspective:
optional* — access is not required if the customer manually deploys content items.
The first stage of the described content development maturity model is the most susceptible to privacy risks. In addition to the customer’s privacy concerns, content development at the first stage also raises further challenges with the IP (Intellectual Property) rights, since content made in the customer’s infrastructure based on the customer’s logs belongs to the customer only. These challenges clearly explain why SOC Prime’s products and services cannot be delivered at the least mature and the most privacy vulnerable first stage. SOC Prime can work at the second stage by delivering co-managed services, but the crowdsourcing development model available at the third and fourth stages provides more maturity and greater privacy awareness. The highest content development maturity achieved at the fourth stage is what makes SOC Prime stand out from other cybersecurity vendors. We have already collected customer feedback for a significant period of time, allowing us to be less dependent on the customer feedback loop.
To dive deeper into the privacy concerns, I will explain next how we mitigate general privacy risks for our customers by illustrating the examples of SOC Prime’s core products and functionality. I’ll start from Uncoder.IO, one of SOC Prime’s pioneer projects and highly notable from a privacy perspective.
Uncoder.IO is the online Sigma translation engine for SIEM saved searches, queries, filters, API requests, which helps SOC Analysts, Threat Hunters, and Detection Engineers convert detections to the selected SIEM or XDR format on the fly.
We apply the following industry best practices to ensure data privacy protection for all users working with Unocoder.IO:
Uncoder CTI and its public version, CTI.Uncoder.IO, are online converter tools that make IOC-based threat hunting easier and faster. With Uncoder CTI, Threat Intelligence specialists and Threat Hunters can easily convert IOCs to custom hunting queries ready to run in the selected SIEM or XDR.
Unlike a standard Threat Intelligence Platform (TIP), Uncoder CTI allows grabbing IOCs from any feed or source. Just like Uncoder.IO, Uncoder CTI was designed with privacy in mind. Only the user running in each particular Uncoder CTI session has access to their IOC data. SOC Prime doesn’t collect any IOCs or their logs, and no third parties have access to this data.
Uncoder CTI addresses the privacy concerns as follows:
The world’s first platform for collaborative cyber defense, threat hunting and discovery provides security professionals with management tools for tracking threat detection effectiveness and data coverage using SIEM or XDR.
Log Source Coverage visualizes how the organization-specific log sources are covered by the SOC content from Threat Detection Marketplace, which allows tracking and orchestrating the overall threat detection program for the company. MITRE ATT&CK® Coverage displays the live progress in addressing ATT&CK tactics, techniques, and sub-techniques based on the explored or deployed detection content.
Both Log Source and MITRE ATT&CK® Coverage are designed to mitigate privacy risks with the following information protection means:
Shortly, we are going to enable exporting the coverage data to the CSV and JSON formats compatible with the MITRE ATT&CK Navigator tool. This capability comes in handy for security performers working offline in Excel or with the web-based MITRE ATT&CK Navigator tool.
Quick Hunt helps Threat Hunters visualize and hunt for the latest threats in their SIEM & XDR with a single click. Quick Hunt was designed according to the best practices of privacy protection, particularly:
The world’s first bounty-driven Threat Detection Marketplace for SOC content aggregates the most up-to-date Sigma-based threat detection content from over 300 researchers and natively delivers it via subscription to 20+ SIEM and XDR platforms. The SOC Prime Threat Detection Marketplace contains more than 130,000 detections aligned with the MITRE ATT&CK framework and continuously updated. To tailor the content search to the user’s security role and needs, the SOC Prime Threat Detection Marketplace offers a variety of customization settings and filters configured within the user profile. Still, this user profile customization based on the recommendation engine is optional.
The SOC Prime Threat Detection Marketplace sticks to the following best practices to ensure data privacy protection:
The Continuous Content Management (CCM) module powered by the SOC Prime’s Detection as Code platform streams compatible SOC content directly into the user’s environment. The CCM module automatically delivers the most relevant detection content in real time, freeing security teams to spend more time securing and less time hunting. To enable real-time content delivery and management and stay ahead of the curve, the CCM module was built following the proactive approach toward the CI/CD workflow development practice.
The CCM module mitigates the privacy risks in the following way:
Summing up, I would like to focus on the most crucial points related to the SOC Prime’s approach to privacy covering all the listed above technical controls and their efficiency verified by the independent audit. Achieving SOC 2 Type II compliance validates that SOC Prime has all the above mentioned technical controls in place for its cybersecurity solutions, business operations procedures, and technical infrastructure. All the projects are run by SOC Prime’s in-house team, ensuring no third-party access to the SOC Prime’s Detection as Code platform. Data encryption using industry standards and best practices, like AES-256 encryption algorithm for data encryption at rest and TLS 1.2 encryption protocol for data in transit, illustrates SOC Prime’s commitment to data security and privacy.
To explore in more detail how we adapt the privacy imperative at SOC Prime, please refer to https://my.socprime.com/privacy/.