So Many Alerts, So Few Insights: Moving The Focus To Awareness And Response
You’re under assault. Despite your best efforts — and significant investments in point solutions — to protect your organization from cyberthreats, the hits just keep on coming.
- Cybercrime reports to the FBI have multiplied by a factor of nearly four since Covid-19 took hold. The FBI’s Internet Crime Complaint Center now gets 3,000 to 4,000 reports per day.
- This year has seen a sevenfold increase in ransomware attacks over 2019, according to Bitdefender research (via ZDNet). In one instance this year, the University of California, San Francisco (UCSF), shelled out more than $1 million in bitcoin to recover its encrypted files from ransomware attackers. Many major companies have also fallen victim to ransomware. But ransomware attacks are not reserved for large organizations.
- IT leaders are not confident they would be able to prevent a wireless attack, as evidenced by a recent report by Outpost24 (via InfoSecurity) — and no IoT device is immune from an attack. Hackers once used a network-connected fish tank to stage a lateral attack to other, higher-value connected systems in a Las Vegas casino.
The kicker is that many environments that are hacked were considered secure. Recent research from Sophos indicates 91% of enterprises that have been breached were running up-to-date security stacks. An impenetrable perimeter would be ideal, but it’s just not always feasible.
The bottom line is that you can expect to be breached. If you are, you’ll want to know it. More importantly, you’ll want to respond to the breach before it spins out of control.
That’s not an easy thing to do, especially when you have a small cybersecurity operation or have to address security as a one-person show. This leaves you behind the eight ball, knowing you’re vulnerable yet lacking the control you need to protect your organization. But with the right solutions and best practices, it is possible to both identify and act to isolate cyberattacks.
Use A Broader Dataset
Current thinking is that cybersecurity starts with understanding if you’ve been breached. Organizations commonly work to understand if they’ve been breached by looking for anomalous behavior using security information and event management (SIEM) solutions. But many organizations don’t send all relevant sources of information to the SIEM.
That limits their accuracy in identifying events that do or do not require attention. Supplement the security-related log data in your SIEM with information that contextualizes your alerts, such as authentication logs, flow-related metadata and a rich set of threat intelligence. Combining this information with the right analytics rules can help you identify advanced threats that may have bypassed existing security controls.
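As an added illustration of the enrichment this paragraph describes (example code, not from the original article or the author's company), the Python below scores point-solution alerts against constructed authentication logs, flow metadata and a threat-intelligence list so that corroborated alerts rise to the top; every host, user, address and threshold is hypothetical.

```python
# Constructed sample data (hypothetical hosts, users and addresses, not from any real incident).
ALERTS = [  # raw alerts as a point solution might emit them
    {"id": "a1", "host": "ws-12", "dst": "203.0.113.7", "sig": "suspicious-powershell", "base": 40},
    {"id": "a2", "host": "ws-33", "dst": "198.51.100.9", "sig": "suspicious-powershell", "base": 40},
    {"id": "a3", "host": "srv-db", "dst": "10.0.0.5", "sig": "port-scan", "base": 20},
]
AUTH_LOGS = [("ws-12", "alice", "fail")] * 6 + [  # (host, user, outcome), in time order
    ("ws-12", "alice", "success"),
    ("ws-33", "bob", "success"),
]
FLOWS = [  # (host, dst, bytes_out) summarised from flow metadata
    ("ws-12", "203.0.113.7", 950_000_000),
    ("ws-33", "198.51.100.9", 12_000),
    ("srv-db", "10.0.0.5", 4_000),
]
THREAT_INTEL = {"203.0.113.7"}  # constructed indicator set; a real feed would be far larger

FAILED_AUTH_BURST = 5          # hypothetical tuning values
LARGE_EGRESS_BYTES = 500_000_000


def enrich(alert, auth_logs, flows, intel):
    """Attach context from the other sources and return a scored copy of the alert."""
    score, reasons = alert["base"], []
    if alert["dst"] in intel:
        score += 30
        reasons.append("destination matches threat intel")
    host_auth = [(u, o) for h, u, o in auth_logs if h == alert["host"]]
    fails = sum(1 for _, o in host_auth if o == "fail")
    if fails >= FAILED_AUTH_BURST and any(o == "success" for _, o in host_auth):
        score += 20
        reasons.append(f"{fails} failed logons followed by a success on host")
    egress = sum(b for h, d, b in flows if h == alert["host"] and d == alert["dst"])
    if egress >= LARGE_EGRESS_BYTES:
        score += 25
        reasons.append(f"{egress} bytes sent to destination")
    return {**alert, "score": score, "reasons": reasons}


def triage(alerts, auth_logs=AUTH_LOGS, flows=FLOWS, intel=THREAT_INTEL):
    """Rank alerts so an analyst sees the ones with corroborating context first."""
    return sorted((enrich(a, auth_logs, flows, intel) for a in alerts), key=lambda a: -a["score"])
```

Two alerts with the same signature end up far apart once context is applied, which is the point of feeding the SIEM more than the security tool's own logs.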
Also consider using an endpoint detection and response (EDR) solution in addition to endpoint antivirus protection. (Full disclosure: My company offers EDR and MDR solutions.) That way, your security operations center (SOC) can do further analysis of alerts generated by endpoints that connect to the network. This is valuable because 2019 research from Absolute (via Security) indicates that 70% of breaches start at the endpoints.
Pair The Power Of AI And People
This points to another challenge with SIEMs: They generate lots of alerts that don’t necessarily make sense and can’t be automatically sorted. The cybersecurity marketplace attempted to address this with security orchestration, automation and response (SOAR). But SOAR solutions don’t fully address the problem either because you often don’t get the right outcomes based on the complexity of the orchestration required to respond to some threats. Also, SOAR can be difficult to integrate with disparate commercial solutions that don’t offer a rich API set or require escalated privileges to modify the configuration.
This realization gave rise to SOCs. These make some sense because alerts require a human eye. But there’s a challenge here as well. Using humans to track alerts is extremely costly and doesn’t always scale. Sixty percent of SOC analysts surveyed by Fidelis (via TechRepublic) in 2018 said they can investigate only seven to eight alerts per day, and just 10% said they could check into eight to 10 alerts.
A better approach is to use the power of artificial intelligence (AI) and machine learning (ML) to identify attack patterns by using historical data as a guide and then add the human eye. Rely on security analysts to uncover more nuanced signals of attack.
Leverage Connectivity To Contain Threats
Identifying breaches is not meaningful unless you act on that information. Choose a managed detection and response (MDR) solution that controls the network so it can tell you what’s wrong and begin remediation with pre-approved actions.
The solution should isolate infected devices from the network or block connectivity to email or other applications and network elements. Infections spread quickly, racking up costs, exposing private data, marring reputations and creating headaches. I believe the important measure is not time to detection; it’s time to reaction.
Know What To Look For To Identify The Solutions For You
Seek solutions that use their own detection sensors to monitor potential attack surfaces. Many providers simply collect logs and attempt to make sense of or identify threats from all the data. This approach can be noisy because of the sheer volume of alerts and information, combined with a lack of understanding of the underlying systems. As a result, undetected threats or false-positive security incident reports can take significant time to track down. Sensors can provide a “source of truth” for the SOC team. Combine these sensors with other log data to add context and make it easier for defenders to identify threats more accurately.
Choose solutions that offer containment and advice for responding to threats around your specific security concerns. Are you worried about ransomware, account compromises or theft of data? Look for solutions that have experience and containment capabilities in these areas.
Most organizations operate in hybrid environments. Select a solution that considers all potential attack surfaces in your specific hybrid environment.
Now is the time to adopt an active cybersecurity stance so you’re ready when attacks hit. When you move from alerts to insights to action, you can avoid more widespread damage, deliver better experiences, enjoy improved growth potential and become a more resilient organization.
Originally published on Forbes.