How does the CyberProof Defense Center (CDC) – a Security Orchestration, Automation, and Response (SOAR) platform – help organizations maintain a more effective cyber security strategy and respond to threats more effectively? And how does the CDC’s virtual analyst, SeeMo, assist in the day-to-day work of security operations? In this interview, cyber security analyst Hen Porcilan gives us unique insights into what it’s really like to work at CyberProof.
As a security analyst, how has working with the CDC changed how you identify and respond to threats?
Prior to joining CyberProof, I worked for a large bank, where – as in many other large organizations around the world – the security operations center (SOC) team used a platform that receives alerts exclusively from a SIEM platform. This is dramatically different from what takes place here at CyberProof, where the CDC handles a much broader range of data and activities, saving time by doing many actions automatically and providing reports that summarize important results.
Can you give us some specific examples of how working with the CDC is different than other environments?
One important point relates to automated alerts and enrichment. Here at CyberProof, the process of handling alerts is different.
In traditional systems, there were three actions I needed to do for each alert in order to gain context and learn more about the severity and nature of an alert. Using the CDC, in contrast, SeeMo takes care of these same activities automatically, displaying the alerts together with the enrichment it collected.
At CyberProof the alert information I receive is already valuable to me as an analyst because it’s easier for me to understand the context of an alert, and to gain insight into its significance. This not only saves me time but also allows me to prioritize faster and more effectively. And because the actions done by SeeMo are continually updated, the information is always accurate and reliable – meaning, the information is even more reliable than when I was looking up the information manually.
Does the CDC allow an organization to integrate multiple tools efficiently?
Yes, the CDC provides a holistic view through a single pane of glass. I’ll give you an example. In most other SOCs, the enrichment process requires manual combing through external sources – while at CyberProof, enrichment is done within the CDC platform itself. The process is handled by SeeMo and all of the information that SeeMo uncovers appears automatically in a common ChatOps channel that is available for analysts and customers alike.
The fact that this is all done internally and is displayed in a single pane of glass saves me time and helps me concentrate on the alert at hand by cutting out the need to look through other external sources in order to conduct research.
In your experience, does working with the CDC reduce the possibility of human error?
One of the advantages of the CDC is that it offers consistent, comprehensive, searchable records and documentation.
Where I used to work, a lot of information was lost – because it was all done manually. For example, sometimes I would check out an external site and neglect to formally document it. Sometimes I missed something or copied part (but not all) of the necessary information.
Using the CDC, in contrast, the ChatOps channel records everything, 100% of the time, including all of the enrichments done by SeeMo. And it is all easily searchable. If I wanted to search an IP’s reputation in VirusTotal, for example, with the legacy system I would have to do it manually – while in the CDC, I can ask SeeMo to conduct external queries for me and it’s automatically documented.
How does the CDC help you monitor each customer’s unique IT environment and respond effectively to alerts?
The CDC is integrated into the IT ecosystem of each customer. This is crucial because using the old system, if I wanted additional information about a customer’s corporate environment, I would need to query each of the relevant databases to find the necessary information.
At CyberProof, in contrast, we are fully integrated with the corporate IT environment of each customer. I can get the information I need and access the relevant databases that help me understand what is really going on – all within the CDC.
Does the CDC have an impact on the organization of the SOC – on the human resources level?
The CDC optimizes human analyst resources. At my former place of work, I worked with two additional analysts during each shift. In contrast, here at CyberProof, I work on my own – together with SeeMo.
I am more productive than I could ever have been. That’s because SeeMo magnifies the capabilities of each analyst, contributes to the process of conducting cyber security risk assessment, and helps me do my job faster.
Does the CDC help an organization to be more scalable?
Definitely – the CDC helps an organization grow and allows it to be increasingly scalable, from several perspectives. I’ll illustrate this with one example: In my previous workplace, we relied on whatever had been documented by other analysts who worked there before us. I would have to look up processes and procedures that were documented in Word files, and they weren’t always up to date. The truth is that sometimes – especially if we were tight for time – I was tempted to skip some of the steps or recommendations that were defined.
With the CDC, in contrast, there are standardized playbooks within the system. The CDC tracks the activities of each of the analysts, ensuring that the procedures defined in the playbooks are followed consistently, step by step, every time. This creates greater consistency, which cuts the risk of human error – ensuring every contingency is handled.
Let’s say you’re reviewing multiple alerts that have come in. How do you decide which one to handle first?
With the CDC, the customer SLA of each alert is clearly displayed – which gives me an indication of its priority level. Alerts are automatically sorted based on Severity Level and have indications of SLA priority, so I always know which one to handle first.
This information about prioritization was not easily available using the old system. I had to handle the alerts as they came in – or according to whatever prioritization seemed most logical to me.
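The triage rule described in the answer above (sort by severity, with the customer SLA shown against each alert so the analyst knows what to pick up first) can be illustrated with a small queue model. This is an added example written for this page, not CyberProof's or the CDC's own code; the severity ranks, the SLA minutes, the "at risk" threshold of 25% of the SLA window and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed ordering of severity labels: lower rank is handled first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed threshold: when less than a quarter of the SLA window remains, flag it.
AT_RISK_FRACTION = 0.25


@dataclass
class Alert:
    alert_id: str
    severity: str
    received_at: datetime
    sla_minutes: int  # customer SLA: minutes allowed before the alert must be handled

    def sla_deadline(self) -> datetime:
        return self.received_at + timedelta(minutes=self.sla_minutes)

    def minutes_remaining(self, now: datetime) -> float:
        # Negative when the SLA deadline has already passed.
        return (self.sla_deadline() - now).total_seconds() / 60.0


def sla_status(alert: Alert, now: datetime) -> str:
    """Return the SLA indication shown next to an alert: breached, at_risk or ok."""
    remaining = alert.minutes_remaining(now)
    if remaining < 0:
        return "breached"
    if remaining <= AT_RISK_FRACTION * alert.sla_minutes:
        return "at_risk"
    return "ok"


def triage_order(alerts: list[Alert], now: datetime) -> list[Alert]:
    """Most severe first; within the same severity, least SLA time remaining first."""
    return sorted(
        alerts,
        key=lambda a: (SEVERITY_RANK[a.severity.lower()], a.minutes_remaining(now)),
    )


def triage_report(alerts: list[Alert], now: datetime) -> list[tuple[str, str, str]]:
    """Ordered work list of (alert id, severity, SLA status) for the analyst."""
    return [(a.alert_id, a.severity, sla_status(a, now)) for a in triage_order(alerts, now)]


# Constructed sample queue; timestamps and SLAs are invented for illustration.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_ALERTS = [
    Alert("A1", "low", datetime(2024, 1, 1, 11, 0), 30),        # deadline 11:30, already missed
    Alert("A2", "high", datetime(2024, 1, 1, 11, 50), 60),      # deadline 12:50, 50 min left
    Alert("A3", "high", datetime(2024, 1, 1, 11, 25), 45),      # deadline 12:10, 10 min left
    Alert("A4", "critical", datetime(2024, 1, 1, 11, 58), 120), # deadline 13:58, 118 min left
]

if __name__ == "__main__":
    for alert_id, severity, status in triage_report(SAMPLE_ALERTS, NOW):
        print(f"{alert_id:4} {severity:9} SLA: {status}")
```

Note that the sort is severity-first, matching the interview: a breached SLA on a low-severity alert is surfaced as an indication rather than silently jumping the queue. A SOC that wants breached SLAs escalated regardless of severity would add the status to the front of the sort key; that is a policy decision for the customer, not something this example decides.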
Can you tell us a bit more about how SeeMo, CyberProof’s virtual analyst, has an impact on your work?
Using legacy systems, if I received an alert from an antivirus software program regarding a particular endpoint, I had to run a scan of that specific endpoint manually.
With the CDC, this is handled automatically, because SeeMo’s activities include the automation of initial mitigation activities. If there’s an alert regarding an endpoint, SeeMo automatically scans the specific endpoint and provides a full report of the results. This facilitates a faster response.
Moreover, here at CyberProof, we’re currently working on some new features that will further automate and expedite the process of handling alerts. For example, SeeMo will provide recommendations for further action that will help the analyst make decisions about next steps or, in some cases, will implement actions automatically.
If you would like to learn more about the CDC and speak to an expert about your organization’s cyber security needs, please contact us!