Peter Schawacker, managing director of cybersecurity operations at Agio, has spent two decades developing security operation centers. A Silicon Valley software company, however, has turned what he learned about service delivery and SOC staffing on its ear.
Agio, a managed security services provider (MSSP) based in New York, in February took the wraps off a partnership with Respond Software, a 4-year-old Mountain View, Calif., firm that offers a robotic decision automation product. The MSSP has incorporated Respond Software's technology into its managed detection and response (MDR) service. About 60 clients have access to the technology and Agio plans to extend coverage to its entire customer base of some 300 companies over the next couple of years. The company works with financial services firms, healthcare organizations and payments enterprises.
The traditional model for providing intrusion detection and response was built around a multi-tier SOC, Schawacker said. Low-level analysts would filter through events, looking for indications of attacks. Incidents would then move up the chain to more-experienced analysts. That approach, although honed for years, has proven inadequate for handling today's threats, he noted.
The conventional SOC model "pits the least-experienced analysts against, sometimes, nation-state attackers who have an interest in not being detected," Schawacker explained. "We wanted to try to find a way to automate decision-making that occurs at the level 1, triage stage and get ahead of some of the more complex attacks."
Agio began looking at Respond Software, and its Respond Analyst product, in 2019. And while the software was new to the MSSP, the company's leadership wasn't. Schawacker said he was already acquainted with Respond Software's founders, having created a SOC practice around ArcSight, a security information and event management (SIEM) system from Hewlett Packard Enterprise (HPE). The software firm's founders previously worked at HPE.
Agio's partnership with Respond Software is non-exclusive, although the relationship is on somewhat different footing given the history among the executives. Dan Lamorena, vice president of marketing at Respond Software, also cited Agio's "cutting-edge" MDR service, an approach he said differs from what other companies provide in that market.
"Our relationship with Agio is deeper, but … our goal is to help all companies be more secure," Lamorena said.
Dealing with the anomalous
The MSSP began piloting Respond Software's technology in September 2019 and, based on early results, rolled out the MDR service to the initial group of clients in January 2020.
Schawacker said Respond Analyst has been able to sniff out attacks the company wouldn't be able to detect with other tools. Thus far, the software has provided early ransomware detection, identified what appeared to be some form of worm malware and caught phishing-based attacks as they attempted to extend access from compromised systems.
Respond Software's product reinforces Agio's SIEM and security orchestration, automation and response (SOAR) tools. SIEM is good at detecting clearly malicious activities, Schawacker noted, while SIEM, used in combination with SOAR, can investigate suspicious activities when intent is more in doubt. Respond Software, he added, deals with a third category of activity: anomalous occurrences that are new and novel or that develop slowly over a period of days, weeks or months.
So-called low-and-slow attacks might not trigger a SIEM, Schawacker said. They will also typically elude human analysts because they unfold over a period of time extending well beyond an employee's shift.
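To make the detection gap concrete, here is an added illustration (not code from Agio or Respond Software) of why a per-hour correlation rule misses low-and-slow activity that a longer observation window catches. The event layout, the two thresholds and the failed-logon records are all constructed for the example: one source hammers an account with a dozen failures in three minutes, the other spreads two failures a day across a week.

```python
"""Added example: a one-hour threshold rule versus a week-long window.

Nothing here is taken from a real SIEM product; the event tuples, the
source IPs (RFC 5737 documentation ranges) and the thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed failed-logon records as (timestamp, source_ip, user)."""
    t0 = datetime(2020, 1, 6, 9, 0, 0)
    events = []
    # Noisy brute force: 12 failures inside three minutes.
    for i in range(12):
        events.append((t0 + timedelta(seconds=15 * i), "198.51.100.7", "svc_backup"))
    # Low and slow: two failures a day, at 03:00 and 15:00, for seven days.
    for day in range(7):
        for hour in (3, 15):
            events.append((t0 + timedelta(days=day, hours=hour), "203.0.113.9", "jdoe"))
    events.sort()
    return events


SAMPLE_EVENTS = build_sample_events()


def sliding_window_alerts(events, window, threshold):
    """Return the set of source IPs that reach `threshold` failures inside
    any span of length `window`.

    The one-hour case is the shape of a typical SIEM correlation rule. The
    seven-day case is the span a patient attacker forces an analyst to hold
    in memory across many shifts.
    """
    by_source = defaultdict(list)
    for ts, src, _user in events:
        by_source[src].append(ts)

    alerts = set()
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Slide the left edge forward until the window fits.
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(src)
                break
    return alerts


def compare_rules(events):
    """Run the same threshold over a short and a long window and report
    which sources only the long window surfaces."""
    hourly = sliding_window_alerts(events, timedelta(hours=1), threshold=10)
    weekly = sliding_window_alerts(events, timedelta(days=7), threshold=10)
    return {
        "hourly": hourly,
        "weekly": weekly,
        "missed_by_hourly": weekly - hourly,
    }


if __name__ == "__main__":
    result = compare_rules(SAMPLE_EVENTS)
    print("hourly rule fires on:", sorted(result["hourly"]))
    print("weekly rule fires on:", sorted(result["weekly"]))
    print("missed by hourly rule:", sorted(result["missed_by_hourly"]))
```

The brute-force source trips both rules; the patient source never puts more than one failure in any hour and is only visible once the window covers the whole week. The caveat a practitioner would raise is the flip side: widening the window to seven days also sweeps in legitimate users who mistype a password a couple of times a day, so the long-window rule needs per-account baselines or a higher threshold to stay useful, which is the tuning problem the article says Agio is trying to take off the level 1 analyst's plate.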
Respond Software's offering acts as a virtual analyst, emulating a seasoned analyst's judgment and analyzing more data without adding personnel, according to the company.
"Most MSSPs and MDR [providers] are just throwing bodies at the problem and that just won't work," Schawacker said.
SOC staffing cost reduction
Schawacker said Respond Analyst is altering Agio's SOC staffing approach.
"We find level 1 isn't necessary anymore," Schawacker said. "The number of events that an analyst can handle is somewhere around 75 per hour. With Respond, we can … let it handle millions of events per hour and across longer spans of time. We can see, very easily, all of the various parts of an attack over time, instead of having to piece them together manually."
Schawacker said Respond Software keeps Agio's costs down because it reduces spending on analysts. In addition, the software lets the MSSP detect attacks more quickly and earlier in the kill chain, he added.
The virtual analyst software hasn't eliminated the need for other cybersecurity staples such as SIEM, Schawacker said. Respond Software, however, does let Agio tune its SIEM "much more tightly," so it only flags events appropriate for level-2 analysts, he noted.