With the threat landscape evolving at an unprecedented rate, real-time monitoring to provide visibility of security events is essential.
We asked Roger Bell, Head of Content, to tell us about the important work that happens behind the scenes to optimise the technology we use to deliver our ThreatDetect™ MDR service and protect our clients 24/7.
Can you briefly outline your role?
I manage Redscan’s Content Team, which is responsible for developing and delivering security content for technologies that we deploy as part of our MDR service. The primary technologies that we leverage are SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) solutions.
Tell us about the type of content you create
I’m responsible for overseeing the creation of a wide range of content. This typically includes threat detection rules, parsers, API clients, response actions and automated reports.
Threat Detection Rules
A threat detection rule (aka “use case”) is a set of logical conditions used to identify potentially malicious behaviour. Each rule evaluates data ingested by SIEM and/or EDR platforms, raising an alert when a potentially malicious pattern of events is identified. Alerts are reviewed by our security operations centre team, or in some cases are used to trigger automated responses. Redscan has developed in excess of 1500 proprietary use cases, a key differentiator of our service.
For threat detection rules to work in an efficient manner whilst consuming thousands of events per second, we first need to transform data into a common schema. This is the purpose of parsers, which use regular expressions to extract values of interest. By normalising heterogeneous data into a common schema, parsers facilitate threat detection, response, hunting, investigations and reporting.
There is often demand to monitor cloud-based data sources that aren’t natively supported by existing SIEM and EDR tools. We’re responsible for developing API clients that ingest these data sources and transform them into a format which can be parsed for ingestion.
A response action could be defined as anything beyond an alert notification. Response actions are triggered by threat detection rules and they can be invoked manually or automatically where the risk/reward ratio is appropriate to do so.
Actions can vary significantly in impact. For instance, when an account is created, that username might be added to a watchlist which is used by another threat detection rule that monitors for suspicious behaviours exhibited by new accounts. If ransomware is identified, the device might be isolated, the process terminated and/or the malware deleted.
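As an added illustration (not Redscan's code; the log lines, field names and the "watchlisted new account logging on from more than one source IP" rule are all constructed for this example), here is a regex parser that normalises two unrelated raw formats into one schema, followed by the chained watchlist rule described above:

```python
import re
from collections import defaultdict

# Constructed sample events in two heterogeneous formats: a Windows-style
# key=value audit record and a syslog-style sshd line. Not real product output.
SAMPLE_EVENTS = [
    "EventID=4720 TargetUserName=svc_backup SubjectUserName=admin Host=DC01",
    "EventID=4624 TargetUserName=svc_backup LogonType=10 IpAddress=10.0.0.5 Host=WS07",
    "Jan 10 03:12:00 srv1 sshd[2211]: Accepted password for alice from 10.0.0.9 port 5022 ssh2",
    "EventID=4624 TargetUserName=svc_backup LogonType=10 IpAddress=10.0.0.6 Host=WS08",
]

# Parsers: each regex maps one raw format onto the common schema
# {event, user, src_ip, host}; named groups do the field extraction.
PARSERS = [
    ("account_created",
     re.compile(r"EventID=4720 TargetUserName=(?P<user>\S+) .*Host=(?P<host>\S+)")),
    ("remote_logon",
     re.compile(r"EventID=4624 TargetUserName=(?P<user>\S+) LogonType=10 "
                r"IpAddress=(?P<src_ip>\S+) Host=(?P<host>\S+)")),
    ("remote_logon",
     re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \w+ "
                r"for (?P<user>\S+) from (?P<src_ip>\S+)")),
]

def normalise(raw):
    """Map a raw log line onto the common schema, or return None if no parser matches."""
    for event, pattern in PARSERS:
        match = pattern.search(raw)
        if match:
            record = {"event": event, "user": None, "src_ip": None, "host": None}
            record.update(match.groupdict())  # only the groups this parser defines
            return record
    return None

def run_rules(raw_events):
    """Rule 1 (response action): a newly created account goes onto a watchlist.
    Rule 2 (detection): a watchlisted account logging on from a second source IP raises an alert."""
    watchlist, logons, alerts = set(), defaultdict(set), []
    for raw in raw_events:
        rec = normalise(raw)
        if rec is None:
            continue  # unparsed lines are skipped, not silently matched
        if rec["event"] == "account_created":
            watchlist.add(rec["user"])
        elif rec["event"] == "remote_logon" and rec["user"] in watchlist:
            logons[rec["user"]].add(rec["src_ip"])
            if len(logons[rec["user"]]) > 1:
                alerts.append({"user": rec["user"], "src_ips": sorted(logons[rec["user"]])})
    return watchlist, alerts

if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
```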
We develop reports for certain types of activity which are low impact but high frequency. These are observations that, individually, would cause alert fatigue if reported to our Security Operations Centre or directly to clients. Examples of these types of activities include account modifications or threats blocked by a firewall.
The reports we create are typically generated and shared with customers on a daily or weekly basis.
Is there such a thing as typical day in your job?
Most days involve developing new content as part of a project and tuning existing content to optimise performance. Customer environments change all the time. As a result, a threat detection rule or parser may become less effective over time. Tuning enables us to reduce false positives/negatives and ensures that we continue to deliver the best security outcomes to our clients.
We’re in frequent contact with other stakeholders across the business to understand the impact and effectiveness of the content we develop. These stakeholders include members of our SOC, Engineering and Threat Intelligence teams. We also collaborate closely with our Red Team, who help us to test rule sets and identify new attacker techniques.
The offensive security knowledge across Redscan is great and helps us to ensure that the content is as effective as possible at identifying and responding to the latest threats.
How do you integrate with the wider engineering team?
The Content Team evolved from Engineering so we work very closely together. We liaise with engineers to understand how SIEM and EDR technologies are performing in relation to content in development.
It’s our responsibility to ensure that all the content we create is using resources efficiently and does not degrade the performance of security tools.
How do you use MITRE ATT&CK?
The threat detection rules we create are mapped to the MITRE ATT&CK framework. This helps us to identify gaps in coverage and areas for development. Our colleagues in Sales and Engineering use this data to produce ATT&CK Navigator layers and explain to clients the level of coverage they will receive based on certain data sources. This helps our customers prioritise data sources according to likely outcomes.
What goes into building use cases?
To build an effective use case, it’s important to understand what malicious behaviour looks like in the monitored data. Our Threat Intelligence Team reports on techniques which have been observed in the wild. Alternatively, our Red Team might demonstrate a technique that we want to create rules around/adapt to. Either way, a set of logical conditions can be developed to identify particular techniques, tactics and procedures (TTPs). When critical exploits are published, we need to move fast to ensure that detections are in place.
The Content Team is often challenged to develop use cases for new data sources. We need to understand what a data source is doing, where it exists in a customer’s estate, which services are live/enabled and the quality of data being generated. Gathering this information helps us to understand the art of the possible. Our customers, vendor documentation and parsing rules are all helpful resources in this scenario.
Once a data source is understood, we cross reference it against the MITRE ATT&CK framework to understand which techniques the data source could be used to detect and mitigate. Once a data source has been mapped to ATT&CK, we design the use cases as a set of logical conditions. When the designs are complete, the use cases are created in a test environment where their performance is evaluated.
Tuning is often required to address false negatives or positives. For example, additional key-value pairs might need to be normalised or a process might have to be whitelisted. Once we have fully tested and optimised the use cases they can be rolled out across our client-base.
What do you find most rewarding about your role?
When your use case identifies a true positive, it’s very satisfying. I regularly check our CyberOps threat management platform to assess whether a use case has fired and to see the outcome of an investigation. It’s rewarding when you see a rule has mitigated an attack against a customer environment. In recent months we’ve stopped threat actors that have made headlines elsewhere.
Tell us about your career path
After 12 years in investment banking, selling and trading commodities, I decided it was time for a career change and was attracted to the idea of working in cyber security. I completed two Master’s degrees: Computing and Information Technology (St Andrews), followed by Cyber Security Engineering (Warwick). After that, I worked at BT as a SIEM Engineer and then started at Redscan as a Security Engineer before moving into my current role.
What advice would you give to people looking to work in this area of cyber security?
Some SIEM and EDR vendors offer free community editions which you can install at home. Monitoring your own devices and building use cases and parsers is a really good way to develop highly relevant skills for this kind of career.
Uploading your work on GitHub or social media is a great way to showcase your skills and will help to engage prospective employers. If there’s something you’re proud of, at Redscan we’re always interested in hearing from candidates that have a passion for security.