Just because you work in a security operations center (SOC) doesn’t mean you have to waste your time chasing dragons. And by “dragons,” we mean the traditional SOC’s difficulty identifying cyberattacks that originate in the black box of the application layer.
The analogy comes from Will Derksen — Contrast Security Sales Engineer and a former SOC senior analyst who has managed security for tens of thousands of users — who figured out how to stop the frustrating waste of time. Manually slogging through alerts, investigation and triage "was literally chasing a dragon," Derksen said — a grueling chore, particularly when it comes to threats originating from applications and application programming interfaces (APIs).
As Derksen notes, one thing that would have saved him “an enormous amount of time” would have been “being able to stop threats further up the chain." He’s speaking about attack chain disruption, with earlier detection in the attack life cycle of the MITRE ATT&CK matrix leading to a reduced mean time to detect (MTTD) attacks, breaches and threats.
Before we get to Derksen’s realization that it’s possible to jump off the wearisome dragon hunt, let’s start with the time-consuming reality of how traditional SOC incident response hinders fast incident detection and response:
The challenges that bog down traditional SOC incident response:
Overwhelming alert volumes leading to SOC alert fatigue
Derksen's team, like many SOCs, faced a constant barrage of alerts, leading to alert fatigue and delayed threat identification. “The full life cycle of the incident would generally start with an alert, usually from our endpoint tool,” he recalled. “Aggregated through the [security information and event management, or SIEM] … it would either auto-generate or generate a ticket or an incident in service, which we were leveraging heavily: both service management and change management. Kind of everything."
“Kind of everything” leads to a high volume of alerts triggering incidents, which of course leads to alert fatigue.
Manual investigation and triage
The alert volume led to SOC analysts spending excessive time manually sifting through logs and correlating data, slowing down critical response times and skewing the mean time to respond (MTTR) on which the SOC was measured, Derksen continues. "I would have to respond within a certain accepted period of time,” he notes — usually within 10 minutes.
The SOC was also measured on MTTD, the time until an incident was actually identified. After that, things got dirty, he says: "From there, the process was very manual in terms of having to kind of go out, probe other tools and probe the server for syslog information that would give me indicators of compromise [IoCs]."
Difficulty prioritizing active threats
Without clear visibility into application attack vectors, SOCs struggle to prioritize active threats, hindering their ability to contain breaches. This circles back to the “black box” situation Derksen referred to: "Sometimes [the alert] would come from a syslog, saying, ‘Hey, this is odd!’” (This was before everybody was leveraging artificial intelligence (AI) for anomaly detection, he noted.)
“This was a very manual type of process,” he says, highlighting the difficulty of discerning genuine threats from mere noise when you lack advanced analysis. “It was a black box, so to speak: We generally didn't have any relationship with the network or the application development team. Our software engineers were very much siloed, and kind of had their own processes."
Lack of visibility into the application layer
Information silos lead to a lack of visibility, making it difficult to prioritize threats, Derksen stresses. But lack of visibility is also caused by the fact that, while many SOC teams have tools to monitor network traffic and endpoint activity, they can’t see what's happening within the applications and APIs themselves. This blind spot leaves them vulnerable to attacks that exploit application vulnerabilities.
Traditional security solutions like web application firewalls (WAFs) attempt to address this gap, but they fall short. WAFs often rely on signature-based detection, making them ineffective against novel or complex attacks. They can also generate false positives, blocking legitimate traffic and disrupting business operations. Essentially, WAFs can’t analyze the application’s behavior and therefore struggle to differentiate between legitimate traffic and malicious activity, leading to either overblocking or underblocking.
Root cause analysis blind spots
The application-layer blind spots meant that the SOC would see only downstream events — as in, processes that would happen as a result of, well, something. “Sometimes we might have to pull specific network logs or look at firewall logs to see where the traffic actually originated, because we couldn't put 2 and 2 together with what we had in our current tool repertoire," Derksen says.
