Cyber security is supposed to reduce risk and be cost-effective at the same time. It’s supposed to take the burden of legwork away from the CISO and his or her team. It’s supposed to reduce the financial and reputational risk posed by malicious actors in an efficient, intelligent manner.
What it’s not supposed to do is generate reams and reams of near-to-useless information, burying the security team in an avalanche of flags and alerts. It’s not supposed to make the job of a security analyst close to impossible. We’ve become so obsessed with the idea of cybersecurity rigour – obviously a very good thing in its own right – that we’ve come full circle and are starting to become inefficient through information overload.
Water is good in a glass – it’s less good rising up to the ceiling. It’s the same with security alerts. It’s one thing to receive targeted alerts about potential incidents in the network, but it’s another to receive a flag every time the system encounters anything at all – any anomaly, any intrusion attempt, any suspicious code, any unusual data movement. To switch metaphors, it’s the difference between having a child put their hand up in class and the whole room shouting out at once. Past a certain point, too much information is the same as no information. How does anyone make sense of the noise?
With all that said, the result is that CISOs should retire or re-tune any system that neither mitigates threats automatically at their source nor prioritises its alerts for the security team. A tool that only flags things up adds nothing if no-one is looking at its output, and if those flags flow into a SIEM, which is typically licensed on the volume of events it ingests, more alerts mean more cost. Survey after survey and report after report tell us that there are simply too many alerts to sift through. Companies are spending billions on alert systems that they just don’t need – alerts which make the life of their security teams harder, not easier.
We need to see a shift in the industry away from this ‘data flood’ mentality, cutting down the number of meaningless alerts to drive home the few that mean something. In a world of increasingly vast data volumes, ‘flag everything’ must be replaced by ‘flag intelligently’. Automated mitigation systems and AI-enabled notification systems can take much of the menial work off the security team, sealing off routine threats quickly and identifying at speed the issues that need human attention.
How did we get here?
Before we look at how to improve the situation, it’s worth asking why the situation is the way it is. For years, cyber security as an industry has been buoyed up by the fear factor: the fact that at the bottom of every sales pitch from every vendor was the dark implication that if you didn’t buy this expensive bit of endpoint protection, there was always the chance that that endpoint would be the one that sank your business. High-profile disasters like Heartbleed, Target, TalkTalk and WannaCry provided the perfect bogeymen to back up that narrative, making it clear that those companies that sailed along on a wave of unconcern would find the beach coming up to meet them pretty quickly. As a result, the average security deployment ballooned as twitchy CISOs built rampart on rampart in an attempt to keep out the invisible attacker.
At the same time, the number of potential attack vectors also grew. Connectivity expanded rapidly, linking more and more devices, companies and people to one another, forming a vast and fragile web of entry points of varying security. WANs were no longer easy to fence off. CISOs had to develop eyes in the back, top and sides of their heads. How do you build an effective endpoint protection programme when you’re linked into an untold number of potentially insecure vectors?
Finally, there was the spiralling evolution of hacking techniques. The good old genres of phishing, malware, DDoS and spoofing marched on, splitting and subdividing into thousands of other tools and tactics. Add all that together and over time security systems had to go into overdrive, reeling out ever more alerts on the off chance that the one piece of code that wasn’t flagged was the one that took the company down.
In its infancy, cyber security was seen as a kind of impenetrable shield surrounding the whole company. Now that the digital age is reaching its early maturity, that assumption is wildly inaccurate. Total protection is impossible. What’s needed is not more walls – it’s more intelligent observation and automated responses.
Review your security network
Reducing alert fatigue is not simply a matter of switching off alarms or safety systems, tempting as that might sound. What’s required is a root-and-branch reform of an organisation’s security network: one that encompasses every IT resource – from databases to cloud, applications to virtualisation systems – and then conducts a thorough review of the various security tools used to protect these resources.
The goal of this review is to mitigate alert fatigue by reducing the noise-to-signal ratio. The idea is not to turn off alarms in an arbitrary manner, but rather to ensure that security teams receive fewer but more accurate alerts.
The best place to start is by conducting data discovery and classification to determine where your sensitive data resides and assess the level of risk to its integrity, confidentiality, and availability. Cyber-criminals monetise the data they steal, so the value of the data is what makes a system a target. As one customer of ours said in a recent meeting: “data is the new perimeter”. I have a feeling that may catch on….
Organisations will likely find that systems that don’t contain sensitive data are firing numerous alerts which, while they will need to be investigated, are hardly urgent priorities when compared to systems that contain, say, customer financial data.
The next stage is to conduct a behavioural analysis to create a behavioural baseline profile (in effect an allow list) of typical patterns of access to databases, file shares, and cloud-based applications, broken down by functional unit and role. The goal here is to identify many of the false positives that contribute to the constant stream of alerts and which prevent CISOs from spotting the alarms that need urgent attention. Behavioural analysis has a secondary aim, though one that’s just as important: it helps to spotlight the riskiest users, client hosts, and servers, enabling security teams to prioritise their investigation whenever an anomaly arises.
Build an intelligent defence
Having conducted a thorough review of your existing IT estate, the next stage is to deploy intelligent systems that can determine which flags are truly necessary. The best place to start is with the alerts themselves. One of the biggest contributors to alert fatigue is the difficulty of distinguishing between notifications of differing urgency.
That’s why it’s vital that a modernised threat warning system should incorporate a sliding scale of alert levels. A red light on its own tells you nothing about a threat; instead, each alert should carry its priority, the notification and escalation channel it belongs to, and the appropriate response for that type of threat.
An intelligent defence should also adjust anomaly-detection thresholds based on risk classifications, behavioural analysis, and alert levels, so that you receive the types of alerts you actually want (for example, scans that find compromised files, failed logins to root accounts, phishing attempts, and so forth) rather than everything the tooling can see.
A strong defence should take a holistic approach to threat detection, which is why organisations should consolidate and simultaneously run network, application, and file scans in order to see issues across the environment. Using context-based access control (CBAC), meanwhile, enables the business to authenticate both the user and device to control what a user can see or do. For example, an authorized user accessing sensitive data from a personal tablet can see and do less than if he or she accessed that data from a corporate-issued laptop.
Finally, businesses should use a single platform (rather than email) to collect alerts from the organisation’s security tools. Ensure that the tool can contextualize the alerts—the source, user, and activity leading to the alert. This helps determine whether multiple alerts are from the same source, user, or activity, which may indicate malicious activities.
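The steps above (classify the assets, baseline behaviour by role, weight alerts by priority, then correlate alerts that share a source or user) can be expressed as a small triage routine. The block below is an added example, not code from the original article or from any product it mentions; the asset classifications, role baselines, alert lines and the assumption that 10.0.0.0/8 is the corporate network are all constructed for illustration. It turns a flat alert stream into a ranked queue with a reason attached to every score.

```python
"""Added example: risk-based alert prioritisation and correlation.

Combines the three ideas from the review: data classification of the
asset, a per-role behavioural baseline, and grouping of related alerts
by source/user, to turn a flat stream of alerts into a ranked queue.
All data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Step 1: output of data discovery/classification (constructed).
# Sensitivity is the base weight of every alert on that asset.
ASSET_SENSITIVITY = {
    "pay-db-01": 3,     # customer financial data
    "hr-share-01": 2,   # personal data
    "dev-build-07": 1,  # no sensitive data
}

# Step 2: behavioural baseline per role: which hosts and hours are normal.
ROLE_BASELINE = {
    "finance-analyst": {"hosts": {"pay-db-01"}, "hours": range(7, 20)},
    "developer": {"hosts": {"dev-build-07"}, "hours": range(8, 22)},
}
USER_ROLE = {"alice": "finance-analyst", "bob": "developer"}

# Step 3: alert-type weight, so a bulk read outranks a single failed login.
KIND_WEIGHT = {"malware_detected": 2, "bulk_read": 2, "failed_login": 0, "file_access": 0}

@dataclass
class Alert:
    ts: datetime
    source_ip: str
    user: str
    host: str
    kind: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

# Constructed alert lines: "timestamp,source_ip,user,host,kind"
RAW_ALERTS = """\
2024-03-01T09:05:00,10.0.0.5,alice,pay-db-01,failed_login
2024-03-01T03:12:00,198.51.100.7,alice,pay-db-01,failed_login
2024-03-01T03:12:30,198.51.100.7,alice,pay-db-01,failed_login
2024-03-01T03:13:10,198.51.100.7,alice,pay-db-01,bulk_read
2024-03-01T10:30:00,10.0.0.9,bob,dev-build-07,malware_detected
2024-03-01T10:40:00,10.0.0.9,bob,hr-share-01,file_access
"""

def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.strip().splitlines():
        ts, ip, user, host, kind = line.split(",")
        alerts.append(Alert(datetime.fromisoformat(ts), ip, user, host, kind))
    return alerts

def score_alert(a: Alert) -> Alert:
    """Start from asset sensitivity and alert type, add one step per baseline deviation."""
    a.score = ASSET_SENSITIVITY.get(a.host, 1) + KIND_WEIGHT.get(a.kind, 1)
    a.reasons.append(f"sensitivity+kind={a.score}")
    baseline = ROLE_BASELINE.get(USER_ROLE.get(a.user, ""))
    if baseline is None:
        a.score += 2
        a.reasons.append("unknown user/role")
        return a
    if a.host not in baseline["hosts"]:
        a.score += 2
        a.reasons.append("host outside role baseline")
    if a.ts.hour not in baseline["hours"]:
        a.score += 1
        a.reasons.append("outside normal hours")
    if not a.source_ip.startswith("10."):  # assumption: 10/8 is the corporate network
        a.score += 1
        a.reasons.append("external source")
    return a

def correlate(alerts: list[Alert]) -> list[Alert]:
    """Group by (source_ip, user); three or more from one pair raise every member."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.source_ip, a.user)].append(a)
    for members in groups.values():
        if len(members) >= 3:
            for a in members:
                a.score += 2
                a.reasons.append(f"correlated with {len(members) - 1} other alerts from same source/user")
    return alerts

def triage(text: str = RAW_ALERTS) -> list[Alert]:
    """Return the alerts highest-score first; ties keep their arrival order."""
    alerts = correlate([score_alert(a) for a in parse_alerts(text)])
    return sorted(alerts, key=lambda a: a.score, reverse=True)

if __name__ == "__main__":
    for a in triage():
        print(f"{a.score:2d} {a.user:6s} {a.host:12s} {a.kind:16s} {'; '.join(a.reasons)}")
```

Run stand-alone it prints the six alerts ranked: the out-of-hours bulk read of the payments database from an external address tops the queue, the two failed logins that preceded it are lifted by correlation, and the routine daytime failed login on the same database sits near the bottom. The weights are deliberately simple integers so that an analyst can read the reasons column and see exactly why something was escalated, which matters more than the precise arithmetic.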
Automate the everyday
A CISO has enough on their plate without having to monitor every single alert and undertake the appropriate actions each time. At the same time, only a human expert has the insight and experience to distinguish between real threats and false positives, and to identify the ones that require urgent attention.
While it’s impossible – and unwise – to place threat monitoring entirely in the hands of machines, automation has an incredibly important role to play in mitigating threats and sifting through masses of potential alerts before they reach the eyes of the CISO. This is doubly true given the dearth of skilled IT personnel which leaves teams overstretched even at the best of times.
That’s why automated threat response is such an important part of any defence. Automating processes ensures that common threats are caught and dealt with early, while automatic alert investigation and escalation will deal with many of the more common types of alert – for example, failed logins, phishing attempts, and malware detections.
Security orchestration, automation, and response (SOAR) tooling can stitch together an organisation’s disparate policy enforcement infrastructure, such as firewalls, gateways and other types of controllers, and integrate with existing event management systems. Many steps of the resolution process can also be partly or fully automated, from patch management and incident response to automatically blocking emerging threats based on continual threat intelligence and signature updates.
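What the automation actually decides, and where it stops and hands over to a person, is the part that deserves scrutiny. The block below is an added example, not code from the original article or from any SOAR product; it takes alerts that have already been prioritised and applies a small playbook: close what the baseline already explains, contain the common cases that have a reversible response, and escalate everything else. The crown-jewel list, the escalation threshold, the known-benign scanner address and the sample alerts are all assumptions constructed for illustration.

```python
"""Added example: automated triage playbook with a human-escalation gate.

Takes already-prioritised alerts and decides, per alert, whether to close
it as routine, contain it automatically, or escalate it to an analyst.
The guard rails are assumptions: nothing on a crown-jewel asset, nothing
above a score threshold, and no blocking of an internal address ever
happens without a person in the loop. All data below is constructed.
"""
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    AUTO_CLOSE = "auto_close"
    AUTO_CONTAIN = "auto_contain"
    ESCALATE = "escalate"

@dataclass(frozen=True)
class Alert:
    kind: str
    host: str
    user: str
    source_ip: str
    score: int

# Assumptions: assets where automation must never act alone, and the score
# above which any alert goes to a human regardless of type.
CROWN_JEWELS = {"pay-db-01"}
ESCALATION_THRESHOLD = 6

# Known-benign sources the baseline has already explained, e.g. a
# vulnerability scanner that trips failed-login rules every night.
KNOWN_BENIGN_SOURCES = {"10.0.0.200"}  # constructed: internal scanner

# Common alert types with a well-understood, reversible containment step.
PLAYBOOKS = {
    "failed_login": lambda a: f"block {a.source_ip} at perimeter for 1h",
    "phishing_reported": lambda a: f"quarantine message and purge copies for {a.user}",
    "malware_detected": lambda a: f"isolate {a.host} from network and open ticket",
}

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumption: 10/8 is the corporate network

def decide(a: Alert) -> tuple[Action, str]:
    """Return the action and a one-line justification that ends up in the ticket."""
    if a.kind == "failed_login" and a.source_ip in KNOWN_BENIGN_SOURCES:
        return Action.AUTO_CLOSE, "matches baselined scanner activity"
    if a.host in CROWN_JEWELS or a.score >= ESCALATION_THRESHOLD:
        return Action.ESCALATE, "sensitive asset or high score: human decision required"
    if a.kind == "failed_login" and is_internal(a.source_ip):
        # Blocking an internal address could take down a misconfigured service.
        return Action.ESCALATE, "internal source: blocking could break a service"
    playbook = PLAYBOOKS.get(a.kind)
    if playbook is None:
        return Action.ESCALATE, f"no playbook for {a.kind!r}"
    return Action.AUTO_CONTAIN, playbook(a)

def run(alerts: list[Alert]) -> list[tuple[Alert, Action, str]]:
    return [(a, *decide(a)) for a in alerts]

def analyst_queue(alerts: list[Alert]) -> list[Alert]:
    """Only the escalated subset reaches a person."""
    return [a for a, action, _ in run(alerts) if action is Action.ESCALATE]

SAMPLE = [  # constructed
    Alert("failed_login", "dev-build-07", "svc-scan", "10.0.0.200", 1),
    Alert("failed_login", "hr-share-01", "bob", "198.51.100.7", 4),
    Alert("malware_detected", "dev-build-07", "bob", "10.0.0.9", 3),
    Alert("bulk_read", "pay-db-01", "alice", "198.51.100.7", 9),
    Alert("dns_tunnel_suspected", "hr-share-01", "carol", "10.0.0.12", 4),
    Alert("failed_login", "hr-share-01", "svc-backup", "10.0.0.31", 2),
]

if __name__ == "__main__":
    for a, action, why in run(SAMPLE):
        print(f"{action.value:13s} {a.kind:22s} {a.host:12s} {why}")
```

Of the six constructed alerts, three reach the analyst queue: the bulk read on the payments database, the alert type with no playbook, and the internal failed login that a blocking rule might turn into an outage. The other three are handled without interruption, and every decision carries a written reason, which is what makes a later review of the automation possible.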
Once a CISO has undertaken a thorough review of the network, built intelligence into the defences and, where possible, automated the security systems, they can look forward to a future where incessant interruptions are a thing of the past. Instead, they can concentrate on their day-to-day job, knowing that any alert that comes through to them is truly urgent and worthy of their time and expertise.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.