In Security, Less Is More

One of my favorite quotes comes from John Naisbitt's book Megatrends: "We are drowning in information but starved for knowledge." This quote so accurately captures much of modern life. In particular, it succinctly describes the state of many enterprise security programs that, unfortunately, suffer from high levels of false-positives and other "noise" that reduce their effectiveness.

To understand why security teams are so held back by noise, we must first understand the consequences of noise for the security team. While not an exhaustive list, here are a few key repercussions.

Wasted cycles: When security teams build a workflow around a centralized work queue, that work queue needs to be attended to — from triage and incident-handling to analysis, investigation, forensics, and recovery. That means that all events in the queue need to be prioritized and reviewed. Noise fills this queue with items to review that do not add value to the security program. In other words, noise wastes the security team's precious and valuable cycles.

Missed true-positives: The phrase "finding a needle in a haystack" is an apt one in security, and in security operations in particular. The needle represents true-positive security incidents, while the haystack represents false-positives. The more false-positives there are, the more difficult that makes finding the real security incidents that are buried in the noise.

Increased infrastructure costs: Noise also comes with an infrastructure cost. Each log, alert, and event, regardless of whether it adds value, must be retained. Thus, if the team is collecting a large amount of information that adds little to no value, they are merely using excess infrastructure. This comes with a cost that takes budget away from areas where it could add significantly more value. Identifying budget for a never-ending list of security priorities is always high on the list for security leaders.

Skewed metrics: False positives tend to skew metrics. Certain metrics, particularly those that focus on percentage of time spent on security incidents, ratios of true-positives to false-positives, volume of incidents, number of incidents handled, and analyst time per incident will be highly affected by the volume of noise. The lower the rate of false positives can be, the more accurately and favorably these metrics will turn out.

How to Eliminate the Noise

Knowing a few of the reasons why false-positives and noise negatively affect our security program helps us build a plan to address the problem. Here are nine suggestions that I've found helpful over the course of my career.

1. Begin with risk: Not surprisingly, a firm understanding of and commitment to risk is the strongest of bases for building a strong security program. Assess the risks and threats to the enterprise, understand what within the enterprise they affect, and learn the potential cost and potential for damage and loss associated with each one.

2. Create goals and priorities: Selecting when to address what is one of the most important strategic decisions a security team can make. Prioritize the risks and threats enumerated in the previous step and create goals and priorities that will be addressed both near-term and longer-term.

3. Assess impact: Identifying critical assets, key resources, and important data stores, among other things, helps the team understand the potential impact of an incident. Knowing where the most sensitive and important assets, resources, and data are helps focus the team on where gaps in telemetry exist.

4. Identify data overkill and gaps: Understand the existing telemetry collection in place and evaluate whether each data source contributes to improving detection for the security team. If it doesn't, then collecting it just adds infrastructure costs while not adding value. Identify gaps in telemetry that leave the team blind to potential security incidents and develop a plan to address those gaps.

5. Consider technology overkill and gaps: Look closely at existing technology that is in place. Examine where technology is helpful, such as producing highly reliable security alerting, collecting valuable telemetry data, or making process and workflow more efficient. Keep a close eye on where technology is fighting, rather than helping, the security team, as well as where gaps exist in telemetry and detection.

6. Throw out the default rule set: Rules, signatures, and other detection techniques that generate a large volume of noise do not add value to the security program. Instead, they bury the team in false-positives and actively work against timely and accurate detection of security incidents. It may sound radical, but there are far more benefits to throwing out the default rule set than there are disadvantages.

7. Implement tight detection: Truly embracing the "less is more" philosophy includes incisively interrogating the data to produce high-fidelity, high-reliability alerts and events. While implementing more sophisticated approaches to detection requires a significant time investment up front, it pays big dividends. The better the alerting and eventing, the more signal and the less noise the work queue will have.

8. Focus on process: The highest quality work queue in the world won't help when there are broken or nonexistent processes. A world-class security team has mature, efficient, and effective processes that guide and govern how they work.

9. Continuously improve: No security program is in an ideal state, and the best security teams are keenly aware of their weaknesses and opportunities for improvement. Taking lessons learned from each of the above points and using them to continuously improve the security program is critical to its long-term success.

The conventional wisdom that more data, more events, and more alerts make for better detection is outdated and misinformed. Through a strategic focus on risk and a methodical approach to reducing noise, enterprises can improve both the state of their detection capabilities and the maturity of their security programs. Improving the signal-to-noise ratio and embracing the "less is more" philosophy for security can help enterprises detect security incidents sooner and more accurately while wasting significantly fewer resources on false-positives and noise.