While most organizations have built their entire security infrastructure around the outdated capabilities of SIEMs (security information and event management solutions), those tools have not evolved to keep pace with the current volume of data. SIEMs were designed to meet the challenges of the early 2000s, when most security monitoring and reporting was done in a centralized manner. These days, however, that approach produces far too many alerts for analysts to monitor and validate quickly and soundly.
This inundation of alerts has caused a “crying wolf effect,” in which several dozen surveyed analysts readily admit to not checking alerts because the clear majority (90-95% for an average SIEM rule) are false positives that hardly demand the attention of a highly trained SOC member, let alone any type of response. According to recent research, the majority of SIEM owners agreed that these products fail to provide scalability and useful threat intelligence and lack analytic capabilities. The key to reducing false-positive alerts and allowing analysts to focus on the real threats (where their skills are needed most) is to increase the fidelity and clarity of the data that SIEMs collect, which is by no means a simple process.
SIEMs are decent tools for storing and aggregating log and network data for compliance purposes, and while they are also designed to generate rules-based security alerts, these only apply to threats that have already been discovered. Writing separate rules for each indicator of compromise (a known attack vector) is an arduous process that inevitably fails because organizations lack the expertise to establish the necessary precision in calibrating these rules.
Strain Not Easily Addressed through More Hires
By leveraging threat intelligence and the forensic analysis of past breaches, organizations can generally devise rules to protect themselves from KNOWN threats. But as attackers use ever-stealthier tactics, it’s the unknown IOCs that pose the most serious threat. And as data from mobile and application technology is integrated into already strained security operations centers – the digital “impressions in the sand” are expanding along with the attack surface for all enterprises.
People, processes, and technology aren’t being utilized as efficiently as possible inside most organizations today, and with a growing shortage of skilled security personnel the problem cannot be solved by simply throwing additional employees at it – there simply aren’t that many to go around these days. Many organizations have also tried the “expense in depth” strategy, purchasing different, disparate pieces of technology that work independently to serve highly specific functions – each providing a few clues for an astute analyst, but not enough to solve the puzzle. And so the problem continues.
Since there is no unified platform (like there is for sales, human resources, or accounting functions) security operations teams generally must “reinvent the wheel” when it comes to processes, often leading to more obfuscation of clear roles and responsibilities for dealing with threats and blurring an already concealed threat landscape.
Manual Processes Just Don’t Cut It
Automation and machine learning have become marvels that allow organizations to increase their efficiency by handling repetitive tasks. Plus, machines are now teachable and able to absorb new information to help prevent repeat mistakes. An organization that still relies solely on manual processes is like a fighter taking on a heavyweight boxing champion blindfolded with one hand tied behind its back. Hackers routinely scour the internet for this easy prey and then pummel them with elaborate, targeted and automated attacks.
Security professionals need to know what and where their most valuable assets are, and by fusing automation with network processes they can quickly discover when sensitive assets have been moved to unusual parts of the network. One of the core functions of an analyst is to validate and triage an alert. The mundane research and investigation can be automated to look up user or device network activity or cross reference redundant alerts. Advances in cognitive automation have allowed for the continuous, real-time automatic scoring or prioritizing of alerts, which greatly reduces the time and volume of material that human analysts previously faced.
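The triage steps described above, as an added example that is not from the article or from any vendor's product: constructed SIEM alerts are collapsed when redundant, weighted by a hypothetical asset-sensitivity inventory and per-rule precision, correlated per host, and scored so that only the highest-priority items reach an analyst.

```python
"""Added example: a minimal automated triage pass over SIEM alerts.
All alerts, hosts, rules and weights below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory: host -> sensitivity weight (higher = more valuable).
ASSETS = {"db-prod-01": 3.0, "fileshare-hr": 2.5, "laptop-0417": 1.0, "kiosk-lobby": 0.2}

# Hypothetical per-rule precision (observed true-positive rate); the 5% value
# mirrors the 90-95% false-positive rate the article quotes for an average rule.
RULE_PRECISION = {"brute_force": 0.05, "malware_beacon": 0.40, "privilege_escalation": 0.30}

# Constructed alerts as a SIEM might emit them (ISO timestamps, rule, host, user).
ALERTS = [
    {"ts": "2024-03-01T10:00:00", "rule": "brute_force", "host": "kiosk-lobby", "user": "svc_print"},
    {"ts": "2024-03-01T10:00:30", "rule": "brute_force", "host": "kiosk-lobby", "user": "svc_print"},
    {"ts": "2024-03-01T10:01:10", "rule": "brute_force", "host": "kiosk-lobby", "user": "svc_print"},
    {"ts": "2024-03-01T10:02:00", "rule": "malware_beacon", "host": "db-prod-01", "user": "dba"},
    {"ts": "2024-03-01T10:03:00", "rule": "privilege_escalation", "host": "db-prod-01", "user": "dba"},
    {"ts": "2024-03-01T10:05:00", "rule": "brute_force", "host": "laptop-0417", "user": "jdoe"},
]

def dedupe(alerts, window=timedelta(minutes=5)):
    """Collapse repeats of the same rule/host/user within `window` into one group,
    keeping a count so repetition still contributes to the score."""
    groups, open_groups = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["host"], a["user"])
        ts = datetime.fromisoformat(a["ts"])
        g = open_groups.get(key)
        if g and ts - g["last"] <= window:
            g["count"] += 1
            g["last"] = ts
        else:
            g = {"rule": a["rule"], "host": a["host"], "user": a["user"],
                 "first": ts, "last": ts, "count": 1}
            groups.append(g)
            open_groups[key] = g
    return groups

def triage(alerts, top=3):
    """Score each group by rule precision x asset sensitivity x repetition, then boost
    hosts on which several distinct rules fired; return the `top` groups for a human."""
    groups = dedupe(alerts)
    rules_per_host = defaultdict(set)
    for g in groups:
        rules_per_host[g["host"]].add(g["rule"])
    for g in groups:
        base = RULE_PRECISION.get(g["rule"], 0.1) * ASSETS.get(g["host"], 0.5)
        repetition = 1 + 0.1 * (g["count"] - 1)
        g["score"] = round(base * repetition * len(rules_per_host[g["host"]]), 3)
    return sorted(groups, key=lambda g: g["score"], reverse=True)[:top]
```

On the constructed data the three kiosk brute-force alerts collapse into one low-scoring group, while the database host, hit by two different rules, rises to the top of the analyst's queue.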
The Right Mix of People, Processes and Technology
The headaches associated with manually vetting a few thousand false-positive alerts can cause many SIEM owners to consider the wisdom of the expense. Even medium-sized companies can receive several thousand of these per day. SIEM technology is inherently difficult to query, and it usually doesn’t speak the same language as other security products. Security analysts and CISOs would benefit tremendously from having a single, centralized view of all information feeds from their various security products – providing true orchestration where it’s needed most.
In a perfect world, we would be able to automate wherever possible and alert a human decision maker only when necessary. While many large companies will boast about the insanely high number of alerts at their SOC (which we even see in national TV commercials these days), this does not equal success – far from it. It only means that security products are alerting more often about incidents that are increasingly incorrect.
Being aware that a threat exists solves nothing without the willingness and capability to act in a quick and decisive fashion. Organizations must find the right mix of people, processes and technology that will enable them to keep pace with the growing sophistication of attackers and the subtle breaches that occur, then escalate in access and privilege across an entire ecosystem over time.
Today’s security tools require the capability to triage, respond, and resolve the surging tide of “fake security” alerts – and to intelligently validate them before inundating the SOC analysts. Otherwise, your security tools will offer little return on investment, and leave your organization even more vulnerable to the current “wild west” digital reality.
Chris Jordan is CEO of College Park, Maryland-based Fluency (www.fluencysecurity.com), a provider of Security Automation and Orchestration solutions.