© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

A Good Security Operations Center (SOC) should be enriching raw security telemetry and not just alerts.

I have worked with a few Security Operation Centers (SOC), but only a handful of high-caliber organizations seem to be doing the right thing for their customers. It also surprises me when I see organizations contract for SOC services, but they are only sending their security alerts to the organization for review. While this is okay for a Managed Detection and Response (MDR) outfit, the service provider should also receive and enrich raw telemetry from your endpoints. This raw telemetry is produced by many different endpoint software solutions, including Microsoft Defender for Endpoint, Carbon Black, SentinelOne, etc.

Any good SOC should not just receive security alerts but also the raw telemetry that is being produced by your security tooling. While receiving alerts is helpful for a pro-active managed detection and response service, the real value comes from an additional layer enrichment that may not be surfaced through the endpoint’s built-in rule engine.

What is raw security telemetry and why is it useful?

It is paramount in today’s security climate; with the high number of attacks taking place, you are sending the raw security telemetry to your provider so that they can ingest and surface these additional attack behaviors. Raw security telemetry is verbose logs generated from any system or user action on a machine. Attacks today are way more sophisticated than from years past. While malware may still be in the form of executables, it has also shifted to file-less base malware. Email phishing attacks may utilize web-based payloads to download additional malware. In addition, there may be user behaviors that are harmless individually but, when combined, are malicious. Once you have the configuration in place, the next task is to verify that the provider is receiving and generating alerts.

Check out the MITRE ATT&CK framework to learn more.

Microsoft Defender for Endpoint Raw telemetry

In Microsoft Defender for endpoint, when configuring the Streaming API, make sure you review the settings and have at least the following items checked off. In this example, we are not sending “Alerts” to the SOC provider as we handle those within our environment. Yet, we want to transmit the telemetry to enhance the data against their custom rules and secret sauce.

How to verify raw telemetry?

  • Option #1 Ask the provider if they are receiving the raw telemetry from your endpoint software
  • Option #2 If the provider can search their data-set, look for processes that ran in your environment to see if they exist in there..
  • Option #3 Test your SOC. Run a simulated attack against one of your endpoints and see if an alert is generated from your SOC provider. This is also an excellent way to test the capabilities of your endpoint software as well. Check out the Atomic Red Team Project created by the Red Canary SOC company to validate. These are platform agnostic tests, and they have many simulated attacks that can run on Windows, Linux, and macOS. It is a great project. Their attacks map to the MITRE ATT&CK framework as well. These tests are also handy to periodically test your security controls or validate claims of a security tool.
  • Option #4 Hire an outside company to perform an internal pentest.

If the provider produces no alert, this is a red flag. You should contact the provider and learn why this behavior/attack was not identified or raised as an alert. This test could shed light on a configuration issue within the data feed or something deeper such as the security level proficiency of the provider.