One of my top cybersecurity initiatives for 2022 is improving threat detection and response. Initial compromises are inevitable, and most often originate from phishing attacks, social engineering, or insider threats. The initial compromise lays the groundwork for installing malware, and it is very difficult to prevent. You can have pretty good defensive measures that filter out a lot and help security teams be more effective. But it doesn’t change the fact that a single compromised system can cause a lot of damage. As someone once said, one bad apple can spoil the whole bunch. So, you must be ready to detect and respond to even a single compromise.
The other issue is reducing the burden on security teams. What can we do when there is a security skills shortage and it’s becoming harder and harder to scale a team up? We need to accelerate investigations with the skills we have on deck. What that really means is we have to provide enough context for everyone in security, at any level, to identify anomalies that are part of an overarching attack campaign much sooner in the discovery phase, ideally in real time.
That requires security analysts either to be told what an actual threat is, or to be able to figure it out for themselves by investigating further to determine whether it’s a true threat. And they need to be able to do this quickly and responsively. Unfortunately, a lot of solutions out there make it very difficult to tie those pieces together.
The real end goal, though, is response. Now that you know something anomalous is inside your network and that it’s part of an attack campaign, what do you do right now? What do you do next? And how do you respond quickly, before the attacker can do damage? Whether that’s stealing data, causing disruption, turning off systems, or deploying ransomware, all of these are destructive actions an attacker can take, and you need to respond before any of them occurs. It gets quite damaging and quite costly if you don’t respond rapidly and definitively.
There are challenges with the current XDR and SIEM solutions you may already have invested in: they provide incomplete infrastructure-wide visibility. You’ve got remote workers. You’ve got cloud solutions. And you need to pull in data from all sorts of different environments. Without a full, complete picture of all the data that’s out there, you can’t actually see what’s going on. This is where a lot of these deployments fall short: they aren’t pulling data from every location across multi-cloud, which leaves visibility gaps. Those are the gaps attackers know to exploit. So this is where you really need infrastructure-wide visibility, and solutions in place that can pull in all that data effectively.
The lack of real-time adaptability to new threats is key, because what we’re seeing is that attackers aren’t resting on their laurels, reusing one attack or the vulnerabilities they’ve already exploited. They’re changing up existing attacks, making new variants, changing techniques, and doing whatever they can to evade existing controls. The problem with security platforms that aren’t adaptable is that they don’t learn from prior behaviors and prior events. You’re reliant on the vendor to create patches and new signatures or pattern matches to identify that those attacks are going on.
First, the vendor has to know about the attack. Second, they have to develop the new pattern, and they have to get it to you in a timely manner, before the attack takes hold inside your systems. And they have to get it right. It’s quite a challenge when you depend on the solution and the vendor you have to get it right; a lot can and does go wrong. A better approach is to work with a vendor like Gurucul that provides true machine learning models which adapt to changing conditions and malware variants in real time. Self-learning algorithms are what machine learning is all about in the real world of defense-in-depth cybersecurity.
It’s surprising to me that, after all this time, we are still seeing security teams chasing false positive alerts. Security teams are overburdened. They need more data to do their job, but that doesn’t mean the number of indicators of compromise (IoCs) and events popping up needs to go up as well. This is where consuming more data ends up being super noisy with traditional XDR and SIEM systems: you end up receiving too many indicators of compromise. That’s not the solution. All it does is throw more noise at security analysts and dilute the real attacks.
You need to reduce the noise level to what’s really important, and keep analysts from chasing down those annoying false positives, which is a major problem. There are statistics that show 70% of what security analysts investigate are false positives. So reducing that number is just as important as reducing the overall noise coming in. This is one of the areas that can lessen the burden on a security team, and where you can certainly do more with less. You don’t have to hire 10 more people if you can simply process and address more of the key alerts that need to be investigated.
I mentioned the security skills gap, with a lot of junior folks coming into security and learning on the job. The lack of contextual information, and of the ability to prioritize what’s important, is really hurting them too, because honestly they don’t know what next steps to take. They may escalate an investigation to a senior analyst and quickly overburden that analyst. That’s far from optimal, because senior security analysts are scarce and we need to reserve their expertise for the most difficult cases.
More context, more help, and more automation are what’s needed to help junior security analysts get to answers more quickly and improve their ability to do their job. It also reduces the burden on the more senior analysts who are focused on much deeper investigations. This is all part of what’s needed to improve security operations.
So, let’s talk about where to invest. One of the investment areas we talked about is getting consolidated views across on-prem, multi-cloud, and remote systems. The key is to do it without escalating costs. That’s really the catch: most security solutions, especially monitoring and SIEM solutions, data collection solutions, whatever they are, end up charging based on the volume of incoming data. That’s not cost effective. Solutions whose pricing encourages security teams to pull in as much data as possible, and to investigate those sources, are more effective. We are hearing from a lot of people, especially as they move to cloud and remote offices, that the amount of data they’re collecting has gone up quite a bit.
And suddenly they’re being charged a lot more for data collection, for functionality they should already be getting; they’ve already paid for it. So again, this is where people are looking to invest in solutions that can reduce that burden, and especially the cost. More data with fewer alerts and false positives is the key. How do I ingest more data and yet reduce my workload at the same time? Solutions that can filter out all of that noise and lower the false positive rate are critical for security teams to be successful.
Being able to provide more refined data is key to enabling our security analysts. Delivering high-confidence anomalous data to be investigated is critically important to keep junior analysts from unnecessarily chasing false positive alerts. It enables them to be more effective at their job and to learn more quickly how to do a better job, so they aren’t escalating everything and aren’t chasing things they shouldn’t be chasing. We want them hyper-focused on high-priority alerts only. Then help them come to a conclusion about what they need to do to fix or remediate the issue. That’s going to accelerate not only your investigations but also your responses, which means fewer attacks will actually succeed.
It’s important to understand the nuances behind vendor claims around analytics and machine learning. Many vendor “analytics” capabilities are really just correlation rules. To stave off today’s threats, you need true advanced analytics. Machine learning and artificial intelligence have been thrown around a lot in the last several years and, unfortunately, misused quite a bit. But if you can find vendors that really are using proper machine learning techniques, that’s where the power is in helping to automate not only your investigations, but also your threat detection and even your response capabilities. True machine learning adapts to new variants in real time. You’ll have higher confidence in what’s out there and in what you’ve identified as an actual attack campaign. You’ll also know the steps to remediate that attack campaign before it does damage.
Adding behavior analytics to your security practice is important. We’ve come a long way from old network behavior analytics; user and entity behavior analytics are now key, because we’re seeing things like privileged access violations. Baseline what’s normal and what’s not. Then, with high confidence, correlate that data to know: “This is something new that we haven’t seen before, but we know it’s an attack.” Again, this is where we’re seeing organizations invest in security analytics and next-generation SIEMs.
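To make the baselining idea above concrete, and the earlier point about handing analysts only high-confidence, prioritized events, here is a small added example of a user and entity behavior baseline. It is illustrative code written for this page, not Gurucul’s product or any real UEBA engine. It learns, per user, the hosts they normally authenticate from, the hours they are normally active, and whether they ever run privileged commands, then scores new authentication events by how far they deviate from that baseline, weighting privileged activity most heavily. Every log line is constructed for the example, the four-field line layout is an assumption, and the score weights are illustrative rather than tuned from data.

```python
"""Added example (not Gurucul's code): a minimal user and entity behaviour
baseline. Learns per-user hosts, active hours and privileged-command history,
scores new events by deviation, and folds confirmed-benign events back in.
All log lines are constructed; the field layout is an assumption."""
from collections import defaultdict
from datetime import datetime

# Constructed "historical" events: timestamp user src_host sudo=yes|no
BASELINE_LOG = [
    "2022-01-03T09:12:04 alice ws-fin-01 sudo=no",
    "2022-01-03T14:05:19 alice ws-fin-01 sudo=no",
    "2022-01-04T10:48:33 alice ws-fin-01 sudo=no",
    "2022-01-04T17:21:07 alice ws-fin-01 sudo=no",
    "2022-01-03T08:02:55 bob ws-ops-02 sudo=no",
    "2022-01-03T13:30:12 bob jump-01 sudo=yes",
    "2022-01-04T22:14:40 bob jump-01 sudo=yes",   # bob's on-call window
]

# Constructed "new" events to triage against the baseline
NEW_EVENTS = [
    "2022-02-01T09:40:11 alice ws-fin-01 sudo=no",    # routine
    "2022-02-01T03:15:42 alice jump-01 sudo=yes",     # new host, 3am, first sudo
    "2022-02-01T22:30:00 bob jump-01 sudo=yes",       # on-call, seen before
    "2022-02-01T13:05:00 mallory ws-fin-01 sudo=no",  # account never baselined
]


def parse(line):
    """Split one constructed log line into (timestamp, user, host, privileged)."""
    ts, user, host, priv = line.split()
    return datetime.fromisoformat(ts), user, host, priv == "sudo=yes"


def build_baseline(lines):
    """Per-user profile: known hosts, active hours and privileged-command count."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "priv": 0})
    for line in lines:
        ts, user, host, priv = parse(line)
        p = profiles[user]
        p["hosts"].add(host)
        p["hours"].add(ts.hour)
        p["priv"] += int(priv)
    return profiles


def _hour_is_usual(hour, known_hours, slack=1):
    """True if the user was active within +/- slack hours (wrapping at midnight)."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= slack for h in known_hours)


def score_event(line, profiles):
    """Return (score, reasons). Weights are illustrative, not tuned from data."""
    ts, user, host, priv = parse(line)
    p = profiles.get(user)  # .get() does not create a profile on a defaultdict
    if p is None:
        return 100, ["account has no behavioural baseline"]
    score, reasons = 0, []
    if host not in p["hosts"]:
        score += 40
        reasons.append(f"new source host {host}")
    if not _hour_is_usual(ts.hour, p["hours"]):
        score += 30
        reasons.append(f"activity at unusual hour {ts.hour:02d}:00")
    if priv and p["priv"] == 0:
        score += 50
        reasons.append("first privileged command ever seen for this user")
    elif priv:
        score += 10  # privileged but consistent with history: low weight
    return score, reasons


def triage(lines, profiles, threshold=50):
    """Only events at or above threshold reach an analyst, highest score first."""
    scored = [(score_event(line, profiles), line) for line in lines]
    hits = [(s, line, r) for (s, r), line in scored if s >= threshold]
    return sorted(hits, key=lambda h: h[0], reverse=True)


def learn(line, profiles):
    """Fold an event an analyst confirmed as benign back into the baseline so
    the same behaviour is not flagged again: the self-learning part."""
    ts, user, host, priv = parse(line)
    p = profiles[user]
    p["hosts"].add(host)
    p["hours"].add(ts.hour)
    p["priv"] += int(priv)


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_LOG)
    for score, line, reasons in triage(NEW_EVENTS, profiles):
        print(f"{score:>3}  {line}\n     - " + "\n     - ".join(reasons))
```

Run as-is, only two of the four new events cross the threshold: alice’s 3am sudo from a jump host she has never used, and the never-baselined account. Bob’s late-night privileged login is scored low because his history already contains that host, that hour and privileged use, which is the noise reduction the text is after. The explanation strings attached to each score are the “context” a junior analyst needs to decide on a next step, and calling learn() on a confirmed-benign event is the adaptive piece: the same alice event re-scored afterwards drops from 120 to 10.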
Sanjay Raja, VP Product Marketing and Solutions, Gurucul
Sanjay brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small businesses, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also held several successful leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP as well as Pragmatic Marketing certified.
Watch The Webinar
Want to hear directly from me on this topic? Watch this webinar where I talk about this topic and recommendations for 2022 that every CSO should consider.