The move toward an integrated, automated security operations cycle is an inevitable progression in security operations.
Organizational security operations are fraught with various 「uncertainties」:
An expansive and intricate cybersecurity defense stack increases the workload for security teams, prompting 「uncertainty」 about whether it is generating added value.
In the absence of real-world attacks, there is 「uncertainty」 surrounding whether deployed security controls are effectively fulfilling their intended roles.
Despite substantial investments in cyber security, there remains 「uncertainty」 about whether the organization has obtained adequate returns.
The Development Trend of Security Operations
More and more organizations are striving for excellence in their security operations capabilities, aiming to transition from reactive “firefighting” to proactive defense. They seek to enhance their detection capabilities during the active stage of an attack, striving to detect and kill attack chains before they cause damage.
By conducting security validation, organizations can transform 「uncertainty」 into 「certainty」, shifting from a 「reactive」 to a 「proactive」 operating style. This closes the security operations cycle and enhances security operations capabilities.
The three key capabilities for building a complete security operations cycle
Security Operations Center (SOC)
For organizations in the early stage of building a mature Security Operations Center, we help identify failure points, assess coverage, and address operational issues across the cybersecurity defense stack. This ensures that the operations platform receives alerts accurately and promptly, supports validation and optimization of the current detection rules, and adds more use cases and correlation rules.
Incident Response Team
Following the initial setup of the Security Operations Center, organizations need to establish an incident response team. We help optimize the incident response process, enhance the team's skills for responding to real attack incidents, and reduce the mean time to detect and respond (MTTD and MTTR) when facing actual hacker attacks.
Proactive Defense
Once the incident response system and processes are refined, the goal for organizations is to shift towards proactive defense. We assist organizations at this stage by validating their threat hunting capabilities against threats hidden among the large volume of weak or medium-strength attacker signals. This helps reduce alert noise, enhances the correlation analysis capability of the operations platform, and enables rapid identification of attacker positions so their attack chains can be killed.
Security Operations Cycle Validation from Different Dimensions
We summarize the validation into three models and four stages. It continuously tests and validates the effectiveness of the cybersecurity defense stack, and enhances operational capabilities based on the validation results.
Three models of Validation
Continuous Routine Validation
Select typical attack TTPs for different security controls to validate that defense levels remain consistent before and after strategy changes and rule updates. Ensure the "Block -> Alert -> SOC -> Response" chain operates smoothly without breakpoints.
Daily
Key Security Zone Capability Validation
Validate the cybersecurity defense capabilities of components related to key business applications (web servers, middleware, databases, open-source components, etc.) using typical and the latest related TTPs, and ensure that key security zones maintain their defense levels continuously.
Weekly
Security Defense Scenario Validation
Validate the response of multiple security controls, and of security operations and response teams, to typical attack scenarios involving full attack chains, multiple attack types, and real threat groups (e.g. APT, UNC, FIN and TEMP groups, ransomware gangs). Users can also customize scenarios according to their actual situation.
Monthly & Quarterly
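As an added example (not part of this page or the vendor's tooling), the following Python sketch shows how the 「Block -> Alert -> SOC -> Response」 chain from a routine validation run can be checked for breakpoints per replayed TTP, and how MTTD and MTTR are derived from the resulting timestamps; the stage names, record layout and sample runs are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Stages of the "Block -> Alert -> SOC -> Response" chain, in the order each
# replayed TTP should trigger them (attribute names are assumptions here).
CHAIN = ("blocked", "alerted", "soc_ticket", "responded")

@dataclass
class ValidationRun:
    """Timestamps observed for one replayed TTP; None means the stage never fired."""
    ttp_id: str
    executed_at: datetime
    blocked: Optional[datetime] = None
    alerted: Optional[datetime] = None
    soc_ticket: Optional[datetime] = None
    responded: Optional[datetime] = None

def first_breakpoint(run: ValidationRun) -> Optional[str]:
    """First chain stage that did not fire, or None if the whole chain held."""
    for stage in CHAIN:
        if getattr(run, stage) is None:
            return stage
    return None

def mean_minutes(runs, start: str, end: str) -> Optional[float]:
    """Mean minutes from `start` to `end` over runs where both stages fired."""
    deltas = [(getattr(r, end) - getattr(r, start)).total_seconds() / 60
              for r in runs
              if getattr(r, start) is not None and getattr(r, end) is not None]
    return sum(deltas) / len(deltas) if deltas else None

def summarize(runs):
    """Per-TTP breakpoints plus MTTD (execution -> alert) and MTTR (alert -> response)."""
    return {"breakpoints": {r.ttp_id: first_breakpoint(r) for r in runs},
            "mttd_min": mean_minutes(runs, "executed_at", "alerted"),
            "mttr_min": mean_minutes(runs, "alerted", "responded")}

# Constructed sample data: three ATT&CK techniques replayed on one validation day.
def T(h, m): return datetime(2024, 1, 1, h, m)
SAMPLE_RUNS = [
    ValidationRun("T1059.001", T(9, 0), T(9, 0), T(9, 2), T(9, 10), T(9, 30)),  # intact chain
    ValidationRun("T1021.002", T(10, 0), T(10, 0)),                            # blocked, no alert
    ValidationRun("T1003.001", T(11, 0), T(11, 0), T(11, 4)),                  # alert never ticketed
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RUNS))
```

A run whose breakpoint is anything other than None is exactly the kind of silent gap between a control and the SOC that routine validation is meant to surface.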
Four Stages of Validation
Stage 1
Boundary
Validate the coverage and capabilities of boundary defense.
Stage 2
Internal
Validate the capabilities of all internal single security controls.
Stage 3
Operation platform
Validate the capabilities of the current security operation platform and SOAR platform.
Stage 4
Personnel and Processes
Simulate practical attacks and trigger response activities to validate the capabilities of operational personnel and response processes.
What Support You Can Receive from Cybersecurity Validation
Planning
Define the validation scope, clarify roles and responsibilities, and obtain authorization.
Execution
Conduct coverage detection on all domains within the validation scope and compile the results. Test the WAF protection capability on protected domains and compile the results.
Analysis & Optimization
Analyze the results based on the client's actual business environment and prioritize remediation.
Remediation
Propose actionable mitigation suggestions. Remediate issues that are fixable and provide detailed attack analysis to third-party vendors so they can update their threat detection rules.
Revalidation
Revalidate the remediated items. Provide comparative results between pre- and post-remediation testing and generate a validation report.
Summary and Automation
Deploy continuous validation and conduct retrospective analysis.