Automated systems: Flag smarter, not everything
Imagine dealing with thousands of security alerts a day while simultaneously juggling the tasks that make up your day-to-day job. Challenging, right? This is the problem cybersecurity professionals currently face. Rather than making their jobs easier, automated systems are adding to the workload of the CISO and his or her team.
Cybersecurity professionals constantly receive large numbers of alerts from these automated systems, most of which are near-useless. Rather than flagging potential incidents in the network, these systems raise an alert every time they encounter anything at all: any anomaly, any intrusion attempt, any suspicious code, any unusual data movement.
The result is that CISOs should simply switch off any system that neither mitigates threats automatically at their source nor prioritises the alert for the security team with actionable insight into the threat. Anything that merely raises alerts is pointless: no one is looking at them, and if you run a SIEM, more alerts means more ingestion and storage cost. Survey after survey and report after report tell us that there are simply too many of them to sift through. Companies are spending billions on alerting systems they do not need, producing alerts that make the life of their security teams harder, not easier.
We need to see a shift in the industry away from this ‘data flood’ mentality, cutting down the number of meaningless alerts to drive home the few that mean something. In a world of increasingly vast data volumes, ‘flag everything’ must be replaced by ‘flag intelligently’. Automated mitigation systems and AI-enabled notification systems can cut the menial work of the security team in half, sealing off regular threats quickly and identifying issues that need human attention at speed.
The current state of the cybersecurity landscape
Before we look at how to improve the situation, it’s worth asking why it is the way it is. For years, the cybersecurity industry has been buoyed up by the fear factor: at the bottom of every vendor sales pitch was the dark implication that if you didn’t buy this expensive piece of endpoint protection, there was always the chance that that endpoint would be the one that sank your business. As a result, the average security deployment ballooned as twitchy CISOs built rampart upon rampart in an attempt to keep out the invisible attacker.
At the same time, the number of potential attack vectors also grew. CISOs had to develop eyes in the back, top and sides of their heads. How do you build an effective endpoint protection programme when you’re linked into an untold number of potentially insecure vectors?
Finally, there was the spiralling evolution of hacking techniques. The old genres of phishing, malware, DDoS and spoofing marched on, splitting and subdividing into thousands of other tools and tactics. Add all that together and, over time, security systems went into overdrive, churning out ever more alerts on the off chance that the one piece of code that wasn’t flagged would be the one that took the company down.
In its infancy, cybersecurity was seen as a kind of impenetrable shield surrounding the whole company. Now that the digital age is reaching its early maturity, that assumption is wildly inaccurate. Total protection is impossible. What’s needed is not more walls – but more intelligent observation and automated responses.
Rethinking the security system
Reducing alert fatigue is not simply a matter of switching off alarms or safety systems, tempting as that might sound. What’s required is a root-and-branch review of the organisation’s security estate: one that takes in every IT resource, from databases to cloud, applications to virtualisation platforms, and then examines each of the security tools used to protect those resources.
The goal of this review is to mitigate alert fatigue by improving the signal-to-noise ratio: not to turn off alarms arbitrarily, but to ensure that security teams receive fewer, more accurate alerts.
The best place to start is data discovery and classification, to determine where your sensitive data resides and assess the risk to its integrity, confidentiality and availability. Cybercriminals monetise the data they steal. As one customer of ours said in a recent meeting: “data is the new perimeter”. I have a feeling that may catch on.
Organisations will likely find that systems which hold no sensitive data are firing numerous alerts that, while they will still need investigating, are hardly urgent priorities compared with alerts from systems holding, say, customer financial data.
The next stage is behavioural analysis: building a baseline profile, or ‘whitelist’, of typical patterns of access to databases, file shares and cloud-based applications by functional unit and role. The goal is to identify the many false positives that contribute to the constant stream of alerts and prevent CISOs from spotting the alarms that need urgent attention. Behavioural analysis has a secondary aim that is just as important: it spotlights the riskiest users, client hosts and servers, so that security teams can prioritise their investigation whenever an anomaly arises.
A smarter line of defence
Having reviewed your IT estate, the next stage is to deploy intelligent systems that can determine which flags are truly necessary. The best place to start is the alerts themselves. One of the biggest contributors to alert fatigue is the difficulty of distinguishing between notifications of differing urgency.
That’s why a modernised threat warning system should incorporate a sliding scale of alert levels. A red light on its own tells you nothing about a threat; each alert should instead carry its priority, its notification and escalation channels, and the appropriate response for that type of threat.
An intelligent defence should also adjust anomaly-detection thresholds according to risk classification, behavioural baseline and alert level, so that you receive the types of alert you actually want (for example, compromised files found by scans, failed logins to root accounts, phishing attempts and so on).
A strong defence should take a holistic approach to threat detection, which is why organisations should consolidate and simultaneously run network, application, and file scans in order to see issues across the environment.
Using context-based access control (CBAC), meanwhile, lets the business authenticate both the user and the device and control what that user can see or do. For example, an authorised user accessing sensitive data from a personal tablet can see and do less than when accessing the same data from a corporate-issued laptop.
Finally, businesses should use a single platform (rather than email) to collect alerts from the organisation’s security tools. Ensure that the tool can contextualise each alert: the source, user and activity that led to it. This helps determine whether multiple alerts stem from the same source, user or activity, which may indicate malicious activity.
Taking the burden off the CISO
CISOs have enough on their plate without having to monitor every single alert and take the appropriate action each time. At the same time, only a human expert has the insight and experience to distinguish real threats from false positives and to identify those that require urgent attention.
While it is impossible – and unwise – to place threat monitoring entirely in the hands of machines, automation has an incredibly important role to play in mitigating threats and sifting through masses of potential alerts before they reach the eyes of the CISO. This is doubly true given the dearth of skilled IT personnel that leaves teams overstretched even at the best of times.
That’s why automated threat response is such an important part of any defence. Automation ensures that common threats are caught and dealt with early, while automatic alert investigation and escalation deals with many of the more common types of alert, for example failed logins, phishing attempts and malware detections.
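The single contextualising platform described in the previous section and the automated first-line investigation described here can be shown together. The following Python is an added example, not code from the article or from any vendor: it normalises alerts from several tools into one queue, groups them by user so that related events are seen together, and applies a few rules that auto-close routine cases (a couple of mistyped passwords, a phishing mail the gateway already quarantined, malware the EDR already contained) while escalating chains that only make sense in combination. The tool names, field names, thresholds and alert records are all constructed assumptions.

```python
"""Single alert queue with context and automated first-line triage. Alerts
from several tools are normalised, grouped by user, and simple rules either
auto-close the routine cases or escalate chains that only make sense
together. Added illustration, not a vendor product; the records, tool names,
field names and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5          # assumption: fewer failures in the window is treated as a typo
WINDOW = timedelta(minutes=10)

# Constructed raw alerts as four tools (identity provider, mail gateway, proxy, EDR) might emit them.
RAW_ALERTS = [
    {"id": "a1", "tool": "idp", "ts": "2024-05-01T09:00:00", "type": "failed-login",  "user": "alice", "src": "10.0.0.5"},
    {"id": "a2", "tool": "idp", "ts": "2024-05-01T09:00:20", "type": "failed-login",  "user": "alice", "src": "10.0.0.5"},
    {"id": "a3", "tool": "idp", "ts": "2024-05-01T09:01:00", "type": "login-success", "user": "alice", "src": "10.0.0.5"},
] + [
    {"id": f"b{i}", "tool": "idp", "ts": f"2024-05-01T09:1{i}:00", "type": "failed-login", "user": "bob", "src": "203.0.113.7"}
    for i in range(6)                # six failures, one per minute, from 09:10 to 09:15
] + [
    {"id": "b9", "tool": "idp",    "ts": "2024-05-01T09:16:00", "type": "login-success",       "user": "bob",   "src": "203.0.113.7"},
    {"id": "c1", "tool": "mailgw", "ts": "2024-05-01T09:20:00", "type": "phishing-quarantined", "user": "carol", "src": "-"},
    {"id": "d1", "tool": "mailgw", "ts": "2024-05-01T09:21:00", "type": "phishing-delivered",   "user": "dave",  "src": "-"},
    {"id": "d2", "tool": "proxy",  "ts": "2024-05-01T09:25:00", "type": "url-click",            "user": "dave",  "src": "10.0.0.9"},
    {"id": "e1", "tool": "edr",    "ts": "2024-05-01T09:30:00", "type": "malware-quarantined",  "user": "erin",  "src": "10.0.0.12"},
    {"id": "f1", "tool": "edr",    "ts": "2024-05-01T09:31:00", "type": "malware-detected",     "user": "frank", "src": "10.0.0.13"},
]


@dataclass
class Case:
    user: str
    disposition: str         # "auto-closed" or "escalate"
    reason: str
    alert_ids: list = field(default_factory=list)


def normalise(raw):
    """Parse timestamps and sort so that rules can reason about event order."""
    parsed = [{**r, "ts": datetime.fromisoformat(r["ts"])} for r in raw]
    return sorted(parsed, key=lambda r: r["ts"])


def login_rule(user, evts):
    """A burst of failures is only interesting at volume, and most of all when a success follows it."""
    failed = [e for e in evts if e["type"] == "failed-login"]
    if not failed:
        return None
    start = failed[0]["ts"]
    burst = [e for e in failed if e["ts"] - start <= WINDOW]
    success = [e for e in evts if e["type"] == "login-success" and start < e["ts"] <= start + WINDOW]
    ids = [e["id"] for e in burst + success]
    if len(burst) >= FAILED_LOGIN_THRESHOLD and success:
        return Case(user, "escalate", f"{len(burst)} failed logins then success from {success[0]['src']}", ids)
    if len(burst) >= FAILED_LOGIN_THRESHOLD:
        return Case(user, "escalate", f"{len(burst)} failed logins from {burst[0]['src']}, no success yet", ids)
    return Case(user, "auto-closed", "failed logins below threshold", ids)


def phishing_rule(user, evts):
    """Gateway-quarantined mail needs nobody; delivered mail does, especially once a link was followed."""
    mail = [e for e in evts if e["type"].startswith("phishing-")]
    if not mail:
        return None
    delivered = [e for e in mail if e["type"] == "phishing-delivered"]
    clicks = [e for e in evts if e["type"] == "url-click" and e["ts"] >= mail[0]["ts"]]
    ids = [e["id"] for e in mail + clicks]
    if delivered and clicks:
        return Case(user, "escalate", "phishing reached the inbox and the user followed a link", ids)
    if delivered:
        return Case(user, "escalate", "phishing reached the inbox; pull the message", ids)
    return Case(user, "auto-closed", "phishing quarantined at the gateway, no follow-on activity", ids)


def malware_rule(user, evts):
    """Contained detections are closed automatically; anything the EDR could not contain is escalated."""
    hits = [e for e in evts if e["type"].startswith("malware-")]
    if not hits:
        return None
    ids = [e["id"] for e in hits]
    if any(e["type"] == "malware-detected" for e in hits):
        return Case(user, "escalate", f"malware not contained on {hits[0]['src']}", ids)
    return Case(user, "auto-closed", "malware quarantined by EDR", ids)


RULES = [login_rule, phishing_rule, malware_rule]


def triage(raw):
    """Group normalised alerts by user, apply each rule, and return one case per matching (user, rule)."""
    by_user = defaultdict(list)
    for e in normalise(raw):
        by_user[e["user"]].append(e)
    cases = []
    for user, evts in by_user.items():
        for rule in RULES:
            case = rule(user, evts)
            if case:
                cases.append(case)
    return cases


def dispositions(raw):
    """Convenience view: user -> disposition, keeping 'escalate' if any of the user's cases escalated."""
    out = {}
    for c in triage(raw):
        if c.disposition == "escalate" or c.user not in out:
            out[c.user] = c.disposition
    return out


if __name__ == "__main__":
    for c in triage(RAW_ALERTS):
        print(f"{c.user:6} {c.disposition:12} {c.reason} {c.alert_ids}")
```

On the constructed input, eleven raw alerts collapse into six cases, three of which are closed without a human looking at them. The design point is that the decision is made on the correlated group, not on the individual alert: bob’s single ‘login success’ record is unremarkable on its own and only becomes urgent because the same source produced six failures in the minutes before it.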
Incessant interruptions will be a thing of the past. CISOs will be able to concentrate on their day-to-day job, knowing that any alert flagged is truly urgent and worthy of their time and expertise.