Automating Onerous Security Operations Tasks

The cyber security staffing shortage has reached an unprecedented level of notoriety. You can't visit a tech-focused media site or attend a security conference without hearing that the industry needs some number of millions of new cyber security practitioners in the field within the next year. While those numbers are likely inflated, and sometimes self-serving in that industry insiders have a narrative to push, it is true that cyber security teams work long, hard hours, and that the work can feel like a never-ending battle. The number of threats and vulnerabilities keeps growing, and so does the number of systems and applications that require constant care and feeding by the security team to preserve confidentiality, integrity, and availability.

Bigger companies with greater resources, while they have more to protect, are better positioned to handle the continuous barrage. For one thing, enterprise organizations have a team of skilled cyber professionals rather than one person pulling double duty on IT operations and security. For another, if they need more tools or more staff, they usually have the resources to buy or hire them. The budget may not be as big as the CISO wants, but budget exists...somewhere.

Small- and medium-sized companies, on the other hand, are often in no position to buy security technologies that cost hundreds of thousands of dollars (or more), or to compete with bigger companies on salary. What security tooling they do have likely overwhelms its operators with telemetry and alerts. Yet every company, regardless of size, needs to be able to identify, protect against, and detect cyber incidents. If managing security operations is overwhelming for a big company, it is many times worse for a team of, say, two. Still, no number of people thrown at this work will ever be enough: there is simply too much ground for security analysts and operations professionals to cover manually.

A knack for finding breaches

Cyber Crucible, an intrusion response and analysis company based in Severna Park, MD, was founded because Dennis Underwood, its CEO and founder, had developed a knack for finding breaches and APT actors. As a computer science undergraduate, Underwood started an IT services business to help pay for college. Working with commercial customers while still studying gave him a leg up in the industry that would later translate into Cyber Crucible's platform.

Along the way, Underwood was deployed overseas with the National Guard, which gave him invaluable military experience. He then transferred schools, which put him in a position to compete in and win the National Collegiate Cyber Defense Competition, and was subsequently recruited by the NSA to do malware research and advanced analytics for intrusion analysis. After several years, Underwood left the NSA and found that every client, on hearing they had been the victim of an intrusion, wanted answers to the same questions: What did the threat actors steal? What are they doing inside our networks? How long have they been there?

Underwood realized that none of those questions had easy answers; producing them took weeks or months of work by intrusion detection and forensics experts. And though accepted industry practice was (and still is) to throw time, money, and people at post-breach analysis, Underwood wanted a better, more automated way to reach the answers faster and with greater accuracy.

Scaling with automation

“There is no way to scale security with people,” said Underwood during a recent briefing. “We started the company by building Cyber Crucible Core, which is a cloud-based platform that automates network traffic analysis and provides reporting.” Underneath Core sits Collectipede, a PCAP collector that sends “investigation bundles” up to Core for analysis. Collectipede can be deployed as a physical network appliance or as a virtual appliance.

Alongside Collectipede is AlertGlow which, as the name suggests, is the triage and alerting system that feeds into Core. “Our customers, which are mostly mid-sized companies, can’t absorb all the telemetry they’re receiving in their SOC,” said Underwood. “They, like every company regardless of size, need a ‘fire alarm’ to reduce the amount of noise and tell them what’s really important. At the same time, they also want to know the product is doing what it’s supposed to. So, in that sense, our analytic engine is a bit like an air bag: it’s there, it’s working, but you only know about it when something goes wrong, in this case, when we find something important.”

With AlertGlow deployed and triaging thousands of alerts, it is likely to surface endpoint anomalies. ZenSiphoner is an endpoint agent that captures and catalogs endpoint behavior indicative of an advanced malware infection. Once an infection is identified, it monitors and extracts key data as the breach unfolds, so that Core can analyze and learn what the threat actor is doing: the TTPs in use, which targets they are after, which usernames or credentials have been compromised, which encryption keys were used, and more. This is the data Underwood's former clients coveted, only Cyber Crucible takes a fraction of the time and human resources to find the answers.

Better over time

The entire platform is built on automation and machine learning, and Cyber Crucible holds a patent on network intrusion detection of covert channels based on offline network traffic. The company has also recently announced a new product, Ransomware Rewind, an automated ransomware decryptor born from watching customers struggle through ransomware events.

Though neither tool is limited to a specific industry segment, Underwood says most of the company's clients are SMBs; they are the ones who most need help determining “when the fire alarm is ringing.” More broadly across the industry, however, bigger SOC teams also report that they are under water. Conventional wisdom holds that automation and machine learning (or, more generally, advanced data analysis) is how cyber security will take on the talent shortage and improve over time. Cyber Crucible has a strong foundation for helping companies do more with less, and it was built by people who have felt the pain of traditional malware analysis, intrusion detection and response, and other onerous operations tasks firsthand.