The result: the SOC had no idea how many attacks were actually coming in through the application layer. “Nope,” Derksen says. “It was hard for us to be able to manage that."
In other words, traditional SOC tools offer no root cause visibility into application- and API-based attacks.
"It's one of the things where you're so focused on the set of things that you're currently designated to do,” the former SOC analyst sums up. “And you're like, Oh, sh*t! There's this other thing. There's this other thing [i.e., the application layer] that I need to probably take a look at now."
Inefficient, prolonged incident postmortems
Derksen and his team found that postmortems were time-consuming and inefficient due to this lack of detailed attack data. Manual processes, limited visibility and difficulty correlating data meant that post-incident analysis was cumbersome — and likely incomplete. The lack of application-level data created a huge hole in any postmortem having to do with attacks involving applications or APIs.
Besides being inefficient, lack of visibility also hampered effective root cause analysis, thereby prolonging incident resolution, Derksen says. Fortunately, there was a way out of this mess: Contrast Application Detection and Response (ADR).
Contrast ADR: Enabling SOCs to neutralize threats faster
The average breakout time — i.e., the average time it takes an adversary to move laterally within a victim network after gaining access — was 62 minutes in 2023, according to the CrowdStrike Threat Hunting Report 2024.
Contrast Security empowers SOCs to become proactive defenders that can neutralize threats before they escalate into breaches. By embracing technologies like Contrast, organizations can reclaim their time and strengthen their security posture.
Contrast Security empowers SOCs to detect and respond to attacks earlier in the attack life cycle, reducing MTTD and enabling faster incident containment. By providing real-time visibility into application attacks, Contrast empowers SOCs with:
- MITRE ATT&CK early detection: ADR technology provides highly accurate alerts, with accelerated attack detection at the earliest stages of the MITRE ATT&CK chain, giving you a critical head start to reduce dwell time before attackers can establish a foothold.
- Focus on active threats: Contrast minimizes false positives, allowing analysts to concentrate on genuine, active threats.
- Streamlined investigation and triage: Contrast provides detailed contextual information about application attacks, accelerating investigation and significantly reducing triage time.
- Prioritize active threats effectively: ADR delivers real-time visibility into application attacks, alerting the SOC to threats as they emerge and enabling the SOC to prioritize active threats based on their potential impact.
- Rapid containment: ADR equips the SOC with the tools to swiftly isolate and contain application attacks, minimizing disruption and protecting critical applications and APIs.
- The means to provide immediate root cause analysis: Contrast provides the visibility needed to quickly determine the root cause of an attack, accelerating incident response.
- Improved incident postmortem processes: Detailed attack data enables efficient and effective postmortems, improving future incident response.
Contrast ADR: Slashing time for incident response
- Faster incident response: Accelerated attack detection and streamlined investigation enable SOCs to neutralize incidents earlier in the attack chain, minimizing potential damage.
- Increased analyst productivity: Accurate and clear contextual information frees up analysts to focus on critical incident response tasks.
- Reduced operational costs: Efficient incident response reduces the costs associated with breaches and security management.
- Fast attack containment: Rapid identification and prioritization of active threats enable SOCs to contain breaches more effectively.
Time is $$$
While remediation is essential, the SOC's immediate concern is detecting and containing active threats. As it is, the average cost of a breach was $4.88 million in 2024. The cost of a breach is $1.38 million lower when a breach is detected early.
Clearly, time is of the essence. With the cost of breaches now sky-high, the SOC doesn’t have the luxury of spending time probing tools and syslog information for indicators of compromise. Contrast ADR empowers SOCs to secure their applications by enabling earlier detection, accelerated incident response and more effective threat containment.
As Derksen has said before, if only he’d known ADR was possible when he was a SOC analyst. Instead of being paged at 3 a.m. to respond to a breach, he would have gotten a good night’s sleep … all the better to chase innovation instead of dragons.
Tired of wasting your time? Try Contrast today.