There has been a theme for a while that sorts security operations centers into two modes of operation: reactive capability, where the SOC purely reacts to what it sees, and proactive capability, where the SOC actively goes looking for threats. Nettitude’s SOC harnesses both reactive and proactive approaches, and builds on them by leveraging machine learning to provide predictive capability.
Why Reactive and Proactive capability are important
Many service providers imply that SOCs should focus only on proactive threat detection. At Nettitude we believe that a balance of reactive and proactive capability is essential.
Nettitude believes that a SOC should absolutely have reactive approaches to identifying threats. There are many examples of reactive capability having value, and the global WannaCry incident is a good one: a SOC needed to react rapidly to a worldwide ransomware outbreak. By identifying indicators of compromise quickly after the initial outbreak, service providers were able to build reactive logic into their detection capability that identified and contained the malicious activity as soon as it appeared. To our knowledge, no service provider proactively identified WannaCry before its release. Approaches that focused only on proactive threat detection would therefore have sorely missed the mark.
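The two capabilities in concrete form, as an added example that is not Nettitude's code: `match_iocs` is the reactive step (indicators arrive after an outbreak and are matched against telemetry), and `hunt_beacons` is the proactive hunt described in the next paragraph, which looks for abnormal traffic patterns without any indicator at all. All hosts, hashes, domains, IPs and timestamps are constructed for the example; they are not WannaCry indicators.

```python
"""Added example (not Nettitude's code): reactive IOC matching and a proactive,
log-independent hunt, run over constructed telemetry."""
import re
import statistics
from collections import defaultdict

# Constructed indicator set, not real WannaCry indicators: a file hash, a
# domain and an IP that a hypothetical threat feed reports as malicious.
MALICIOUS_SHA256 = "deadbeef" * 8
IOCS = {
    "sha256": {MALICIOUS_SHA256},
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.45"},
}

# Constructed key=value endpoint logs (hosts, paths and hashes are made up).
LOG_LINES = [
    "ts=2017-05-12T10:01:03Z host=ws-17 event=process_create "
    "image=C:\\Temp\\svc.exe sha256=" + MALICIOUS_SHA256,
    "ts=2017-05-12T10:01:04Z host=ws-17 event=dns_query "
    "dst_domain=update-check.example.net",
    "ts=2017-05-12T10:01:09Z host=ws-03 event=net_connect "
    "dst_ip=198.51.100.20 dst_port=443",
    "ts=2017-05-12T10:02:15Z host=fs-01 event=net_connect "
    "dst_ip=203.0.113.45 dst_port=445",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split a key=value log line into a dict."""
    return dict(KV_RE.findall(line))

# Which log field each IOC type is matched against.
IOC_FIELDS = {"sha256": "sha256", "domain": "dst_domain", "ip": "dst_ip"}

def match_iocs(lines, iocs=IOCS):
    """Reactive detection: return (line_no, ioc_type, value, host) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        for ioc_type, field in IOC_FIELDS.items():
            value = fields.get(field, "").lower()
            if value in iocs[ioc_type]:
                hits.append((n, ioc_type, value, fields.get("host")))
    return hits

# Constructed connection records (host, destination, epoch seconds). None of
# these destinations is on the IOC list, so reactive matching is blind here.
CONNS = [
    ("ws-17", "198.51.100.7", t) for t in (0, 61, 120, 181, 240, 299, 360)
] + [
    ("ws-03", "198.51.100.20", t) for t in (0, 5, 140, 147, 400, 402, 900)
]

def hunt_beacons(conns, min_count=6, max_cv=0.1):
    """Proactive hunt with no indicator: flag (host, dst) pairs whose
    connection intervals are suspiciously regular. The coefficient of
    variation (stdev / mean) of the gaps is near 0 for a timer-driven
    implant and large for human-driven traffic."""
    by_pair = defaultdict(list)
    for host, dst, ts in conns:
        by_pair[(host, dst)].append(ts)
    findings = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append((host, dst, round(mean), round(cv, 3)))
    return findings

if __name__ == "__main__":
    for hit in match_iocs(LOG_LINES):
        print("IOC hit:", hit)
    for finding in hunt_beacons(CONNS):
        print("Beacon candidate:", finding)
```

Run as-is it reports three indicator hits (the hash, the domain and the IP) and one beacon candidate, ws-17 calling 198.51.100.7 roughly every 60 seconds. The beacon finding is the point: that destination is on no feed, so only a hunt over traffic shape surfaces it. In practice the thresholds need tuning against the estate's own baseline, since legitimate agents (update checkers, monitoring) also beacon on a timer and must be allow-listed rather than alerted on.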
That said, there are incidents where reactive capability simply isn’t enough. Many types of attack generate no log data that a SIEM appliance or a SOC analyst can parse. It is therefore important that a SOC analyst or threat analyst performs threat hunting exercises to identify rogue processes, rogue behavior and abnormal traffic patterns. This proactive approach, which goes beyond conventional log analysis, is an essential characteristic of a modern security operations center.
So What is Predictive Capability?
Predictive capability arises when a security operations center can take log data, behavior data, and process and traffic analysis, and combine them with threat data and hunt findings in a large data lake. Nettitude has built the Threat2Alert technology platform, which harvests data from:
- Global Honeypot Network
- Localized client deception network (ThreatReceivers)
- Localized network traffic analyst engine (ThreatDetector)
- NG SIEM data
- Threat Hunting intelligence
- External Threat Feeds
The Threat2Alert platform is built on an extensible data lake that allows us to share real-time analytics and metadata across our next generation security operations center client base. The data lake aggregates large volumes of threat metadata and couples them to real-time machine learning and TTP prediction capability. This gives our SOC analysts the ability to predict attacks in our client estates based upon early warning indicators.
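What "early warning indicators shared across the client base" can look like at the data level, as an added example that is not Threat2Alert code and makes no claim about how that platform scores or correlates anything: sightings from a honeypot network and from internal decoys are aggregated into scores, and a source is alerted on the first time it touches a real client asset, before any payload has been logged. Every address, client name, region and timestamp is constructed; public IPs come from documentation ranges.

```python
"""Added example (not Threat2Alert code): an early-warning correlation of
the kind a shared threat data lake enables, run over constructed sightings."""
from collections import defaultdict

# Constructed honeypot sightings: (source_ip, honeypot_region, epoch_seconds).
HONEYPOT_HITS = [
    ("203.0.113.9", "eu-west", 100),
    ("203.0.113.9", "us-east", 160),
    ("203.0.113.9", "ap-south", 230),
    ("198.51.100.77", "eu-west", 300),
]

# Constructed hits on a client's internal decoy hosts:
# (client, source_ip, decoy_service, epoch_seconds).
DECEPTION_HITS = [
    ("client-a", "10.20.5.14", "smb-decoy", 400),
]

# Constructed contacts with real client assets, in time order:
# (client, source_ip, target_host, service, epoch_seconds).
CLIENT_EVENTS = [
    ("client-a", "203.0.113.9", "vpn-gw-1", "ssl-vpn", 500),
    ("client-b", "198.51.100.77", "mail-1", "smtp", 520),
    ("client-a", "10.20.5.14", "fs-02", "smb", 540),
    ("client-b", "203.0.113.9", "web-1", "https", 560),
]

HONEYPOT_WEIGHT = 1   # one point per distinct honeypot region a source probed
DECEPTION_WEIGHT = 5  # touching an internal decoy is a much stronger signal

def build_early_warning(honeypot_hits, deception_hits):
    """Aggregate sightings into scores. Honeypot scores are global (shared
    across the whole client base); decoy scores are kept per client, since a
    private source address such as 10.20.5.14 means nothing in another estate."""
    global_score = defaultdict(int)
    regions_seen = defaultdict(set)
    for ip, region, _ts in honeypot_hits:
        if region not in regions_seen[ip]:
            regions_seen[ip].add(region)
            global_score[ip] += HONEYPOT_WEIGHT
    client_score = defaultdict(int)
    for client, ip, _decoy, _ts in deception_hits:
        client_score[(client, ip)] += DECEPTION_WEIGHT
    return dict(global_score), dict(client_score)

def predict_alerts(global_score, client_score, events, threshold=3):
    """Raise an alert the moment a scored source touches a real asset, i.e.
    before any payload or post-exploitation activity has been logged."""
    alerts = []
    for client, src, target, service, ts in events:
        score = global_score.get(src, 0) + client_score.get((client, src), 0)
        if score >= threshold:
            alerts.append({"client": client, "source": src, "target": target,
                           "service": service, "score": score, "ts": ts})
    return alerts

def run_example():
    """Build scores from the constructed sightings and evaluate the events."""
    global_score, client_score = build_early_warning(HONEYPOT_HITS, DECEPTION_HITS)
    return predict_alerts(global_score, client_score, CLIENT_EVENTS)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Three alerts come out: 203.0.113.9 is flagged at client-a and again at client-b on the strength of honeypot sightings alone, which is the sharing the text describes, while the internal host that probed client-a's decoy is flagged when it moves to a real file server. The single-region scanner 198.51.100.77 stays below the threshold. Two caveats a practitioner would add before relying on this: scores need to decay with time so that a scanner seen months ago does not generate alerts forever, and honeypot-only scores say nothing about intent against a specific client, so the threshold for a honeypot-only alert should be set against the volume of internet background noise the honeypots actually see.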
To find out more about Nettitude’s Predictive SOC capability, or to understand how we can deliver SOC maturity services to deliver assurance across your current SOC solution, please fill out our contact form below and we'll be in touch.